incubator-hawq-docs git commit: create external table - correct formatting error
Repository: incubator-hawq-docs Updated Branches: refs/heads/master 776ede0e5 -> 39cd81475 create external table - correct formatting error Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/commit/39cd8147 Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/tree/39cd8147 Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/diff/39cd8147 Branch: refs/heads/master Commit: 39cd814753136cb8b925aec68dca0907ac20b276 Parents: 776ede0 Author: Lisa OwenAuthored: Fri Jul 21 12:19:59 2017 -0700 Committer: Lisa Owen Committed: Fri Jul 21 12:19:59 2017 -0700 -- markdown/reference/sql/CREATE-EXTERNAL-TABLE.html.md.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/blob/39cd8147/markdown/reference/sql/CREATE-EXTERNAL-TABLE.html.md.erb -- diff --git a/markdown/reference/sql/CREATE-EXTERNAL-TABLE.html.md.erb b/markdown/reference/sql/CREATE-EXTERNAL-TABLE.html.md.erb index c458cae..8cb661b 100644 --- a/markdown/reference/sql/CREATE-EXTERNAL-TABLE.html.md.erb +++ b/markdown/reference/sql/CREATE-EXTERNAL-TABLE.html.md.erb @@ -183,7 +183,7 @@ For writable external tables, specifies the URI location of the `gpfdist` proces With two `gpfdist` locations listed as in the above example, half of the segments would send their output data to the `data1.out` file and the other half to the `data2.out` file. -For the `pxf` protocol, the `LOCATION` string specifies the HDFS NameNode \ and the \ of the PXF service, the location of the data, and the PXF profile or Java classes used to convert the data between storage format and HAWQ format. If the \ is omitted, the \ is taken to be the logical name for the high availability Nameservice, and the \ is the value of the `pxf_service_port` configuration parameter, 51200 by default. The URL parameters `FRAGMENTER`, `ACCESSOR`, and `RESOLVER` are the names of PXF plug-ins (Java classes) that convert between the external data format and HAWQ data format. The `FRAGMENTER` parameter is only used with readable external tables. PXF allows combinations of these parameters to be configured as profiles so that a single `PROFILE` parameter can be specified to access external data, for example `?PROFILE=Hive`. Additional \ ` can be added to the LOCATION URI to further describe the external data format or st orage options. For details about the plug-ins and profiles provided with PXF and information about creating custom plug-ins for other data sources see [Using PXF with Unmanaged Data](../../pxf/HawqExtensionFrameworkPXF.html). +For the `pxf` protocol, the `LOCATION` string specifies the HDFS NameNode \ and the \ of the PXF service, the location of the data, and the PXF profile or Java classes used to convert the data between storage format and HAWQ format. If the \ is omitted, the \ is taken to be the logical name for the high availability Nameservice, and the \ is the value of the `pxf_service_port` configuration parameter, 51200 by default. The URL parameters `FRAGMENTER`, `ACCESSOR`, and `RESOLVER` are the names of PXF plug-ins (Java classes) that convert between the external data format and HAWQ data format. The `FRAGMENTER` parameter is only used with readable external tables. PXF allows combinations of these parameters to be configured as profiles so that a single `PROFILE` parameter can be specified to access external data, for example `?PROFILE=Hive`. Additional \ s can be added to the LOCATION URI to further describe the external data format or sto rage options. For details about the plug-ins and profiles provided with PXF and information about creating custom plug-ins for other data sources see [Using PXF with Unmanaged Data](../../pxf/HawqExtensionFrameworkPXF.html). EXECUTE '\ ' ON ... Allowed for readable web external tables or writable external tables only. For readable web external tables, specifies the OS command to be executed by the segment instances. The \ can be a single OS command or a script. If \ executes a script, that script must reside in the same location on all of the segment hosts and be executable by the HAWQ superuser (`gpadmin`).
incubator-hawq-docs git commit: pxf jdbc profile - enhance INTERVAL discussion
Repository: incubator-hawq-docs Updated Branches: refs/heads/master abea80853 -> f6d40aaca pxf jdbc profile - enhance INTERVAL discussion Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/commit/f6d40aac Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/tree/f6d40aac Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/diff/f6d40aac Branch: refs/heads/master Commit: f6d40aaca08e78d208a7ac8192ebf88a3564bec4 Parents: abea808 Author: Lisa OwenAuthored: Wed Jul 12 09:18:48 2017 -0600 Committer: Lisa Owen Committed: Wed Jul 12 09:18:48 2017 -0600 -- markdown/pxf/JdbcPXF.html.md.erb | 2 ++ 1 file changed, 2 insertions(+) -- http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/blob/f6d40aac/markdown/pxf/JdbcPXF.html.md.erb -- diff --git a/markdown/pxf/JdbcPXF.html.md.erb b/markdown/pxf/JdbcPXF.html.md.erb index 337de66..9135e2b 100644 --- a/markdown/pxf/JdbcPXF.html.md.erb +++ b/markdown/pxf/JdbcPXF.html.md.erb @@ -87,6 +87,8 @@ Example JDBC \ connection string: _DRIVER=com.mysql.jdbc.Driver_URL=jdbc:mysql://:/testdb=user1=changeme ``` +When specifying the `PARTITION_BY` option, tune the `INTERVAL` value and unit based upon the optimal number of JDBC connections to the target database and the optimal distribution of fragments across HAWQ segments. The `INTERVAL` low boundary is driven by the number of HAWQ segments (`default_hash_table_bucket_number`), while the high boundary is driven by the acceptable number of JDBC connections to the target database. `INTERVAL` settings influence the number of fragments, and should ideally not be set too high nor too low. Testing with multiple values may help you select the optimal settings. + Example JDBC \ substrings identifying partitioning parameters: ``` pre
incubator-hawq-docs git commit: use ANALYZE command, not operation
Repository: incubator-hawq-docs Updated Branches: refs/heads/master aaa7ebba5 -> a9fcece43 use ANALYZE command, not operation Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/commit/a9fcece4 Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/tree/a9fcece4 Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/diff/a9fcece4 Branch: refs/heads/master Commit: a9fcece4308e51a5c1bc55b70ce3b3ef3305c5df Parents: aaa7ebb Author: Lisa OwenAuthored: Thu Jun 1 10:49:14 2017 -0700 Committer: Lisa Owen Committed: Thu Jun 1 10:49:14 2017 -0700 -- markdown/pxf/HBasePXF.html.md.erb | 2 +- markdown/pxf/JsonPXF.html.md.erb | 2 +- markdown/reference/sql/ANALYZE.html.md.erb | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) -- http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/blob/a9fcece4/markdown/pxf/HBasePXF.html.md.erb -- diff --git a/markdown/pxf/HBasePXF.html.md.erb b/markdown/pxf/HBasePXF.html.md.erb index 90dacf3..4341de3 100644 --- a/markdown/pxf/HBasePXF.html.md.erb +++ b/markdown/pxf/HBasePXF.html.md.erb @@ -53,7 +53,7 @@ The HBase profile is equivalent to the following PXF parameters: - Accessor=org.apache.hawq.pxf.plugins.hbase.HBaseAccessor - Resolver=org.apache.hawq.pxf.plugins.hbase.HBaseResolver -**Note**: `ANALYZE` operations are not supported on external tables you create with the `HBase` profile. +**Note**: The `ANALYZE` command is not supported on external tables you create with the `HBase` profile. ## Column Mapping http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/blob/a9fcece4/markdown/pxf/JsonPXF.html.md.erb -- diff --git a/markdown/pxf/JsonPXF.html.md.erb b/markdown/pxf/JsonPXF.html.md.erb index e22a75c..c56c28e 100644 --- a/markdown/pxf/JsonPXF.html.md.erb +++ b/markdown/pxf/JsonPXF.html.md.erb @@ -176,7 +176,7 @@ JSON-plug-in-specific keywords and values used in the `CREATE EXTERNAL TABLE` ca | FORMAT| The `FORMAT` clause must specify `CUSTOM`. | | FORMATTER| The JSON `CUSTOM` format supports only the built-in `pxfwritable_import` `FORMATTER`. | -**Note**: `ANALYZE` operations are not supported on external tables you create with the `Json` profile. +**Note**: The `ANALYZE` command is not supported on external tables you create with the `Json` profile. ### Example 1 http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/blob/a9fcece4/markdown/reference/sql/ANALYZE.html.md.erb -- diff --git a/markdown/reference/sql/ANALYZE.html.md.erb b/markdown/reference/sql/ANALYZE.html.md.erb index 98fadd8..779fd7c 100644 --- a/markdown/reference/sql/ANALYZE.html.md.erb +++ b/markdown/reference/sql/ANALYZE.html.md.erb @@ -75,7 +75,7 @@ When `pxf_stat_max_fragments` is false, `ANALYZE` outputs a message to warn that There may be situations where the remote statistics retrieval could fail to perform a task on a PXF table. For example, if a PXF Java component is down, the remote statistics retrieval might not occur, and the database transaction would not succeed. In these cases, the statistics remain with the default external table values. -**Note**: `ANALYZE` operations are not supported on PXF external tables created with the `HBase` or `Json` profiles. +**Note**: The `ANALYZE` command is not supported on PXF external tables created with the `HBase` or `Json` profiles. ## Examples
incubator-hawq-docs git commit: remove graffle files
Repository: incubator-hawq-docs Updated Branches: refs/heads/master 18ee9446d -> 6b42b34f9 remove graffle files Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/commit/6b42b34f Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/tree/6b42b34f Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/diff/6b42b34f Branch: refs/heads/master Commit: 6b42b34f97b9c805df8761cd700a2b2c82b5819a Parents: 18ee944 Author: Lisa OwenAuthored: Tue May 30 15:06:10 2017 -0700 Committer: Lisa Owen Committed: Tue May 30 15:06:10 2017 -0700 -- markdown/images/source/gporca.graffle| Bin 2814 -> 0 bytes markdown/images/source/hawq_hcatalog.graffle | Bin 2967 -> 0 bytes 2 files changed, 0 insertions(+), 0 deletions(-) -- http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/blob/6b42b34f/markdown/images/source/gporca.graffle -- diff --git a/markdown/images/source/gporca.graffle b/markdown/images/source/gporca.graffle deleted file mode 100644 index fb835d5..000 Binary files a/markdown/images/source/gporca.graffle and /dev/null differ http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/blob/6b42b34f/markdown/images/source/hawq_hcatalog.graffle -- diff --git a/markdown/images/source/hawq_hcatalog.graffle b/markdown/images/source/hawq_hcatalog.graffle deleted file mode 100644 index f46bfb2..000 Binary files a/markdown/images/source/hawq_hcatalog.graffle and /dev/null differ
incubator-hawq-docs git commit: policy doc - built-in func warning, revise hdfs/hive considers
Repository: incubator-hawq-docs Updated Branches: refs/heads/develop a3ebec2d8 -> e85f3a49e policy doc - built-in func warning, revise hdfs/hive considers Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/commit/e85f3a49 Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/tree/e85f3a49 Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/diff/e85f3a49 Branch: refs/heads/develop Commit: e85f3a49ec1721c6f08567b782d537a691b5928e Parents: a3ebec2 Author: Lisa OwenAuthored: Fri Apr 7 15:24:12 2017 -0700 Committer: Lisa Owen Committed: Fri Apr 7 17:41:31 2017 -0700 -- markdown/ranger/ranger-policy-creation.html.md.erb | 15 +-- 1 file changed, 9 insertions(+), 6 deletions(-) -- http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/blob/e85f3a49/markdown/ranger/ranger-policy-creation.html.md.erb -- diff --git a/markdown/ranger/ranger-policy-creation.html.md.erb b/markdown/ranger/ranger-policy-creation.html.md.erb index 5bd12b4..ec78c35 100644 --- a/markdown/ranger/ranger-policy-creation.html.md.erb +++ b/markdown/ranger/ranger-policy-creation.html.md.erb @@ -319,10 +319,13 @@ Make note of the following considerations when employing Ranger authorization fo - `CREATE LANGUAGE` commands (superuser-only) issued for non-built-in languages (pljava, plpython, ..) require the `usage` permission for the `c` language. -- If Ranger is enabled for Hive authorization in your HAWQ cluster: -- Create Hive policy(s) providing the user `pxf` access to any Hive tables you want to expose via PXF HCatalog integration or HAWQ PXF external tables. -- The HAWQ policies providing access to PXF HCatalog integration must identify database `hcatalog`, schema ``, and table `` resources. These privileges are required in addition to any Hive policies for user `pxf` when Ranger is enabled for Hive authorization. +- Using built-in functions may generate the message: âWARNING: usage privilege of namespace \ is required.â This message is displayed even though the usage permission on \ is not actually required to execute the built-in function. -- If you have enabled Ranger authorization for HDFS in your HAWQ cluster: -- Create an HDFS policy(s) providing user `gpadmin` access to the HDFS HAWQ filespace. -- If you plan to use PXF external tables to read and write HDFS data, create HDFS policies providing user `pxf` access to the HDFS files backing your PXF external tables. +- When Ranger authorization is enabled for HDFS in your HAWQ cluster: +- The HDFS `xasecure.add-hadoop-authorization` property determines whether or not HDFS access controls are used as a fallback when no policy exists for a given HDFS resource. HAWQ access to HDFS is not affected when the `xasecure.add-hadoop-authorization` property is set to `true`. When this property is set to `false`, you must define HDFS Ranger policies permitting the `gadmin` HAWQ user read/write/execute access to the HAWQ HDFS filespace. +- Access to HDFS-backed PXF external tables is not affected by the `xasecure.add-hadoop-authorization` property value, since the `pxf` user is a member of the `hdfs` superuser group. + +- Hive Ranger policies cannot control PXF access to Hive tables. +- When Ranger authorization is enabled for HAWQ, the `gpadmin` user has access permissions to all Hive tables exposed through PXF external tables and HCatalog integration. +- Other HAWQ users may gain access to Hive-backed PXF external tables when provided `usage-schema` and `create` permissions on the `public` or any private schema. To restrict this access, selectively assign permissions to the `pxf` protocol. +- HCatalog access to Hive tables is restricted by default when Ranger authorization is enabled for HAWQ; you must create policies to explicitly allow this access.
incubator-hawq-docs git commit: hawq_rm_return_percent_on_overcommit clarification
Repository: incubator-hawq-docs Updated Branches: refs/heads/develop 975ef85d8 -> a3ebec2d8 hawq_rm_return_percent_on_overcommit clarification Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/commit/a3ebec2d Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/tree/a3ebec2d Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/diff/a3ebec2d Branch: refs/heads/develop Commit: a3ebec2d865b67eb4a292ab6bbacf11c3fe6e3b1 Parents: 975ef85 Author: Lisa OwenAuthored: Fri Apr 7 09:46:58 2017 -0700 Committer: Lisa Owen Committed: Fri Apr 7 09:46:58 2017 -0700 -- markdown/reference/guc/parameter_definitions.html.md.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/blob/a3ebec2d/markdown/reference/guc/parameter_definitions.html.md.erb -- diff --git a/markdown/reference/guc/parameter_definitions.html.md.erb b/markdown/reference/guc/parameter_definitions.html.md.erb index 1f94c5a..70416d6 100644 --- a/markdown/reference/guc/parameter_definitions.html.md.erb +++ b/markdown/reference/guc/parameter_definitions.html.md.erb @@ -2043,7 +2043,7 @@ Amount of time, in seconds, before idle resources are returned to YARN. ## hawq\_rm\_return\_percent\_on\_overcommit -Determines how many containers the global resource manager should return to the global resource manager (YARN for example.) This configuration only applies when HAWQ's YARN queue is busy, and HAWQ makes the YARN queue overuse its resources. The default value is 10, which means HAWQ will return 10% of acquired YARN containers by pausing the allocation of resources to HAWQ queries. +Determines how many containers HAWQ should return to the global resource manager (YARN for example.) This configuration only applies when HAWQ's YARN queue is busy, and HAWQ makes the YARN queue overuse its resources. The default value is 10, which means HAWQ will return 10% of acquired YARN containers by pausing the allocation of resources to HAWQ queries. In a typical deployment, you do not need to modify the default value of this parameter.
incubator-hawq-docs git commit: update rps port value range to valid port number
Repository: incubator-hawq-docs Updated Branches: refs/heads/develop 6391858bb -> bd6ce7830 update rps port value range to valid port number Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/commit/bd6ce783 Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/tree/bd6ce783 Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/diff/bd6ce783 Branch: refs/heads/develop Commit: bd6ce78308edc0bcf595ca0e9b2ff459cdde9122 Parents: 6391858 Author: Lisa OwenAuthored: Thu Apr 6 11:18:05 2017 -0700 Committer: Lisa Owen Committed: Thu Apr 6 11:18:05 2017 -0700 -- markdown/reference/guc/parameter_definitions.html.md.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/blob/bd6ce783/markdown/reference/guc/parameter_definitions.html.md.erb -- diff --git a/markdown/reference/guc/parameter_definitions.html.md.erb b/markdown/reference/guc/parameter_definitions.html.md.erb index 43a8d8a..1f94c5a 100644 --- a/markdown/reference/guc/parameter_definitions.html.md.erb +++ b/markdown/reference/guc/parameter_definitions.html.md.erb @@ -2145,7 +2145,7 @@ Identifies the port on which the HAWQ Ranger Plug-in Service runs. The `hawq_rps | Value Range | Default | Set Classifications | |-|-|-| -| 1-65535 | 8432 | master, reload | +| valid port number | 8432 | master, reload | ## hawq\_segment\_address\_port
incubator-hawq-docs git commit: update plugin output to use hosts from invocation
Repository: incubator-hawq-docs Updated Branches: refs/heads/develop bb7086214 -> 187f22431 update plugin output to use hosts from invocation Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/commit/187f2243 Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/tree/187f2243 Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/diff/187f2243 Branch: refs/heads/develop Commit: 187f22431ce64da95a8e6172d68d451e2ae6e3c1 Parents: bb70862 Author: Lisa OwenAuthored: Fri Mar 31 13:41:14 2017 -0700 Committer: Lisa Owen Committed: Fri Mar 31 13:41:14 2017 -0700 -- markdown/ranger/ranger-integration-config.html.md.erb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) -- http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/blob/187f2243/markdown/ranger/ranger-integration-config.html.md.erb -- diff --git a/markdown/ranger/ranger-integration-config.html.md.erb b/markdown/ranger/ranger-integration-config.html.md.erb index a274158..3da8e78 100644 --- a/markdown/ranger/ranger-integration-config.html.md.erb +++ b/markdown/ranger/ranger-integration-config.html.md.erb @@ -73,16 +73,16 @@ To use HAWQ Ranger integration, install a compatible Hadoop distribution and Apa ``` bash gpadmin@master$ cd /usr/local/hawq/ranger/bin gpadmin@master$ ./enable-ranger-plugin.sh -r ranger_host:6080 -u admin -p admin -h hawq_master:5432 -w gpadmin -q gpadmin -RANGER URL = localhost:6080 +RANGER URL = ranger_host:6080 RANGER User = admin RANGER Password = [*] -HAWQ HOST = localhost +HAWQ HOST = hawq_master HAWQ PORT = 5432 HAWQ User = gpadmin HAWQ Password = [***] HAWQ service definition was not found in Ranger Admin, creating it by uploading /usr/local/hawq_2_2_0_0/ranger/etc/ranger-servicedef-hawq.json HAWQ service instance was not found in Ranger Admin, creating it. -Updated POLICY_MGR_URL to http://localhost:6080 in /usr/local/hawq_2_2_0_0/ranger/etc/rps.properties +Updated POLICY_MGR_URL to http://ranger_host:6080 in /usr/local/hawq_2_2_0_0/ranger/etc/rps.properties Updated default value of JAVA_HOME to /usr/jdk64/jdk1.8.0_77 in /usr/local/hawq_2_2_0_0/ranger/etc/rps.properties ```
