So we have this interactive Sentry shell that is lying around in a branch (akolb-ha-cli). I think that it would be useful to make it generally available in master - are there any opinions about that?
On Wed, Dec 14, 2016 at 9:42 PM Alexander Kolbasov <ak...@cloudera.com> wrote: > On Dec 14, 2016, at 8:46 PM, Lenni Kuff <lsk...@cloudera.com> wrote: > > Thanks for kicking this off Sasha. IMO, a robust Sentry CLI seems super > important for the project - especially as Sentry support for more > components comes online. It also helps to allow 3rd party integration with > Sentry. > > > I would like to understand this use case a bit better. Do you have some > specific examples in mind? What I discovered while working on CLI > interfaces is that the current code assumes that it is dealing with a > “well-behaving” client where the good behavior isn’t well defined. Just > obeying the Thrift protocol is triggering various interesting issues (which > should be fixed IMO). So for applications the API was never thrift but a > some Java interfaces. Once you start dealing with CLIs (and with 3rd party > integrations) it is really important to define what exactly is the API - is > it defined at the Thrift level or at Java interface level. > > Is there a design document / JIRA / other material to review on the new > CLI? > > > There isn’t. So far I implemented two Sentry CLIs - one classical > command-line which is super useful for me (as a developer) and which is > written in GO and allows easy access to the Thrift protocol itself. Another > one (interactive CLI) I wrote mostly to demonstrate client failover for > Sentry HA but it is full featured (although it only supports Hive model for > now)- you can do all CRUD operations on roles/privileges/groups and *it > goes through the same Java code path as all other clients*. My goal was to > write the smallest amount of code and have a fully working (and useful) > version quickly. If there is an interest to open this up to a wider > audience, we may start a discussion on the design choices, e.t.c. > > Given SentryShell is has been in development for this same purpose > (and has already been released), it would be good to understand the delta > between the two and motivation for adding a new CLI vs updating > SentryShell. > > > I am curious whether anyone has any experience using the SentryShell. I > only could find this documentation: > https://cwiki.apache.org/confluence/display/SENTRY/Sentry+Simple+Shell. > While I was looking at the implementation of the SentryShell there is very > little code that I actually used for the interactive shell, so there isn’t > much intersection. Of course, if we decide to productize the interactive > shell it makes a lot of sense to unify the two since they are doing, > essentially, the same thing. But for now their overall organization is > completely different. > > Is there a compelling reason to support both? Probably a good > to get other folks input from the community. > > > Not really. But I agree that it would be great to hear from people who > actually use it. That said, I do see an independent value in stand-alone > GO-based CLI that works directly over Thrift. > > > Thanks, > Lenni > > > Thanks for your input! > > - Alex. > > > On Wed, Dec 14, 2016 at 5:19 PM, Alexander Kolbasov <ak...@cloudera.com> > wrote: > > Inspired by SentryShell I wrote a prototype of interactive Sentry shell > where you have an open session and can issue CRUD commands for > roles/groups/privileges. I there any interest in making this integrated > into Sentry code base? > >
