From Don Bosco Durai <bo...@apache.org>
Subject Re: [jira] [Comment Edited] (HAWQ-256) Integrate Security with Apache Ranger
Date Fri, 19 Aug 2016 17:42:10 GMT
Madhan, can you help me answer the question from the HAWQ team?

If I give User u1 permission to “Select” and “Delegated Admin” for a resource/table,
then can user u1 give someone else, e.g. u2 “Insert” permission for the resource? Or do
we restrict “Delegate” permission only to what the user has?

Thanks

Bosco


On 8/16/16, 1:52 AM, "Lili Ma (JIRA)" <jira@apache.org> wrote:

    [ https://issues.apache.org/jira/browse/HAWQ-256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15422443#comment-15422443 ]
    Lili Ma edited comment on HAWQ-256 at 8/16/16 8:51 AM:
    -------------------------------------------------------
    
    [~bosco] [~vineetgoel] [~lei_chang] [~hubertzhang] [~wenlin]
    Another thing we need to discuss is whether we support users sending "GRANT" SQL besides setting policy in Ranger. If we also support Grant SQL, there is a minor difference between the "with grant option" of Grant SQL and what is inside the Ranger UI. We need to discuss it clearly.
    
    Ranger has one button, "Delegate Admin", when defining a policy; this is different from what the HAWQ grant SQL specifies.
    That button in Ranger means the Ranger internal user has the privileges to operate on the given path/object and to assign someone else the rights for the objects. That button has no influence on a Ranger external user, say, a HAWQ internal user. For example, if we add a policy specifying that user A has the privilege to select a table T and click on the button, and user A is a Ranger internal user, then user A has the right to log into Ranger and assign the insert/select privileges for table T to user B.
    The grant SQL with grant option means that the to-be-granted user has the privilege to grant certain privileges to other users. If the grant privilege specifies just select, then user A can't grant the insert privilege to user B. So this is slightly different from what Ranger has already provided.
    
    If we allow grant/revoke SQL from HAWQ, we need to add "grant" as an action option to the resource. Action option means that each action has an attribute which indicates whether this action can be granted by the user.
    For example, admin grants two privileges:
    "grant select on t1 to u1"
    "grant insert on t1 to u1 with grant option"
    Then u1 grants privileges to u2:
    "grant select on t1 to u2" result: failed!
    "grant insert on t1 to u2" result: succeeded!
    As a result, u2 can insert on t1, but it cannot select on t1.
    Correspondingly, in Ranger, we have the following policies (* means with grant privilege):
    t1 u1 insert* select
    t1 u2 insert
    
    So the conclusion is that we need to double the privileges for defining "with grant option" if we want to support Grant/Revoke SQL from the HAWQ side.
    
    
    > Integrate Security with Apache Ranger
    > -------------------------------------
    >
    >                 Key: HAWQ-256
    >                 URL: https://issues.apache.org/jira/browse/HAWQ-256
    >             Project: Apache HAWQ
    >          Issue Type: New Feature
    >          Components: PXF, Security
    >            Reporter: Michael Andre Pearce (IG)
    >            Assignee: Lili Ma
    >             Fix For: backlog
    >
    >         Attachments: HAWQRangerSupportDesign.pdf
    >
    >
    > Integrate security with Apache Ranger for a unified Hadoop security solution. 
    
    
    
    --
    This message was sent by Atlassian JIRA
    (v6.3.4#6332)
    

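To make the two delegation semantics under discussion concrete, here is an added example (not HAWQ or Ranger code, and not from the thread's authors) that models both in a small policy store: the per-action "grant" attribute Lili Ma proposes for SQL "WITH GRANT OPTION", and the "Delegate Admin" behaviour as her comment describes it, where a delegated admin may assign any action on the resource regardless of what they hold themselves. The class, function and user names are constructed for illustration; the Delegate Admin model encodes the comment's description, not confirmed Ranger behaviour, which is exactly the point Bosco asks Madhan to settle.

```python
"""Model of SQL 'WITH GRANT OPTION' vs. Ranger-style 'Delegate Admin'.

Constructed example for the HAWQ-256 discussion; names and the store
are assumptions, not project code. The Delegate Admin branch models
the behaviour described in the quoted comment.
"""
from dataclasses import dataclass, field


class GrantDenied(Exception):
    """Grantor lacks the right to hand out this privilege."""


@dataclass
class Privilege:
    action: str               # e.g. "select", "insert"
    grantable: bool = False   # the per-action "grant" attribute


@dataclass
class PolicyStore:
    # (resource, user) -> {action: Privilege}
    _entries: dict = field(default_factory=dict)
    # resource -> set of users with "Delegate Admin" on it
    _delegated_admins: dict = field(default_factory=dict)

    def _privs(self, resource, user):
        return self._entries.setdefault((resource, user), {})

    def admin_grant(self, resource, user, action, with_grant_option=False):
        """Superuser path: unconditionally sets a privilege."""
        self._privs(resource, user)[action] = Privilege(action, with_grant_option)

    def set_delegate_admin(self, resource, user):
        self._delegated_admins.setdefault(resource, set()).add(user)

    def can(self, resource, user, action):
        return action in self._privs(resource, user)

    def grant_sql(self, grantor, resource, grantee, action, with_grant_option=False):
        """SQL GRANT by a non-admin: only actions the grantor holds WITH
        the grant attribute may be passed on (per-action check)."""
        held = self._privs(resource, grantor).get(action)
        if held is None or not held.grantable:
            raise GrantDenied(f"{grantor} cannot grant {action} on {resource}")
        self._privs(resource, grantee)[action] = Privilege(action, with_grant_option)

    def delegate_admin_grant(self, grantor, resource, grantee, action):
        """'Delegate Admin' as described in the comment: any action on the
        resource may be assigned, whether or not the grantor holds it."""
        if grantor not in self._delegated_admins.get(resource, set()):
            raise GrantDenied(f"{grantor} is not a delegated admin on {resource}")
        self._privs(resource, grantee)[action] = Privilege(action)

    def rows(self):
        """Policy in the comment's notation: '*' marks a grantable action."""
        return {
            key: sorted(a + ("*" if p.grantable else "") for a, p in privs.items())
            for key, privs in self._entries.items() if privs
        }


def _attempt(fn, *args):
    try:
        fn(*args)
        return "succeeded"
    except GrantDenied:
        return "failed"


def run_grant_option_scenario():
    """The admin -> u1 -> u2 sequence from the comment."""
    store = PolicyStore()
    store.admin_grant("t1", "u1", "select")                         # no grant option
    store.admin_grant("t1", "u1", "insert", with_grant_option=True)
    return {
        "u1_grant_select_to_u2": _attempt(store.grant_sql, "u1", "t1", "u2", "select"),
        "u1_grant_insert_to_u2": _attempt(store.grant_sql, "u1", "t1", "u2", "insert"),
        "u2_can_insert": store.can("t1", "u2", "insert"),
        "u2_can_select": store.can("t1", "u2", "select"),
        "rows": store.rows(),
    }


def run_delegate_admin_scenario():
    """User A holds only select on T plus Delegate Admin, then assigns insert to B."""
    store = PolicyStore()
    store.admin_grant("T", "A", "select")
    store.set_delegate_admin("T", "A")
    return {
        "A_can_insert": store.can("T", "A", "insert"),
        "A_assigns_insert_to_B": _attempt(store.delegate_admin_grant, "A", "T", "B", "insert"),
        "B_can_insert": store.can("T", "B", "insert"),
        "C_assigns_select_to_B": _attempt(store.delegate_admin_grant, "C", "T", "B", "select"),
    }


if __name__ == "__main__":
    print(run_grant_option_scenario())
    print(run_delegate_admin_scenario())
```

The difference that matters for the integration is visible in the two scenario functions: under the per-action grant attribute, u1 can pass on only `insert`, so the policy rows end up as `t1 u1 insert* select` and `t1 u2 insert`, matching the comment; under the described Delegate Admin semantics, A hands out `insert` without holding it. If Ranger does restrict delegated admins to their own privileges, only `delegate_admin_grant` would change.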

