I'm new to Hortonworks HDP; I have the following questions:
There are some users that if I don't create them, then even admin can't perform. For example, unless I create a user called hdfs in ambari, I won't be able to do a lot of the file/folder operations on HDFS. Should I create such users? Is this how others manage the cluster?
In Hive interface, I have to click on the 'Execute' button each time I want the query to be executed. Is there a keyboard shortcut for execute? For example in Oracle SQL developer, you press Ctrl+Enter to execute the query. That's what I'm looking for.
Ambari creates required users automatically. But you can set up LDAP if you have such need.
Ranger is also available in hortonworks, Using the Apache Ranger console, security can easily manage using policies for access to files, folders, databases, tables, or column. These policies can be set for individual users or groups and then enforced consistently across HDP stack.
Related
So here is what I need. I have two RDS instances setup in a specific way (Security Groups, Naming convention, Subnet, encryption, etc). I need empty replicas of this database in a new region as the data needs to be stored locally for each region. Also each database is accessed by it's root user using a randomly generated password, but ideally they should not be the same password accross region. Final requirement is that we would like all this to be scriptable (Cloud Formation or a series of AWS CLI calls. We can obvsiously generate the random password ourselves and insert into the script at some point)
So one option is to:
Create a read replica of the DB into a new region. (Setting everything appropiately)
Promote to regular DB.
Change it's master password.
Truncate all tables.
But I would like to know if there is an option to simply create (from zero) each DB in the new region with the new password, setup and everything and then simply run a script (SQL script) that generates the empty tables. This seems like the most script-friendly solution. My problem is that I don't know how I can authomatically generate a SQL script that is simpy a bunch of create for the tables with the exact same structure as the databases already running. Is there a way to do this? Or is my first option better (from a how-easy-it-is-to-script point of view?
I'm running a SAP HANA database in HDI container and created a corresponding HDI Container admin. I would like to be able to grant users (for support purpose) access not to the whole schema, but only to a few selected tables. How to do it? All examples I found online look like this - and grant access only to a whole schema
CREATE ROLE SCHEMA_NAME.ROLE_NAME NO GRANT TO CREATOR;
GRANT SELECT ON SCHEMA SCHEMA_NAME TO ROLE_NAME;
I know there is an option to use .hdbrole file during deployment, where also object privileges can be written up, but it seems I would have to run deployment each time whenever I need to create a new role. And I would like to create these roles right from the SQL console. Is it possible? And if yes, how to do it?
By running the CREATE ROLE and GRANT commands in the SQL console you create catalog/runtime roles.
These cannot be transported to any other container or DB but only live in this very instance of the database.
Now, that is usually not what you want to have when dealing with HDI containers or containerized applications in general.
Creating schema objects on the fly commonly leads to operational challenges (who has access to what, where, when, why, how?) and should rather be avoided.
But, sure, you can simply connect to the container with any user that has appropriate permissions and run those commands. That includes the usual GRANT SELECT on <table_name> TO <role>; it doesn't have to be the whole schema.
From what I read so far, the WL 6.1 documentation does not much care of this, and it's assumed that database user ID is SYSADM or something like that. Also, I did not see any explicit explanation what privileges the user ID must have.
While SYSADM is fine for development or staging environment, for production is desired to allow the DB user as less as possible, on the other hand I don't wish to get some exceptions related to weak permissions.
Is there any documentation or other source which explicitly mentions/explains what permissions DB2 user ID must have for Worklight 6.1 datasources?
UPDATE: My understanding is that for WL application work (not install) must be used a separate DB user (mostly for security reason, give as less as possible permissions in production). My question above refers to that "application" DB user. It's clear that create tables and schemas activity can do any DB ID, including SYSADM, which is overkill to further work.
I am asking about DB2 user which configured in WAS datasources, once someone else created DBs, schemas and tables.
The DB2 user used to connect to the datasources need not have any special privileges other than to be able to connect to the Worklight databases. The DB2 user that is used to actually create and initially populate the databases must have SYSADM or SYSCTRL privileges, but these are not needed once the database is set up.
There is more information in the documentation, here: Creating the DB2 databases
The documentation defines the privileges required for a user that can create the tables at install time, upgrade the tables for a new Worklight version and use them at runtime.
At runtime, you need, for each table created: SELECT, UPDATE, INSERT, DELETE. And you need to be able to select a SEQUENCE.
The list of tables and SEQUENCE for Worklight can be found in
/WorklightServer/databases/create-worklight-db2.sql and create--worklightreports-db2.sql
I would like to know how to create different (multiple) repositories in Pentaho Enterprise version.
Below are some points which I would like to add.
1. Different repositories for different users, so one user cant access the other users transformations and jobs.
2. One user cant access the DB connections of other users in different repositories.
My main concern is I want logic here is for security reasons. One user cant access or update other users created transformation.
Is this possible? Please help me on this.
Thanks for all in advance.
This is exactly how my repos are set up. I use database repos on PostgreSQL for all my users. To create a new repo, just click the green + button at the top right of the Repository Connection dialog.
To keep users out of each others sandboxes, I create a different schema for each user and assign DB permissions accordingly. Note, the schema has to be created before you create the repo. Of course I'm DB superuser so I can get into all their repos.
When you create a connection for a repo, go to the advanced tab and specify that user's schema in the 'Preferred schema name' box. Note, this connection will not appear in your list of connections stored in the repo; it's in the repositories.xml file in the .kettle directory. I also created a template xml file that I can tweak give out to anyone who comes on board as a developer. That way they only see their repo in the connection dialog, but my repositories.xml has all of their repos.
You can do this with file based repos as well, but of course you'd handle permissions through the file system rather than the DB.
It's also true that repos can have multiple users. I use this feature when members of the same group need to share transforms. For example the Data Warehouse group is all in one repo, but each has their own directory; the other group has their own repo, etc.
I am not sure ,that you can create multiple instatnce of same repository , but
i sugest you can use single repository with different user and with
different user level permissions
You concerns can be re-solved based on user level permission on repo
I know I can do it via ip:port/Reports
Properties -> Security -> New Role Assignment-> "User Name" -> "Roles"
However, I have many databases, each with a different users. So, I would like to automate the process and write an SQL script + double clicking a batch to do the process. I have tried doing insert to users table and userrole table, but it doesn't seem to work, so I suppose it's something about permission granting that I cannot see with my bare eyes... Any hint on what to include in the SQL script?
I would not recommend using SQL scripts to modify RS catalog. Schema is undocumented and is quite complicated.
You can use SOAP API calls from RS Scripting Host. Here is the pointer to sample script which assigns permissions http://msftrsprodsamples.codeplex.com/wikipage?title=SS2008%21Script%20Samples%20%28Reporting%20Services%29
Some information about scripting host http://technet.microsoft.com/en-us/library/ms162839.aspx
I also recommend using user groups instead of individual user accounts. It is easier to maintain in the long run.