Hi Folks, I have the following use-case and wanted to hear the community's thoughts on whether its already possible with Apache Sentry or even if we should add such a feature in future:
When a principal creates an entity in my system (and he is authorized to do so), I want to make him the owner of that entity. In other words, I want to grant him privileges to read, write and administer that entity, if if the authorization check for the create operation succeeds, and creation is successful. The problem with this today is that to check if he is authorized, I pass in a user name. To grant him all the privileges if the operation was successful, I need to grant it to a role in Sentry. I know there has been discussion about have user/group level access control in Sentry, but until that happens, I am unclear about how I should map that user name to a role, given that a single user may have multiple roles. In the worst case, I could grant privileges to all his roles, but seems like this could open up a security loophole? I had some initial ideas about perhaps something like a default role for a user, but I'm not sure if Sentry supports that model. Appreciate any thoughts on this use case, - Bhooshan
