techdocsmith commented on a change in pull request #11785:
URL: https://github.com/apache/druid/pull/11785#discussion_r725153148
##########
File path: docs/operations/security-user-auth.md
##########
@@ -50,6 +50,11 @@ In practice, most deployments will only need to define two
classes of users:
It is important to note that WRITE access to DATASOURCE grants a user broad
access. For instance, such users will have access to the Druid file system, S3
buckets, and credentials, among other things. As such, the ability to add and
manage datasources should be allocated selectively to administrators.
+> Note: `WRITE` permission on a resource does not include `READ` permission as
well.
+> For instance, a `DATASOURCE READ`-only user might be able to access an API
or a
+> system schema record that a `DATASOURCE WRITE`-only user would not have
access to.
+> If a user needs to have both `READ` and `WRITE` permissions on a resource,
+> grant them both explicitly.
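Review bot: The added note follows directly after the context paragraph saying that WRITE access to DATASOURCE grants broad access (file system, S3 buckets, credentials), so a reader can take the two statements as contradictory. A short clause stating that this broad access still does not cover the APIs and system schema records gated on `READ` would tie them together. In the first added line, "as well" is redundant after "does not include". The example "might be able to access an API or a system schema record" would help an administrator more if it named one concrete API or record.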
Review comment:
```suggestion
`WRITE` permission on a resource does not include `READ` permission. You
must grant each permission
individually. For instance, a user with only `DATASOURCE READ` might have
access to an API or a
system schema record that a user with `DATASOURCE WRITE` would not have
access to. If a user requires both `READ` and `WRITE` permissions on a
resource, you must grant them both explicitly.
```
I think this is not an admonition or note, but standard documentation about
the workings of `READ` vs `WRITE`. Suggested some stylistic changes.