ranger-dev mailing list archives

From Ramesh Mani <rm...@hortonworks.com>
Subject Re: [jira] [Comment Edited] (HAWQ-256) Integrate Security with Apache Ranger
Date Mon, 22 Aug 2016 22:18:53 GMT
Bosco,

Looking at the documentation and trying it out, user u2 should be able to
give any permission.


* The ADMIN permission in Ranger is the equivalent to the WITH GRANT
OPTION in SQL standard-based authorization. However, the ADMIN permission
gives the grantee the ability to grant all permissions rather than just
the permissions possessed by the grantor. With SQL standard-based
authorization, the WITH GRANT OPTION applies only to permissions possessed
by the grantor.

Thanks,
Ramesh


On 8/19/16, 10:42 AM, "Don Bosco Durai" <bosco@apache.org> wrote:

>Madhan, can you help me answer the question from the HAWQ team?
>
>If I give User u1 permission to "Select" and "Delegated Admin" for a
>resource/table, then can user u1 give someone else, e.g. u2 "Insert"
>permission for the resource? Or do we restrict "Delegate" permission only
>to what the user has?
>
>Thanks
>
>Bosco
>
>
>On 8/16/16, 1:52 AM, "Lili Ma (JIRA)" <jira@apache.org> wrote:
>
>    
>        [ https://issues.apache.org/jira/browse/HAWQ-256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15422443#comment-15422443 ]
>    
>    Lili Ma edited comment on HAWQ-256 at 8/16/16 8:51 AM:
>    -------------------------------------------------------
>    
>    [~bosco] [~vineetgoel] [~lei_chang] [~hubertzhang] [~wenlin]
>    Another thing we need to discuss is whether we support users sending
>"GRANT" SQL besides setting policy in Ranger.  If we also support Grant
>SQL, there is a minor difference between the "with grant option" of Grant
>SQL and what is inside the Ranger UI.  We need to discuss it clearly.
>    
>    Ranger has one button "Delegate Admin" when defining policy, this is
>different from what HAWQ grant SQL specifies.
>    That button in Ranger means the Ranger internal user has the
>privileges to operate the given path/object and assign someone else the
>rights for the objects. That button has no influence on Ranger external
>user, say, HAWQ internal user. For example, if we add a policy specifying
>user A has the privileges to select a table T and click on the button and
>user A is Ranger internal user, then user A has the right to log into
>Ranger and assign the insert/select privileges for table T to user B.
>    The grant SQL with grant option means that the to-be-granted user has
>the privilege to grant certain privileges to other users. If the grant
>privilege specifies just select, then user A can't grant insert privilege
>to user B. So this is slightly different from what Ranger has already
>provided.
>    
>    If we allow grant/revoke SQL from HAWQ, we need to add "grant" as an
>action option to the resource. Action option means for each action, it
>has an attribute which indicates whether this action can be granted by
>the user.
>    For example, admin grants two privileges:
>    "grant select on t1 to u1"
>    "grant insert on t1 to u1 with grant option"
>    Then u1 grants privileges to u2:
>    "grant select on t1 to u2" result: failed!
>    "grant insert on t1 to u2" result: succeed!
>    As a result, u2 can insert on t1, but it cannot select on t1.
>    Correspondingly, in Ranger, we have the following policies(* means
>with grant privilege):
>    t1 u1 insert*select
>    t1 u2 insert
>    
>    So the conclusion is that we need double the privileges for defining
>"with grant option" if we want to support Grant/Revoke SQL from HAWQ side.
>    
>    
>    > Integrate Security with Apache Ranger
>    > -------------------------------------
>    >
>    >                 Key: HAWQ-256
>    >                 URL: https://issues.apache.org/jira/browse/HAWQ-256
>    >             Project: Apache HAWQ
>    >          Issue Type: New Feature
>    >          Components: PXF, Security
>    >            Reporter: Michael Andre Pearce (IG)
>    >            Assignee: Lili Ma
>    >             Fix For: backlog
>    >
>    >         Attachments: HAWQRangerSupportDesign.pdf
>    >
>    >
>    > Integrate security with Apache Ranger for a unified Hadoop security
>solution. 
>    
>    


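Added example (not code from this thread, from Ranger or from HAWQ): a small Python model that replays both grant semantics discussed above, Lili Ma's SQL `WITH GRANT OPTION` scenario and the Ranger ADMIN / "Delegate Admin" behaviour Ramesh quotes from the documentation, so the difference in what u2 ends up holding can be checked mechanically. The `admin` superuser, the store layout and the function names are constructed assumptions.

```python
from collections import defaultdict


class GrantStore:
    """Constructed model: (resource, user) -> {perm: held_with_grant_option}.
    The per-permission flag is the per-action "grant" attribute Lili Ma proposes
    ('insert*select' in the thread); delegate_admin models Ranger's resource-level
    "Delegate Admin" button. "admin" is an assumed superuser seeding policies."""
    def __init__(self):
        self.perms = defaultdict(dict)
        self.delegate_admin = set()

    def can(self, user, res, perm):
        return perm in self.perms[(res, user)]

    def grant_sql(self, grantor, grantee, res, perm, with_grant_option=False):
        # SQL standard: grantor may pass on only what it holds WITH GRANT OPTION.
        if grantor != "admin" and not self.perms[(res, grantor)].get(perm, False):
            return False
        self.perms[(res, grantee)][perm] = with_grant_option
        return True

    def grant_ranger(self, grantor, grantee, res, perm, delegate_admin=False):
        # Ranger ADMIN: delegate admin on the resource lets the grantor assign
        # any permission on it, including ones the grantor does not hold itself.
        if grantor != "admin" and (res, grantor) not in self.delegate_admin:
            return False
        self.perms[(res, grantee)][perm] = False
        if delegate_admin:
            self.delegate_admin.add((res, grantee))
        return True


def sql_scenario():
    """Lili Ma's example: u1 has select, and insert WITH GRANT OPTION, on t1."""
    s = GrantStore()
    s.grant_sql("admin", "u1", "t1", "select")
    s.grant_sql("admin", "u1", "t1", "insert", with_grant_option=True)
    return {
        "u1 grants select to u2": s.grant_sql("u1", "u2", "t1", "select"),
        "u1 grants insert to u2": s.grant_sql("u1", "u2", "t1", "insert"),
        "u2 can select": s.can("u2", "t1", "select"),
        "u2 can insert": s.can("u2", "t1", "insert"),
    }


def ranger_scenario():
    """Bosco's question: u1 holds only Select plus Delegate Admin on t1."""
    s = GrantStore()
    s.grant_ranger("admin", "u1", "t1", "select", delegate_admin=True)
    return {
        "u1 grants insert to u2": s.grant_ranger("u1", "u2", "t1", "insert"),
        "u1 can insert": s.can("u1", "t1", "insert"),
        "u2 can insert": s.can("u2", "t1", "insert"),
    }
```

In the Ranger branch u1 hands out insert without ever holding it, which is the widening Ramesh describes; the SQL branch refuses the select grant because u1 holds select without the grant option.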