Uploaded image for project: 'Apache HAWQ'
  1. Apache HAWQ
  2. HAWQ-256 Integrate Security with Apache Ranger
  3. HAWQ-1279

Force to recompute namespace_path when enable_ranger

    XMLWordPrintableJSON

Details

    • Sub-task
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • backlog
    • PXF, Security
    • None

    Description

      namespace_path is cached in each psql session and the cache invalidation is triggered by Grant/Revoke SQL.

      When enable_ranger, Grant/Revoke SQL is no longer use, so the cache prevent a ack-check request sending.

      Example:

      // create table t(i int); => failed
      [{""resource"":{""database"":""postgres"",""schema"":""pg_catalog""},""privileges"":[""usage""],""allowed"":true}]
      [{""resource"":{""database"":""postgres"",""schema"":""pg_catalog""},""privileges"":[""usage""],""allowed"":true}]
      [{""resource"":{""database"":""postgres"",""schema"":""public""},""privileges"":[""usage""],""allowed"":false}]
      
      // grant usage and create permissions to public schema in ranger and try again => failed again
      [{""resource"":{""database"":""postgres"",""schema"":""pg_catalog""},""privileges"":[""usage""],""allowed"":true}]
      [{""resource"":{""database"":""postgres"",""schema"":""pg_catalog""},""privileges"":[""usage""],""allowed"":true}]
      // why not send a request for USAGE??
      

      Attachments

        Issue Links

          Activity

            People

              hongxu ma Hongxu Ma
              hongxu ma Hongxu Ma
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: