Lina - would it make sense to create uber-JIRA for ULP, mark it with "roadmap" keyword and start putting some of these as subtasks?
On Thu, Jan 25, 2018 at 11:35 AM, Na Li <lina...@cloudera.com> wrote: > Sasha, > > The current user-based privilege missed some items: > > > - Sentry policy has two service API: SentryPolicyService > and SentryGenericPolicyService. The current implementation does not > support > user-based privilege for SentryGenericPolicyService > - SENTRY-2091: User-based Privilege is broken by SENTRY-769. The patch > is available for review. > - Name Node need change to generate ACL using user privilege. > - The full snapshot update only contains authorization to roles > mapping and role to group mapping. *Need to add role to user mapping > in* SentryStore.retrieveFullRoleImageCore > - The delta updates are taken from table SENTRY_PERM_CHANGE, which > does not distinguish group based permission or user based > permission. No > change is needed > - The user changes to a role is not included when sending delta > update from Sentry to NN. *Need to add AddUsers and DropUsers > in TRoleChanges*. > - Sentry only create ACL for group with ACL type > as AclEntryType.GROUP. *Need to add code to create ACL with type as * > AclEntryType.USER > - SentryINodeAttributesProvider.checkPermission > -> FSPermissionChecker.checkPermission > -> SentryINodeAttributesProvider.getAclFeature > -> SentryAuthorizationInfo.getAclEntries > -> SentryPermissions.constructAclEntry > - SentryStore.grantOptionCheck() has to be changed to find user level > privilege. > > Thanks, > > Lina > > On Thu, Jan 25, 2018 at 1:13 PM, Sergio Pena <sergio.p...@cloudera.com> > wrote: > > > There is a section on the Wiki about roadmap ideas and JIRAs already > > created: > > https://cwiki.apache.org/confluence/display/SENTRY/ > > Sentry+Roadmap+and+ideas > > > > I'm interested in having user-level privileges and special user > privileges > > for objects owners. > > > > I got this from the linked above: > > SENTRY-1073 User who creates a table should be granted all privileges > on > > it by default > > SENTRY-1068 Allow user who created a table to have "with grant" over > that > > table by default > > Creator of a table should have ownership of it (all privileges) > > Allow privileges to be granted to users directly > > > > We should start planning the next Sentry 2.1 release based on the desired > > features. What about > > having 2 or 3 features on Sentry 2.1? > > > > I vote for: > > - user-level privileges (currently grant user to role is only supported) > > - default user privileges for objects owners > > > > Should we start a vote for new features for 2.1? > > > > - Sergio > > > > On Thu, Jan 25, 2018 at 12:46 PM, Kalyan Kumar Kalvagadda < > > kkal...@cloudera.com> wrote: > > > > > I would like to add something here. > > > > > > > > > 1. Current support for user-based-privileges allows admin to grant a > > > role to user. Ideally, user-based-privileges feature should be > > allowing > > > administrator to grant privileges to individual users directly. > > > - I'm working on this to come up with a scope doc. > > > 2. Currently sentry stores only grant privileges. This is not > > > flexible. Let's say an administrator wants to grant role with select > > on > > > the > > > all tables in a database except for couple to them, he needs to > > > individual > > > select privileges for each table. > > > 1. Implementation should let you add a grant privilege on > database > > > and revokes privileges on the tables with in that database, > > > 2. This needs new look into privilege model that sentry currently > > > has. > > > > > > > > > -Kalyan > > > > > > > > > -Kalyan > > > > > > On Thu, Jan 25, 2018 at 12:16 PM, Alexander Kolbasov < > ak...@cloudera.com > > > > > > wrote: > > > > > > > Good point. There is some support for user-level privileges in 2.0 > > > already > > > > - do you think that it is not sufficient and is missing some parts? > > > > > > > > Is there anyone reading this who participated in the user-level > > > privileges > > > > in Sentry work done earlier? Is there any design doc for this? > > > > > > > > - Alex > > > > > > > > On Thu, Jan 25, 2018 at 10:11 AM, Na Li <lina...@cloudera.com> > wrote: > > > > > > > > > Sasha, > > > > > > > > > > It would be nice to have more features for sentry. > > > > > > > > > > For example, make user-based privileges working. So user can assign > > > user > > > > > directly to a role instead of through group. > > > > > > > > > > Lina > > > > > > > > > > On Thu, Jan 25, 2018 at 11:58 AM, Alexander Kolbasov < > > > ak...@cloudera.com > > > > > > > > > > wrote: > > > > > > > > > > > Now that we have Sentry 2.0 release, I think it is a good time to > > > step > > > > > back > > > > > > from fixing bugs and immediate problems and start discussions on > > > > roadmap > > > > > > for Sentry going forward. Do we want to just keep it as is and > > > improve > > > > > > things here and there or we want to add new features? > > > > > > > > > > > > What do people think? > > > > > > > > > > > > - Alex > > > > > > > > > > > > > > > > > > > > >