Posted to commits@hawq.apache.org by yo...@apache.org on 2017/04/25 00:04:18 UTC

[25/50] [abbrv] incubator-hawq-docs git commit: restructure example scenario (closes #114)

restructure example scenario (closes #114)


Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/commit/227bc09c
Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/tree/227bc09c
Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/diff/227bc09c

Branch: refs/heads/master
Commit: 227bc09cfeabcfdbaf5c54d4029b742d0252f314
Parents: 51428eb
Author: Lisa Owen <lo...@pivotal.io>
Authored: Tue Apr 4 12:22:24 2017 -0700
Committer: David Yozie <yo...@apache.org>
Committed: Tue Apr 4 12:22:24 2017 -0700

----------------------------------------------------------------------
 .../ranger/ranger-policy-creation.html.md.erb   | 58 ++++++++------------
 1 file changed, 23 insertions(+), 35 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/blob/227bc09c/markdown/ranger/ranger-policy-creation.html.md.erb
----------------------------------------------------------------------
diff --git a/markdown/ranger/ranger-policy-creation.html.md.erb b/markdown/ranger/ranger-policy-creation.html.md.erb
index a0e0869..5bd12b4 100644
--- a/markdown/ranger/ranger-policy-creation.html.md.erb
+++ b/markdown/ranger/ranger-policy-creation.html.md.erb
@@ -119,24 +119,14 @@ Refer to the [Ranger User Guide](https://cwiki.apache.org/confluence/display/RAN
 
 ## <a id="excreatepolicies"></a>Example Scenario: Creating HAWQ Policies
 
-In this example scenario:
-
-Step 1:
+When you enable Ranger authorization for HAWQ with the default service definition in place, the configured policies assign the `gpadmin` administrative HAWQ user all permissions on all database objects. Other HAWQ users have no privileges, *even for the objects that they own*. In this example scenario:
 
 - Your HAWQ cluster includes a HAWQ user named `hawquser1` who has default privileges on a database named `testdb`. 
 - `hawquser1` creates `table99` in the `public` schema of `testdb` and inserts data into this table.
-
-Step 2:
-
-- You enable Ranger authorization.
-
-Step 3:
-
+- You enable Ranger authorization for HAWQ.
 - You create the HAWQ policies necessary to restore `hawquser1` access to the database `testdb` and the table `table99`.
 
-### <a id="exstep1"></a>Step 1: Creating HAWQ User and Database
-
-Create the HAWQ user and database resources:
+Perform the following steps to set up the example scenario:
 
 1. Create OS user `hawquser1` and assign a password:
 
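Review bot: Removing the `### <a id="exstep1"></a>Step 1: ...` heading here (and the `exstep2` and `exstep3` headings later in this patch) drops the anchors along with the headings, so any link to `#exstep1`, `#exstep2` or `#exstep3` from other pages will stop resolving. Search the docs tree for those ids before merging, or keep the `<a id="...">` tags on the corresponding steps. The new introduction also ends with "In this example scenario:" on the same line as the paragraph about default policies; putting that lead-in on its own line would keep the bullet list from reading as part of the preceding sentence.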
@@ -172,7 +162,7 @@ Create the HAWQ user and database resources:
     gpadmin@master$ hawq stop cluster --reload
     ```
 
-6. `hawquser1` creates `table99` in `public` schema of `testdb` database:
+5. `hawquser1` creates `table99` in `public` schema of `testdb` database:
 
     ``` shell
     hawquser1@hawq-node$ psql -d testdb
@@ -191,22 +181,20 @@ Create the HAWQ user and database resources:
     ...
     ```
 
-### <a id="exstep2"></a>Step 2: Enabling Ranger Authorization for HAWQ
+6. You enable Ranger authorization for HAWQ.
 
-When you enable Ranger authorization for HAWQ with the default service definition in place, the configured policies assign the `gpadmin` administrative HAWQ user all permissions on all database objects. Other HAWQ users have no privileges, *even for the objects they own*.
+    When you enable Ranger authorization for HAWQ with the default service definition in place, the configured policies assign the `gpadmin` administrative HAWQ user all permissions on all database objects. Other HAWQ users have no privileges, *even for the objects that they own*.
 
-When `hawquser1` attempts to connect to `testdb` after Ranger authorization for HAWQ is enabled:
+7. `hawquser1` attempts to connect to `testdb` after Ranger authorization for HAWQ is enabled:
 
-``` shell
-hawquser1@hawq-node$ psql -d testdb
-psql: FATAL:  permission denied for database "testdb2"
-DETAIL:  User does not have CONNECT privilege.
-```
-    
-Notice that `hawquser1` no longer has permission to access `testdb` after Ranger authorization for HAWQ is enabled.
+    ``` shell
+    hawquser1@hawq-node$ psql -d testdb
+    psql: FATAL:  permission denied for database "testdb"
+    DETAIL:  User does not have CONNECT privilege.
+    ```
 
+    Notice that `hawquser1` no longer has permission to access `testdb` after Ranger authorization for HAWQ is enabled.
 
-### <a id="exstep3"></a>Step 3: Creating HAWQ Policies to Restore Access
 
 Create the policies(s) that restore `hawquser1`'s access to `testdb` and `table99`:
 
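Review bot: The paragraph added under step 6 repeats, word for word, the sentence this patch also adds as the section introduction ("When you enable Ranger authorization for HAWQ with the default service definition in place ..."); keep it in one place. Step 6 also gives the reader nothing to act on: phrase it as an instruction ("Enable Ranger authorization for HAWQ") like step 1, and link to the procedure that enables it. With the `Step 3` heading removed, the context line "Create the policies(s) that restore ..." now runs straight on from step 7 as a bare paragraph after two blank lines; a short lead-in or a retained heading would mark where setup ends and policy creation begins, and "policies(s)" should read "policy(ies)" or "policies".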
@@ -218,7 +206,7 @@ Create the policies(s) that restore `hawquser1`'s access to `testdb` and `table9
 
     The **List of Policies: hawq** page identifies all currently defined HAWQ policies. These policies provide all permissions on all HAWQ database resources only to the `gpadmin` user.
 
-3. Create a policy for `hawquser1` that provides `CONNECT` privilege to the `testdb` database. 
+4. Create a policy for `hawquser1` that provides `CONNECT` privilege to the `testdb` database. 
 
     Click the **Add New Policy** button and enter the following information in the **Policy Details** and **Allow Conditions** fields:
     
@@ -226,9 +214,9 @@ Create the policies(s) that restore `hawquser1`'s access to `testdb` and `table9
     
     Notice that both the `schema` and `table` field values are set to `*` in this policy. Wild-carding both of these fields is **required** when defining a database-level policy.
     
-6. Save the policy named `testdb-connect`.
+5. Save the policy named `testdb-connect`.
 
-4. Verify that `hawquser1` can now connect to `testdb`:
+6. Verify that `hawquser1` can now connect to `testdb`:
 
     ``` shell
     hawquser1@hawq-node$ psql -d testdb
@@ -238,7 +226,7 @@ Create the policies(s) that restore `hawquser1`'s access to `testdb` and `table9
     testdb=>
     ```
 
-5. `hawquser1` attempts to select from `table99`:
+7. `hawquser1` attempts to select from `table99`:
 
     ``` sql
     testdb=> SELECT * FROM table99;
@@ -247,7 +235,7 @@ Create the policies(s) that restore `hawquser1`'s access to `testdb` and `table9
     
     Connect privilege to the `testdb` database is not sufficient for `hawquser1` to access `table99`. The WARNING message indicates that `hawquser1` is missing privileges for the `public` schema.
     
-6. Create a policy for `hawquser1` that provides `USAGE` privileges on the `testdb` database `public` schema. 
+8. Create a policy for `hawquser1` that provides `USAGE` privileges on the `testdb` database `public` schema. 
 
     Click the **Add New Policy** button and enter the following information in the **Policy Details** and **Allow Conditions** fields:
     
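Review bot: Step 8 says the policy provides `USAGE` privileges, but the paragraph that follows the policy fields says you assign both the `usage-schema` and `create` permissions. Name both permissions in the step so the text matches what the reader is told to configure, and state why `create` is included, since that permission lets `hawquser1` create objects in the `public` schema and is not needed for the `SELECT` on `table99` that the next steps test.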
@@ -255,9 +243,9 @@ Create the policies(s) that restore `hawquser1`'s access to `testdb` and `table9
     
     Notice that the `table` field value is set to `*` in this policy and that  you assign the schema-level `usage-schema` and `create` permissions. The `usage-schema` permission allows `hawquser1` to use the `public` schema. The `create` permission allows `hawquser1` to create objects in this schema.
     
-6. Save the policy named `testdb-public`.
+9. Save the policy named `testdb-public`.
 
-7. `hawquser1` again attempts to select from `table99`:
+10. `hawquser1` again attempts to select from `table99`:
 
     ``` sql
     testdb=> SELECT * FROM table99;
@@ -266,15 +254,15 @@ Create the policies(s) that restore `hawquser1`'s access to `testdb` and `table9
     
     Access to the `testdb` database and `public` schema is still not sufficient for `hawquser1` to select the data in `table99`. You must explicitly configure access to this table.
     
-8. Create a policy for `hawquser1` that provides `SELECT` permission on the table named `table99`. 
+11. Create a policy for `hawquser1` that provides `SELECT` permission on the table named `table99`. 
 
     Click the **Add New Policy** button and enter the following information in the **Policy Details** and **Allow Conditions** fields:
     
     ![HAWQ Policy Details](../images/table-policy.png)
 
-6. Save the policy named `testdb-public-table99`.
+12. Save the policy named `testdb-public-table99`.
 
-7. `hawquser1` again attempts to select from `table99`:
+13. `hawquser1` again attempts to select from `table99`:
 
     ``` sql
     testdb=> SELECT * FROM table99;
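Review bot: Step 11 grants only `SELECT` on `table99`, while the scenario bullets say `hawquser1` created the table and inserts data into it, so the three policies restore read access rather than everything the owner could do before Ranger authorization was enabled. Say in step 11, or in the introduction where it promises to "restore `hawquser1` access", that the example deliberately stops at `SELECT`, or list the additional table permissions the owner would need to insert again.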