Hi Hao,

Apologies for the delayed response. I think SENTRY-711 is support for
adding users to roles. What I was thinking of was more on the lines of
granting/revoking privileges to users/groups (and not roles) -- so not RBAC.

Thanks,
Bhooshan

On Tue, Mar 22, 2016 at 3:39 PM, Hao Hao <[email protected]> wrote:

> Hi Bhooshan,
>
> Jira Sentry-711 is for adding user level privileges, I assume that is the
> user/group based access control that you are talking about? If so, this is
> on Sentry roadmap.  Thanks!
>
> Best,
> Hao
>
> On Tue, Mar 22, 2016 at 2:16 PM, Bhooshan Mogal <[email protected]>
> wrote:
>
> > Thanks Hao!
> >
> > Yes, that seems like a viable work-around until Sentry supports
> user/group
> > based access control. Is that on the roadmap any time soon?
> >
> > -
> > Bhooshan
> >
> > On Tue, Mar 22, 2016 at 11:41 AM, Hao Hao <[email protected]> wrote:
> >
> > > Hi Bhooshan,
> > >
> > > Thanks a lot for sharing this interesting question. Based on my
> > > understanding, you can create a new role for holding all privileges
> > > (privileges
> > > to read, write and administer that entity) you want to grant to that
> > user.
> > > And grant that role to the user. You do not need to grant privileges to
> > all
> > > his roles. The relationship of role and users is once user has certain
> > > role, he can have all the privileges of the role that are asscociated
> > with.
> > > Thanks!
> > >
> > > Best,
> > > Hao
> > >
> > > On Tue, Mar 22, 2016 at 10:22 AM, Bhooshan Mogal <
> > [email protected]
> > > >
> > > wrote:
> > >
> > > > Hi Folks,
> > > >
> > > > I have the following use-case and wanted to hear the community's
> > thoughts
> > > > on whether its already possible with Apache Sentry or even if we
> should
> > > add
> > > > such a feature in future:
> > > >
> > > > When a principal creates an entity in my system (and he is authorized
> > to
> > > do
> > > > so), I want to make him the owner of that entity. In other words, I
> > want
> > > to
> > > > grant him privileges to read, write and administer that entity, if if
> > the
> > > > authorization check for the create operation succeeds, and creation
> is
> > > > successful.
> > > >
> > > > The problem with this today is that to check if he is authorized, I
> > pass
> > > in
> > > > a user name. To grant him all the privileges if the operation was
> > > > successful, I need to grant it to a role in Sentry. I know there has
> > been
> > > > discussion about have user/group level access control in Sentry, but
> > > until
> > > > that happens, I am unclear about how I should map that user name to a
> > > role,
> > > > given that a single user may have multiple roles.
> > > >
> > > > In the worst case, I could grant privileges to all his roles, but
> seems
> > > > like this could open up a security loophole? I had some initial ideas
> > > about
> > > > perhaps something like a default role for a user, but I'm not sure if
> > > > Sentry supports that model.
> > > >
> > > > Appreciate any thoughts on this use case,
> > > > -
> > > > Bhooshan
> > > >
> > >
> >
> >
> >
> > --
> > Bhooshan
> >
>



-- 
Bhooshan

Reply via email to