Hi all, The blog is published on the Apache Sentry blog now.
Thanks! On Mon, Dec 2, 2013 at 2:04 PM, Sravya Tirukkovalur <[email protected]>wrote: > Thank you Greg for reviewing! > > Responses inline. > > > On Mon, Dec 2, 2013 at 12:35 PM, Gregory Chanan <[email protected]>wrote: > >> Some comments below on the blog below -- I haven't watched the video yet. >> I think this is very good. >> >> >>> "Sentry currently uses a file-based policy provider. And, you can link >> a global policy file to multiple dependent per database policy files" >> I think some more exposition here would be useful -- users may not know >> what a policy provider is. Maybe something like: >> "Access control to Hive is currently defined by what Sentry calls policy >> providers. Sentry currently supports a file-based policy provider; see >> below for an example. A single global policy provider can be used to >> control access to an entire HiveServer2 instance, or multiple dependent >> per >> database policy providers can be linked to the global one." >> >> Sounds good, added more details on policy provider. > > >> >>> "Sentry provides authorization through a hook in HiveServer2" >> I'm not a hive expert -- will all hive users know what a "hook" is? Maybe >> you should define this as well. >> >> I do not think Hive hooks are any different from usual CS technique of > hooking. Can add a short description though if that helps. > > >> >>> "HadoopGroup mapping, which uses the underlying hadoop groups" >> Going from the picture, it's actually more complicated -- right? It will >> either use Shell groups or LDAP groups. Maybe a link here with some >> explanation: >> >> http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-hdfs/HdfsPermissionsGuide.html#Group_Mapping >> >> Reorganized the bullet points to make the point clear. Thanks for the > link, will add it to the blog. But the link says "the mapping of users to > groups is performed on the NameNode", this is not true incase of Sentry > with HiveServer2, as the lookup happens on HiveServer2 rather than > Namenode. So will have to point this out to avoid confusion. > > >>> "Next, lets look at how Sentry fits into the security landscape of >> Hive." >> I think this should be its own paragraph since it's only transition; >> doesn't really have anything to do with the previous paragraph. >> >> Done > >> >> >> On Sun, Dec 1, 2013 at 10:42 PM, Sravya Tirukkovalur <[email protected] >> >wrote: >> >> > Hi all, >> > >> > Hope you all had a great thanks giving weekend! >> > >> > I created a short demo on getting started with Sentry in Hive and would >> > like to post it to the Apache Sentry blog. >> > Here is the draft, and any suggestions greatly appreciated: >> > https://blogs.apache.org/preview/sentry/?previewEntry=getting_started >> > >> > FYI, I set the publish time as 12/05/13 9AM GMT. >> > >> > Thanks! >> > -- >> > Sravya Tirukkovalur >> > >> > > > > -- > Sravya Tirukkovalur > -- Sravya Tirukkovalur
