Sasha, I have looked into how to complete the user-based privilege for a while, and can commit to implement it. I can work with Kalyan to create a design doc for user-based privilege.
Thanks,
Lina

On Thu, Jan 25, 2018 at 1:35 PM, Na Li <lina...@cloudera.com> wrote:

> Sasha,
>
> The current user-based privilege is missing some items:
>
> - Sentry policy has two service APIs: SentryPolicyService and SentryGenericPolicyService. The current implementation does not support user-based privilege for SentryGenericPolicyService.
> - SENTRY-2091: User-based Privilege is broken by SENTRY-769. The patch is available for review.
> - Name Node needs changes to generate ACLs using user privilege.
>   - The full snapshot update only contains the authorization-to-roles mapping and the role-to-group mapping. *Need to add the role-to-user mapping in* SentryStore.retrieveFullRoleImageCore.
>   - The delta updates are taken from table SENTRY_PERM_CHANGE, which does not distinguish group-based permission from user-based permission. No change is needed.
>   - The user changes to a role are not included when sending a delta update from Sentry to NN. *Need to add AddUsers and DropUsers in TRoleChanges*.
>   - Sentry only creates ACLs for groups, with ACL type AclEntryType.GROUP. *Need to add code to create ACLs with type* AclEntryType.USER.
>     - SentryINodeAttributesProvider.checkPermission -> FSPermissionChecker.checkPermission -> SentryINodeAttributesProvider.getAclFeature -> SentryAuthorizationInfo.getAclEntries -> SentryPermissions.constructAclEntry
> - SentryStore.grantOptionCheck() has to be changed to find user-level privilege.
>
> Thanks,
>
> Lina
>
> On Thu, Jan 25, 2018 at 1:13 PM, Sergio Pena <sergio.p...@cloudera.com> wrote:
>
>> There is a section on the Wiki about roadmap ideas and JIRAs already created:
>> https://cwiki.apache.org/confluence/display/SENTRY/Sentry+Roadmap+and+ideas
>>
>> I'm interested in having user-level privileges and special user privileges for object owners.
>>
>> I got this from the link above:
>> SENTRY-1073 User who creates a table should be granted all privileges on it by default
>> SENTRY-1068 Allow user who created a table to have "with grant" over that table by default
>> Creator of a table should have ownership of it (all privileges)
>> Allow privileges to be granted to users directly
>>
>> We should start planning the next Sentry 2.1 release based on the desired features. What about having 2 or 3 features on Sentry 2.1?
>>
>> I vote for:
>> - user-level privileges (currently only granting a user to a role is supported)
>> - default user privileges for object owners
>>
>> Should we start a vote for new features for 2.1?
>>
>> - Sergio
>>
>> On Thu, Jan 25, 2018 at 12:46 PM, Kalyan Kumar Kalvagadda <kkal...@cloudera.com> wrote:
>>
>> > I would like to add something here.
>> >
>> > 1. Current support for user-based privileges allows an admin to grant a role to a user. Ideally, the user-based privileges feature should allow an administrator to grant privileges to individual users directly.
>> >    - I'm working on this to come up with a scope doc.
>> > 2. Currently Sentry stores only grant privileges. This is not flexible. Let's say an administrator wants to grant a role select on all the tables in a database except for a couple of them; he needs to grant individual select privileges for each table.
>> >    1. Implementation should let you add a grant privilege on the database and revoke privileges on the tables within that database.
>> >    2. This needs a new look into the privilege model that Sentry currently has.
>> >
>> > -Kalyan
>> >
>> > On Thu, Jan 25, 2018 at 12:16 PM, Alexander Kolbasov <ak...@cloudera.com> wrote:
>> >
>> > > Good point. There is some support for user-level privileges in 2.0 already - do you think that it is not sufficient and is missing some parts?
>> > >
>> > > Is there anyone reading this who participated in the user-level privileges in Sentry work done earlier? Is there any design doc for this?
>> > >
>> > > - Alex
>> > >
>> > > On Thu, Jan 25, 2018 at 10:11 AM, Na Li <lina...@cloudera.com> wrote:
>> > >
>> > > > Sasha,
>> > > >
>> > > > It would be nice to have more features for Sentry.
>> > > >
>> > > > For example, make user-based privileges work, so a user can be assigned directly to a role instead of through a group.
>> > > >
>> > > > Lina
>> > > >
>> > > > On Thu, Jan 25, 2018 at 11:58 AM, Alexander Kolbasov <ak...@cloudera.com> wrote:
>> > > >
>> > > > > Now that we have the Sentry 2.0 release, I think it is a good time to step back from fixing bugs and immediate problems and start discussions on the roadmap for Sentry going forward. Do we want to just keep it as is and improve things here and there, or do we want to add new features?
>> > > > >
>> > > > > What do people think?
>> > > > >
>> > > > > - Alex