  1. Apache HAWQ
  2. HAWQ-24

Support superuser to GRANT/REVOKE CREATION privilege to/from non-superuser on TABLESPACE

    Details

    • Type: Wish
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: backlog
    • Component/s: DDL, Storage
    • Labels:
      None

      Description

      It raises the error "Cannot support GRANT/REVOKE on TABLESPACE statement" while following the HAWQ guide (http://hawq.docs.pivotal.io/docs-gpdb/admin_guide/ddl/ddl-tablespace.html) to GRANT/REVOKE CREATION privilege to/from non-superuser on TABLESPACE.

      gpadmin=# GRANT CREATE ON TABLESPACE fstbs TO tstuser;
      ERROR:  Cannot support GRANT/REVOKE on TABLESPACE statement
      

      As a consequence, with the user as SUPERUSER it is possible to create tables on top of the tablespace, but with a user as NOSUPERUSER it's not possible:

      tstuser=> CREATE TABLE testfs3 ( col01 INTEGER ) TABLESPACE fstbs;
      NOTICE:  Table doesn't have 'DISTRIBUTED BY' clause -- Using column named 'col01' as the Greenplum Database data distribution key for this table.
      HINT:  The 'DISTRIBUTED BY' clause determines the distribution of data. Make sure column(s) chosen are the optimal data distribution key to minimize skew.
      ERROR:  permission denied for tablespace fstbs
      
      gpadmin=# alter user tstuser with superuser;
      ALTER ROLE
      
      [gpadmin@ai2hdm1 ~]$ psql -d tstuser -U tstuser
      Password for user tstuser: 
      psql (8.2.15)
      Type "help" for help.
      
      tstuser=# CREATE TABLE testfs3 ( col01 INTEGER ) TABLESPACE fstbs;
      NOTICE:  Table doesn't have 'DISTRIBUTED BY' clause -- Using column named 'col01' as the Greenplum Database data distribution key for this table.
      HINT:  The 'DISTRIBUTED BY' clause determines the distribution of data. Make sure column(s) chosen are the optimal data distribution key to minimize skew.
      CREATE TABLE
      

      Due to security considerations, it is not acceptable for some HAWQ users to always use SUPERUSER to create TABLESPACE. Thus, we need to support:
      1. Superuser can GRANT/REVOKE CREATION privilege to/from non-superuser on TABLESPACE.
      2. Non-superuser can create TABLESPACE once it is granted the creation privilege.
      3. Non-superuser to GRANT/REVOKE CREATION privilege on TABLESPACE to other users.

            People

            • Assignee:
              lei_chang Lei Chang
              Reporter:
              huor Ruilong Huo