incubator-hawq-docs git commit: overview - include link to config doc, add polling prop name
Repository: incubator-hawq-docs Updated Branches: refs/heads/develop f9f7d151b -> bb7086214 overview - include link to config doc, add polling prop name Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/commit/bb708621 Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/tree/bb708621 Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/diff/bb708621 Branch: refs/heads/develop Commit: bb7086214c9d25e7ea0cf2f07294d297f90b97e7 Parents: f9f7d15 Author: Lisa OwenAuthored: Fri Mar 31 13:26:11 2017 -0700 Committer: Lisa Owen Committed: Fri Mar 31 13:26:11 2017 -0700 -- markdown/ranger/ranger-overview.html.md.erb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) -- http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/blob/bb708621/markdown/ranger/ranger-overview.html.md.erb -- diff --git a/markdown/ranger/ranger-overview.html.md.erb b/markdown/ranger/ranger-overview.html.md.erb index 55ef691..ef223e8 100644 --- a/markdown/ranger/ranger-overview.html.md.erb +++ b/markdown/ranger/ranger-overview.html.md.erb @@ -27,11 +27,11 @@ HAWQ supports using Apache Ranger for authorizing user access to HAWQ resources. ## Policy Management Architecture Each HAWQ installation includes a Ranger plug-in service to support Ranger Policy management. The Ranger plug-in service implements the Ranger REST API to bridge all requests between the Ranger Policy Manager and a HAWQ instance. -HAWQ also provides a JAR library that enables the Ranger Policy Manager to lookup HAWQ metadata (the names of databases, schemas, tables, and so forth) to populate the user interface and assist in creating new policies. This JAR uses a JDBC connection to HAWQ, and requires a one-time registration with the Ranger Policy Manager. +HAWQ also provides a JAR library that enables the Ranger Policy Manager to lookup HAWQ metadata (the names of databases, schemas, tables, and so forth) to populate the user interface and assist in creating new policies. This JAR uses a JDBC connection to HAWQ, and requires a one-time registration with the Ranger Policy Manager. See [Configuring HAWQ to use Ranger Policy Management](ranger-integration-config.html). -A single configuration parameter, `hawq_acl_type` determines whether HAWQ defers all policy management to Ranger via the plug-in service, or whether HAWQ handles authorization natively using catalog tables. By default, HAWQ uses SQL commands to create all access policies, and the policy information is stored in catalog tables. When you enable Ranger integration for policy management, any authorization policies that you have configured in HAWQ using SQL no longer apply to your installation; you must create new policies using the Ranger interface. See [Creating HAWQ Authorization Policies in Ranger](ranger-policy-creation.html) +A single configuration parameter, `hawq_acl_type` determines whether HAWQ defers all policy management to Ranger via the plug-in service, or whether HAWQ handles authorization natively using catalog tables. By default, HAWQ uses SQL commands to create all access policies, and the policy information is stored in catalog tables. When you enable Ranger integration for policy management, any authorization policies that you have configured in HAWQ using SQL no longer apply to your installation; you must create new policies using the Ranger interface. See [Creating HAWQ Authorization Policies in Ranger](ranger-policy-creation.html). -The Ranger plug-in service caches Ranger policies locally on each HAWQ node to avoid unnecessary round trips between the HAWQ node and the Ranger Policy Manager server. You can use the configuration parameter `that` to control how frequently the plug-in service contacts the Ranger Policy Manager to refresh cached policies. See [Changing the Frequency of Policy Caching](ranger-integration-config.html#caching). +The Ranger plug-in service caches Ranger policies locally on each HAWQ node to avoid unnecessary round trips between the HAWQ node and the Ranger Policy Manager server. You can use the configuration property `ranger.plugin.hawq.policy.pollIntervalMs` to control how frequently the plug-in service contacts the Ranger Policy Manager to refresh cached policies. See [Changing the Frequency of Policy Caching](ranger-integration-config.html#caching). ## Limitations of Ranger Policy Management Neither Kerberos authentication nor SSL encryption is supported between a HAWQ node and the Ranger plug-in service, or between the plug-in service and the Ranger Policy Manager.
