[ https://issues.apache.org/jira/browse/SENTRY-1079?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sravya Tirukkovalur updated SENTRY-1079:
----------------------------------------
    Description: 
This is important now that we have sentry shell, so not just super users like 
"hive,impala,hue" connect, but end users can also connect to sentry to 
grant/revoke/list privileges.

One way to do it is:
1. If it is not part of allow.connect: Fill the requestorName field with the 
user connecting. That way we restrict impersonation if the user is not part of 
this super group. And hence we ignore the requestorName set by the client.
2. Rename allow.connect to super.users or something like that to make it clear 
that these users can have super privileges like impersonating other users.

> Sentry server should not require users to be in a static list "allow.connect" 
> to be able to talk to sentry
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: SENTRY-1079
>                 URL: https://issues.apache.org/jira/browse/SENTRY-1079
>             Project: Sentry
>          Issue Type: Bug
>    Affects Versions: 1.7.0
>            Reporter: Sravya Tirukkovalur
>            Assignee: Sravya Tirukkovalur
>
> This is important now that we have sentry shell, so not just super users like 
> "hive,impala,hue" connect, but end users can also connect to sentry to 
> grant/revoke/list privileges.
> One way to do it is:
> 1. If it is not part of allow.connect: Fill the requestorName field with the 
> user connecting. That way we restrict impersonation if the user is not part 
> of this super group. And hence we ignore the requestorName set by the client.
> 2. Rename allow.connect to super.users or something like that to make it 
> clear that these users can have super privileges like impersonating other users.
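
The first proposal above (ignore the client-supplied requestorName unless the connecting user is in the super-user list), sketched in Java as an added example that is not part of the original issue or of Sentry's code. The class and method names are hypothetical, and the connecting user is assumed to have been authenticated by the transport already.

```java
import java.util.HashSet;
import java.util.Set;

// Hypothetical sketch of the proposed rule; not Sentry's implementation.
public class RequestorResolver {
    private final Set<String> superUsers = new HashSet<>();

    // csv: value of the list the issue calls allow.connect (proposed name: super.users)
    public RequestorResolver(String csv) {
        for (String u : csv.split(",")) {
            if (!u.trim().isEmpty()) {
                superUsers.add(u.trim());
            }
        }
    }

    /**
     * @param connectedUser    identity of the connection (assumed authenticated)
     * @param claimedRequestor requestorName field sent by the client, may be null
     * @return the user the request is authorized as
     */
    public String effectiveRequestor(String connectedUser, String claimedRequestor) {
        if (connectedUser == null || connectedUser.isEmpty()) {
            throw new SecurityException("no authenticated user on connection");
        }
        boolean claimed = claimedRequestor != null && !claimedRequestor.isEmpty();
        if (superUsers.contains(connectedUser)) {
            // Super users may impersonate; without a claim they act as themselves.
            return claimed ? claimedRequestor : connectedUser;
        }
        if (claimed && !claimedRequestor.equals(connectedUser)) {
            // Record the ignored claim; control characters are replaced before logging.
            System.err.printf("ignored requestorName '%s' from non-super user '%s'%n",
                    claimedRequestor.replaceAll("\\p{Cntrl}", "?"), connectedUser);
        }
        // Everyone else is pinned to the identity of the connection.
        return connectedUser;
    }

    public static void main(String[] args) {
        RequestorResolver r = new RequestorResolver("hive,impala,hue");
        System.out.println(r.effectiveRequestor("hive", "alice")); // super user impersonating
        System.out.println(r.effectiveRequestor("bob", "alice"));  // end user, claim ignored
        System.out.println(r.effectiveRequestor("bob", null));     // end user, no claim
    }
}
```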


