Thank you Mahdan, this seems to be a reasonable workaround in the absence of the core feature. ... View more

@Ramesh Mani @Madhan Neethiraj @Don Bosco Durai Our thinking is that if Ranger <--> HAWQ integration is enabled, all traditional privilege checking inside HAWQ that is managed via GRANT statements will be turned off to allow Ranger to be the single source of truth for authorization decisions. That will require that create/connect/usage operations for databases and schemas are authorized by Ranger as well, hence the need to define policies for resources on all levels of the resource hierarchy. If we use different permissions (like create-database), which resource will we define it on ? We can't define it on the table level. One hacky way to achieve what we need is to model database / schema twice -- once as a top-level resource without children so that we can define policies on it and once as a parent to serve as context for children. |-- database |-- db-parent ___|-- schema |-- db-parent ___|-- schema-parent ______|-- table In this way we can still define policies on database / schema / table resource types while being able to provide context for schema and table resources. This will be functional, but very confusing to users, with the first level drop down showing "database" and "db-parent" as options to navigate the further levels of resource hierarchy. So that's why I was wondering if there was an out-of-the-box way for doing so. ... View more