Posted to issues@hawq.apache.org by "Kyle R Dunn (JIRA)" <ji...@apache.org> on 2017/02/07 18:07:41 UTC

[jira] [Commented] (HAWQ-256) Integrate Security with Apache Ranger

    [ https://issues.apache.org/jira/browse/HAWQ-256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15856444#comment-15856444 ] 

Kyle R Dunn commented on HAWQ-256:
----------------------------------

[~Lili Ma] - here's some input for you
*1)  Why do they want to use Ranger?  What are the scenario and use cases?*
Ranger provides the missing (and very important) functionality for synchronizing roles and groups from an identity management provider (like LDAP) into HAWQ. Without this capability, roles must be provisioned manually or something like pg-ldap-sync must be used; neither is a very enterprise-friendly or "baked" solution.

*2)  Which version of Ranger do they want to use?  Is the version 0.6+ acceptable (shipped in HDP 2.5+) ?*
I think any version is a good starting point; in my opinion, it is best we stay aligned with what is available in the current GA HDP.

*3)  What are the specific HAWQ objects they want to manage in Ranger, for example, Database/Tablespace/Schema/Table/Sequence/Language/Function/Protocol? Is there anything else?*
In my mind, support for schema, table, sequence, function, and protocol is more important. Then prioritize database and tablespace - those seem to be the more "advanced" usage (compared to the former) for most SQL-on-Hadoop installations I've seen.

*4)  What kind of tables do they want to manage? Heap (catalog) table, or data table on HDFS?*
Data tables. In my opinion, the catalog should only be managed by a local superuser.

*5)  Do they want to restrict superuser privileges? If yes, what kind of privileges do they want to restrict, including catalog table or just the table on HDFS?*
I've not seen this requirement, except with PL/x function creation / invocation. 

*6)  Do they want to use Ambari to deploy HAWQ and Ranger?*
Whenever possible, yes.

*7) Do they have requirements for integration with user management tool such as LDAP?*
Absolutely, this is the main motivator from my perspective.

*8) Do they have a need to switch back and forth from Ranger? Say, setting Ranger on, and then setting off (using HAWQ native authorization)?*
Hard to say here. If it is possible for HAWQ to reach some unusable state as a result of having Ranger on, then yes; otherwise, it seems unlikely this would be a common activity.

*9) Are they ok with the solution that we put the system catalog/function/owner check in HAWQ?
    --- There are a lot of catalog information checks (for example, pg_catalog, information_schema, etc.) and system embedded function checks (for example, count, charne, etc.) in a simple SQL command such as "analyze" and "\d", which will incur a lot of communication cost with Ranger if we process them in Ranger. Also, the embedded catalog/function may not include much sensitive data.
    --- HAWQ does owner checks in some cases. For example, only the owner who created the table can drop it. Is the customer OK with our keeping the owner check in HAWQ?*
This makes sense to me. Having admin functions only available via a local account but auditable by Ranger is likely a fair tradeoff here. 

*10) Are they ok with the solution that once Ranger is configured, we will forbid GRANT/REVOKE command in HAWQ?*
This seems to be the correct behavior to avoid inconsistencies.

*11) Are they ok with the solution that HAWQ handles the privileges check for drop table/create database?*
This comes back to the third question - I think it makes sense, others may have a different opinion.

*12) Are they ok with the solution of configuring an extra GUC on the Ambari side for indicating Ranger on/off?*
Not sure here. If Ranger thinks it's managing HAWQ, HAWQ should not be allowed to be "off" in Ambari. For the "disable Ranger" mode in HAWQ, maybe it should be command line only, as it would likely be only for troubleshooting / temporary usage.

*13) Are they OK if we don’t provide High Availability with HAWQ Ranger Plugin Service (RPS) in the first (beta) release?*
I think this is ok. Right now, it is not easy (or maybe even possible) to have high availability with HAWQ+LDAP, so this is still at parity with current functionality. 


Hope this helps.

> Integrate Security with Apache Ranger
> -------------------------------------
>
>                 Key: HAWQ-256
>                 URL: https://issues.apache.org/jira/browse/HAWQ-256
>             Project: Apache HAWQ
>          Issue Type: New Feature
>          Components: Security
>            Reporter: Michael Andre Pearce (IG)
>            Assignee: Lili Ma
>             Fix For: backlog
>
>         Attachments: HAWQRangerSupportDesign.pdf, HAWQRangerSupportDesign_v0.2.pdf, HAWQRangerSupportDesign_v0.3.pdf
>
>
> Integrate security with Apache Ranger for a unified Hadoop security solution. 



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)