Agreed, making 2.1 with just user-level privileges improvements (plus set
of accumulated bug fixes) sounds reasonable.

On Thu, Jan 25, 2018 at 11:41 AM, Alexander Kolbasov <ak...@cloudera.com>
wrote:

> Looks like we have a consensus of doing user-level privileges improvements
> for 2.1. Let's see whether anyone wants to add more content.
>
> On Thu, Jan 25, 2018 at 11:38 AM, Na Li <lina...@cloudera.com> wrote:
>
>> Sasha,
>>
>> I have looked into how to complete the user-based privilege for a while,
>> and can commit to implement it. I can work with Kalyan to create a design
>> doc for user-based privilege.
>>
>> Thanks,
>>
>> Lina
>>
>> On Thu, Jan 25, 2018 at 1:35 PM, Na Li <lina...@cloudera.com> wrote:
>>
>> > Sasha,
>> >
>> > The current user-based privilege misses some items:
>> >
>> >    - Sentry policy has two service APIs: SentryPolicyService and
>> >      SentryGenericPolicyService. The current implementation does not
>> >      support user-based privilege for SentryGenericPolicyService.
>> >    - SENTRY-2091: User-based Privilege is broken by SENTRY-769. The
>> >      patch is available for review.
>> >    - Name Node needs changes to generate ACLs using user privilege.
>> >       - The full snapshot update only contains authorization to roles
>> >         mapping and role to group mapping. *Need to add role to user
>> >         mapping in* SentryStore.retrieveFullRoleImageCore
>> >       - The delta updates are taken from table SENTRY_PERM_CHANGE, which
>> >         does not distinguish group based permission or user based
>> >         permission. No change is needed.
>> >       - The user changes to a role are not included when sending delta
>> >         updates from Sentry to NN. *Need to add AddUsers and DropUsers
>> >         in TRoleChanges*.
>> >       - Sentry only creates ACLs for groups, with ACL type
>> >         AclEntryType.GROUP. *Need to add code to create ACLs with type*
>> >         AclEntryType.USER
>> >       - SentryINodeAttributesProvider.checkPermission
>> >         -> FSPermissionChecker.checkPermission
>> >         -> SentryINodeAttributesProvider.getAclFeature
>> >         -> SentryAuthorizationInfo.getAclEntries
>> >         -> SentryPermissions.constructAclEntry
>> >       - SentryStore.grantOptionCheck() has to be changed to find user
>> >         level privilege.
>> >
>> > Thanks,
>> >
>> > Lina
>> >
>> > On Thu, Jan 25, 2018 at 1:13 PM, Sergio Pena <sergio.p...@cloudera.com>
>> > wrote:
>> >
>> >> There is a section on the Wiki about roadmap ideas and JIRAs already
>> >> created:
>> >> https://cwiki.apache.org/confluence/display/SENTRY/Sentry+Roadmap+and+ideas
>> >>
>> >> I'm interested in having user-level privileges and special user
>> >> privileges for object owners.
>> >>
>> >> I got this from the link above:
>> >>   SENTRY-1073 User who creates a table should be granted all
>> >>   privileges on it by default
>> >>   SENTRY-1068 Allow user who created a table to have "with grant" over
>> >>   that table by default
>> >>   Creator of a table should have ownership of it (all privileges)
>> >>   Allow privileges to be granted to users directly
>> >>
>> >> We should start planning the next Sentry 2.1 release based on the
>> >> desired features. What about having 2 or 3 features on Sentry 2.1?
>> >>
>> >> I vote for:
>> >> - user-level privileges (currently only granting a user to a role is
>> >>   supported)
>> >> - default user privileges for object owners
>> >>
>> >> Should we start a vote for new features for 2.1?
>> >>
>> >> - Sergio
>> >>
>> >> On Thu, Jan 25, 2018 at 12:46 PM, Kalyan Kumar Kalvagadda <
>> >> kkal...@cloudera.com> wrote:
>> >>
>> >> > I would like to add something here.
>> >> >
>> >> >    1. Current support for user-based-privileges allows an admin to
>> >> >       grant a role to a user. Ideally, the user-based-privileges
>> >> >       feature should allow an administrator to grant privileges to
>> >> >       individual users directly.
>> >> >       - I'm working on this to come up with a scope doc.
>> >> >    2. Currently Sentry stores only grant privileges. This is not
>> >> >       flexible. Let's say an administrator wants to grant a role
>> >> >       select on all the tables in a database except for a couple of
>> >> >       them; he needs to grant individual select privileges for each
>> >> >       table.
>> >> >       1. The implementation should let you add a grant privilege on
>> >> >          the database and revoke privileges on the tables within
>> >> >          that database.
>> >> >       2. This needs a new look into the privilege model that Sentry
>> >> >          currently has.
>> >> >
>> >> >
>> >> > -Kalyan
>> >> >
>> >> > On Thu, Jan 25, 2018 at 12:16 PM, Alexander Kolbasov <ak...@cloudera.com>
>> >> > wrote:
>> >> >
>> >> > > Good point. There is some support for user-level privileges in 2.0
>> >> > > already - do you think that it is not sufficient and is missing
>> >> > > some parts?
>> >> > >
>> >> > > Is there anyone reading this who participated in the user-level
>> >> > > privileges in Sentry work done earlier? Is there any design doc for
>> >> > > this?
>> >> > >
>> >> > > - Alex
>> >> > >
>> >> > > On Thu, Jan 25, 2018 at 10:11 AM, Na Li <lina...@cloudera.com> wrote:
>> >> > >
>> >> > > > Sasha,
>> >> > > >
>> >> > > > It would be nice to have more features for Sentry.
>> >> > > >
>> >> > > > For example, make user-based privileges work, so a user can
>> >> > > > assign a user directly to a role instead of through a group.
>> >> > > >
>> >> > > > Lina
>> >> > > >
>> >> > > > On Thu, Jan 25, 2018 at 11:58 AM, Alexander Kolbasov <ak...@cloudera.com>
>> >> > > > wrote:
>> >> > > >
>> >> > > > > Now that we have the Sentry 2.0 release, I think it is a good
>> >> > > > > time to step back from fixing bugs and immediate problems and
>> >> > > > > start discussions on the roadmap for Sentry going forward. Do we
>> >> > > > > want to just keep it as is and improve things here and there, or
>> >> > > > > do we want to add new features?
>> >> > > > >
>> >> > > > > What do people think?
>> >> > > > >
>> >> > > > > - Alex
>> >> > > > >
>> >> > > >
>> >> > >
>> >> >
>> >>
>> >
>> >
>>
>
>
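The thread above raises three concrete design points: privileges that reach a user without any group (user-to-role in 2.0, direct user grants as proposed) must end up as USER rather than GROUP ACL entries on the HDFS side, and a full snapshot carrying only role-to-group mapping silently drops such users; the grant-option check has to look at user-level privileges; and Kalyan's "select on the whole database except a couple of tables" needs a negative (revoke) entry in the privilege model or it degenerates into one grant per table. The following is an added toy model written for this page to make those points concrete. It is not Sentry code, calls no Sentry or HDFS API, and every name in it (the PolicyStore fields, the `negative` flag, the users, groups, roles and tables) is constructed for illustration.

```python
"""Toy model of the privilege-resolution points raised in this thread.
Constructed for illustration only; it is NOT Apache Sentry code and calls no
Sentry API.  It models group->role, user->role (Sentry 2.0) and direct
user->privilege (proposed) paths, GROUP vs USER ACL entries for HDFS sync,
a hypothetical negative (revoke) privilege, and a grant-option check."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

ALL_ACTIONS: FrozenSet[str] = frozenset({"select", "insert"})

@dataclass(frozen=True)
class Privilege:
    db: str
    table: Optional[str]        # None = the whole database
    action: str                 # "select", "insert" or "all"
    grant_option: bool = False
    negative: bool = False      # hypothetical explicit revoke (not in Sentry)

@dataclass
class PolicyStore:
    role_privs: Dict[str, Set[Privilege]] = field(default_factory=dict)
    group_roles: Dict[str, Set[str]] = field(default_factory=dict)       # Sentry
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)        # Sentry 2.0
    user_privs: Dict[str, Set[Privilege]] = field(default_factory=dict)  # proposed
    user_groups: Dict[str, Set[str]] = field(default_factory=dict)       # OS/LDAP, not Sentry

def _covers(p: Privilege, db: str, table: Optional[str]) -> bool:
    return p.db == db and (p.table is None or p.table == table)

def _expand(action: str) -> FrozenSet[str]:
    return ALL_ACTIONS if action == "all" else frozenset({action})

def _actions(privs: Set[Privilege], db: str, table: str) -> Set[str]:
    """Allowed actions on db.table: positive grants minus negative ones."""
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for p in privs:
        if _covers(p, db, table):
            (denied if p.negative else allowed).update(_expand(p.action))
    return allowed - denied

def privileges_of(store: PolicyStore, user: str) -> Set[Privilege]:
    """Every privilege reaching `user` through any of the three paths."""
    roles = set(store.user_roles.get(user, set()))
    for g in store.user_groups.get(user, set()):
        roles |= store.group_roles.get(g, set())
    privs = set(store.user_privs.get(user, set()))
    for r in roles:
        privs |= store.role_privs.get(r, set())
    return privs

def effective_actions(store: PolicyStore, user: str, db: str, table: str) -> Set[str]:
    return _actions(privileges_of(store, user), db, table)

def acl_entries(store: PolicyStore, db: str, table: str,
                include_user_role_mapping: bool = True) -> List[Tuple[str, str]]:
    """ACL entries the NameNode side would set on the table's path.
    Group-derived access becomes a GROUP entry (HDFS resolves membership);
    access reaching a user without a group needs a USER entry.  With
    include_user_role_mapping=False the snapshot carries only role->group,
    the gap described in the thread, and users like bob silently vanish."""
    entries: Set[Tuple[str, str]] = set()
    for g, roles in store.group_roles.items():
        privs = set().union(*(store.role_privs.get(r, set()) for r in roles))
        if _actions(privs, db, table):
            entries.add(("GROUP", g))
    users = set(store.user_privs)
    if include_user_role_mapping:
        users |= set(store.user_roles)
    for u in users:
        privs = set(store.user_privs.get(u, set()))
        if include_user_role_mapping:
            for r in store.user_roles.get(u, set()):
                privs |= store.role_privs.get(r, set())
        if _actions(privs, db, table):
            entries.add(("USER", u))
    return sorted(entries)

def can_grant(store: PolicyStore, grantor: str, wanted: Privilege) -> bool:
    """Grant-option check that also sees user-level privileges."""
    return any(_covers(p, wanted.db, wanted.table) and p.grant_option
               and not p.negative and _expand(wanted.action) <= _expand(p.action)
               for p in privileges_of(store, grantor))

def build_sample_store() -> PolicyStore:
    """Constructed sample data: database 'sales' with tables orders/salaries."""
    s = PolicyStore()
    s.role_privs["analyst"] = {Privilege("sales", None, "select"),  # whole db ...
                               Privilege("sales", "salaries", "select", negative=True)}  # ... except salaries
    s.role_privs["dba"] = {Privilege("sales", None, "all", grant_option=True)}
    s.group_roles = {"finance": {"analyst"}, "admins": {"dba"}}
    s.user_groups = {"alice": {"finance"}, "dave": {"admins"}}
    s.user_roles = {"bob": {"analyst"}}    # user assigned to a role, no group involved
    s.user_privs = {"carol": {Privilege("sales", "orders", "insert", grant_option=True)}}
    return s

if __name__ == "__main__":
    st = build_sample_store()
    for u in ("alice", "bob", "carol", "dave"):
        print(u, sorted(effective_actions(st, u, "sales", "orders")),
              sorted(effective_actions(st, u, "sales", "salaries")))
    print("orders ACL:", acl_entries(st, "sales", "orders"))
    print("orders ACL, role->user dropped:", acl_entries(st, "sales", "orders", False))
```

Running it shows the two failure modes a reviewer of the 2.1 work would want tests for: with the role-to-user mapping left out of the snapshot, bob keeps his privilege in the policy store but gets no USER entry on the table path, so the HDFS side denies what Sentry allows; and without the negative entry the analyst role would need one grant per table to exclude salaries. The grant-option check deliberately walks the same three paths as the privilege lookup, so a direct user grant with grant option (carol) can be delegated while a plain role-derived privilege (alice) cannot.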
