Posted to dev@hawq.apache.org by janebeckman <gi...@git.apache.org> on 2017/03/29 22:42:24 UTC

[GitHub] incubator-hawq-docs pull request #105: Reconcile Feature/ranger integration ...

GitHub user janebeckman opened a pull request:

    https://github.com/apache/incubator-hawq-docs/pull/105

    Reconcile Feature/ranger integration branches

    

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/janebeckman/incubator-hawq-docs feature/ranger-integration

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/incubator-hawq-docs/pull/105.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #105
    
----
commit d9beb05e9a627891f80a550956a5850709bc43bd
Author: Jane Beckman <jb...@pivotal.io>
Date:   2017-03-28T22:32:45Z

    Expanding info on Ranger config

commit 589e7e5511aecb0c20903ef5cef076d72a4398d3
Author: Jane Beckman <jb...@pivotal.io>
Date:   2017-03-29T18:57:19Z

    Merge branch 'feature/ranger-integration' of https://github.com/apache/incubator-hawq-docs into feature/ranger-integration
    Update with latest on branch.

commit 863d1030cc9376f11887eca89b37365977bf9548
Author: Jane Beckman <jb...@pivotal.io>
Date:   2017-03-29T21:11:46Z

    Remove link to removed section

commit f02d8abc125a0b24df554a33ea3ffea303575ec0
Author: Jane Beckman <jb...@pivotal.io>
Date:   2017-03-29T22:38:37Z

    Grammar fix

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] incubator-hawq-docs pull request #105: Reconcile Feature/ranger integration ...

Posted by dyozie <gi...@git.apache.org>.
Github user dyozie commented on a diff in the pull request:

    https://github.com/apache/incubator-hawq-docs/pull/105#discussion_r108954206
  
    --- Diff: markdown/ranger/ranger-integration-config.html.md.erb ---
    @@ -84,19 +105,28 @@ The following procedures describe each configuration activity.
         gpadmin@master$ hawq stop cluster --reload
         ```
     
    -7. To validate connectivity between Ranger and HAWQ, access the Ranger Admin UI in Ambari, click the edit icon associated with the `hawq` service definition. Ensure that the Active Status is set to Enabled, and click the **Test Connection** button. You should receive a message that Ranger connected succesfully.  If it fails to connect, edit your HAWQ connectivity properties directly in the Ranger Admin UI and re-test the connection.
    +7.  When setup is complete, use the fully-qualified domain name to log into the Ambari server. Use the Ranger link in the left nav to bring up the Ranger Summary pane in the HAWQ Ambari interface. Use the Quick Links to access Ranger. This link will take you to the Ranger Login interface. 
    +
    +8.  Log into the Ranger Access Manager. You will see a list of icons under the Service Manager. Click the click the icon marked `hawq` under the HAWQ icon to validate connectivity between Ranger and HAWQ. A list of HAWQ policies will appear. 
    +
    +9.  Now return to the Service Manager and click the Edit icon on the right, under the HAWQ service icon. Ensure that the Active Status is set to Enabled, and click the **Test Connection** button. You should receive a message that Ranger connected succesfully.  If it fails to connect, you may need to edit your Ranger connection in  `pg_hba.conf,` perform 
    +  ``` bash
    +   hawq restart cluster
    +   ```
    +  and re-test the connection.
     
     
     ## <a id="enable"></a>Step 2: Configure HAWQ to Use Ranger Policy Management
     
    -The default Ranger service definition for HAWQ assigns the HAWQ user (typically `gpadmin`) all privileges to all objects. 
    +The default Ranger service definition for HAWQ assigns the HAWQ administrator (typically `gpadmin`) all privileges to all objects. 
     
    -**Warning**: If you enable HAWQ-Ranger authorization with only the default HAWQ service policies defined, other HAWQ users will have no privileges, even for HAWQ objects (databases, tables) that they own.
    -
    -1. Select the **HAWQ** Service, and then select the **Configs** tab.
    +Once the connection between HAWQ and Ranger is configured, you can either set up policies for the HAWQ users according to the procedures in [Creating HAWQ Authorization Policies in Ranger](ranger-policy-creation.html) or enable Ranger with only the default policies. 
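Review bot: The replacement paragraph at the end of this hunk offers "enable Ranger with only the default policies" as an equal choice but drops the consequence the removed **Warning** spelled out, that other HAWQ users will have no privileges even for objects they own. Keep that consequence next to the new sentence so the loss of access is explicit before anyone enables Ranger. In step 9, `pg_hba.conf,` has the comma inside the code span, "succesfully" is carried over misspelled from the removed line, and the fence opens at two spaces but closes at three; step 8 repeats "Click the click the".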
    --- End diff --
    
    I'm not sure it should be a warning, per se.  I think what should be called out here is that if they had created any additional authorizations using `GRANT` commands, they will no longer apply after enabling ranger, and HAWQ goes back to its initial state of gpadmin-only access.  



[GitHub] incubator-hawq-docs pull request #105: Reconcile Feature/ranger integration ...

Posted by dyozie <gi...@git.apache.org>.
Github user dyozie commented on a diff in the pull request:

    https://github.com/apache/incubator-hawq-docs/pull/105#discussion_r108953203
  
    --- Diff: markdown/ranger/ranger-integration-config.html.md.erb ---
    @@ -84,19 +105,28 @@ The following procedures describe each configuration activity.
         gpadmin@master$ hawq stop cluster --reload
         ```
     
    -7. To validate connectivity between Ranger and HAWQ, access the Ranger Admin UI in Ambari, click the edit icon associated with the `hawq` service definition. Ensure that the Active Status is set to Enabled, and click the **Test Connection** button. You should receive a message that Ranger connected succesfully.  If it fails to connect, edit your HAWQ connectivity properties directly in the Ranger Admin UI and re-test the connection.
    +7.  When setup is complete, use the fully-qualified domain name to log into the Ambari server. Use the Ranger link in the left nav to bring up the Ranger Summary pane in the HAWQ Ambari interface. Use the Quick Links to access Ranger. This link will take you to the Ranger Login interface. 
    +
    +8.  Log into the Ranger Access Manager. You will see a list of icons under the Service Manager. Click the click the icon marked `hawq` under the HAWQ icon to validate connectivity between Ranger and HAWQ. A list of HAWQ policies will appear. 
    +
    +9.  Now return to the Service Manager and click the Edit icon on the right, under the HAWQ service icon. Ensure that the Active Status is set to Enabled, and click the **Test Connection** button. You should receive a message that Ranger connected succesfully.  If it fails to connect, you may need to edit your Ranger connection in  `pg_hba.conf,` perform 
    +  ``` bash
    +   hawq restart cluster
    +   ```
    --- End diff --
    
    Need to add a shell prompt here.



[GitHub] incubator-hawq-docs pull request #105: Reconcile Feature/ranger integration ...

Posted by dyozie <gi...@git.apache.org>.
Github user dyozie commented on a diff in the pull request:

    https://github.com/apache/incubator-hawq-docs/pull/105#discussion_r108952712
  
    --- Diff: markdown/ranger/ranger-integration-config.html.md.erb ---
    @@ -84,19 +105,28 @@ The following procedures describe each configuration activity.
         gpadmin@master$ hawq stop cluster --reload
         ```
     
    -7. To validate connectivity between Ranger and HAWQ, access the Ranger Admin UI in Ambari, click the edit icon associated with the `hawq` service definition. Ensure that the Active Status is set to Enabled, and click the **Test Connection** button. You should receive a message that Ranger connected succesfully.  If it fails to connect, edit your HAWQ connectivity properties directly in the Ranger Admin UI and re-test the connection.
    +7.  When setup is complete, use the fully-qualified domain name to log into the Ambari server. Use the Ranger link in the left nav to bring up the Ranger Summary pane in the HAWQ Ambari interface. Use the Quick Links to access Ranger. This link will take you to the Ranger Login interface. 
    +
    +8.  Log into the Ranger Access Manager. You will see a list of icons under the Service Manager. Click the click the icon marked `hawq` under the HAWQ icon to validate connectivity between Ranger and HAWQ. A list of HAWQ policies will appear. 
    --- End diff --
    
    Let's remove this step - it isn't necessary for validating connectivity.



[GitHub] incubator-hawq-docs pull request #105: Reconcile Feature/ranger integration ...

Posted by dyozie <gi...@git.apache.org>.
Github user dyozie commented on a diff in the pull request:

    https://github.com/apache/incubator-hawq-docs/pull/105#discussion_r108952534
  
    --- Diff: markdown/ranger/ranger-integration-config.html.md.erb ---
    @@ -84,19 +105,28 @@ The following procedures describe each configuration activity.
         gpadmin@master$ hawq stop cluster --reload
         ```
     
    -7. To validate connectivity between Ranger and HAWQ, access the Ranger Admin UI in Ambari, click the edit icon associated with the `hawq` service definition. Ensure that the Active Status is set to Enabled, and click the **Test Connection** button. You should receive a message that Ranger connected succesfully.  If it fails to connect, edit your HAWQ connectivity properties directly in the Ranger Admin UI and re-test the connection.
    +7.  When setup is complete, use the fully-qualified domain name to log into the Ambari server. Use the Ranger link in the left nav to bring up the Ranger Summary pane in the HAWQ Ambari interface. Use the Quick Links to access Ranger. This link will take you to the Ranger Login interface. 
    --- End diff --
    
    A direct URL would be good if that can be generalized.  Otherwise this should probably be broken into multiple steps (there's a lot of UI control going on).  Ideally I don't want us to go too far into navigating the ranger UI itself, except as it relates to our plug-in.



[GitHub] incubator-hawq-docs pull request #105: Reconcile Feature/ranger integration ...

Posted by lisakowen <gi...@git.apache.org>.
Github user lisakowen commented on a diff in the pull request:

    https://github.com/apache/incubator-hawq-docs/pull/105#discussion_r108807397
  
    --- Diff: markdown/ranger/ranger-integration-config.html.md.erb ---
    @@ -30,9 +30,14 @@ The Ranger Administrative UI is installed when you install HDP. You configure th
     
     Installing or upgrading to HAWQ 2.2.0 installs the HAWQ Ranger Plug-in Service, but neither configures nor registers the plug-in.  
     
    -In order to use Ranger for managing HAWQ authentication events, you must first install and register several HAWQ JAR files on the Ranger Administration host. This is a one-time configuration that establishes connectivity to your HAWQ cluster from the Ranger Administration host. After you have registered the JAR files, you enable or disable Ranger integration in HAWQ by setting the `hawq_acl_type` configuration parameter. After Ranger integration is enabled, you must use the Ranger interface to create all security policies to manage access to HAWQ resources. Ranger is pre-populated only with several policies to allow `gpadmin` superuser access to default resources. See [Creating HAWQ Authorization Policies in Ranger](ranger-policy-creation.html) for information about creating policies in Ranger.
    +To use Ranger for managing HAWQ authentication events, you must first install and register several HAWQ JAR files on the Ranger Administration host. This one-time configuration establishes connectivity to your HAWQ cluster from the Ranger Administration host. 
    +
    +The `hawq_acl_type` configuration parameter allows you to shift between managing access policies through the HAWQ native interface or the Ranger policy manager. Ranger is initially started started with the `hawq_acl_type` parameter set to `standalone.` After configuring Ranger access policies, you set the `hawq_acl_type` configuration parameter to `ranger` to enable Ranger policy management. 
    +
    +Once HAWQ Ranger is enabled, access to HAWQ resources is controlled by security policies on Ranger. Access policies must be explicitly set for all groups and users, as Ranger has no knowledge of any access policies set up in the HAWQ native interface and its default is to disallow access. When first integrated, Ranger is only pre-populated with policies that allow `gpadmin` superuser access to default resources. When Ranger is enabled, you cannot manage HAWQ access  through its native interface. 
    --- End diff --
    
    "When Ranger authorization for HAWQ is enabled,"  
    
    i think the original text that was in place here looks good.



[GitHub] incubator-hawq-docs pull request #105: Reconcile Feature/ranger integration ...

Posted by dyozie <gi...@git.apache.org>.
Github user dyozie commented on a diff in the pull request:

    https://github.com/apache/incubator-hawq-docs/pull/105#discussion_r108954400
  
    --- Diff: markdown/ranger/ranger-overview.html.md.erb ---
    @@ -27,11 +27,11 @@ HAWQ supports using Apache Ranger for authorizing user access to HAWQ resources.
     ## <a id="arch"></a>Policy Management Architecture
     Each HAWQ installation includes a Ranger plug-in service to support Ranger Policy management. The Ranger plug-in service implements the Ranger REST API to bridge all requests between the Ranger Policy Manager and a HAWQ instance. 
     
    -HAWQ also provides a JAR library that enables the Ranger Policy Manager to lookup HAWQ metadata (the names of databases, schemas, tables, and so forth) to populate the user interface and assist in creating new policies. This JAR uses a JDBC connection to HAWQ, and requires a one-time registration with the Ranger Policy Manager. See [Configuring HAWQ to use Ranger Policy Management](ranger-integration-config.html#enable). 
    +HAWQ also provides a JAR library that enables the Ranger Policy Manager to lookup HAWQ metadata (the names of databases, schemas, tables, and so forth) to populate the user interface and assist in creating new policies. This JAR uses a JDBC connection to HAWQ, and requires a one-time registration with the Ranger Policy Manager. 
     
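Review bot: The added sentence still tells the reader that the JAR "requires a one-time registration with the Ranger Policy Manager" but, with the link to `ranger-integration-config.html#enable` removed, no longer says where that registration is described. Either keep a pointer to the procedure or drop the requirement from the overview. In the same sentence, "to lookup" should be "to look up".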
    --- End diff --
    
    Per our discussion yesterday, let's reinstate the link in this sentence.



[GitHub] incubator-hawq-docs pull request #105: Reconcile Feature/ranger integration ...

Posted by lisakowen <gi...@git.apache.org>.
Github user lisakowen commented on a diff in the pull request:

    https://github.com/apache/incubator-hawq-docs/pull/105#discussion_r108808070
  
    --- Diff: markdown/ranger/ranger-integration-config.html.md.erb ---
    @@ -84,19 +105,28 @@ The following procedures describe each configuration activity.
         gpadmin@master$ hawq stop cluster --reload
         ```
     
    -7. To validate connectivity between Ranger and HAWQ, access the Ranger Admin UI in Ambari, click the edit icon associated with the `hawq` service definition. Ensure that the Active Status is set to Enabled, and click the **Test Connection** button. You should receive a message that Ranger connected succesfully.  If it fails to connect, edit your HAWQ connectivity properties directly in the Ranger Admin UI and re-test the connection.
    +7.  When setup is complete, use the fully-qualified domain name to log into the Ambari server. Use the Ranger link in the left nav to bring up the Ranger Summary pane in the HAWQ Ambari interface. Use the Quick Links to access Ranger. This link will take you to the Ranger Login interface. 
    --- End diff --
    
    should we just identify the direct ranger URL here?
    
    in any case, could bold the specific ambari items you are talking about.



[GitHub] incubator-hawq-docs pull request #105: Reconcile Feature/ranger integration ...

Posted by lisakowen <gi...@git.apache.org>.
Github user lisakowen commented on a diff in the pull request:

    https://github.com/apache/incubator-hawq-docs/pull/105#discussion_r108807764
  
    --- Diff: markdown/ranger/ranger-integration-config.html.md.erb ---
    @@ -70,9 +75,25 @@ The following procedures describe each configuration activity.
         gpadmin@master$ ./enable-ranger-plugin.sh -r ranger_host:6080 -u admin -p admin -h hawq_master:5432 -w gpadmin -q gpadmin
         ```
         
    +    ***Note*** You can also enter the short form of the command: `./enable-ranger-plugin.sh -r` and the script will prompt you for entries. 
    +    
         When the script completes, the default HAWQ service definition is registered in the Ranger Admin UI. This service definition is named `hawq`.
     
    -6. Edit the `pg_hba.conf` file on the HAWQ master node to configure HAWQ access for \<hawq_user\> on the \<ranger-admin-node\>. For example, you would add an entry similar to the following for the example `enable-ranger-plugin.sh` call above:
    +6. Locate the `pg_hba.conf` file on the HAWQ master node:
    + 
    +    ``` bash
    +    $ hawq config --show hawq_master_directory
    +     GUC		: hawq_master_directory
    +     Value		: /data/hawq/master
    +     $ ls /data/hawq/master
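Review bot: In the added Note, `./enable-ranger-plugin.sh -r` is shown with `-r` and no value, while the full command in the context line above passes `-r ranger_host:6080`; state whether the short form takes the Ranger host after `-r` or prompts for it as well. The Note could also say that the prompt form keeps the values passed with `-u`, `-p`, `-w` and `-q` off the command line. In the new step 6 block, the prompt is a bare `$` where the earlier commands use `gpadmin@master$`, and the `$ ls` line is indented one space more than the `$ hawq config` line, so it lines up with the output rather than with the command.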
    --- End diff --
    
     will listing the directory contents help the user?  i find it kind of distracting.



[GitHub] incubator-hawq-docs pull request #105: Reconcile Feature/ranger integration ...

Posted by lisakowen <gi...@git.apache.org>.
Github user lisakowen commented on a diff in the pull request:

    https://github.com/apache/incubator-hawq-docs/pull/105#discussion_r108807083
  
    --- Diff: markdown/ranger/ranger-integration-config.html.md.erb ---
    @@ -30,9 +30,14 @@ The Ranger Administrative UI is installed when you install HDP. You configure th
     
     Installing or upgrading to HAWQ 2.2.0 installs the HAWQ Ranger Plug-in Service, but neither configures nor registers the plug-in.  
     
    -In order to use Ranger for managing HAWQ authentication events, you must first install and register several HAWQ JAR files on the Ranger Administration host. This is a one-time configuration that establishes connectivity to your HAWQ cluster from the Ranger Administration host. After you have registered the JAR files, you enable or disable Ranger integration in HAWQ by setting the `hawq_acl_type` configuration parameter. After Ranger integration is enabled, you must use the Ranger interface to create all security policies to manage access to HAWQ resources. Ranger is pre-populated only with several policies to allow `gpadmin` superuser access to default resources. See [Creating HAWQ Authorization Policies in Ranger](ranger-policy-creation.html) for information about creating policies in Ranger.
    +To use Ranger for managing HAWQ authentication events, you must first install and register several HAWQ JAR files on the Ranger Administration host. This one-time configuration establishes connectivity to your HAWQ cluster from the Ranger Administration host. 
    +
    +The `hawq_acl_type` configuration parameter allows you to shift between managing access policies through the HAWQ native interface or the Ranger policy manager. Ranger is initially started started with the `hawq_acl_type` parameter set to `standalone.` After configuring Ranger access policies, you set the `hawq_acl_type` configuration parameter to `ranger` to enable Ranger policy management. 
    +
    +Once HAWQ Ranger is enabled, access to HAWQ resources is controlled by security policies on Ranger. Access policies must be explicitly set for all groups and users, as Ranger has no knowledge of any access policies set up in the HAWQ native interface and its default is to disallow access. When first integrated, Ranger is only pre-populated with policies that allow `gpadmin` superuser access to default resources. When Ranger is enabled, you cannot manage HAWQ access  through its native interface. 
    +See [Creating HAWQ Authorization Policies in Ranger](ranger-policy-creation.html) for information about creating policies in Ranger.
     
    -The following procedures describe each configuration activity.
    +Perform the following procedures to configure your Ranger interface.
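Review bot: The first added paragraph still says Ranger manages HAWQ "authentication events", while the rest of the added text describes access policies; use "authorization" there, since the two are different controls. In the second added paragraph, `standalone.` carries the sentence period inside the code span, so it reads as part of the `hawq_acl_type` value, and "started started" is doubled. The third added paragraph states that access is disallowed by default once Ranger is enabled; consider moving that statement ahead of the instruction to set `hawq_acl_type` to `ranger`, because the reader needs it before taking that step.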
    --- End diff --
    
    to "register the HAWQ Ranger Plug-in Service and enable Ranger authorization for HAWQ."



[GitHub] incubator-hawq-docs pull request #105: Reconcile Feature/ranger integration ...

Posted by janebeckman <gi...@git.apache.org>.
Github user janebeckman commented on a diff in the pull request:

    https://github.com/apache/incubator-hawq-docs/pull/105#discussion_r109005017
  
    --- Diff: markdown/ranger/ranger-integration-config.html.md.erb ---
    @@ -84,19 +105,28 @@ The following procedures describe each configuration activity.
         gpadmin@master$ hawq stop cluster --reload
         ```
     
    -7. To validate connectivity between Ranger and HAWQ, access the Ranger Admin UI in Ambari, click the edit icon associated with the `hawq` service definition. Ensure that the Active Status is set to Enabled, and click the **Test Connection** button. You should receive a message that Ranger connected succesfully.  If it fails to connect, edit your HAWQ connectivity properties directly in the Ranger Admin UI and re-test the connection.
    +7.  When setup is complete, use the fully-qualified domain name to log into the Ambari server. Use the Ranger link in the left nav to bring up the Ranger Summary pane in the HAWQ Ambari interface. Use the Quick Links to access Ranger. This link will take you to the Ranger Login interface. 
    +
    +8.  Log into the Ranger Access Manager. You will see a list of icons under the Service Manager. Click the click the icon marked `hawq` under the HAWQ icon to validate connectivity between Ranger and HAWQ. A list of HAWQ policies will appear. 
    +
    +9.  Now return to the Service Manager and click the Edit icon on the right, under the HAWQ service icon. Ensure that the Active Status is set to Enabled, and click the **Test Connection** button. You should receive a message that Ranger connected succesfully.  If it fails to connect, you may need to edit your Ranger connection in  `pg_hba.conf,` perform 
    +  ``` bash
    --- End diff --
    
    Was copying something Vineet said. But I think that he corrected himself on that, recently. So changing to reload.



[GitHub] incubator-hawq-docs pull request #105: Reconcile Feature/ranger integration ...

Posted by lisakowen <gi...@git.apache.org>.
Github user lisakowen commented on a diff in the pull request:

    https://github.com/apache/incubator-hawq-docs/pull/105#discussion_r108808330
  
    --- Diff: markdown/ranger/ranger-integration-config.html.md.erb ---
    @@ -84,19 +105,28 @@ The following procedures describe each configuration activity.
         gpadmin@master$ hawq stop cluster --reload
         ```
     
    -7. To validate connectivity between Ranger and HAWQ, access the Ranger Admin UI in Ambari, click the edit icon associated with the `hawq` service definition. Ensure that the Active Status is set to Enabled, and click the **Test Connection** button. You should receive a message that Ranger connected succesfully.  If it fails to connect, edit your HAWQ connectivity properties directly in the Ranger Admin UI and re-test the connection.
    +7.  When setup is complete, use the fully-qualified domain name to log into the Ambari server. Use the Ranger link in the left nav to bring up the Ranger Summary pane in the HAWQ Ambari interface. Use the Quick Links to access Ranger. This link will take you to the Ranger Login interface. 
    +
    +8.  Log into the Ranger Access Manager. You will see a list of icons under the Service Manager. Click the click the icon marked `hawq` under the HAWQ icon to validate connectivity between Ranger and HAWQ. A list of HAWQ policies will appear. 
    +
    +9.  Now return to the Service Manager and click the Edit icon on the right, under the HAWQ service icon. Ensure that the Active Status is set to Enabled, and click the **Test Connection** button. You should receive a message that Ranger connected succesfully.  If it fails to connect, you may need to edit your Ranger connection in  `pg_hba.conf,` perform 
    +  ``` bash
    --- End diff --
    
    formatting issue and spelling error (successfully)
    
    also, when updating pg_hba.conf, should be able to do a reload (don't have to restart).



[GitHub] incubator-hawq-docs pull request #105: Reconcile Feature/ranger integration ...

Posted by lisakowen <gi...@git.apache.org>.
Github user lisakowen commented on a diff in the pull request:

    https://github.com/apache/incubator-hawq-docs/pull/105#discussion_r108807630
  
    --- Diff: markdown/ranger/ranger-integration-config.html.md.erb ---
    @@ -70,9 +75,25 @@ The following procedures describe each configuration activity.
         gpadmin@master$ ./enable-ranger-plugin.sh -r ranger_host:6080 -u admin -p admin -h hawq_master:5432 -w gpadmin -q gpadmin
         ```
         
    +    ***Note*** You can also enter the short form of the command: `./enable-ranger-plugin.sh -r` and the script will prompt you for entries. 
    +    
         When the script completes, the default HAWQ service definition is registered in the Ranger Admin UI. This service definition is named `hawq`.
     
    -6. Edit the `pg_hba.conf` file on the HAWQ master node to configure HAWQ access for \<hawq_user\> on the \<ranger-admin-node\>. For example, you would add an entry similar to the following for the example `enable-ranger-plugin.sh` call above:
    +6. Locate the `pg_hba.conf` file on the HAWQ master node:
    --- End diff --
    
    let's use the shell prompt and formatting like previous commands.



[GitHub] incubator-hawq-docs pull request #105: Reconcile Feature/ranger integration ...

Posted by lisakowen <gi...@git.apache.org>.
Github user lisakowen commented on a diff in the pull request:

    https://github.com/apache/incubator-hawq-docs/pull/105#discussion_r108809069
  
    --- Diff: markdown/ranger/ranger-integration-config.html.md.erb ---
    @@ -84,19 +105,28 @@ The following procedures describe each configuration activity.
         gpadmin@master$ hawq stop cluster --reload
         ```
     
    -7. To validate connectivity between Ranger and HAWQ, access the Ranger Admin UI in Ambari, click the edit icon associated with the `hawq` service definition. Ensure that the Active Status is set to Enabled, and click the **Test Connection** button. You should receive a message that Ranger connected succesfully.  If it fails to connect, edit your HAWQ connectivity properties directly in the Ranger Admin UI and re-test the connection.
    +7.  When setup is complete, use the fully-qualified domain name to log into the Ambari server. Use the Ranger link in the left nav to bring up the Ranger Summary pane in the HAWQ Ambari interface. Use the Quick Links to access Ranger. This link will take you to the Ranger Login interface. 
    +
    +8.  Log into the Ranger Access Manager. You will see a list of icons under the Service Manager. Click the click the icon marked `hawq` under the HAWQ icon to validate connectivity between Ranger and HAWQ. A list of HAWQ policies will appear. 
    +
    +9.  Now return to the Service Manager and click the Edit icon on the right, under the HAWQ service icon. Ensure that the Active Status is set to Enabled, and click the **Test Connection** button. You should receive a message that Ranger connected succesfully.  If it fails to connect, you may need to edit your Ranger connection in  `pg_hba.conf,` perform 
    +  ``` bash
    +   hawq restart cluster
    +   ```
    +  and re-test the connection.
     
     
     ## <a id="enable"></a>Step 2: Configure HAWQ to Use Ranger Policy Management
     
    -The default Ranger service definition for HAWQ assigns the HAWQ user (typically `gpadmin`) all privileges to all objects. 
    +The default Ranger service definition for HAWQ assigns the HAWQ administrator (typically `gpadmin`) all privileges to all objects. 
     
    -**Warning**: If you enable HAWQ-Ranger authorization with only the default HAWQ service policies defined, other HAWQ users will have no privileges, even for HAWQ objects (databases, tables) that they own.
    -
    -1. Select the **HAWQ** Service, and then select the **Configs** tab.
    +Once the connection between HAWQ and Ranger is configured, you can either set up policies for the HAWQ users according to the procedures in [Creating HAWQ Authorization Policies in Ranger](ranger-policy-creation.html) or enable Ranger with only the default policies. 
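Review bot: In Step 2, the removed **Warning** said that with only the default service policies other HAWQ users have no privileges, even for objects they own, and the added sentence now offers "enable Ranger with only the default policies" as an equal option without stating that consequence. Keep the warning next to the new sentence, or drop the second option. In step 9, the fence opens at two spaces of indent and closes at three, the comma sits inside the code span in `pg_hba.conf,`, and the remedy is `hawq restart cluster` while the context line above uses `hawq stop cluster --reload`; say which of the two a `pg_hba.conf` edit needs.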
    --- End diff --
    
    I don't think we want to imply it is OK to enable Ranger with just the default policies in place.  Maybe we want to enhance the warning.



[GitHub] incubator-hawq-docs pull request #105: Reconcile Feature/ranger integration ...

Posted by lisakowen <gi...@git.apache.org>.
Github user lisakowen commented on a diff in the pull request:

    https://github.com/apache/incubator-hawq-docs/pull/105#discussion_r108808162
  
    --- Diff: markdown/ranger/ranger-integration-config.html.md.erb ---
    @@ -84,19 +105,28 @@ The following procedures describe each configuration activity.
         gpadmin@master$ hawq stop cluster --reload
         ```
     
    -7. To validate connectivity between Ranger and HAWQ, access the Ranger Admin UI in Ambari, click the edit icon associated with the `hawq` service definition. Ensure that the Active Status is set to Enabled, and click the **Test Connection** button. You should receive a message that Ranger connected succesfully.  If it fails to connect, edit your HAWQ connectivity properties directly in the Ranger Admin UI and re-test the connection.
    +7.  When setup is complete, use the fully-qualified domain name to log into the Ambari server. Use the Ranger link in the left nav to bring up the Ranger Summary pane in the HAWQ Ambari interface. Use the Quick Links to access Ranger. This link will take you to the Ranger Login interface. 
    +
    +8.  Log into the Ranger Access Manager. You will see a list of icons under the Service Manager. Click the click the icon marked `hawq` under the HAWQ icon to validate connectivity between Ranger and HAWQ. A list of HAWQ policies will appear. 
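Review bot: Step 8 says that clicking the `hawq` icon validates connectivity between Ranger and HAWQ, but the only connectivity check visible in this hunk is the **Test Connection** button in the removed step 7. Either move the validation claim to the step that runs Test Connection, or say what the appearance of the policy list is meant to prove. The step also repeats "Click the click the".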
    --- End diff --
    
    Not sure why we want to have them look at the policies here?



[GitHub] incubator-hawq-docs pull request #105: Reconcile Feature/ranger integration ...

Posted by janebeckman <gi...@git.apache.org>.
Github user janebeckman closed the pull request at:

    https://github.com/apache/incubator-hawq-docs/pull/105



[GitHub] incubator-hawq-docs pull request #105: Reconcile Feature/ranger integration ...

Posted by dyozie <gi...@git.apache.org>.
Github user dyozie commented on a diff in the pull request:

    https://github.com/apache/incubator-hawq-docs/pull/105#discussion_r108954571
  
    --- Diff: markdown/ranger/ranger-overview.html.md.erb ---
    @@ -27,11 +27,11 @@ HAWQ supports using Apache Ranger for authorizing user access to HAWQ resources.
     ## <a id="arch"></a>Policy Management Architecture
     Each HAWQ installation includes a Ranger plug-in service to support Ranger Policy management. The Ranger plug-in service implements the Ranger REST API to bridge all requests between the Ranger Policy Manager and a HAWQ instance. 
     
    -HAWQ also provides a JAR library that enables the Ranger Policy Manager to lookup HAWQ metadata (the names of databases, schemas, tables, and so forth) to populate the user interface and assist in creating new policies. This JAR uses a JDBC connection to HAWQ, and requires a one-time registration with the Ranger Policy Manager. See [Configuring HAWQ to use Ranger Policy Management](ranger-integration-config.html#enable). 
    +HAWQ also provides a JAR library that enables the Ranger Policy Manager to lookup HAWQ metadata (the names of databases, schemas, tables, and so forth) to populate the user interface and assist in creating new policies. This JAR uses a JDBC connection to HAWQ, and requires a one-time registration with the Ranger Policy Manager. 
     
     A single configuration parameter, `hawq_acl_type` determines whether HAWQ defers all policy management to Ranger via the plug-in service, or whether HAWQ handles authorization natively using catalog tables. By default, HAWQ uses SQL commands to create all access policies, and the policy information is stored in catalog tables.  When you enable Ranger integration for policy management, any authorization policies that you have configured in HAWQ using SQL no longer apply to your installation; you must create new policies using the Ranger interface. See [Creating HAWQ Authorization Policies in Ranger](ranger-policy-creation.html)
     
    -The Ranger plug-in service caches Ranger policies locally on each HAWQ node to avoid unnecessary round trips between the HAWQ node and the Ranger Policy Manager server. You can use the configuration parameter `that` to control how frequently the plug-in service contacts the Ranger Policy Manager to refresh cached policies. See [Changing the Frequency of Policy Caching](ranger-integration-config.html#caching).
    +The Ranger plug-in service caches Ranger policies locally on each HAWQ node to avoid unnecessary round trips between the HAWQ node and the Ranger Policy Manager server. You can use the configuration parameter `that` to control how frequently the plug-in service contacts the Ranger Policy Manager to refresh cached policies.
     
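Review bot: The caching paragraph still names the refresh setting as the configuration parameter `that`, which reads as a placeholder, and this change removes the "Changing the Frequency of Policy Caching" link that would have led the reader to the real name. Put the actual parameter name in the sentence, or keep the link until the name is filled in. The link to `ranger-integration-config.html#enable` is dropped from the JAR paragraph as well, which leaves the "one-time registration" without a pointer to its procedure.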
    --- End diff --
    
    Let's keep this link as well.



[GitHub] incubator-hawq-docs pull request #105: Reconcile Feature/ranger integration ...

Posted by janebeckman <gi...@git.apache.org>.
Github user janebeckman commented on a diff in the pull request:

    https://github.com/apache/incubator-hawq-docs/pull/105#discussion_r109002711
  
    --- Diff: markdown/ranger/ranger-integration-config.html.md.erb ---
    @@ -84,19 +105,28 @@ The following procedures describe each configuration activity.
         gpadmin@master$ hawq stop cluster --reload
         ```
     
    -7. To validate connectivity between Ranger and HAWQ, access the Ranger Admin UI in Ambari, click the edit icon associated with the `hawq` service definition. Ensure that the Active Status is set to Enabled, and click the **Test Connection** button. You should receive a message that Ranger connected succesfully.  If it fails to connect, edit your HAWQ connectivity properties directly in the Ranger Admin UI and re-test the connection.
    +7.  When setup is complete, use the fully-qualified domain name to log into the Ambari server. Use the Ranger link in the left nav to bring up the Ranger Summary pane in the HAWQ Ambari interface. Use the Quick Links to access Ranger. This link will take you to the Ranger Login interface. 
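Review bot: Step 7 says "use the fully-qualified domain name" without saying which host's name is meant or what address to open, so the reader cannot tell whether the Ambari server or the Ranger host is intended. Name the host and give the address form. "the HAWQ Ambari interface" and "left nav" could also be replaced with the labels the reader will actually see in the UI.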
    --- End diff --
    
    Something like "Open http://<fully-qualified domain name>:6080/ in your browser to access the Ranger UI"? Or leave for now and close the pull request and revisit?



[GitHub] incubator-hawq-docs pull request #105: Reconcile Feature/ranger integration ...

Posted by dyozie <gi...@git.apache.org>.
Github user dyozie commented on a diff in the pull request:

    https://github.com/apache/incubator-hawq-docs/pull/105#discussion_r108951788
  
    --- Diff: markdown/ranger/ranger-integration-config.html.md.erb ---
    @@ -70,9 +75,25 @@ The following procedures describe each configuration activity.
         gpadmin@master$ ./enable-ranger-plugin.sh -r ranger_host:6080 -u admin -p admin -h hawq_master:5432 -w gpadmin -q gpadmin
         ```
         
    +    ***Note*** You can also enter the short form of the command: `./enable-ranger-plugin.sh -r` and the script will prompt you for entries. 
    +    
         When the script completes, the default HAWQ service definition is registered in the Ranger Admin UI. This service definition is named `hawq`.
     
    -6. Edit the `pg_hba.conf` file on the HAWQ master node to configure HAWQ access for \<hawq_user\> on the \<ranger-admin-node\>. For example, you would add an entry similar to the following for the example `enable-ranger-plugin.sh` call above:
    +6. Locate the `pg_hba.conf` file on the HAWQ master node:
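Review bot: The added note gives the short form as `./enable-ranger-plugin.sh -r`, but in the example above `-r` takes the value `ranger_host:6080`, so it is unclear whether the short form is `-r` alone or `-r ranger_host:6080`. Spell out the exact invocation and list what the script prompts for; if that includes the `-p` and `-q` passwords, say so, since prompting keeps them out of shell history and the process list. The marker `***Note***` also has no colon after it, so the note text runs straight on from the label.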
    --- End diff --
    
    Yes - `gpadmin@master$` here



[GitHub] incubator-hawq-docs pull request #105: Reconcile Feature/ranger integration ...

Posted by dyozie <gi...@git.apache.org>.
Github user dyozie commented on a diff in the pull request:

    https://github.com/apache/incubator-hawq-docs/pull/105#discussion_r108951165
  
    --- Diff: markdown/ranger/ranger-integration-config.html.md.erb ---
    @@ -30,9 +30,14 @@ The Ranger Administrative UI is installed when you install HDP. You configure th
     
     Installing or upgrading to HAWQ 2.2.0 installs the HAWQ Ranger Plug-in Service, but neither configures nor registers the plug-in.  
     
    -In order to use Ranger for managing HAWQ authentication events, you must first install and register several HAWQ JAR files on the Ranger Administration host. This is a one-time configuration that establishes connectivity to your HAWQ cluster from the Ranger Administration host. After you have registered the JAR files, you enable or disable Ranger integration in HAWQ by setting the `hawq_acl_type` configuration parameter. After Ranger integration is enabled, you must use the Ranger interface to create all security policies to manage access to HAWQ resources. Ranger is pre-populated only with several policies to allow `gpadmin` superuser access to default resources. See [Creating HAWQ Authorization Policies in Ranger](ranger-policy-creation.html) for information about creating policies in Ranger.
    +To use Ranger for managing HAWQ authentication events, you must first install and register several HAWQ JAR files on the Ranger Administration host. This one-time configuration establishes connectivity to your HAWQ cluster from the Ranger Administration host. 
    +
    +The `hawq_acl_type` configuration parameter allows you to shift between managing access policies through the HAWQ native interface or the Ranger policy manager. Ranger is initially started started with the `hawq_acl_type` parameter set to `standalone.` After configuring Ranger access policies, you set the `hawq_acl_type` configuration parameter to `ranger` to enable Ranger policy management. 
    +
    +Once HAWQ Ranger is enabled, access to HAWQ resources is controlled by security policies on Ranger. Access policies must be explicitly set for all groups and users, as Ranger has no knowledge of any access policies set up in the HAWQ native interface and its default is to disallow access. When first integrated, Ranger is only pre-populated with policies that allow `gpadmin` superuser access to default resources. When Ranger is enabled, you cannot manage HAWQ access  through its native interface. 
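Review bot: The third added paragraph says policies must be set explicitly for all groups and users because Ranger's default is to disallow access, yet the change drops the link to "Creating HAWQ Authorization Policies in Ranger" that the removed paragraph carried. Restore the link at the end of that paragraph. The first added sentence also keeps "managing HAWQ authentication events" while everything after it describes access policies, so "authorization" looks like the intended word.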
    --- End diff --
    
    I agree - let's not get into too much detail here.



[GitHub] incubator-hawq-docs pull request #105: Reconcile Feature/ranger integration ...

Posted by lisakowen <gi...@git.apache.org>.
Github user lisakowen commented on a diff in the pull request:

    https://github.com/apache/incubator-hawq-docs/pull/105#discussion_r108806756
  
    --- Diff: markdown/ranger/ranger-integration-config.html.md.erb ---
    @@ -30,9 +30,14 @@ The Ranger Administrative UI is installed when you install HDP. You configure th
     
     Installing or upgrading to HAWQ 2.2.0 installs the HAWQ Ranger Plug-in Service, but neither configures nor registers the plug-in.  
     
    -In order to use Ranger for managing HAWQ authentication events, you must first install and register several HAWQ JAR files on the Ranger Administration host. This is a one-time configuration that establishes connectivity to your HAWQ cluster from the Ranger Administration host. After you have registered the JAR files, you enable or disable Ranger integration in HAWQ by setting the `hawq_acl_type` configuration parameter. After Ranger integration is enabled, you must use the Ranger interface to create all security policies to manage access to HAWQ resources. Ranger is pre-populated only with several policies to allow `gpadmin` superuser access to default resources. See [Creating HAWQ Authorization Policies in Ranger](ranger-policy-creation.html) for information about creating policies in Ranger.
    +To use Ranger for managing HAWQ authentication events, you must first install and register several HAWQ JAR files on the Ranger Administration host. This one-time configuration establishes connectivity to your HAWQ cluster from the Ranger Administration host. 
    +
    +The `hawq_acl_type` configuration parameter allows you to shift between managing access policies through the HAWQ native interface or the Ranger policy manager. Ranger is initially started started with the `hawq_acl_type` parameter set to `standalone.` After configuring Ranger access policies, you set the `hawq_acl_type` configuration parameter to `ranger` to enable Ranger policy management. 
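Review bot: In the second added paragraph, "Ranger is initially started started with the `hawq_acl_type` parameter set to `standalone.`" repeats "started", puts the period inside the code span so the value reads as `standalone.`, and makes Ranger the subject of a parameter that the removed text sets in HAWQ. Something like "HAWQ starts with `hawq_acl_type` set to `standalone`" would fix all three.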
    --- End diff --
    
    As this is an intro, something like "The hawq_acl_type server configuration parameter controls the mode of authorization in place for HAWQ.  HAWQ uses native authorization by default. You can enable Ranger authorization with this parameter."  I don't think you need to get into the values here.

