[ https://issues.apache.org/jira/browse/HAWQ-256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15856444#comment-15856444 ]

Kyle R Dunn commented on HAWQ-256:
----------------------------------

[~Lili Ma] - here's some input for you
*1)  Why do they want to use Ranger?  What are the scenario and use cases?*
Ranger provides the missing (and very important) functionality for 
synchronizing roles and groups from an identity management provider (like LDAP) 
into HAWQ. Without this capability, roles must be provisioned manually or 
something like pg-ldap-sync must be used; neither is a very enterprise-friendly 
or "baked" solution. 

*2)  Which version of Ranger do they want to use?  Is the version 0.6+ 
acceptable (shipped in HDP 2.5+) ?*
I think any version is a good starting point; in my opinion, it is best we stay 
aligned with what is available in the current HDP GA release.

*3)  What are the specific HAWQ objects they want to manage in Ranger, for 
example, Database/Tablespace/Schema/Table/Sequence/Language/Function/Protocol? 
Is there anything else?*
In my mind, support for schema, table, sequence, function and protocol is more 
important. Then prioritize database and tablespace; those seem to be the more 
"advanced" usage (compared to the former) for most SQL on Hadoop installations 
I've seen.

*4)  What kind of tables do they want to manage? Heap (catalog) table, or data 
table on HDFS?*
Data tables. In my opinion, the catalog should only be managed by a local superuser.

*5)  Do they want to restrict superuser privileges? If yes, what kind of 
privileges do they want to restrict, including catalog table or just the table 
on HDFS?*
I've not seen this requirement, except with PL/x function creation / 
invocation. 

*6)  Do they want to use Ambari to deploy HAWQ and Ranger?*
Whenever possible, yes.

*7) Do they have requirements for integration with user management tool such as 
LDAP?*
Absolutely, this is the main motivator from my perspective.

*8) Do they have a need to switch back and forth from Ranger? Say, setting 
Ranger on, and then setting off (using HAWQ native authorization)?*
Hard to say here. If it is possible for HAWQ to reach some unusable state as a 
result of having Ranger on, then yes; otherwise, it seems unlikely this would be 
a common activity.

*9) Are they ok with the solution that we put system catalog/function/owner 
check in HAWQ?
    --- There are a lot of catalog information checks (for example, pg_catalog, 
information_schema, etc.) and system embedded function (for example, count, 
charne, etc.) checks in a simple SQL command such as "analyze" and "\d", which 
will consume a lot of communication cost with Ranger if we process it in 
Ranger. Also, the embedded catalog/function may not include so much sensitive 
data.
   --- HAWQ does an owner check in some cases. For example, only the owner who 
creates the table can drop it. Is the customer OK with us keeping the owner 
check in HAWQ?*
This makes sense to me. Having admin functions only available via a local 
account but auditable by Ranger is likely a fair tradeoff here. 

*10) Are they ok with the solution that once Ranger is configured, we will 
forbid GRANT/REVOKE command in HAWQ?*
This seems to be the correct behavior to avoid inconsistencies.

*11) Are they ok with the solution that HAWQ handles the privileges check for 
drop table/create database?*
This comes back to the third question - I think it makes sense, others may have 
a different opinion.

*12) Are they ok with the solution that configuring an extra GUC in Ambari side 
for indicating Ranger on/off?*
Not sure here. If Ranger thinks it's managing HAWQ, HAWQ should not be allowed 
to be "off" in Ambari. For the "disable Ranger" mode in HAWQ, maybe it should 
be command line only, as it would likely be only for troubleshooting / 
temporary usage.

*13) Are they OK if we don’t provide High Availability with HAWQ Ranger Plugin 
Service (RPS) in the first (beta) release?*
I think this is ok. Right now, it is not easy (or maybe even possible) to have 
high availability with HAWQ+LDAP, so this is still at parity with current 
functionality. 


Hope this helps.
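The privilege-check split sketched in questions 9 through 12 above, as an added example that is not part of this comment or of HAWQ's own code: a toy authorizer in Python that keeps catalog reads, builtin-function calls, the owner check for DROP and the CREATE DATABASE check inside HAWQ, sends only data-object checks to a stub Ranger, and rejects GRANT/REVOKE while Ranger is the policy source. The on/off flag (`ranger_enabled`), the `RangerStub`, the role and object names, and the catalog and builtin name lists are all assumptions made for illustration; HAWQ's real catalog and builtin lists are much longer.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Objects whose checks never leave HAWQ (question 9). These sets are
# illustrative stand-ins, not HAWQ's actual catalog or builtin lists.
SYSTEM_SCHEMAS = frozenset({"pg_catalog", "information_schema"})
BUILTIN_FUNCTIONS = frozenset({"count", "char_length", "sum", "now"})

AclKey = Tuple[str, str]  # (role, "kind:schema.name")


@dataclass
class ObjectRef:
    kind: str                 # table, schema, function, database, ...
    name: str
    schema: str = "public"
    owner: str = ""

    def qualified(self) -> str:
        return f"{self.kind}:{self.schema}.{self.name}"

    def is_system(self) -> bool:
        return self.schema in SYSTEM_SCHEMAS or (
            self.kind == "function" and self.name in BUILTIN_FUNCTIONS)


@dataclass
class RangerStub:
    """Stand-in for the Ranger Plugin Service: a policy map plus a round-trip counter."""
    policies: Dict[AclKey, Set[str]] = field(default_factory=dict)
    calls: int = 0

    def is_allowed(self, role: str, obj: ObjectRef, action: str) -> bool:
        self.calls += 1   # every call here would be a network round trip in practice
        return action in self.policies.get((role, obj.qualified()), set())


class GrantNotAllowed(Exception):
    """GRANT/REVOKE attempted while Ranger is the policy source (question 10)."""


@dataclass
class Authorizer:
    ranger_enabled: bool      # models a hypothetical on/off GUC (question 12)
    ranger: RangerStub
    superusers: Set[str] = field(default_factory=set)
    createdb_roles: Set[str] = field(default_factory=set)
    native_acl: Dict[AclKey, Set[str]] = field(default_factory=dict)

    def check(self, role: str, obj: ObjectRef, action: str) -> bool:
        if role in self.superusers:
            return True                       # superuser privileges are not restricted (question 5)
        if obj.is_system():
            # Catalog reads and builtin calls are decided locally and never sent
            # to Ranger; changing catalog objects is reserved to superusers (question 4).
            return action in ("select", "execute")
        if action == "drop":
            return obj.owner == role          # owner check stays in HAWQ (questions 9 and 11)
        if action == "create-database":
            return role in self.createdb_roles
        if self.ranger_enabled:
            return self.ranger.is_allowed(role, obj, action)
        return action in self.native_acl.get((role, obj.qualified()), set())

    def grant(self, role: str, obj: ObjectRef, action: str) -> None:
        if self.ranger_enabled:
            raise GrantNotAllowed("GRANT/REVOKE rejected: Ranger manages HAWQ policies")
        self.native_acl.setdefault((role, obj.qualified()), set()).add(action)

    def revoke(self, role: str, obj: ObjectRef, action: str) -> None:
        if self.ranger_enabled:
            raise GrantNotAllowed("GRANT/REVOKE rejected: Ranger manages HAWQ policies")
        self.native_acl.get((role, obj.qualified()), set()).discard(action)


def describe_table(auth: Authorizer, role: str, table: ObjectRef) -> Tuple[bool, int]:
    """Approximate what a "\\d table" costs: one check on the user table plus
    several catalog reads and builtin calls. Returns (allowed, ranger_calls_made)."""
    before = auth.ranger.calls
    catalog_reads = [ObjectRef("table", n, "pg_catalog")
                     for n in ("pg_class", "pg_attribute", "pg_namespace", "pg_type")]
    builtin_calls = [ObjectRef("function", n, "pg_catalog") for n in ("count", "char_length")]
    ok = auth.check(role, table, "select")
    ok = ok and all(auth.check(role, c, "select") for c in catalog_reads)
    ok = ok and all(auth.check(role, f, "execute") for f in builtin_calls)
    return ok, auth.ranger.calls - before


if __name__ == "__main__":
    # Constructed scenario: "analyst" may SELECT from a table owned by "etl".
    sales = ObjectRef("table", "sales", owner="etl")
    ranger = RangerStub({("analyst", sales.qualified()): {"select"}})
    auth = Authorizer(ranger_enabled=True, ranger=ranger)
    print(describe_table(auth, "analyst", sales))   # (True, 1): only the user table went to Ranger
```

With Ranger on, the six catalog and builtin checks behind a single describe cost zero round trips while the one data-table check goes to the stub; DROP still falls to the owner check in HAWQ, and GRANT raises instead of creating a second source of truth. With `ranger_enabled=False` the same authorizer falls back to its native ACL map and GRANT/REVOKE work again.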

> Integrate Security with Apache Ranger
> -------------------------------------
>
>                 Key: HAWQ-256
>                 URL: https://issues.apache.org/jira/browse/HAWQ-256
>             Project: Apache HAWQ
>          Issue Type: New Feature
>          Components: Security
>            Reporter: Michael Andre Pearce (IG)
>            Assignee: Lili Ma
>             Fix For: backlog
>
>         Attachments: HAWQRangerSupportDesign.pdf, 
> HAWQRangerSupportDesign_v0.2.pdf, HAWQRangerSupportDesign_v0.3.pdf
>
>
> Integrate security with Apache Ranger for a unified Hadoop security solution. 



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)