Looks like we have a consensus of doing user-level privileges improvements
for 2.1. Let's see whether anyone wants to add more content.

On Thu, Jan 25, 2018 at 11:38 AM, Na Li <lina...@cloudera.com> wrote:

> Sasha,
>
> I have looked into how to complete the user-based privilege for a while,
> and can commit to implement it. I can work with Kalyan to create a design
> doc for user-based privilege.
>
> Thanks,
>
> Lina
>
> On Thu, Jan 25, 2018 at 1:35 PM, Na Li <lina...@cloudera.com> wrote:
>
> > Sasha,
> >
> > The current user-based privilege missed some items:
> >
> >
> >    - Sentry policy has two service API: SentryPolicyService and
> SentryGenericPolicyService.
> >    The current implementation does not support user-based privilege for
> >    SentryGenericPolicyService
> >    - SENTRY-2091: User-based Privilege is broken by SENTRY-769. The patch
> >    is available for review.
> >    - Name Node need change to generate ACL using user privilege.
> >       - The full snapshot update only contains authorization to roles
> >       mapping and role to group mapping. *Need to add role to user
> >       mapping in* SentryStore.retrieveFullRoleImageCore
> >       - The delta updates are taken from table SENTRY_PERM_CHANGE, which
> >       does not distinguish group based permission or user based
> permission. No
> >       change is needed
> >       - The user changes to a role is not included when sending delta
> >       update from Sentry to NN. *Need to add AddUsers and DropUsers
> >       in TRoleChanges*.
> >       - Sentry only create ACL for group with ACL type
> >       as AclEntryType.GROUP. *Need to add code to create ACL with type
> >       as *AclEntryType.USER
> >       - SentryINodeAttributesProvider.checkPermission
> >          -> FSPermissionChecker.checkPermission ->
> >          SentryINodeAttributesProvider.getAclFeature
> >          -> SentryAuthorizationInfo.getAclEntries -> SentryPermissions.
> >          constructAclEntry
> >       - SentryStore.grantOptionCheck() has to be changed to find user
> >    level privilege.
> >
> > Thanks,
> >
> > Lina
> >
> > On Thu, Jan 25, 2018 at 1:13 PM, Sergio Pena <sergio.p...@cloudera.com>
> > wrote:
> >
> >> There is a section on the Wiki about roadmap ideas and JIRAs already
> >> created:
> >> https://cwiki.apache.org/confluence/display/SENTRY/Sentry+
> >> Roadmap+and+ideas
> >>
> >> I'm interested in having user-level privileges and special user
> privileges
> >> for objects owners.
> >>
> >> I got this from the linked above:
> >>   SENTRY-1073 User who creates a table should be granted all privileges
> on
> >> it by default
> >>   SENTRY-1068 Allow user who created a table to have "with grant" over
> >> that
> >> table by default
> >>   Creator of a table should have ownership of it (all privileges)
> >>   Allow privileges to be granted to users directly
> >>
> >> We should start planning the next Sentry 2.1 release based on the
> desired
> >> features. What about
> >> having 2 or 3 features on Sentry 2.1?
> >>
> >> I vote for:
> >> - user-level privileges (currently grant user to role is only supported)
> >> - default user privileges for objects owners
> >>
> >> Should we start a vote for new features for 2.1?
> >>
> >> - Sergio
> >>
> >> On Thu, Jan 25, 2018 at 12:46 PM, Kalyan Kumar Kalvagadda <
> >> kkal...@cloudera.com> wrote:
> >>
> >> > I would like to add something here.
> >> >
> >> >
> >> >    1. Current support for user-based-privileges allows admin to grant
> a
> >> >    role to user. Ideally, user-based-privileges feature should be
> >> allowing
> >> >    administrator to grant privileges to individual users directly.
> >> >       -  I'm working on this to come up with a scope doc.
> >> >       2. Currently sentry stores only grant privileges. This is not
> >> >    flexible. Let's say an administrator wants to grant role with
> select
> >> on
> >> > the
> >> >    all tables in a database except for couple to them, he needs to
> >> > individual
> >> >    select privileges for each table.
> >> >       1. Implementation should let you add a grant privilege on
> database
> >> >       and revokes privileges on the tables with in that database,
> >> >       2. This needs new look into privilege model that sentry
> currently
> >> > has.
> >> >
> >> >
> >> > -Kalyan
> >> >
> >> >
> >> > -Kalyan
> >> >
> >> > On Thu, Jan 25, 2018 at 12:16 PM, Alexander Kolbasov <
> >> ak...@cloudera.com>
> >> > wrote:
> >> >
> >> > > Good point. There is some support for user-level privileges in 2.0
> >> > already
> >> > > - do you think that it is not sufficient and is missing some parts?
> >> > >
> >> > > Is there anyone reading this who participated in the user-level
> >> > privileges
> >> > > in Sentry work done earlier? Is there any design doc for this?
> >> > >
> >> > > - Alex
> >> > >
> >> > > On Thu, Jan 25, 2018 at 10:11 AM, Na Li <lina...@cloudera.com>
> wrote:
> >> > >
> >> > > > Sasha,
> >> > > >
> >> > > > It would be nice to have more features for sentry.
> >> > > >
> >> > > > For example, make user-based privileges working. So user can
> assign
> >> > user
> >> > > > directly to a role instead of through group.
> >> > > >
> >> > > > Lina
> >> > > >
> >> > > > On Thu, Jan 25, 2018 at 11:58 AM, Alexander Kolbasov <
> >> > ak...@cloudera.com
> >> > > >
> >> > > > wrote:
> >> > > >
> >> > > > > Now that we have Sentry 2.0 release, I think it is a good time
> to
> >> > step
> >> > > > back
> >> > > > > from fixing bugs and immediate problems and start discussions on
> >> > > roadmap
> >> > > > > for Sentry going forward. Do we want to just keep it as is and
> >> > improve
> >> > > > > things here and there or we want to add new features?
> >> > > > >
> >> > > > > What do people think?
> >> > > > >
> >> > > > > - Alex
> >> > > > >
> >> > > >
> >> > >
> >> >
> >>
> >
> >
>

Reply via email to