Permalink
Show file tree
Hide file tree
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing
11 changed files
with
574 additions
and
383 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,75 @@ | ||
--- | ||
title: Introducing HAWQ Authorization | ||
--- | ||
|
||
<!-- | ||
Licensed to the Apache Software Foundation (ASF) under one | ||
or more contributor license agreements. See the NOTICE file | ||
distributed with this work for additional information | ||
regarding copyright ownership. The ASF licenses this file | ||
to you under the Apache License, Version 2.0 (the | ||
"License"); you may not use this file except in compliance | ||
with the License. You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, | ||
software distributed under the License is distributed on an | ||
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
KIND, either express or implied. See the License for the | ||
specific language governing permissions and limitations | ||
under the License. | ||
--> | ||
|
||
Native HAWQ authorization provides SQL standard authorization at the database and table level for specific users/roles using the `GRANT` and `REVOKE` SQL commands. HAWQ integration with Ranger provides policy-based authorization, enabling you to identify the conditions under which a user and/or group can access individual HAWQ resources, including the operations permitted on those resources. | ||
|
||
Native HAWQ and Ranger authorization are mutually exclusive. | ||
|
||
Native HAWQ and Ranger authorization share `pg_hba.conf`-based user authentication. Native HAWQ authorization is used for certain database operations, even when Ranger is enabled. Additionally, HAWQ always verifies superuser privileges. | ||
|
||
|
||
## <a id="pghbaconf"></a> pg_hba.conf | ||
The `pg_hba.conf` file on the HAWQ master node identifies the users you permit to access the HAWQ cluster, and the hosts from which the access may be initiated. This authentication is the first line of defense for both HAWQ-Native and HAWQ-Ranger authorization. | ||
|
||
|
||
## <a id="alwaysnative"></a> HAWQ Native Authorization | ||
HAWQ *always* employs its native authorization for operations on its catalog. HAWQ also uses only native authorization for the following HAWQ operations, *even when Ranger is enabled*. These operations are available to superusers and may be available those non-admin users to which access was specifically configured: | ||
|
||
- operations on HAWQ catalog | ||
- `CREATE CAST` command when function is NULL | ||
- `CREATE DATABASE`, `DROP DATABASE`, `createdb`, `dropdb` | ||
- `hawq filespace` management tool | ||
- `CREATE`, `DROP`, or `ALTER` commands for resource queues | ||
- `CREATE ROLE`, `DROP ROLE`, `SET ROLE`, `createuser`, `dropuser` | ||
- `CREATE TABLESPACE`, `DROP TABLESPACE` (Ranger does manage authorization for creating tables and indexes _within_ an existing tablespace.) | ||
- HAWQ catalog-related built-in functions such as pg\_logdir\_ls, pg\_ls\_dir, pg\_read\_file, pg\_reload\_conf, pg\_rotate\_logfile, pg\_signal\_backend, pg\_start\_backup, pg\_stat\_file, pg\_stat\_get\_activity, pg\_stat\_get\_backend\_activity\_start, pg\_stat\_get\_backend\_activity, pg\_stat\_get\_backend\_client\_addr, pg\_stat\_get\_backend\_client\_port, pg\_stat\_get\_backend\_start, pg\_stat\_get\_backend\_waiting, pg\_stop\_backup, pg\_switch\_xlog, and pg\_stat\_reset. | ||
|
||
|
||
The following SQL operations do not require any authorization checks: | ||
|
||
- `DEALLOCATE` | ||
- `SET`, `RESET` | ||
|
||
|
||
## <a id="rangersuperuser"></a> Ranger Authorization | ||
When Ranger authorization is enabled, HAWQ uses Ranger policies to determine access to all user database objects, apart from the operations listed above. HAWQ denies a user operation if no policy exists to provide the necessary permissions for the requesting user to access the specific resource(s). | ||
|
||
In cases where an operation requires super-user privileges, HAWQ first performs a super-user check, and then requests the Ranger policy check. Operations that require super-user checks include: | ||
|
||
- `CREATE`, `DROP`, or `ALTER` commands that involve a foreign-data wrapper | ||
- `CREATE LANGUAGE` and `DROP LANGUAGE` for non-built-in languages | ||
- `CREATE FUNCTION` command for untrusted languages | ||
- `CREATE EXTERNAL TABLE` commands that include the `EXECUTE` clause | ||
- `CREATE OPERATOR CLASS` command | ||
- `COPY` command. Using `COPY` is always limited to the super-user. When Ranger policy management is enabled, the super-user must have `SELECT` or `INSERT` privileges on a table in order to `COPY` from or to that table. | ||
|
||
|
||
## <a id="authalgorithm"></a> Access Check Summary | ||
|
||
When determining if a database operation is supported for a specific user, HAWQ: | ||
|
||
1. Confirms user access allowed by pg_hba.conf file. | ||
2. Determines if the operation requires superuser access, and if so, verifies the requesting user has such privileges. | ||
3. Determines if the operation requires native HAWQ authorization. | ||
4. Determines if Ranger authorization for HAWQ is enabled. | ||
4. Performs a HAWQ Native authorization check if required or if Ranger is not enabled **OR** Performs a HAWQ Ranger policy check. |
BIN
+32 KB
markdown/images/resource-perms.png
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
BIN
+98.7 KB
markdown/images/schema-policy.png
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
BIN
+101 KB
markdown/images/table-policy.png
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
BIN
+101 KB
markdown/images/testdb-policy.png
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,42 @@ | ||
--- | ||
title: Using MADLib with Ranger Authorization | ||
--- | ||
|
||
<!-- | ||
Licensed to the Apache Software Foundation (ASF) under one | ||
or more contributor license agreements. See the NOTICE file | ||
distributed with this work for additional information | ||
regarding copyright ownership. The ASF licenses this file | ||
to you under the Apache License, Version 2.0 (the | ||
"License"); you may not use this file except in compliance | ||
with the License. You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, | ||
software distributed under the License is distributed on an | ||
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
KIND, either express or implied. See the License for the | ||
specific language governing permissions and limitations | ||
under the License. | ||
--> | ||
|
||
|
||
You can use MADlib, an open source library for in-database analytics, with your HAWQ installation. MADlib functions typically operate on source, output, and model tables. When Ranger is enabled for HAWQ authorization, you will need to provide access to all MADLib-related databases, schemas, tables, and functions to the appropriate users. | ||
|
||
Consider the following when setting up HAWQ policies for MADlib access: | ||
|
||
- Assign `temp` permission to the database on which users will run MADlib functions. | ||
- MADlib users often share their output tables. If this is the case in your deployment, create a shared schema dedicated to output tables, assigning `usage-schema` and `create` privileges for all MADlib users to this shared schema. | ||
- Assign `create-schema` database permission to those MADlib users that do not choose to share their output tables. | ||
|
||
- `madlib` Schema-Level Permissions | ||
- Assign `usage-schema` and `create` privileges to the `madlib` schema. | ||
- Assign `execute` permissions on all functions within the `madlib` schema, including any functions called within. | ||
- Assign `insert` and `select` permissions to all tables within the `madlib` schema. | ||
- Assign the `usage-schema` and `create` permissions for the current schema, and any schema in which the source, output, and model tables may reside. | ||
|
||
- Function-Specific Permissions | ||
- Assign `insert` and `select` permissions for the source, output, and model tables. | ||
- Assign `insert` and `select` permissions for the output \_summary and \__group tables. | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.