Posted to issues@hawq.apache.org by "Lili Ma (JIRA)" <ji...@apache.org> on 2016/09/01 09:45:20 UTC

[jira] [Commented] (HAWQ-1036) Support user impersonation in PXF for external tables

    [ https://issues.apache.org/jira/browse/HAWQ-1036?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15454926#comment-15454926 ] 

Lili Ma commented on HAWQ-1036:
-------------------------------

Hello, I think passing down user identity is quite an important area.
I have several questions about this:
1. If we pass the privilege check down to HDFS or Hive, what about the objects which don't map to data storage, for example, language, function, schema, etc.?
2. For a table object, how can we map the privilege to storage if the underlying storage is HDFS? For example, for a table, we may have create/select/insert/update/delete (although HAWQ doesn't support update/delete now, it may support these features later), while for an HDFS file, we only have create/read/write/append. How shall we map them?
3. Does the privilege check in this way happen during query execution? I think HAWQ-256 does this in the planning period.
4. What if the Ranger admin wants to assign a table created by userA to userB? Does he need to find out the underlying file folder and assign that folder's privileges to userB? If yes, then he has to know the mapping between the HAWQ table and HDFS files. Right?
5. Currently my understanding of the PXF design is that it uses a special user identity? What will happen after the change? Will multiple users have access to the external storage? What if we support S3 in the future? Does S3 need to give the privileges to all the users in HAWQ?

Thanks
Lili


> Support user impersonation in PXF for external tables
> -----------------------------------------------------
>
>                 Key: HAWQ-1036
>                 URL: https://issues.apache.org/jira/browse/HAWQ-1036
>             Project: Apache HAWQ
>          Issue Type: New Feature
>          Components: PXF, Security
>            Reporter: Alastair "Bell" Turner
>            Assignee: Goden Yao
>            Priority: Critical
>             Fix For: backlog
>
>         Attachments: HAWQ_Impersonation_rationale.txt
>
>
> Currently HAWQ executes all queries as the user running the HAWQ process or the user running the PXF process, not as the user who issued the query via ODBC/JDBC/... This restricts the options available for integrating with existing security defined in HDFS, Hive, etc.
> Impersonation provides an alternative Ranger integration (as discussed in HAWQ-256) for consistent security across HAWQ, HDFS, Hive...



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)