[
https://issues.apache.org/jira/browse/SENTRY-2189?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Liam Sargent updated SENTRY-2189:
---------------------------------
Description:
Static (file-based) attribute provider for Sentry ABAC.
Attributes are string "tags" used to define a feature of the data which may
require additional access control steps for security and compliance.
Since Sentry already provides role-based access control, we must be able to
define actions to take on data objects based on attribute/role combinations.
For instance, a column marked with the attribute "Sensitive Data" may be
visible to someone with "ROLE_ADMIN", but needs to be NULLed for someone with
the role "SALES", etc. This relationship can be modeled and effectively
leveraged at query time with a specialized bidirectional map object providing
low latency lookup between Attribute/Role and Object/Action, and vice versa.
Attribute/Role->Object/Action definitions will be provided as a JSON object, or
as JSON delta updates to existing definitions. This implementation will parse
the definitions into the specialized Java object to provide near-O(1) lookup
from Attribute/Role -> Object/Action, and from Object -> Attribute/Role
associations.
was:
Static (file-based) attribute provider for Sentry ABAC.
Attributes are string "tags" used to define a feature of the data which may
require additional access control steps for security and compliance.
Since Sentry already provides role-based access control, we must be able to
define actions to take on data objects based on attribute/role combinations.
For instance, a column marked with the attribute "Sensitive Data" may be
visible to someone with "ROLE_ADMIN", but needs to be NULLed for someone with
the role "SALES", etc. This relationship can be modeled and effectively
leveraged at query time with a specialized Bidirectional map object providing
low latency lookup between Attribute/Role and Object/Action, and vice versa.
Attribute/Role->Object/Action definitions will be provided as a JSON object, or
as JSON delta updates to existing definitions. This implementation will parse
the definitions into the specialized Java object to provide near-O(1) lookup
from Attribute/Role -> Object/Action, and from Object -> Attribute/Role
associations.
> Static Attribute Ingestion
> --------------------------
>
> Key: SENTRY-2189
> URL: https://issues.apache.org/jira/browse/SENTRY-2189
> Project: Sentry
> Issue Type: New Feature
> Reporter: Liam Sargent
> Assignee: Liam Sargent
> Priority: Major
> Labels: ABAC
>
> Static (file-based) attribute provider for Sentry ABAC.
> Attributes are string "tags" used to define a feature of the data which may
> require additional access control steps for security and compliance.
> Since Sentry already provides role-based access control, we must be able to
> define actions to take on data objects based on attribute/role combinations.
> For instance, a column marked with the attribute "Sensitive Data" may be
> visible to someone with "ROLE_ADMIN", but needs to be NULLed for someone with
> the role "SALES", etc. This relationship can be modeled and effectively
> leveraged at query time with a specialized bidirectional map object providing
> low latency lookup between Attribute/Role and Object/Action, and vice versa.
> Attribute/Role->Object/Action definitions will be provided as a JSON object,
> or as JSON delta updates to existing definitions. This implementation will
> parse the definitions into the specialized Java object to provide near-O(1)
> lookup from Attribute/Role -> Object/Action, and from Object ->
> Attribute/Role associations.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
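
The bidirectional lookup described in the issue, as an added sketch that is not Sentry code or part of the original message. The class name, method names, action strings ("ALLOW", "NULL") and object naming are assumptions; JSON parsing is left out, and each parsed definition or delta is assumed to arrive as a put or remove call.

```java
import java.util.*;

// Hypothetical sketch, not Sentry code: all names here are assumptions.
public class AttributePolicyIndex {
    record AttrRole(String attribute, String role) {}

    // Forward: Attribute/Role -> (Object -> Action)
    private final Map<AttrRole, Map<String, String>> forward = new HashMap<>();
    // Reverse: Object -> Attribute/Role pairs that reference it
    private final Map<String, Set<AttrRole>> reverse = new HashMap<>();

    // Add or overwrite one definition (also serves as an "upsert" delta).
    public void put(String attribute, String role, String object, String action) {
        AttrRole key = new AttrRole(attribute, role);
        forward.computeIfAbsent(key, k -> new HashMap<>()).put(object, action);
        reverse.computeIfAbsent(object, o -> new HashSet<>()).add(key);
    }

    // Apply a "remove" delta, keeping both directions consistent so a
    // stale reverse entry can never point at a rule that no longer exists.
    public void remove(String attribute, String role, String object) {
        AttrRole key = new AttrRole(attribute, role);
        Map<String, String> actions = forward.get(key);
        if (actions != null && actions.remove(object) != null) {
            if (actions.isEmpty()) forward.remove(key);
            Set<AttrRole> keys = reverse.get(object);
            keys.remove(key);
            if (keys.isEmpty()) reverse.remove(object);
        }
    }

    // Read-only views: callers cannot mutate policy through a lookup result.
    public Map<String, String> actionsFor(String attribute, String role) {
        return Collections.unmodifiableMap(
            forward.getOrDefault(new AttrRole(attribute, role), Map.of()));
    }

    public Set<AttrRole> associationsFor(String object) {
        return Collections.unmodifiableSet(reverse.getOrDefault(object, Set.of()));
    }

    public static void main(String[] args) {
        AttributePolicyIndex idx = new AttributePolicyIndex();
        // Constructed sample definitions mirroring the example in the issue.
        idx.put("Sensitive Data", "ROLE_ADMIN", "db.customers.ssn", "ALLOW");
        idx.put("Sensitive Data", "SALES", "db.customers.ssn", "NULL");
        System.out.println(idx.actionsFor("Sensitive Data", "SALES"));
        System.out.println(idx.associationsFor("db.customers.ssn"));
        idx.remove("Sensitive Data", "SALES", "db.customers.ssn");
        System.out.println(idx.associationsFor("db.customers.ssn"));
    }
}
```

Both maps are hash-based, so each lookup is expected constant time. An empty result means no definition matched, and the caller still has to decide what action applies in that case.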