Re: Question about user-level privileges

2018-01-30 Thread Sergio Pena
See inline comments.

On Mon, Jan 29, 2018 at 4:37 PM, Alexander Kolbasov wrote:

> I am wondering what is the relationship between "users" as defined in
> Sentry and users as defined in Unix or LDAP or Active Directory.
>
> Should it be allowed to assign permissions to a user that doesn't exist?
> Should there be any validation of users? Should these be treated together
> or independently?
>

*I don't think Sentry checks if the user exists on Unix or any other user
management system when it is requested to add it in the Sentry server. In my
opinion, it is good to keep it this way as Sentry is just a server which
keeps metadata of privileges to roles, users or groups no matter where
those users or groups live. It's up to the client (who requests
permissions) to validate those users or groups exist on its system.*


>
> Also, there is discussion about adding permissions not to roles but to
> users directly. How is it different from adding permissions not to roles
> but to groups directly?
>
> So far Sentry used a role-based model - do we want to change it to an
> entity-based model?
>

*Linux has a limitation of the number of users and groups it supports. It's
around 64k users or groups in a 2.4 kernel (seems the 2.6 kernel has a 4
billion limitation). Anyway, current Sentry users have experienced this
group limitation when trying to create roles that map to 1 single group
that maps to 1 single user to give that user a special privilege on 1 single
database. These current systems might already have lots of groups to manage
Linux permissions, so having the same mapping of 1 user -> 1 group is not
enough for them.*

*One solution could be just granting users to roles (by skipping groups) to
avoid creating unnecessary groups. This approach could solve the Linux
limitation problem.*

*Regarding the entity-based model, there is more scoping and research that
needs to be done to see if user-level privileges (and possibly group-level
privileges) are necessary, perhaps to avoid the unnecessary
user-role-privilege mapping of thousands of roles? Hive supports user, group
and role privilege syntaxes already, so it would be interesting to catch
up with other Hive security projects that support that syntax as well. One
more thing to note is that Sentry object ownership (which sets special
privileges to Hive object owners) would require part of the user-level
privileges mechanism to support it.*


>
> - Alex
>

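The two grant paths discussed above (the classic user -> group -> role -> privilege chain, and the proposed direct user -> role grant that skips groups) are easy to see in a small model. The following Python is an added example written for this thread, not Sentry's own code or API; it is a toy privilege store that, like the one described, keeps only metadata and leaves the "does this user exist?" check to the caller. All names (`PrivilegeStore`, `client_grant_role_to_user`, the `analysts` and `bob_only` groups, users `alice`, `bob`, `carol`) are constructed for the illustration; group membership is passed in from outside because in the real deployment it comes from Unix, LDAP or AD, not from the store.

```python
# Toy model of a Sentry-style privilege store (constructed example, not Sentry code).
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Set


@dataclass(frozen=True)
class Privilege:
    """One privilege on one Hive object, e.g. SELECT on database 'sales'."""
    action: str
    database: str


class PrivilegeStore:
    """Keeps only privilege metadata: which privileges a role carries and which
    groups or users hold that role. It never consults Unix, LDAP or AD; that
    validation belongs to the client that asks for the grant."""

    def __init__(self) -> None:
        self.role_privileges: Dict[str, Set[Privilege]] = {}
        self.group_roles: Dict[str, Set[str]] = {}
        self.user_roles: Dict[str, Set[str]] = {}

    def create_role(self, role: str) -> None:
        self.role_privileges.setdefault(role, set())

    def _check_role(self, role: str) -> None:
        if role not in self.role_privileges:
            raise KeyError(f"unknown role {role!r}")

    def grant_privilege(self, role: str, priv: Privilege) -> None:
        self._check_role(role)
        self.role_privileges[role].add(priv)

    def grant_role_to_group(self, role: str, group: str) -> None:
        """Classic path: user -> group -> role -> privilege."""
        self._check_role(role)
        self.group_roles.setdefault(group, set()).add(role)

    def grant_role_to_user(self, role: str, user: str) -> None:
        """Direct path that skips groups (the proposal in the thread).
        No existence check on purpose: the store only records metadata."""
        self._check_role(role)
        self.user_roles.setdefault(user, set()).add(role)

    def roles_for(self, user: str, groups: Iterable[str]) -> Set[str]:
        """Union of roles held directly and roles held via the caller-supplied groups."""
        roles = set(self.user_roles.get(user, set()))
        for group in groups:
            roles |= self.group_roles.get(group, set())
        return roles

    def has_privilege(self, user: str, groups: Iterable[str], priv: Privilege) -> bool:
        return any(priv in self.role_privileges[r] for r in self.roles_for(user, groups))

    def groups_referenced(self) -> int:
        """How many groups the store had to be told about (the Linux-limit cost)."""
        return len(self.group_roles)


def client_grant_role_to_user(store: PrivilegeStore, role: str, user: str,
                              user_exists: Callable[[str], bool]) -> bool:
    """The check the store leaves to the client: refuse a grant to a principal
    the local user directory does not know (hypothetical client-side wrapper)."""
    if not user_exists(user):
        return False
    store.grant_role_to_user(role, user)
    return True


def build_example():
    """Constructed scenario: one shared analyst role, plus a special privilege on
    the finance database for single users, granted once through a throwaway
    one-user group and once directly to the user."""
    store = PrivilegeStore()
    select_sales = Privilege("SELECT", "sales")
    select_finance = Privilege("SELECT", "finance")

    store.create_role("sales_reader")
    store.grant_privilege("sales_reader", select_sales)
    store.grant_role_to_group("sales_reader", "analysts")

    # Old workaround: group 'bob_only' exists solely to carry one role to one user.
    store.create_role("finance_reader_bob")
    store.grant_privilege("finance_reader_bob", select_finance)
    store.grant_role_to_group("finance_reader_bob", "bob_only")

    # Proposed path: the same kind of special privilege for carol, no extra group.
    store.create_role("finance_reader_carol")
    store.grant_privilege("finance_reader_carol", select_finance)
    store.grant_role_to_user("finance_reader_carol", "carol")
    return store, select_sales, select_finance


if __name__ == "__main__":
    store, sel_sales, sel_fin = build_example()
    print("bob via group:", store.has_privilege("bob", ["analysts", "bob_only"], sel_fin))
    print("carol direct:", store.has_privilege("carol", ["analysts"], sel_fin))
    print("groups the store had to learn about:", store.groups_referenced())
```

The point of the model is the last line: every per-user special privilege done the old way costs a group that must also exist on the Linux side, while the direct grant costs none. The store itself will happily record a grant for a user nobody has, which is why the existence check sits in the client wrapper rather than in the store.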

Question about user-level privileges

2018-01-29 Thread Alexander Kolbasov
I am wondering what is the relationship between "users" as defined in
Sentry and users as defined in Unix or LDAP or Active Directory.

Should it be allowed to assign permissions to a user that doesn't exist?
Should there be any validation of users? Should these be treated together
or independently?

Also, there is discussion about adding permissions not to roles but to
users directly. How is it different from adding permissions not to roles
but to groups directly?

So far Sentry used a role-based model - do we want to change it to an
entity-based model?

- Alex