Stephen - can you formulate these in JIRAs so we can add these to the roadmap?
On Thu, Jan 25, 2018 at 12:31 PM, Stephen Moist <mo...@cloudera.com> wrote:
> A few things come to mind.
>
> Improving and expanding on the capabilities of the Sentry CLI. It would
> be good to see all the other services integrate with Sentry in a consistent
> way, along with being able to administer grants/roles/etc. through a common
> framework rather than, say, beeline.
>
> Improving documentation of Sentry's integration, preferably with more
> examples of how to configure services.
>
> Adding access control on database operations such as drop table, insert,
> delete from, update, etc.
>
> I know for sure a feature we need is going to be tag-based attribute
> control for Hive.
>
> These last two ideas would need some reworking to make Sentry more
> flexible to support these, and I'm willing to lead up the latter for tags.
>
> > On Jan 25, 2018, at 2:19 PM, Na Li <lina...@cloudera.com> wrote:
> >
> > https://issues.apache.org/jira/browse/SENTRY-2129 is created to track the
> > development activities for user-based privilege. I will add more sub-tasks
> > to it.
> >
> > On Thu, Jan 25, 2018 at 1:42 PM, Alexander Kolbasov <ak...@cloudera.com> wrote:
> >
> >> Agreed, making 2.1 with just user-level privileges improvements (plus a set
> >> of accumulated bug fixes) sounds reasonable.
> >>
> >> On Thu, Jan 25, 2018 at 11:41 AM, Alexander Kolbasov <ak...@cloudera.com> wrote:
> >>
> >>> Looks like we have a consensus on doing user-level privileges improvements
> >>> for 2.1. Let's see whether anyone wants to add more content.
> >>>
> >>> On Thu, Jan 25, 2018 at 11:38 AM, Na Li <lina...@cloudera.com> wrote:
> >>>
> >>>> Sasha,
> >>>>
> >>>> I have looked into how to complete the user-based privilege for a while,
> >>>> and can commit to implementing it. I can work with Kalyan to create a design
> >>>> doc for user-based privilege.
> >>>>
> >>>> Thanks,
> >>>>
> >>>> Lina
> >>>>
> >>>> On Thu, Jan 25, 2018 at 1:35 PM, Na Li <lina...@cloudera.com> wrote:
> >>>>
> >>>>> Sasha,
> >>>>>
> >>>>> The current user-based privilege missed some items:
> >>>>>
> >>>>> - Sentry policy has two service APIs: SentryPolicyService and
> >>>>>   SentryGenericPolicyService. The current implementation does not
> >>>>>   support user-based privilege for SentryGenericPolicyService.
> >>>>> - SENTRY-2091: User-based Privilege is broken by SENTRY-769. The patch
> >>>>>   is available for review.
> >>>>> - Name Node needs a change to generate ACL using user privilege.
> >>>>> - The full snapshot update only contains authorization to roles
> >>>>>   mapping and role to group mapping. *Need to add role to user
> >>>>>   mapping in* SentryStore.retrieveFullRoleImageCore
> >>>>> - The delta updates are taken from table SENTRY_PERM_CHANGE, which
> >>>>>   does not distinguish group-based permission from user-based
> >>>>>   permission. No change is needed.
> >>>>> - The user changes to a role are not included when sending a delta
> >>>>>   update from Sentry to NN. *Need to add AddUsers and DropUsers
> >>>>>   in TRoleChanges*.
> >>>>> - Sentry only creates ACL for group with ACL type as
> >>>>>   AclEntryType.GROUP. *Need to add code to create ACL with type
> >>>>>   as* AclEntryType.USER
> >>>>> - SentryINodeAttributesProvider.checkPermission
> >>>>>   -> FSPermissionChecker.checkPermission
> >>>>>   -> SentryINodeAttributesProvider.getAclFeature
> >>>>>   -> SentryAuthorizationInfo.getAclEntries
> >>>>>   -> SentryPermissions.constructAclEntry
> >>>>> - SentryStore.grantOptionCheck() has to be changed to find user
> >>>>>   level privilege.
> >>>>>
> >>>>> Thanks,
> >>>>>
> >>>>> Lina
> >>>>>
> >>>>> On Thu, Jan 25, 2018 at 1:13 PM, Sergio Pena <sergio.p...@cloudera.com> wrote:
> >>>>>
> >>>>>> There is a section on the Wiki about roadmap ideas and JIRAs already
> >>>>>> created:
> >>>>>> https://cwiki.apache.org/confluence/display/SENTRY/Sentry+Roadmap+and+ideas
> >>>>>>
> >>>>>> I'm interested in having user-level privileges and special user privileges
> >>>>>> for object owners.
> >>>>>>
> >>>>>> I got this from the link above:
> >>>>>> SENTRY-1073 User who creates a table should be granted all privileges on
> >>>>>> it by default
> >>>>>> SENTRY-1068 Allow user who created a table to have "with grant" over that
> >>>>>> table by default
> >>>>>> Creator of a table should have ownership of it (all privileges)
> >>>>>> Allow privileges to be granted to users directly
> >>>>>>
> >>>>>> We should start planning the next Sentry 2.1 release based on the desired
> >>>>>> features. What about having 2 or 3 features on Sentry 2.1?
> >>>>>>
> >>>>>> I vote for:
> >>>>>> - user-level privileges (currently only grant user to role is supported)
> >>>>>> - default user privileges for object owners
> >>>>>>
> >>>>>> Should we start a vote for new features for 2.1?
> >>>>>>
> >>>>>> - Sergio
> >>>>>>
> >>>>>> On Thu, Jan 25, 2018 at 12:46 PM, Kalyan Kumar Kalvagadda <kkal...@cloudera.com> wrote:
> >>>>>>
> >>>>>>> I would like to add something here.
> >>>>>>>
> >>>>>>> 1. Current support for user-based privileges allows an admin to grant a
> >>>>>>>    role to a user. Ideally, the user-based privileges feature should be
> >>>>>>>    allowing an administrator to grant privileges to individual users directly.
> >>>>>>>    - I'm working on this to come up with a scope doc.
> >>>>>>> 2. Currently sentry stores only grant privileges. This is not
> >>>>>>>    flexible. Let's say an administrator wants to grant a role with select
> >>>>>>>    on all tables in a database except for a couple of them; he needs to
> >>>>>>>    grant individual select privileges for each table.
> >>>>>>>    1. Implementation should let you add a grant privilege on a database
> >>>>>>>       and revoke privileges on the tables within that database.
> >>>>>>>    2. This needs a new look into the privilege model that sentry
> >>>>>>>       currently has.
> >>>>>>>
> >>>>>>> -Kalyan
> >>>>>>>
> >>>>>>> On Thu, Jan 25, 2018 at 12:16 PM, Alexander Kolbasov <ak...@cloudera.com> wrote:
> >>>>>>>
> >>>>>>>> Good point. There is some support for user-level privileges in 2.0
> >>>>>>>> already - do you think that it is not sufficient and is missing some parts?
> >>>>>>>>
> >>>>>>>> Is there anyone reading this who participated in the user-level privileges
> >>>>>>>> in Sentry work done earlier? Is there any design doc for this?
> >>>>>>>>
> >>>>>>>> - Alex
> >>>>>>>>
> >>>>>>>> On Thu, Jan 25, 2018 at 10:11 AM, Na Li <lina...@cloudera.com> wrote:
> >>>>>>>>
> >>>>>>>>> Sasha,
> >>>>>>>>>
> >>>>>>>>> It would be nice to have more features for sentry.
> >>>>>>>>>
> >>>>>>>>> For example, make user-based privileges work, so a user can assign a user
> >>>>>>>>> directly to a role instead of through a group.
> >>>>>>>>>
> >>>>>>>>> Lina
> >>>>>>>>>
> >>>>>>>>> On Thu, Jan 25, 2018 at 11:58 AM, Alexander Kolbasov <ak...@cloudera.com> wrote:
> >>>>>>>>>
> >>>>>>>>>> Now that we have the Sentry 2.0 release, I think it is a good time to step
> >>>>>>>>>> back from fixing bugs and immediate problems and start discussions on the
> >>>>>>>>>> roadmap for Sentry going forward. Do we want to just keep it as is and
> >>>>>>>>>> improve things here and there, or do we want to add new features?
> >>>>>>>>>>
> >>>>>>>>>> What do people think?
> >>>>>>>>>>
> >>>>>>>>>> - Alex
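Kalyan's second point in the quoted thread (a grant-only store forces an administrator to enumerate every allowed table when the intent is "SELECT on all tables except a couple") is easy to see in a toy model. The block below is an added example, not Sentry's code or data model; the class names, the `Privilege` shape and the sample database are hypothetical and constructed for illustration. It stores the same intent two ways, counts the entries each needs, and then checks what happens to a table created after the policy was written.

```python
"""Constructed example: "SELECT on every table in a database except a few"
expressed in a grant-only store versus a grant-plus-revoke store.
Hypothetical model for illustration; not Sentry's own code or schema."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set


@dataclass(frozen=True)
class Privilege:
    """One stored entry. table=None means the entry covers the whole database."""
    action: str
    db: str
    table: Optional[str] = None

    def matches(self, action: str, db: str, table: str) -> bool:
        """True if this entry covers the requested action on db.table."""
        return self.action == action and self.db == db and self.table in (None, table)


class GrantOnlyStore:
    """Positive grants only (what the thread says Sentry stores today).
    A database-level grant implies every table, so an exception can only be
    expressed by granting each allowed table individually."""

    def __init__(self) -> None:
        self.grants: Dict[str, Set[Privilege]] = {}

    def grant(self, role: str, priv: Privilege) -> None:
        self.grants.setdefault(role, set()).add(priv)

    def entry_count(self) -> int:
        return sum(len(p) for p in self.grants.values())

    def allows(self, role: str, action: str, db: str, table: str) -> bool:
        return any(p.matches(action, db, table) for p in self.grants.get(role, ()))


class GrantRevokeStore(GrantOnlyStore):
    """Adds stored revokes. A revoke on a narrower object is an exception to a
    broader grant: any matching revoke denies, whatever the grants say."""

    def __init__(self) -> None:
        super().__init__()
        self.revokes: Dict[str, Set[Privilege]] = {}

    def revoke(self, role: str, priv: Privilege) -> None:
        self.revokes.setdefault(role, set()).add(priv)

    def entry_count(self) -> int:
        return super().entry_count() + sum(len(p) for p in self.revokes.values())

    def allows(self, role: str, action: str, db: str, table: str) -> bool:
        if any(p.matches(action, db, table) for p in self.revokes.get(role, ())):
            return False  # explicit exception wins over the database-level grant
        return super().allows(role, action, db, table)


def build_grant_only(role: str, db: str, tables: Iterable[str], excluded: Set[str]) -> GrantOnlyStore:
    """Grant-only model: one SELECT grant per allowed table."""
    store = GrantOnlyStore()
    for t in tables:
        if t not in excluded:
            store.grant(role, Privilege("select", db, t))
    return store


def build_grant_revoke(role: str, db: str, tables: Iterable[str], excluded: Set[str]) -> GrantRevokeStore:
    """Exception model: one database-level grant plus one revoke per excluded table."""
    store = GrantRevokeStore()
    store.grant(role, Privilege("select", db))
    for t in excluded:
        store.revoke(role, Privilege("select", db, t))
    return store


# Constructed sample: a database of 20 tables, two of which the role must not read.
DB = "sales"
TABLES = [f"t{i:02d}" for i in range(1, 21)]
EXCLUDED = {"t05", "t17"}

if __name__ == "__main__":
    only = build_grant_only("analyst", DB, TABLES, EXCLUDED)
    exc = build_grant_revoke("analyst", DB, TABLES, EXCLUDED)
    print("entries:", only.entry_count(), "vs", exc.entry_count())
    for t in ("t01", "t05", "t21"):  # t21 does not exist when the policy is written
        print(t, only.allows("analyst", "select", DB, t), exc.allows("analyst", "select", DB, t))
```

The policy shrinks from 18 entries to 3, which is the flexibility Kalyan is after, but the last loop shows the trade-off a reviewer should keep in mind: under the exception model a table created later (`t21` here) is readable by the role the moment it exists, because the database-level grant covers it and no revoke names it, whereas the grant-only model denies it until someone grants it. Whichever model Sentry adopts, the audit question changes from "which tables were granted?" to "which tables were forgotten in the revoke list?".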