Looks like we have a consensus of doing user-level privileges improvements for 2.1. Let's see whether anyone wants to add more content.
On Thu, Jan 25, 2018 at 11:38 AM, Na Li <lina...@cloudera.com> wrote: > Sasha, > > I have looked into how to complete the user-based privilege for a while, > and can commit to implement it. I can work with Kalyan to create a design > doc for user-based privilege. > > Thanks, > > Lina > > On Thu, Jan 25, 2018 at 1:35 PM, Na Li <lina...@cloudera.com> wrote: > > > Sasha, > > > > The current user-based privilege missed some items: > > > > > > - Sentry policy has two service API: SentryPolicyService and > SentryGenericPolicyService. > > The current implementation does not support user-based privilege for > > SentryGenericPolicyService > > - SENTRY-2091: User-based Privilege is broken by SENTRY-769. The patch > > is available for review. > > - Name Node need change to generate ACL using user privilege. > > - The full snapshot update only contains authorization to roles > > mapping and role to group mapping. *Need to add role to user > > mapping in* SentryStore.retrieveFullRoleImageCore > > - The delta updates are taken from table SENTRY_PERM_CHANGE, which > > does not distinguish group based permission or user based > permission. No > > change is needed > > - The user changes to a role is not included when sending delta > > update from Sentry to NN. *Need to add AddUsers and DropUsers > > in TRoleChanges*. > > - Sentry only create ACL for group with ACL type > > as AclEntryType.GROUP. *Need to add code to create ACL with type > > as *AclEntryType.USER > > - SentryINodeAttributesProvider.checkPermission > > -> FSPermissionChecker.checkPermission -> > > SentryINodeAttributesProvider.getAclFeature > > -> SentryAuthorizationInfo.getAclEntries -> SentryPermissions. > > constructAclEntry > > - SentryStore.grantOptionCheck() has to be changed to find user > > level privilege. > > > > Thanks, > > > > Lina > > > > On Thu, Jan 25, 2018 at 1:13 PM, Sergio Pena <sergio.p...@cloudera.com> > > wrote: > > > >> There is a section on the Wiki about roadmap ideas and JIRAs already > >> created: > >> https://cwiki.apache.org/confluence/display/SENTRY/Sentry+ > >> Roadmap+and+ideas > >> > >> I'm interested in having user-level privileges and special user > privileges > >> for objects owners. > >> > >> I got this from the linked above: > >> SENTRY-1073 User who creates a table should be granted all privileges > on > >> it by default > >> SENTRY-1068 Allow user who created a table to have "with grant" over > >> that > >> table by default > >> Creator of a table should have ownership of it (all privileges) > >> Allow privileges to be granted to users directly > >> > >> We should start planning the next Sentry 2.1 release based on the > desired > >> features. What about > >> having 2 or 3 features on Sentry 2.1? > >> > >> I vote for: > >> - user-level privileges (currently grant user to role is only supported) > >> - default user privileges for objects owners > >> > >> Should we start a vote for new features for 2.1? > >> > >> - Sergio > >> > >> On Thu, Jan 25, 2018 at 12:46 PM, Kalyan Kumar Kalvagadda < > >> kkal...@cloudera.com> wrote: > >> > >> > I would like to add something here. > >> > > >> > > >> > 1. Current support for user-based-privileges allows admin to grant > a > >> > role to user. Ideally, user-based-privileges feature should be > >> allowing > >> > administrator to grant privileges to individual users directly. > >> > - I'm working on this to come up with a scope doc. > >> > 2. Currently sentry stores only grant privileges. This is not > >> > flexible. Let's say an administrator wants to grant role with > select > >> on > >> > the > >> > all tables in a database except for couple to them, he needs to > >> > individual > >> > select privileges for each table. > >> > 1. Implementation should let you add a grant privilege on > database > >> > and revokes privileges on the tables with in that database, > >> > 2. This needs new look into privilege model that sentry > currently > >> > has. > >> > > >> > > >> > -Kalyan > >> > > >> > > >> > -Kalyan > >> > > >> > On Thu, Jan 25, 2018 at 12:16 PM, Alexander Kolbasov < > >> ak...@cloudera.com> > >> > wrote: > >> > > >> > > Good point. There is some support for user-level privileges in 2.0 > >> > already > >> > > - do you think that it is not sufficient and is missing some parts? > >> > > > >> > > Is there anyone reading this who participated in the user-level > >> > privileges > >> > > in Sentry work done earlier? Is there any design doc for this? > >> > > > >> > > - Alex > >> > > > >> > > On Thu, Jan 25, 2018 at 10:11 AM, Na Li <lina...@cloudera.com> > wrote: > >> > > > >> > > > Sasha, > >> > > > > >> > > > It would be nice to have more features for sentry. > >> > > > > >> > > > For example, make user-based privileges working. So user can > assign > >> > user > >> > > > directly to a role instead of through group. > >> > > > > >> > > > Lina > >> > > > > >> > > > On Thu, Jan 25, 2018 at 11:58 AM, Alexander Kolbasov < > >> > ak...@cloudera.com > >> > > > > >> > > > wrote: > >> > > > > >> > > > > Now that we have Sentry 2.0 release, I think it is a good time > to > >> > step > >> > > > back > >> > > > > from fixing bugs and immediate problems and start discussions on > >> > > roadmap > >> > > > > for Sentry going forward. Do we want to just keep it as is and > >> > improve > >> > > > > things here and there or we want to add new features? > >> > > > > > >> > > > > What do people think? > >> > > > > > >> > > > > - Alex > >> > > > > > >> > > > > >> > > > >> > > >> > > > > >