[
https://issues.apache.org/jira/browse/SENTRY-1032?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15124476#comment-15124476
]
Gregory Chanan commented on SENTRY-1032:
----------------------------------------
bq. So I do not think grant in the case of role is non-intuitive. Although, I
prefer assign. As it goes well with saying assign the group "dept_A_engineers"
to role "PCI_compliant_access_role" for example.
Well, grant isn't currently used in the generic context to talk about
roles/groups, so I'm not arguing something different here. Agreed on your
second point about assign.
bq. Role can be thought as a collection of groups, but in which case the
opposite is also true: Group is a collection of roles. It is a many to many
relationship.
Sure, although you could make the same argument about users and groups and I've
never heard anyone say "add group to user". I wouldn't say a group is a
collection of roles. I'd phrase it as a group _has a_ collection of roles and
it _is_ a collection of users. If we accept that people say "add group to
user" we are using the term add as in both a _has a_ and _is a_ context.
That's why I preferred using a different term.
{quote}Groups usually come from Active Directory, so user:group mappings happen
first and they are pretty much set up just once in a company when a new employee
joins. Roles are specific to data access rules. Some groups in the company can
have powers to see sensitive data and some might not. So assigning a role to a
group happens next once they figure out which groups can access what.{quote}
That makes sense. In this case, I'd propose we go with "assign group to role"
so group comes first.
> Rename shell command group/role shell commands and implement with solr shell
> ----------------------------------------------------------------------------
>
> Key: SENTRY-1032
> URL: https://issues.apache.org/jira/browse/SENTRY-1032
> Project: Sentry
> Issue Type: Task
> Components: Service
> Affects Versions: 1.7.0
> Reporter: Gregory Chanan
> Assignee: Gregory Chanan
> Attachments: SENTRY-1032.patch
>
>
> --add_role_group is a bit confusing because the command is to add group to
> role (i.e. the objects are reversed). Let's change this before it is
> released and we need to support backwards compatibility.
> Same for --delete_role_group.
> Also, these commands are not implemented with SentryShellSolr. Let's do that.