[ https://issues.apache.org/jira/browse/SENTRY-980?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ryan P updated SENTRY-980:
--------------------------
Description:
As it stands only users that fall into one of the configured ADMIN_GROUPS can
make calls such as list_sentry_roles_by_group. This can cause issues for
applications such as Impala which have not been configured as an admin group.
Technically it is a requirement for Impala to be granted these elevated
privileges. There are however a few specific use cases where this is not
acceptable.
I propose that we loosen the requirements slightly to allow users configured in
ALLOW_CONNECT to perform admin operations. This value should already only be
used by services which implement Sentry, not as end users.
was:
As it stands only users that fall into one of the configured ADMIN_GROUPS can
make calls such as list_sentry_roles_by_group. This can cause issues for
applications such as Impala which have not been configured as a admin group.
Technically it is a requirement for Impala to be granted these elevated
privileges. There are however a few specific use cases where this is not
acceptable.
I propose that we loosen the requirements slightly to allow users configured in
ALLOW_CONNECT to perform admin operations. This value should already only be
used by services which implement Sentry, not as end users.
> Allow connected users to perform operations typically reserved for admins.
> ---------------------------------------------------------------------------
>
> Key: SENTRY-980
> URL: https://issues.apache.org/jira/browse/SENTRY-980
> Project: Sentry
> Issue Type: Improvement
> Reporter: Ryan P
> Priority: Minor
>
> As it stands only users that fall into one of the configured ADMIN_GROUPS can
> make calls such as list_sentry_roles_by_group. This can cause issues for
> applications such as Impala which have not been configured as an admin group.
> Technically it is a requirement for Impala to be granted these elevated
> privileges. There are however a few specific use cases where this is not
> acceptable.
> I propose that we loosen the requirements slightly to allow users configured
> in ALLOW_CONNECT to perform admin operations. This value should already only
> be used by services which implement Sentry, not as end users.