incubator-hawq-docs git commit: policy doc - unique ids for sections
Repository: incubator-hawq-docs Updated Branches: refs/heads/feature/ranger-integration 0b8a4dbb5 -> 68c25b5b7 policy doc - unique ids for sections Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/commit/68c25b5b Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/tree/68c25b5b Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/diff/68c25b5b Branch: refs/heads/feature/ranger-integration Commit: 68c25b5b77649ba8c8d24d55d2e3b6b1dca2a7a8 Parents: 0b8a4db Author: Lisa OwenAuthored: Wed Mar 29 16:35:44 2017 -0700 Committer: Lisa Owen Committed: Wed Mar 29 16:35:44 2017 -0700 -- markdown/ranger/ranger-policy-creation.html.md.erb | 8 1 file changed, 4 insertions(+), 4 deletions(-) -- http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/blob/68c25b5b/markdown/ranger/ranger-policy-creation.html.md.erb -- diff --git a/markdown/ranger/ranger-policy-creation.html.md.erb b/markdown/ranger/ranger-policy-creation.html.md.erb index 9523c77..c66f5ba 100644 --- a/markdown/ranger/ranger-policy-creation.html.md.erb +++ b/markdown/ranger/ranger-policy-creation.html.md.erb @@ -105,7 +105,7 @@ Ranger evaluates policies from most to least restrictive, searching for a policy Refer to the [Ranger User Guide ??apache or hortonworks??](https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.0/bk_Ranger_User_Guide/bk_Ranger_User_Guide-20160301.pdf) and [Deny-conditions and excludes in Ranger policies](https://cwiki.apache.org/confluence/display/RANGER/Deny-conditions+and+excludes+in+Ranger+policies) for detailed information on the Ranger Admin UI and Ranger policy evaluation. -## HAWQ Policy Definition +## HAWQ Policy Definition When configuring a HAWQ-Ranger authorization policy, you: @@ -162,7 +162,7 @@ You may identify one or more users and/or groups to which to provide or deny acc | User | \ | The user(s) to which you want to provide or deny access. All users sync'd from \ or explicitly registered via the Ranger Admin UI are available in the picklist. | - Identifying Permissions + Identifying Permissions You can assign users/groups the following permissions when allowing or denying access to specific HAWQ resources: @@ -196,7 +196,7 @@ It may take a collection of policies to provide access to a specific HAWQ databa MORE HERE -### Wildcarding in HAWQ Policies +### Wildcarding in HAWQ Policies When defining a HAWQ policy, wildcarding (`*`) a leaf node resource will scope the policy at two levels: @@ -349,7 +349,7 @@ specifying these permissions: | create | CREATE TABLE ... TABLESPACE | GRANT CREATE ON \ TO \ | -### Policies for Protocol Operations +### Policies for Protocol Operations ??gpfdist(s) and http protocols - hawq-native or ranger? super-user?
incubator-hawq-docs git commit: move create cast w/o function to hawq-native list
Repository: incubator-hawq-docs Updated Branches: refs/heads/feature/ranger-integration 847a79955 -> 6ef62dabf move create cast w/o function to hawq-native list Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/commit/6ef62dab Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/tree/6ef62dab Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/diff/6ef62dab Branch: refs/heads/feature/ranger-integration Commit: 6ef62dabf59900aee5a12f2d683840e006c1d183 Parents: 847a799 Author: Lisa OwenAuthored: Wed Mar 29 13:53:20 2017 -0700 Committer: Lisa Owen Committed: Wed Mar 29 13:53:30 2017 -0700 -- markdown/ranger/ranger-policy-creation.html.md.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/blob/6ef62dab/markdown/ranger/ranger-policy-creation.html.md.erb -- diff --git a/markdown/ranger/ranger-policy-creation.html.md.erb b/markdown/ranger/ranger-policy-creation.html.md.erb index f3b73f6..9523c77 100644 --- a/markdown/ranger/ranger-policy-creation.html.md.erb +++ b/markdown/ranger/ranger-policy-creation.html.md.erb @@ -54,6 +54,7 @@ HAWQ *always* employs its native authorization for operations on its catalog. HA - operations on HAWQ catalog - HAWQ catalog-related built-in functions +- `CREATE CAST` command when function is NULL - `CREATE DATABASE`, `DROP DATABASE`, `createdb`, `dropdb` - `hawq filespace` - `CREATE`, `DROP`, or `ALTER` commands for resource queues @@ -71,7 +72,6 @@ When Ranger is enabled, HAWQ-Ranger authorization is employed for access to user In cases where an operation requires super-user privileges, HAWQ first performs a super-user check, then requests the Ranger access check. Those operations requiring super-user checks include: -- `CREATE CAST` command when function is NULL - `CREATE`, `DROP`, or `ALTER` commands that involve a foreign-data wrapper - `CREATE LANGUAGE`, `DROP LANGUAGE` for non-built-in languages - `CREATE FUNCTION` command for untrusted languages.
incubator-hawq-docs git commit: hawq state ref page - add ranger status to info
Repository: incubator-hawq-docs Updated Branches: refs/heads/feature/ranger-integration d981a9596 -> a886ae32c hawq state ref page - add ranger status to info Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/commit/a886ae32 Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/tree/a886ae32 Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/diff/a886ae32 Branch: refs/heads/feature/ranger-integration Commit: a886ae32c93c1130fd1611254ddd656c3dd783ff Parents: d981a95 Author: Lisa OwenAuthored: Tue Mar 28 16:04:50 2017 -0700 Committer: Lisa Owen Committed: Tue Mar 28 16:04:50 2017 -0700 -- markdown/reference/cli/admin_utilities/hawqstate.html.md.erb | 1 + 1 file changed, 1 insertion(+) -- http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/blob/a886ae32/markdown/reference/cli/admin_utilities/hawqstate.html.md.erb -- diff --git a/markdown/reference/cli/admin_utilities/hawqstate.html.md.erb b/markdown/reference/cli/admin_utilities/hawqstate.html.md.erb index e56ecd1..a8c505f 100644 --- a/markdown/reference/cli/admin_utilities/hawqstate.html.md.erb +++ b/markdown/reference/cli/admin_utilities/hawqstate.html.md.erb @@ -43,6 +43,7 @@ The `hawq state` utility displays information about a running HAWQ instance. A H - Master and segment configuration information (hosts, data directories, etc.). - The ports used by the system. - Whether a standby master is present, and if it is active. +- Whether Ranger authorization is enabled for HAWQ, and if so, the status of the HAWQ Ranger Plug-in Service. ## Options
incubator-hawq-docs git commit: initial checkin of policy doc; includes referenced img
Repository: incubator-hawq-docs Updated Branches: refs/heads/feature/ranger-integration 70693401a -> d981a9596 initial checkin of policy doc; includes referenced img Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/commit/d981a959 Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/tree/d981a959 Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/diff/d981a959 Branch: refs/heads/feature/ranger-integration Commit: d981a95960b1b06879aa1e47e6e394d0ed40352b Parents: 7069340 Author: Lisa OwenAuthored: Tue Mar 28 15:48:44 2017 -0700 Committer: Lisa Owen Committed: Tue Mar 28 15:48:44 2017 -0700 -- markdown/images/hawqpolicydetails.png | Bin 0 -> 165359 bytes .../ranger/ranger-policy-creation.html.md.erb | 486 +++ 2 files changed, 486 insertions(+) -- http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/blob/d981a959/markdown/images/hawqpolicydetails.png -- diff --git a/markdown/images/hawqpolicydetails.png b/markdown/images/hawqpolicydetails.png new file mode 100644 index 000..4c7945f Binary files /dev/null and b/markdown/images/hawqpolicydetails.png differ http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/blob/d981a959/markdown/ranger/ranger-policy-creation.html.md.erb -- diff --git