[ https://issues.apache.org/jira/browse/HAWQ-256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15434467#comment-15434467 ]
Vineet Goel commented on HAWQ-256: ---------------------------------- I found this in the Hive documentation: "The ADMIN permission in Ranger is the equivalent to the WITH GRANT OPTION in SQL standard-based authorization. However, the ADMIN permission gives the grantee the ability to grant all permissions rather than just the permissions possessed by the grantor. With SQL standard-based authorization, the WITH GRANT OPTION applies only to permissions possessed by the grantor." This seems to suggest that "WITH GRANT OPTION" doesn't translate into same behavior at the Ranger level. This is understandable and acceptable I think. Ranger users and Component (Hive or HAWQ) users are likely two separate groups and they don't need to cross in their functions. This likely means, WITH GRANT OPTION on the CLI probably doesn't propagate into any Ranger policy updates and is ignored? Secondly, I'm late to this discussion, but it seems like [~bosco] was suggesting to design in such a way that "native component CLI commands" should not be encouraged, but rather, only Ranger UI/APIs should be used to set those policies (if Ranger authentication is switched ON in the component). If that's the case, I like that idea, to reduce design complexity. Hence, Authentication changes made with GRANT and REVOKE statements on component CLI must be disabled if Ranger authentication is switched ON. If Ranger is not in use, native component behavior remains unchanged. Users are expected not to flip back and forth between using Ranger and not using Ranger. > Integrate Security with Apache Ranger > ------------------------------------- > > Key: HAWQ-256 > URL: https://issues.apache.org/jira/browse/HAWQ-256 > Project: Apache HAWQ > Issue Type: New Feature > Components: PXF, Security > Reporter: Michael Andre Pearce (IG) > Assignee: Lili Ma > Fix For: backlog > > Attachments: HAWQRangerSupportDesign.pdf > > > Integrate security with Apache Ranger for a unified Hadoop security solution. -- This message was sent by Atlassian JIRA (v6.3.4#6332)