Hi Hao, Apologies for the delayed response. I think SENTRY-711 is support for adding users to roles. What I was thinking of was more on the lines of granting/revoking privileges to users/groups (and not roles) -- so not RBAC.
Thanks, Bhooshan On Tue, Mar 22, 2016 at 3:39 PM, Hao Hao <[email protected]> wrote: > Hi Bhooshan, > > Jira Sentry-711 is for adding user level privileges, I assume that is the > user/group based access control that you are talking about? If so, this is > on Sentry roadmap. Thanks! > > Best, > Hao > > On Tue, Mar 22, 2016 at 2:16 PM, Bhooshan Mogal <[email protected]> > wrote: > > > Thanks Hao! > > > > Yes, that seems like a viable work-around until Sentry supports > user/group > > based access control. Is that on the roadmap any time soon? > > > > - > > Bhooshan > > > > On Tue, Mar 22, 2016 at 11:41 AM, Hao Hao <[email protected]> wrote: > > > > > Hi Bhooshan, > > > > > > Thanks a lot for sharing this interesting question. Based on my > > > understanding, you can create a new role for holding all privileges > > > (privileges > > > to read, write and administer that entity) you want to grant to that > > user. > > > And grant that role to the user. You do not need to grant privileges to > > all > > > his roles. The relationship of role and users is once user has certain > > > role, he can have all the privileges of the role that are asscociated > > with. > > > Thanks! > > > > > > Best, > > > Hao > > > > > > On Tue, Mar 22, 2016 at 10:22 AM, Bhooshan Mogal < > > [email protected] > > > > > > > wrote: > > > > > > > Hi Folks, > > > > > > > > I have the following use-case and wanted to hear the community's > > thoughts > > > > on whether its already possible with Apache Sentry or even if we > should > > > add > > > > such a feature in future: > > > > > > > > When a principal creates an entity in my system (and he is authorized > > to > > > do > > > > so), I want to make him the owner of that entity. In other words, I > > want > > > to > > > > grant him privileges to read, write and administer that entity, if if > > the > > > > authorization check for the create operation succeeds, and creation > is > > > > successful. > > > > > > > > The problem with this today is that to check if he is authorized, I > > pass > > > in > > > > a user name. To grant him all the privileges if the operation was > > > > successful, I need to grant it to a role in Sentry. I know there has > > been > > > > discussion about have user/group level access control in Sentry, but > > > until > > > > that happens, I am unclear about how I should map that user name to a > > > role, > > > > given that a single user may have multiple roles. > > > > > > > > In the worst case, I could grant privileges to all his roles, but > seems > > > > like this could open up a security loophole? I had some initial ideas > > > about > > > > perhaps something like a default role for a user, but I'm not sure if > > > > Sentry supports that model. > > > > > > > > Appreciate any thoughts on this use case, > > > > - > > > > Bhooshan > > > > > > > > > > > > > > > -- > > Bhooshan > > > -- Bhooshan