a/markdown/ranger/ranger-policy-creation.html.md.erb b/markdown/ranger/ranger-policy-creation.html.md.erb index 16573fb..f3b73f6 100644 --- a/markdown/ranger/ranger-policy-creation.html.md.erb +++ b/markdown/ranger/ranger-policy-creation.html.md.erb @@ -20,3 +20,489 @@ KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. --> + +Ranger secures your Hadoop services, providing a centralized console to manage user access to the data in your HAWQ cluster. + +Native HAWQ authorization provides SQL standard authorization at the database and table level for specific users/roles using `GRANT` and `REVOKE` SQL commands. HAWQ integration with Ranger provides policy-based authorization, enabling you to identify the conditions under which a user and/or group can access individual HAWQ resources, including the operations permitted on those resources. + +**Note**: The HAWQ `GRANT` and `REVOKE` operations are not permitted when Ranger authorization is enabled for HAWQ; you must configure all user and object access through Ranger policies. + +You will configure HAWQ-Ranger authorization through the Ranger Administrative UI, which you can access at `http://:6080`. + + +## User/Role Mapping + +When configuring your HAWQ cluster, you identify the HAWQ database objects to which you want specific users to have access. This configuration is required for both HAWQ-Native and HAWQ-Ranger authorization. + +You create HAWQ users with the `createuser` command line utility or `CREATE ROLE` SQL command. These HAWQ users may or may not reflect an underlying operating system user. + +Ranger includes a `UserSync` process to synchronize users and groups on the \ . You can sync users and groups from the operating system (default), a file, or from LDAP/AD services. Once the sync source is identified, Ranger `UserSync` automatically detects new users provisioned on the \ . + +If your HAWQ cluster includes HAWQ-only roles (i.e. roles with no associated OS user), you must manually configure a Ranger user for each such role. You would use the Ranger Admin UI **Settings > Users/Groups** page for this purpose. + + + +## HAWQ Authorization + + +### pg_hba.conf +The `pg_hba.conf` file on the HAWQ master node identifies the users you permit to access the HAWQ cluster, and the hosts from which the access may be initiated. This authentication is the first line of defense for both HAWQ-Native and HAWQ-Ranger authorization. + + +### HAWQ-Native Authorization +HAWQ *always* employs its native authorization for operations on its catalog. HAWQ also uses only native authorization for the following HAWQ operations, *even when Ranger is enabled*. These operations are available to superusers and may be available those non-admin users to which access was specifically configured: + +- operations on HAWQ catalog +- HAWQ catalog-related built-in functions +- `CREATE DATABASE`, `DROP DATABASE`, `createdb`, `dropdb` +- `hawq filespace` +- `CREATE`, `DROP`, or `ALTER` commands for resource queues +- `CREATE ROLE`, `DROP ROLE`, `SET ROLE`, `createuser`, `dropuser` +- `CREATE TABLESPACE`, `DROP TABLESPACE` (Ranger does manage authorization for creating tables and
incubator-hawq-docs git commit: identify hawq service def in place after run enable script
Repository: incubator-hawq-docs Updated Branches: refs/heads/feature/ranger-integration 458524cc7 -> d84723fae identify hawq service def in place after run enable script Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/commit/d84723fa Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/tree/d84723fa Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/diff/d84723fa Branch: refs/heads/feature/ranger-integration Commit: d84723fae8eec60ec62bf9f9cd0ddce61674cabd Parents: 458524c Author: Lisa OwenAuthored: Mon Mar 27 09:07:27 2017 -0700 Committer: Lisa Owen Committed: Mon Mar 27 09:07:27 2017 -0700 -- markdown/ranger/ranger-integration-config.html.md.erb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) -- http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/blob/d84723fa/markdown/ranger/ranger-integration-config.html.md.erb -- diff --git a/markdown/ranger/ranger-integration-config.html.md.erb b/markdown/ranger/ranger-integration-config.html.md.erb index 2031fae..6a6a4b3 100644 --- a/markdown/ranger/ranger-integration-config.html.md.erb +++ b/markdown/ranger/ranger-integration-config.html.md.erb @@ -63,14 +63,14 @@ The following procedures describe each configuration activity. enable-ranger-plugin.sh -r : -u -p -h : -w -q ``` -Log in to the HAWQ master node as the `gpadmin` user and execute the `enable-ranger-plugin.sh` script. For example: +Log in to the HAWQ master node as the `gpadmin` user and execute the `enable-ranger-plugin.sh` script. Ensure \ identifies the fully qualified domain name of the HAWQ master node. For example: ``` bash gpadmin@master$ cd /usr/local/hawq/ranger/bin gpadmin@master$ ./enable-ranger-plugin.sh -r ranger_host:6080 -u admin -p admin -h hawq_master:5432 -w gpadmin -q gpadmin ``` - -Ensure \ identifies the fully qualified domain name of the HAWQ master node. + +When the script completes, the default HAWQ service definition is registered in the Ranger Admin UI. This service definition is named `hawq`. 6. Edit the `pg_hba.conf` file on the HAWQ master node to configure HAWQ access for \ on the \ . For example, you would add an entry similar to the following for the example `enable-ranger-plugin.sh` call above:
incubator-hawq-docs git commit: add warning to enable/disable
Repository: incubator-hawq-docs Updated Branches: refs/heads/feature/ranger-integration b3511b36e -> 458524cc7 add warning to enable/disable Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/commit/458524cc Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/tree/458524cc Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/diff/458524cc Branch: refs/heads/feature/ranger-integration Commit: 458524cc785c4668a90abdac3107f79b5966296c Parents: b3511b3 Author: Lisa OwenAuthored: Sat Mar 25 16:55:13 2017 -0700 Committer: Lisa Owen Committed: Sat Mar 25 16:55:13 2017 -0700 -- markdown/ranger/ranger-integration-config.html.md.erb | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) -- http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/blob/458524cc/markdown/ranger/ranger-integration-config.html.md.erb -- diff --git a/markdown/ranger/ranger-integration-config.html.md.erb b/markdown/ranger/ranger-integration-config.html.md.erb index 34e1536..2031fae 100644 --- a/markdown/ranger/ranger-integration-config.html.md.erb +++ b/markdown/ranger/ranger-integration-config.html.md.erb @@ -87,7 +87,11 @@ The following procedures describe each configuration activity. 7. To validate connectivity between Ranger and HAWQ, access the Ranger Admin UI in Ambari, click the edit icon associated with the `hawq` service definition. Ensure that the Active Status is set to Enabled, and click the **Test Connection** button. You should receive a message that Ranger connected succesfully. If it fails to connect, edit your HAWQ connectivity properties directly in the Ranger Admin UI and re-test the connection. -## Step 2: Configure HAWQ to Use Ranger Policy Management +## Step 2: Configure HAWQ to Use Ranger Policy Management + +The default Ranger service definition for HAWQ assigns the HAWQ user (typically `gpadmin`) all privileges to all objects. + +**Warning**: If you enable HAWQ-Ranger authorization with only the default HAWQ service policies defined, other HAWQ users will have no privileges, even for HAWQ objects (databases, tables) that they own. 1. Select the **HAWQ** Service, and then select the **Configs** tab. 2. Select the **Advanced** tab, and then expand **Custom hawq-site**.
