Overview of HAWQ Authorization
Native HAWQ authorization provides SQL standard authorization at the database and table level for specific users/roles using the
REVOKE SQL commands. HAWQ integration with Ranger provides policy-based authorization, enabling you to identify the conditions under which a user and/or group can access individual HAWQ resources, including the operations permitted on those resources.
Native HAWQ and Ranger authorization are mutually exclusive.
Native HAWQ and Ranger authorization share
pg_hba.conf-based user authentication. Native HAWQ authorization is used for certain database operations, even when Ranger is enabled. Additionally, HAWQ always verifies superuser privileges.
pg_hba.conf file on the HAWQ master node identifies the users you permit to access the HAWQ cluster, and the hosts from which the access may be initiated. This authentication is the first line of defense for both HAWQ-Native and HAWQ-Ranger authorization.
HAWQ always employs its native authorization for operations on its catalog. HAWQ also uses only native authorization for the following HAWQ operations, even when Ranger is enabled. These operations are available to superusers and may be available those non-admin users to which access was specifically configured:
- operations on HAWQ catalog
CREATE CASTcommand when function is NULL
hawq filespacemanagement tool
ALTERcommands for resource queues
DROP TABLESPACE(Ranger does manage authorization for creating tables and indexes within an existing tablespace.)
- HAWQ catalog-related built-in functions such as pg_logdir_ls, pg_ls_dir, pg_read_file, pg_reload_conf, pg_rotate_logfile, pg_signal_backend, pg_start_backup, pg_stat_file, pg_stat_get_activity, pg_stat_get_backend_activity_start, pg_stat_get_backend_activity, pg_stat_get_backend_client_addr, pg_stat_get_backend_client_port, pg_stat_get_backend_start, pg_stat_get_backend_waiting, pg_stop_backup, pg_switch_xlog, and pg_stat_reset.
The following SQL operations do not require any authorization checks:
When Ranger authorization is enabled, HAWQ uses Ranger policies to determine access to all user database objects, apart from the operations listed above. HAWQ denies a user operation if no policy exists to provide the necessary permissions for the requesting user to access the specific resource(s).
In cases where an operation requires super-user privileges, HAWQ first performs a super-user check, and then requests the Ranger policy check. Operations that require super-user checks include:
ALTERcommands that involve a foreign-data wrapper
DROP LANGUAGEfor non-built-in languages
CREATE FUNCTIONcommand for untrusted languages
CREATE EXTERNAL TABLEcommands that include the
CREATE OPERATOR CLASScommand
COPYis always limited to the super-user. When Ranger policy management is enabled, the super-user must have
INSERTprivileges on a table in order to
COPYfrom or to that table.
When determining if a database operation is supported for a specific user, HAWQ:
- Confirms user access allowed by pg_hba.conf file.
- Determines if the operation requires superuser access, and if so, verifies the requesting user has such privileges.
- Determines if the operation requires native HAWQ authorization.
- Determines if Ranger authorization for HAWQ is enabled.
- Performs a HAWQ Native authorization check if required or if Ranger is not enabled OR Performs a HAWQ Ranger policy check.