[ https://issues.apache.org/jira/browse/HAWQ-256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15434467#comment-15434467 ]

Vineet Goel commented on HAWQ-256:
----------------------------------

I found this in the Hive documentation:

"The ADMIN permission in Ranger is the equivalent to the WITH GRANT OPTION in 
SQL standard-based authorization. However, the ADMIN permission gives the 
grantee the ability to grant all permissions rather than just the permissions 
possessed by the grantor. With SQL standard-based authorization, the WITH GRANT 
OPTION applies only to permissions possessed by the grantor."

This seems to suggest that "WITH GRANT OPTION" doesn't translate into the same 
behavior at the Ranger level. This is understandable and acceptable, I think. 
Ranger users and component (Hive or HAWQ) users are likely two separate groups 
and they don't need to cross in their functions. This likely means WITH GRANT 
OPTION on the CLI probably doesn't propagate into any Ranger policy updates and 
is ignored?

Secondly, I'm late to this discussion, but it seems like [~bosco] was 
suggesting to design in such a way that "native component CLI commands" should 
not be encouraged, but rather, only Ranger UI/APIs should be used to set those 
policies (if Ranger authentication is switched ON in the component). If that's 
the case, I like that idea, to reduce design complexity. Hence, authentication 
changes made with GRANT and REVOKE statements on component CLI must be disabled 
if Ranger authentication is switched ON. If Ranger is not in use, native 
component behavior remains unchanged. Users are expected not to flip back and 
forth between using Ranger and not using Ranger.

> Integrate Security with Apache Ranger
> -------------------------------------
>
>                 Key: HAWQ-256
>                 URL: https://issues.apache.org/jira/browse/HAWQ-256
>             Project: Apache HAWQ
>          Issue Type: New Feature
>          Components: PXF, Security
>            Reporter: Michael Andre Pearce (IG)
>            Assignee: Lili Ma
>             Fix For: backlog
>
>         Attachments: HAWQRangerSupportDesign.pdf
>
>
> Integrate security with Apache Ranger for a unified Hadoop security solution. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
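
The difference between the two delegation rules in the Hive documentation quoted in the comment, as an added example that is not part of the original comment and is not HAWQ, Hive or Ranger code. The permission set, field names and sample entries are constructed assumptions; the check lists users whose ADMIN flag lets them hand out permissions they do not hold themselves.

```python
"""Simplified model of the two delegation rules quoted from the Hive docs.
Constructed for illustration; field names and permissions are hypothetical."""

# Assumed permission set for one table (not taken from the page).
ALL_PERMS = frozenset({"select", "insert", "update", "delete"})


def grantable_sql(held, with_grant_option):
    """SQL standard: WITH GRANT OPTION covers only permissions the grantor holds."""
    return frozenset(held) if with_grant_option else frozenset()


def grantable_ranger(held, admin):
    """Ranger ADMIN as quoted: the grantee may grant all permissions."""
    return ALL_PERMS if admin else frozenset()


def excess_delegation(entries):
    """Map each user to the permissions they can grant under the ADMIN rule
    but could not grant under the SQL-standard rule."""
    findings = {}
    for entry in entries:
        ranger = grantable_ranger(entry["held"], entry["admin"])
        sql = grantable_sql(entry["held"], entry["admin"])
        extra = ranger - sql
        if extra:
            findings[entry["user"]] = sorted(extra)
    return findings


# Constructed sample entries: who holds what, and who has the delegation flag.
SAMPLE = [
    {"user": "analyst", "held": {"select"}, "admin": True},
    {"user": "etl", "held": {"select", "insert"}, "admin": False},
    {"user": "dba", "held": set(ALL_PERMS), "admin": True},
]

if __name__ == "__main__":
    for user, perms in excess_delegation(SAMPLE).items():
        print(f"{user}: can delegate beyond own permissions: {', '.join(perms)}")
```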