incubator-hawq-docs git commit: move some config info from policy to integ doc
Repository: incubator-hawq-docs Updated Branches: refs/heads/feature/ranger-integration b479fcfe0 -> b3511b36e move some config info from policy to integ doc Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/commit/b3511b36 Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/tree/b3511b36 Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/diff/b3511b36 Branch: refs/heads/feature/ranger-integration Commit: b3511b36e07c8053d16ba99efc666302335e06fb Parents: b479fcf Author: Lisa OwenAuthored: Sat Mar 25 16:41:35 2017 -0700 Committer: Lisa Owen Committed: Sat Mar 25 16:41:35 2017 -0700 -- markdown/ranger/ranger-integration-config.html.md.erb | 12 +++- 1 file changed, 11 insertions(+), 1 deletion(-) -- http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/blob/b3511b36/markdown/ranger/ranger-integration-config.html.md.erb -- diff --git a/markdown/ranger/ranger-integration-config.html.md.erb b/markdown/ranger/ranger-integration-config.html.md.erb index b0684ec..34e1536 100644 --- a/markdown/ranger/ranger-integration-config.html.md.erb +++ b/markdown/ranger/ranger-integration-config.html.md.erb @@ -19,7 +19,17 @@ software distributed under the License is distributed on an KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. ---> +--> + +Your HAWQ 2.2.0 installation includes the following HAWQ-related Ranger components: + +- Ranger Administrative UI +- HAWQ Ranger Plug-in Service + +The Ranger Administrative UI is installed when you install HDP. You configure the Ranger service itself through Ambari. You configure HAWQ-Ranger authorization policies through the Ranger Administrative UI, which you can access at `http://:6080`. + +Installing or upgrading to HAWQ 2.2.0 installs the HAWQ Ranger Plug-in Service, but neither configures nor registers the plug-in. + In order to use Ranger for managing HAWQ authentication events, you must first install and register several HAWQ JAR files on the Ranger Administration host. This is a one-time configuration that establishes connectivity to your HAWQ cluster from the Ranger Administration host. After you have installed the JAR files, you enable or disable Ranger integration in HAWQ by setting the `hawq_acl_type` configuration parameter. The following procedures describe each configuration activity.
incubator-hawq-docs git commit: add pg_hba.conf config for ranger node, formatting updates
Repository: incubator-hawq-docs Updated Branches: refs/heads/feature/ranger-integration 72203286c -> b479fcfe0 add pg_hba.conf config for ranger node, formatting updates Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/commit/b479fcfe Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/tree/b479fcfe Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/diff/b479fcfe Branch: refs/heads/feature/ranger-integration Commit: b479fcfe0f156222ae3505cf8c2889346336f900 Parents: 7220328 Author: Lisa OwenAuthored: Sat Mar 25 15:39:34 2017 -0700 Committer: Lisa Owen Committed: Sat Mar 25 15:39:34 2017 -0700 -- .../ranger-integration-config.html.md.erb | 64 ++-- 1 file changed, 44 insertions(+), 20 deletions(-) -- http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/blob/b479fcfe/markdown/ranger/ranger-integration-config.html.md.erb -- diff --git a/markdown/ranger/ranger-integration-config.html.md.erb b/markdown/ranger/ranger-integration-config.html.md.erb index afc78e8..b0684ec 100644 --- a/markdown/ranger/ranger-integration-config.html.md.erb +++ b/markdown/ranger/ranger-integration-config.html.md.erb @@ -25,33 +25,57 @@ In order to use Ranger for managing HAWQ authentication events, you must first i The following procedures describe each configuration activity. ## Step 1: Install Ranger Connectivity to HAWQ -1. `ssh` into the Ranger Administration host as a user with root privileges: -``` bash -$ ssh root@ -root@ranger-admin-host$ -``` -2. Create the directory for the HAWQ JAR files: +1. `ssh` into the Ranger Administration host as a user with root privileges: + ``` bash -root@ranger-admin-host$ cd /usr/hdp/current/ranger-admin/ews/webapp/WEB-INF/classes/ranger-plugins -root@ranger-admin-host$ mkdir hawq +$ ssh root@ +root@ranger-admin-node$ ``` -3. Copy the necessary HAWQ JAR files (`postgresql-9.1-901-1.jdbc4.jar` and `ranger-plugin-admin-2.2.0.0.jar`) from a HAWQ node to the new directory: +2. Create the directory for the HAWQ JAR files: + ``` bash -root@ranger-admin-host$ scp :/usr/local/hawq/ranger/lib/*.jar ./hawq +root@ranger-admin-node$ cd /usr/hdp/current/ranger-admin/ews/webapp/WEB-INF/classes/ranger-plugins +root@ranger-admin-node$ mkdir hawq ``` -4. Change the ownership of the new folder and JAR files to the `ranger` user: +3. Copy the necessary HAWQ JAR files (`postgresql-9.1-901-1.jdbc4.jar` and `ranger-plugin-admin-2.2.0.0.jar`) from the HAWQ master node to the new directory: + ``` bash -root@ranger-admin-host$ chown -R ranger:ranger hawq +root@ranger-admin-node$ scp :/usr/local/hawq/ranger/lib/*.jar ./hawq ``` -5. From a HAWQ node as the `gpadmin` user, execute the `enable-ranger-plugin.sh` script to configure connectivity to your HAWQ cluster. The command has the syntax: +4. Change the ownership of the new folder and JAR files to the `ranger` user: + ``` bash -/usr/local/hawq/ranger/bin/enable-ranger-plugin.sh -r : -u -p -h : -w -q +root@ranger-admin-node$ chown -R ranger:ranger hawq ``` - For example: - ``` bash - gpadmin@hawq-node$ /usr/local/hawq/ranger/bin/enable-ranger-plugin.sh -r ranger_host:6080 -u admin -p admin -h hawq_host:5432 -w gpadmin -q gpadmin - ``` -6. To validate connectivity between Ranger and HAWQ, access the Ranger Admin UI in Ambari and select the HAWQ service. Ensure that the Active Status is set to Enabled, and click `Test Connection`. You should receive a message that Ranger connected