You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@hawq.apache.org by zhangh43 <gi...@git.apache.org> on 2017/05/27 09:41:56 UTC

[GitHub] incubator-hawq pull request #1245: HAWQ-1476. Augment enable-ranger-plugin.s...

GitHub user zhangh43 opened a pull request:

    https://github.com/apache/incubator-hawq/pull/1245

    HAWQ-1476. Augment enable-ranger-plugin.sh to support kerberos.

    Now ranger can lookup hawq resource in kerberized environment. So we also need to change enable-ranger-plugin.sh to support automatically fill the authentication type and hawq kerberos service name fields


You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/zhangh43/incubator-hawq hawq1476

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/incubator-hawq/pull/1245.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1245
    
----
commit fd79c3cccce3322e2d9cf8a58cebbbb755a1d8a0
Author: hubertzhang <hu...@apache.org>
Date:   2017-05-27T09:40:51Z

    HAWQ-1476. Augment enable-ranger-plugin.sh to support kerberos.

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] incubator-hawq pull request #1245: HAWQ-1476. Augment enable-ranger-plugin.s...

Posted by ictmalili <gi...@git.apache.org>.

Github user ictmalili commented on a diff in the pull request:

    https://github.com/apache/incubator-hawq/pull/1245#discussion_r119541625
  
    --- Diff: ranger-plugin/scripts/enable-ranger-plugin.sh ---
    @@ -20,7 +20,7 @@
     #
     
     function usage() {
    -  echo "USAGE: enable-ranger-plugin.sh -r ranger_host:ranger_port -u ranger_user -p ranger_password [-h hawq_host:hawq_port] -w hawq_user -q hawq_password"
    +  echo "USAGE: enable-ranger-plugin.sh -r ranger_host:ranger_port -u ranger_user -p ranger_password [-h hawq_host:hawq_port -c hawq_kerberos_service_name] -w hawq_user -q hawq_password -t lookup_authentication_type"
       exit 1
     }
    --- End diff --
    
    I think "-t lookup_authentication_type" should be moved in front of "-c hawq_kerberos_service_name", and should also be marked as optional with default value "simple". 
    "-c hawq_kerberos_service_name" can be changed to "-s", since it indicates the service name.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] incubator-hawq pull request #1245: HAWQ-1476. Augment enable-ranger-plugin.s...

Posted by ictmalili <gi...@git.apache.org>.

Github user ictmalili commented on a diff in the pull request:

    https://github.com/apache/incubator-hawq/pull/1245#discussion_r119519516
  
    --- Diff: ranger-plugin/conf/ranger-servicedef-hawq.json ---
    @@ -244,7 +244,7 @@
           "name": "authentication",
           "type": "enum",
           "subType": "authType",
    -      "mandatory": false,
    +      "mandatory": true,
    --- End diff --
    
    Yes, we aim to update the connection to HAWQ using Kerberos when Kerberos authentication is set in pg_hba.conf. 
    Why don't Ambari change pg_hba.conf in HAWQ once Kerberos is setup? I think we need protect connection to HAWQ.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] incubator-hawq issue #1245: HAWQ-1476. Augment enable-ranger-plugin.sh to su...

Posted by ictmalili <gi...@git.apache.org>.

Github user ictmalili commented on the issue:

    https://github.com/apache/incubator-hawq/pull/1245
  
    LGTM. +1


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] incubator-hawq pull request #1245: HAWQ-1476. Augment enable-ranger-plugin.s...

Posted by zhangh43 <gi...@git.apache.org>.

Github user zhangh43 closed the pull request at:

    https://github.com/apache/incubator-hawq/pull/1245


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] incubator-hawq pull request #1245: HAWQ-1476. Augment enable-ranger-plugin.s...

Posted by denalex <gi...@git.apache.org>.

Github user denalex commented on a diff in the pull request:

    https://github.com/apache/incubator-hawq/pull/1245#discussion_r119155000
  
    --- Diff: ranger-plugin/conf/ranger-servicedef-hawq.json ---
    @@ -244,7 +244,7 @@
           "name": "authentication",
           "type": "enum",
           "subType": "authType",
    -      "mandatory": false,
    +      "mandatory": true,
    --- End diff --
    
    are we doing this lookup-side Kerberos support in case where HAWQ authentication is set to Kerberos in pg_hba.conf ? This is not supported by default when we kerberize the cluster, so usually when the whole cluster (including HAWQ) is secured, password based connection to HAWQ will still work and kerberos-based connection will not be setup by default.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] incubator-hawq pull request #1245: HAWQ-1476. Augment enable-ranger-plugin.s...

Posted by denalex <gi...@git.apache.org>.

Github user denalex commented on a diff in the pull request:

    https://github.com/apache/incubator-hawq/pull/1245#discussion_r119684260
  
    --- Diff: ranger-plugin/conf/ranger-servicedef-hawq.json ---
    @@ -244,7 +244,7 @@
           "name": "authentication",
           "type": "enum",
           "subType": "authType",
    -      "mandatory": false,
    +      "mandatory": true,
    --- End diff --
    
    We have decided a while ago to not touch pg_hba.conf in Ambari, because users might have their own entries there and this is a very sensitive file. A viable approach might've been to manage all entries in pg_hba.conf via Ambari, but that required extra work.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] incubator-hawq pull request #1245: HAWQ-1476. Augment enable-ranger-plugin.s...

Posted by stanlyxiang <gi...@git.apache.org>.

Github user stanlyxiang commented on a diff in the pull request:

    https://github.com/apache/incubator-hawq/pull/1245#discussion_r118834619
  
    --- Diff: ranger-plugin/scripts/enable-ranger-plugin.sh ---
    @@ -20,7 +20,7 @@
     #
     
     function usage() {
    -  echo "USAGE: enable-ranger-plugin.sh -r ranger_host:ranger_port -u ranger_user -p ranger_password [-h hawq_host:hawq_port] -w hawq_user -q hawq_password"
    +  echo "USAGE: enable-ranger-plugin.sh -r ranger_host:ranger_port -u ranger_user -p ranger_password [-h hawq_host:hawq_port -c hawq_kerberos_service_name] -w hawq_user -q hawq_password -t lookup_authentication_type"
    --- End diff --
    
    since lookup_authentication_type will determine whether to have option "-c hawq_kerberos_service_name", I think it would be better to place option "lookup_authentication_type" before "-c hawq_kerberos_service_name".


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---