You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@hawq.apache.org by "Lili Ma (JIRA)" <ji...@apache.org> on 2016/07/14 07:20:20 UTC
[jira] [Comment Edited] (HAWQ-256) Integrate Security with Apache
Ranger
[ https://issues.apache.org/jira/browse/HAWQ-256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15376472#comment-15376472 ]
Lili Ma edited comment on HAWQ-256 at 7/14/16 7:19 AM:
-------------------------------------------------------
[~bosco] Thanks for your answer :)
1. Yes, it's good for Ranger to import user list from component. Why I expose this question is that I noticed that Ranger has provided a function "Add New User" under tab "Settings/Users/Groups". Does it mean Ranger also supports creating user in Ranger itself?
2. Grant privilege from just one side is relatively easy and clear. What we need to discuss is which side we allow granting privilege, HAWQ, or Ranger? As you said, HAWQ side is a good choice since there's no change in admin behavior.
3. I also thinks it would be simple if we don't consider Ranger down or Ranger not exist problem. What about the scenarios that user don't intend to install Ranger? Are users are all fine with Ranger? Currently the ACL information is stored in HAWQ catalog. Shall we remove the catalog information if we provide Ranger support?
4. Yes, LDAP/AD is a potential good solution for us :)
5. So In Hive and HBase, the grant operations are all done in the database side instead of Ranger side. Right? In this page it seems that Ranger admin console also supports creating a new policy from UI? Please correct me if my understanding is wrong. https://cwiki.apache.org/confluence/display/RANGER/Apache+Ranger+0.5+-+User+Guide
Actually, we are investigating and aiming at drafting a design doc. Will attach the design doc to this JIRA once done.
was (Author: lilima):
[~bosco] Thanks for your answer :)
1. Yes, it's good for Ranger to import user list from component. Why I expose this question is that I noticed that Ranger has provided a function "Add New User" under tab "Settings/Users/Groups". Does it mean Ranger also supports creating user in Ranger itself?
2. Grant privilege from just one side is relatively easy and clear. What we need to discuss is which side we allow granting privilege, HAWQ, or Ranger? As you said, HAWQ side is a good choice since there's no change in admin behavior.
3. I also thinks it would be simple if we don't consider Ranger down or Ranger not exist problem. What about the scenarios that user don't intend to install Ranger? Are users are all fine with Ranger? Currently the ACL information is stored in HAWQ catalog. Shall we remove the catalog information if we provide Ranger support?
4. Yes, LDAP/AD is a potential good solution for us :)
5. So In Hive and HBase, the grant operations are all done in the database side instead of Ranger side. Right? In this page it seems that Ranger admin console also supports creating a new policy from UI? Please correct me if my understanding is wrong.
Actually, we are investigating and aiming at drafting a design doc. Will attach the design doc to this JIRA once done.
> Integrate Security with Apache Ranger
> -------------------------------------
>
> Key: HAWQ-256
> URL: https://issues.apache.org/jira/browse/HAWQ-256
> Project: Apache HAWQ
> Issue Type: New Feature
> Components: PXF, Security
> Reporter: Michael Andre Pearce (IG)
> Assignee: Lili Ma
> Fix For: backlog
>
>
> Integrate security with Apache Ranger for a unified Hadoop security solution.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)