Thanks Lina!
There is a privilege type called 'URI'. More details can be found here: http://www.cloudera.com/documentation/cdh/5-0-x/CDH5-Security-Guide/cdh5sg_sentry.html. Currently it causes us a lot of manual effort to give URI permission for an HDFS location in Sentry before the table owner can change the table location. It is not acceptable because our pipeline is blocked every time. So we want to disable it by giving everybody URI permission.

We don't use the Sentry HDFS plugin and we disable HDFS sync. Instead we build our own service to apply table privileges to HDFS ACLs. Inside our service, before applying that privilege to HDFS, we check whether the current user has r-w permission on that HDFS path. If not, we abort it. Do you think it is a security concern?

Xinli

________________________________
From: Na Li <lina...@cloudera.com>
Sent: March 11, 2018 15:27
To: dev
Cc: iss...@sentry.apache.org
Subject: Re: URI policies

Xinli,

Do you mean you disabled HDFS sync with Sentry and manually create ACLs in HDFS? If you enabled HDFS sync with Sentry, Sentry privileges will be sent to HDFS and will take effect.

It would be a security concern if you give all users root "/" permission.

Thanks,

Lina

On Fri, Mar 9, 2018 at 3:20 PM, shang xinli <shangxi...@hotmail.com> wrote:

> Hi all,
>
> If all the tables data are stored in HDFS and have ACLs for each group
> controlled, is it still a security concern if I disable AuthorizableType.URI
> permission check by giving all users root '/' permission?
>
> Xinli
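
The pre-check described in the reply at the top of this thread (abort unless the current user has r-w on the HDFS path) is sketched below as an added example; it is not part of the thread and is not Sentry or Hadoop code. It evaluates one path in the documented HDFS ACL order (owner, named user, group entries filtered by the mask, other); `PathAcl`, `has_access`, `may_apply_privilege` and the sample users are hypothetical names, and traverse permission on parent directories is assumed to be checked elsewhere.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

R, W, X = 4, 2, 1  # permission bits, as in rwx

@dataclass
class PathAcl:  # hypothetical model of one path's owner, mode and ACL entries
    owner: str
    group: str
    owner_perm: int
    group_perm: int               # unnamed "group::" entry
    other_perm: int
    mask: Optional[int] = None    # set only when extended ACL entries exist
    named_users: Dict[str, int] = field(default_factory=dict)
    named_groups: Dict[str, int] = field(default_factory=dict)

def has_access(acl: PathAcl, user: str, groups: Set[str], need: int) -> bool:
    """Evaluate `need` in HDFS ACL order: owner, named user, groups, other."""
    if user == acl.owner:
        return (acl.owner_perm & need) == need    # owner entry is never masked
    mask = 7 if acl.mask is None else acl.mask
    if user in acl.named_users:
        return (acl.named_users[user] & mask & need) == need
    matched = [acl.group_perm] if acl.group in groups else []
    matched += [p for g, p in acl.named_groups.items() if g in groups]
    if matched:
        # One matching entry must grant everything; no fall-through to "other".
        return any((p & mask & need) == need for p in matched)
    return (acl.other_perm & need) == need

def may_apply_privilege(acl: PathAcl, user: str, groups: Set[str]) -> bool:
    """The gate from the message: proceed only if the user has read and write."""
    return has_access(acl, user, groups, R | W)

# Constructed sample: the mask r-x strips write from every non-owner entry.
SAMPLE = PathAcl(owner="etl", group="analytics", owner_perm=7, group_perm=7,
                 other_perm=0, mask=R | X, named_users={"alice": 7},
                 named_groups={"ops": R | W})

if __name__ == "__main__":
    for user, groups in [("etl", set()), ("alice", set()), ("bob", {"ops"})]:
        verdict = "apply" if may_apply_privilege(SAMPLE, user, groups) else "abort"
        print(user, verdict)
```

Two cases are easy to get wrong in such a gate: an entry that lists `rwx` can still be read-only once the mask is applied, and a user who matches any group entry is never evaluated against the "other" bits.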