[
https://issues.apache.org/jira/browse/HAWQ-1207?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15831463#comment-15831463
]
Lili Ma edited comment on HAWQ-1207 at 1/20/17 9:40 AM:
--------------------------------------------------------
[~thebellhead] I split the stories given that they are from two aspects:
catalog table and super user.
For super user, HAWQ behavior without Ranger is that superuser can have all the
privileges upon HAWQ internal tables. We need limit the super user behavior
for accessing tables create by others.
Besides this, there are a lot of super user specific behaviors for some
objects. Only superuser has the rights for following operations:
1. create cast: when function is NULL
2. create filespace
3. create/remove/alter foreign-data wrapper
4. create function: For untrusted language, only superuser can create function.
5. create/drop procedural language
6. create/drop/alter resource queue
7. create tablespace: It means the privilege to create tablespace, and only
superuser can do. But the CREATE privilege for tablespace means creating
database/table/index... in tablespace, which is different.
8. create external table: Only super user can create EXECUTE external web table
or create an external table with a file protocol (but in HAWQ 2.0, the file
protocol is not supported any more).
9. create operator class
10. copy: Only superuser can copy to or from a file. And in ranger, the
superuser can not run copy to or from when he doesn't have the privilege for
that table select or insert.
11. alter state of system triggers
12. some build in functions, including pg_logdir_ls, pg_ls_dir, pg_read_file,
pg_reload_conf, pg_rotate_logfile, pg_signal_backend, pg_start_backup,
pg_stat_file, pg_stat_get_activity, pg_stat_get_backend_activity_start,
pg_stat_get_backend_activity, pg_stat_get_backend_client_addr,
pg_stat_get_backend_client_port, pg_stat_get_backend_start,
pg_stat_get_backend_waiting, pg_stop_backup, pg_switch_xlog, pg_stat_reset
For above operations, we'd rather keep it checked in HAWQ side if there is no
other concerns.
was (Author: lilima):
[~thebellhead] I split the stories given that they are from two aspects:
catalog table and super user.
For super user, HAWQ behavior without Ranger is that superuser can have all the
privileges upon HAWQ internal tables. We need limit the super user behavior
for accessing tables create by others.
Besides this, there are a lot of super user specific behaviors for some
objects. Only superuser has the rights for following operations:
1. create cast: when function is NULL
2. create filespace
3. create/remove/alter foreign-data wrapper
4. create function: For untrusted language, only superuser can create function.
5. create/drop procedural language
6. create/drop/alter resource queue
7. create tablespace: It means the privilege to create tablespace, and only
superuser can do. But the CREATE privilege for tablespace means creating
database/table/index... in tablespace, which is different.
8. create external table: Only super user can create EXECUTE external web table
or create an external table with a file protocol (but in HAWQ 2.0, the file
protocol is not supported any more).
9. create operator class
10. copy: Only superuser can copy to or from a file. And in ranger, the
superuser can not run copy to or from when he doesn't have the privilege for
that table select or insert.
11. alter state of system triggers
12. some build in functions, including pg_logdir_ls, pg_ls_dir, pg_read_file,
pg_reload_conf, pg_rotate_logfile, pg_signal_backend, pg_start_backup,
pg_stat_file, pg_stat_get_activity, pg_stat_get_backend_activity_start,
pg_stat_get_backend_activity, pg_stat_get_backend_client_addr,
pg_stat_get_backend_client_port, pg_stat_get_backend_start,
pg_stat_get_backend_waiting, pg_stop_backup, pg_switch_xlog, pg_stat_reset
For above operations, we'd rather keep it checked in HAWQ side, if there is no
other concerns.
> Gpadmin super user processing on ACL
> ------------------------------------
>
> Key: HAWQ-1207
> URL: https://issues.apache.org/jira/browse/HAWQ-1207
> Project: Apache HAWQ
> Issue Type: Sub-task
> Components: Security
> Reporter: Lili Ma
> Assignee: Alexander Denissov
> Fix For: backlog
>
>
> Once we specify enable_ranger, we need process gpadmin user privileges.
> Ideally, we should also restrict gpadmin behavior since we won't allow
> gpadmin to have all control on all user data.
> During the init system period, we can let gpadmin has all the privileges on
> all the objects. May implement this as seed policy in Ranger plugin side.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
