Uploaded image for project: 'Apache HAWQ'
  1. Apache HAWQ
  2. HAWQ-256 Integrate Security with Apache Ranger
  3. HAWQ-1279

Force to recompute namespace_path when enable_ranger

    XMLWordPrintableJSON

    Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: backlog
    • Component/s: PXF, Security
    • Labels:
      None

      Description

      namespace_path is cached in each psql session and the cache invalidation is triggered by Grant/Revoke SQL.

      When enable_ranger, Grant/Revoke SQL is no longer use, so the cache prevent a ack-check request sending.

      Example:

      // create table t(i int); => failed
      [{""resource"":{""database"":""postgres"",""schema"":""pg_catalog""},""privileges"":[""usage""],""allowed"":true}]
      [{""resource"":{""database"":""postgres"",""schema"":""pg_catalog""},""privileges"":[""usage""],""allowed"":true}]
      [{""resource"":{""database"":""postgres"",""schema"":""public""},""privileges"":[""usage""],""allowed"":false}]
      
      // grant usage and create permissions to public schema in ranger and try again => failed again
      [{""resource"":{""database"":""postgres"",""schema"":""pg_catalog""},""privileges"":[""usage""],""allowed"":true}]
      [{""resource"":{""database"":""postgres"",""schema"":""pg_catalog""},""privileges"":[""usage""],""allowed"":true}]
      // why not send a request for USAGE??
      

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                hongxu ma Hongxu Ma
                Reporter:
                hongxu ma Hongxu Ma
              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: