> On Dec 14, 2016, at 8:46 PM, Lenni Kuff <lsk...@cloudera.com> wrote:
> 
> Thanks for kicking this off Sasha. IMO, a robust Sentry CLI seems super
> important for the project - especially as Sentry support for more
> components comes online. It also helps to allow 3rd party integration with
> Sentry.

I would like to understand this use case a bit better. Do you have some 
specific examples in mind? What I discovered while working on CLI interfaces is 
that the current code assumes that it is dealing with a “well-behaving” client 
where the good behavior isn’t well defined. Just obeying the Thrift protocol is 
triggering various interesting issues (which should be fixed IMO). So for 
applications the API was never thrift but a some Java interfaces. Once you 
start dealing with CLIs (and with 3rd party integrations) it is really 
important to define what exactly is the API - is it defined at the Thrift level 
or at Java interface level.

> Is there a design document / JIRA / other material to review on the new
> CLI?

There isn’t. So far I implemented two Sentry CLIs - one classical command-line 
which is super useful for me (as a developer) and which is written in GO and 
allows easy access to the Thrift protocol itself. Another one (interactive CLI) 
 I wrote mostly to demonstrate client failover for Sentry HA but it is full 
featured (although it only supports Hive model for now)- you can do all CRUD 
operations on roles/privileges/groups and *it goes through the same Java code 
path as all other clients*. My goal was to write the smallest amount of code 
and have a fully working (and useful) version quickly. If there is an interest 
to open this up to a wider audience, we may start a discussion on the design 
choices, e.t.c.

> Given SentryShell is has been in development for this same purpose
> (and has already been released), it would be good to understand the delta
> between the two and motivation for adding a new CLI vs updating
> SentryShell.

I am curious whether anyone has any experience using the SentryShell. I only 
could find this documentation: 
https://cwiki.apache.org/confluence/display/SENTRY/Sentry+Simple+Shell 
<https://cwiki.apache.org/confluence/display/SENTRY/Sentry+Simple+Shell>. While 
I was looking at the implementation of the SentryShell there is very little 
code that I actually used for the interactive shell, so there isn’t much 
intersection. Of course, if we decide to productize the interactive shell it 
makes a lot of sense to unify the two since they are doing, essentially, the 
same thing. But for now their overall organization is completely different.

> Is there a compelling reason to support both? Probably a good
> to get other folks input from the community.

Not really. But I agree that it would be great to hear from people who actually 
use it. That said, I do see an independent value in stand-alone GO-based CLI 
that works directly over Thrift.

> 
> Thanks,
> Lenni

Thanks for your input!

- Alex.

> 
> On Wed, Dec 14, 2016 at 5:19 PM, Alexander Kolbasov <ak...@cloudera.com>
> wrote:
> 
>> Inspired by SentryShell I wrote a prototype of interactive Sentry shell
>> where you have an open session and can issue CRUD commands for
>> roles/groups/privileges. I there any interest in making this integrated
>> into Sentry code base?
>> 

Reply via email to