succesfully. If it fails to connect, edit your HAWQ connectivity properties directly in the Ranger Admin UI re-test the connection. +5. The `enable-ranger-plugin.sh` script configures Ranger connectivity to your HAWQ cluster. The command has the syntax: + +``` pre +enable-ranger-plugin.sh -r : -u -p -h : -w -q +``` + +Log in to the HAWQ master node as the `gpadmin` user and execute the `enable-ranger-plugin.sh` script. For example: + +``` bash +gpadmin@master$ cd /usr/local/hawq/ranger/bin +gpadmin@master$ ./enable-ranger-plugin.sh -r ranger_host:6080 -u admin -p admin -h hawq_master:5432 -w gpadmin -q gpadmin +``` + +Ensure \ identifies the fully qualified domain name of the HAWQ master node. + +6. Edit the `pg_hba.conf` file on the HAWQ master node to configure HAWQ access for \ on the \ . For example, you would add an entry similar to the following for the example `enable-ranger-plugin.sh` call above: + +``` bash +host all gpadminranger_host/32 trust
incubator-hawq-docs git commit: add title: keyword to titles
Repository: incubator-hawq-docs Updated Branches: refs/heads/feature/ranger-integration 0eb9661ad -> db0d4ca3e add title: keyword to titles Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/commit/db0d4ca3 Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/tree/db0d4ca3 Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/diff/db0d4ca3 Branch: refs/heads/feature/ranger-integration Commit: db0d4ca3e70c9c972c68a92cad86072d14f154a4 Parents: 0eb9661 Author: Lisa OwenAuthored: Wed Mar 22 10:28:49 2017 -0700 Committer: Lisa Owen Committed: Wed Mar 22 10:28:49 2017 -0700 -- markdown/ranger/ranger-auditing.html.md.erb | 2 +- markdown/ranger/ranger-integration-config.html.md.erb | 4 ++-- markdown/ranger/ranger-overview.html.md.erb | 2 +- markdown/ranger/ranger-policy-creation.html.md.erb| 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) -- http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/blob/db0d4ca3/markdown/ranger/ranger-auditing.html.md.erb -- diff --git a/markdown/ranger/ranger-auditing.html.md.erb b/markdown/ranger/ranger-auditing.html.md.erb index 63d8db2..cc0cd14 100644 --- a/markdown/ranger/ranger-auditing.html.md.erb +++ b/markdown/ranger/ranger-auditing.html.md.erb @@ -1,5 +1,5 @@ --- -Auditing Authorization Events +title: Auditing Authorization Events ---
incubator-hawq-docs git commit: update step identifiers to b and c
Repository: incubator-hawq-docs Updated Branches: refs/heads/develop 8a8bb7137 -> 5206950f4 update step identifiers to b and c Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/commit/5206950f Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/tree/5206950f Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/diff/5206950f Branch: refs/heads/develop Commit: 5206950f474dfa4974e57a46abfb310a64900204 Parents: 8a8bb71 Author: Lisa OwenAuthored: Fri Mar 10 12:47:27 2017 -0800 Committer: Lisa Owen Committed: Fri Mar 10 13:33:05 2017 -0800 -- markdown/admin/ambari-admin.html.md.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/blob/5206950f/markdown/admin/ambari-admin.html.md.erb -- diff --git a/markdown/admin/ambari-admin.html.md.erb b/markdown/admin/ambari-admin.html.md.erb index 901840a..ba69a7d 100644 --- a/markdown/admin/ambari-admin.html.md.erb +++ b/markdown/admin/ambari-admin.html.md.erb @@ -403,7 +403,7 @@ There may be circumstances, such as during dynamic cluster expansion, when you m gpadmin@master$ hawq config -c -v ``` -Perform Steps 2 and 3 for each configuration parameter you set or updated via Ambari. +Perform Steps b and c for each configuration parameter you set or updated via Ambari. 3. Reload the HAWQ configuration; this operation does not restart the cluster:
incubator-hawq-docs git commit: fix typeo
Repository: incubator-hawq-docs Updated Branches: refs/heads/develop c277b272d -> 31fa58542 fix typeo Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/commit/31fa5854 Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/tree/31fa5854 Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/diff/31fa5854 Branch: refs/heads/develop Commit: 31fa5854202f2883c804c8ca295ecb10ab42581a Parents: c277b27 Author: Lisa OwenAuthored: Wed Feb 22 09:44:15 2017 -0800 Committer: Lisa Owen Committed: Wed Feb 22 09:47:07 2017 -0800 -- markdown/reference/cli/admin_utilities/hawqregister.html.md.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/blob/31fa5854/markdown/reference/cli/admin_utilities/hawqregister.html.md.erb -- diff --git a/markdown/reference/cli/admin_utilities/hawqregister.html.md.erb b/markdown/reference/cli/admin_utilities/hawqregister.html.md.erb index a89d2e9..b5711f3 100644 --- a/markdown/reference/cli/admin_utilities/hawqregister.html.md.erb +++ b/markdown/reference/cli/admin_utilities/hawqregister.html.md.erb @@ -58,7 +58,7 @@ The client machine where `hawq register` is executed must meet the following con ## Description -`hawq register` is a utility that loads and registers existing data files or folders in HDFS into HAWQ internal tables, allowing HAWQ to directly read the data and use internal table processing for operations such as transactions and high perforance, without needing to load or copy it. Data from the file or directory specified by \ is loaded into the appropriate HAWQ table directory in HDFS and the utility updates the corresponding HAWQ metadata for the files. +`hawq register` is a utility that loads and registers existing data files or folders in HDFS into HAWQ internal tables, allowing HAWQ to directly read the data and use internal table processing for operations such as transactions and high performance, without needing to load or copy it. Data from the file or directory specified by \ is loaded into the appropriate HAWQ table directory in HDFS and the utility updates the corresponding HAWQ metadata for the files. You can use `hawq register` to: