Overview of HAWQ Authorization

Native HAWQ authorization provides SQL standard authorization at the database and table level for specific users/roles using the GRANT and REVOKE SQL commands. HAWQ integration with Ranger provides policy-based authorization, enabling you to identify the conditions under which a user and/or group can access individual HAWQ resources, including the operations permitted on those resources.

Native HAWQ and Ranger authorization are mutually exclusive.

Native HAWQ and Ranger authorization share pg_hba.conf-based user authentication. Native HAWQ authorization is used for certain database operations, even when Ranger is enabled. Additionally, HAWQ always verifies superuser privileges.

pg_hba.conf

The pg_hba.conf file on the HAWQ master node identifies the users you permit to access the HAWQ cluster, and the hosts from which the access may be initiated. This authentication is the first line of defense for both HAWQ-Native and HAWQ-Ranger authorization.

HAWQ Native Authorization

HAWQ always employs its native authorization for operations on its catalog. HAWQ also uses only native authorization for the following HAWQ operations, even when Ranger is enabled. These operations are available to superusers and may be available those non-admin users to which access was specifically configured:

  • operations on HAWQ catalog
  • CREATE CAST command when function is NULL
  • CREATE DATABASE, DROP DATABASE, createdb, dropdb
  • hawq filespace management tool
  • CREATE, DROP, or ALTER commands for resource queues
  • CREATE ROLE, DROP ROLE, SET ROLE, createuser, dropuser
  • CREATE TABLESPACE, DROP TABLESPACE (Ranger does manage authorization for creating tables and indexes within an existing tablespace.)
  • HAWQ catalog-related built-in functions such as pg_logdir_ls, pg_ls_dir, pg_read_file, pg_reload_conf, pg_rotate_logfile, pg_signal_backend, pg_start_backup, pg_stat_file, pg_stat_get_activity, pg_stat_get_backend_activity_start, pg_stat_get_backend_activity, pg_stat_get_backend_client_addr, pg_stat_get_backend_client_port, pg_stat_get_backend_start, pg_stat_get_backend_waiting, pg_stop_backup, pg_switch_xlog, and pg_stat_reset.

The following SQL operations do not require any authorization checks:

  • DEALLOCATE
  • SET, RESET

Ranger Authorization

When Ranger authorization is enabled, HAWQ uses Ranger policies to determine access to all user database objects, apart from the operations listed above. HAWQ denies a user operation if no policy exists to provide the necessary permissions for the requesting user to access the specific resource(s).

In cases where an operation requires super-user privileges, HAWQ first performs a super-user check, and then requests the Ranger policy check. Operations that require super-user checks include:

  • CREATE, DROP, or ALTER commands that involve a foreign-data wrapper
  • CREATE LANGUAGE and DROP LANGUAGE for non-built-in languages
  • CREATE FUNCTION command for untrusted languages
  • CREATE EXTERNAL TABLE commands that include the EXECUTE clause
  • CREATE OPERATOR CLASS command
  • COPY command. Using COPY is always limited to the super-user. When Ranger policy management is enabled, the super-user must have SELECT or INSERT privileges on a table in order to COPY from or to that table.

Access Check Summary

When determining if a database operation is supported for a specific user, HAWQ:

  1. Confirms user access allowed by pg_hba.conf file.
  2. Determines if the operation requires superuser access, and if so, verifies the requesting user has such privileges.
  3. Determines if the operation requires native HAWQ authorization.
  4. Determines if Ranger authorization for HAWQ is enabled.
  5. Performs a HAWQ Native authorization check if required or if Ranger is not enabled OR Performs a HAWQ Ranger policy check.