Hi Bhooshan, Jira Sentry-711 is for adding user level privileges, I assume that is the user/group based access control that you are talking about? If so, this is on Sentry roadmap. Thanks!
Best, Hao On Tue, Mar 22, 2016 at 2:16 PM, Bhooshan Mogal <[email protected]> wrote: > Thanks Hao! > > Yes, that seems like a viable work-around until Sentry supports user/group > based access control. Is that on the roadmap any time soon? > > - > Bhooshan > > On Tue, Mar 22, 2016 at 11:41 AM, Hao Hao <[email protected]> wrote: > > > Hi Bhooshan, > > > > Thanks a lot for sharing this interesting question. Based on my > > understanding, you can create a new role for holding all privileges > > (privileges > > to read, write and administer that entity) you want to grant to that > user. > > And grant that role to the user. You do not need to grant privileges to > all > > his roles. The relationship of role and users is once user has certain > > role, he can have all the privileges of the role that are asscociated > with. > > Thanks! > > > > Best, > > Hao > > > > On Tue, Mar 22, 2016 at 10:22 AM, Bhooshan Mogal < > [email protected] > > > > > wrote: > > > > > Hi Folks, > > > > > > I have the following use-case and wanted to hear the community's > thoughts > > > on whether its already possible with Apache Sentry or even if we should > > add > > > such a feature in future: > > > > > > When a principal creates an entity in my system (and he is authorized > to > > do > > > so), I want to make him the owner of that entity. In other words, I > want > > to > > > grant him privileges to read, write and administer that entity, if if > the > > > authorization check for the create operation succeeds, and creation is > > > successful. > > > > > > The problem with this today is that to check if he is authorized, I > pass > > in > > > a user name. To grant him all the privileges if the operation was > > > successful, I need to grant it to a role in Sentry. I know there has > been > > > discussion about have user/group level access control in Sentry, but > > until > > > that happens, I am unclear about how I should map that user name to a > > role, > > > given that a single user may have multiple roles. > > > > > > In the worst case, I could grant privileges to all his roles, but seems > > > like this could open up a security loophole? I had some initial ideas > > about > > > perhaps something like a default role for a user, but I'm not sure if > > > Sentry supports that model. > > > > > > Appreciate any thoughts on this use case, > > > - > > > Bhooshan > > > > > > > > > -- > Bhooshan >
