HAWQ Resources and Permissions

The HAWQ Ranger policy editor always displays the complete list of HAWQ permissions. This list is not filtered by the operations that are actually supported by the resource(s) you have selected.

The following table identifies the specific permissions supported by each HAWQ resource.

Permissions Supported by each HAWQ Resource

Policies for Database Operations

The database operations governed by HAWQ-Ranger authorization are those that you perform at the purely database-level. These operations include connecting to the database, creating schemas, and creating temporary tables and sequences. Use the following HAWQ Ranger Policy Details to assign permissions for these operations:

ResourceValueDescription
database<db-name>The database to which you want to provide access
schemaMust specify
tableMust specify

specifying the permissions you wish to assign:

PermissionAllows SQL CommandsEquivalent GRANT Command
connectCONNECTGRANT CONNECT ON DATABASE <db-name> TO <user-name>
create-schemaCREATE SCHEMAGRANT CREATE ON DATABASE <db-name> TO <user-name>
tempCREATE TEMP TABLE

CREATE TEMP SEQUENCE

GRANT TEMP ON DATABASE <db-name> TO <user-name>

Policies for Schema Operations

You perform many HAWQ operations within the scope of a specific database and schema, including creating/dropping/altering database objects. These operations will require permission to use the specified schema.

The HAWQ schema named public is the default schema. When HAWQ-Native authorization is in effect, users are automatically granted access to this schema. When Ranger is enabled, users must be explicitly assigned the usage-schema permission to the public schema.

Use these HAWQ Ranger Policy Details to assign permission for schema-related operations:

ResourceValueDescription
database<db-name>The database to which you want to provide access
schema<schema-name>The schema in which you want to provide access
table | sequence | function*No table/sequence/function

specifying these permissions:

PermissionAllows SQL CommandsEquivalent GRANT Command
usage-schemaMANYGRANT USAGE ON SCHEMA <schema-name> TO <user-name>
createALTER/CREATE AGGREGATE, ALTER TABLE, CREATE [EXTERNAL] TABLE, CREATE FUNCTION, CREATE OPERATOR, CREATE OPERATOR CLASS (superuser only), CREATE SEQUENCE, CREATE VIEW, CREATE TYPE, SELECT INTOGRANT CREATE ON SCHEMA <schema-name> TO <user-name>

Policies for Table Operations

You can insert data into and select a table within schemas in which you have usage-schema permissions. Use the following HAWQ Ranger Policy Details to assign permission for these operations:

ResourceValueDescription
database<db-name>The database to which you want to provide access
schema<schema-name>The schema in which you want to provide access
table<table-name>The table to which you want to provide access

specifying the permissions you wish to assign:

PermissionAllows SQL CommandsEquivalent GRANT Command
selectANALYZE, COPY INTO, SELECT, VACUUM ANALYZEGRANT SELECT ON TABLE <table-name> TO <user-name>
insertCOPY FROM, INSERTGRANT INSERT ON TABLE <table-name> TO <user-name>

Policies for Sequence Operations

You can use and select sequences and update sequence values in schemas in which you have usage-schema permissions. You can also use the nextval() and setval() HAWQ built-in functions to return and set sequence values. Use the following HAWQ Ranger Policy Details to assign permission for these operations:

ResourceValueDescription
database<db-name>The database to which you want to provide access
schema<schema-name>The schema in which you want to provide access
sequence<sequence-name>The sequence to which you want to provide access

specifying the permissions you wish to assign:

PermissionAllows SQL Commands, built-in functionsEquivalent GRANT Command
selectSELECT <sequence-name>GRANT SELECT ON SEQUENCE <sequence-name> TO <user-name>
usage, updatenextval()GRANT USAGE, UPDATE ON SEQUENCE <sequence-name> TO <user-name>
updatesetval()GRANT UPDATE ON SEQUENCE <sequence-name> TO <user-name>

Policies for Function Operations

You can execute user-defined functions in schemas in which you have usage-schema permissions. Use the following HAWQ Ranger Policy Details to assign permission for this operation:

ResourceValueDescription
database<db-name>The database to which you want to provide access
schema<schema-name>The schema in which you want to provide access
function<function-name>The user-defined function to which you want to provide access

specifying the permissions you wish to assign:

PermissionAllows SQL CommandsEquivalent GRANT Command
executeSELECT <function-name>()GRANT EXECUTE ON FUNCTION <function-name> TO <user-name>

Note: Functions typically access database objects such as tables, views, sequences, etc and other functions. When setting up your HAWQ policies, ensure you have also provided access to all database resources referenced within the function (recursively).

Policies for Language Operations

Only super-users may register and drop languages for a specific database. These operations are governed by HAWQ-Native authorization.

You may choose to permit users to use a specific language to create user-defined functions. Use these HAWQ Ranger Policy Details to assign such permission:

ResourceValueDescription
database<db-name>The database to which you want to provide access
language<language-name>The language to which you want to provide access (plpgsql, sql, other languages explicitly registered in the database)

specifying these permissions:

PermissionAllows SQL CommandsEquivalent GRANT Command
usageCREATE FUNCTION … LANGUAGE <language-name>GRANT USAGE ON LANGUAGE<language-name> TO <user-name>

Policies for Tablespace Operations

Only super-users may create and drop tablespaces. These operations are governed by HAWQ-Native authorization.

You may choose to allow specific users to create tables within an existing tablespace. Use these HAWQ Ranger Policy Details to assign such permissions:

ResourceValueDescription
tablespace<tablespace-name>The tablespace to which you want to provide access

specifying these permissions:

PermissionAllows SQL CommandsEquivalent GRANT Command
createCREATE TABLE … TABLESPACEGRANT CREATE ON <tablespace-name> TO <user-name>

Policies for Protocol Operations

You may choose to permit access to the pxf, gpfdist, and/or http protocols to create readable and writable external tables. Use the following HAWQ Ranger Policy Details to assign permission for these operations:

ResourceValueDescription
protocol<protocol-name>The protocol to which you want to provide access (pxf, gpfdist, http)

specifying the permissions you wish to assign:

PermissionAllows SQL CommandsEquivalent GRANT Command
selectCREATE READABLE EXTERNAL TABLEGRANT SELECT ON PROTOCOL <protocol-name> TO <user-name>
insertCREATE WRITABLE EXTERNAL TABLEGRANT INSERT ON PROTOCOL <protocol-name> TO <user-name>