jerryshao commented on code in PR #4496: URL: https://github.com/apache/gravitino/pull/4496#discussion_r1715129500
########## docs/security/access-control.md: ########## 
@@ -0,0 +1,671 @@ +--- +title: "Access Control" +slug: /security/access-control +keyword: security +license: "This software is licensed under the Apache License version 2." +--- + +## Overview + +Gravitino adopts RBAC and DAC. + +Role-based Access Control (RBAC): Access privileges are assigned to roles, which are in turn assigned to users or groups. + +Discretionary Access Control(DAC): Each metadata object has an owner, who can in turn grant access to that object. + +:::info + +Gravitino only supports authorization and doesn't support metadata authentication. + +::: + + +## Concept + +### Role + +A metadata object to which privileges can be granted. Roles are in turn assigned to users or groups. + +### Privilege + +A defined level of access to an object. Multiple distinct privileges may be used to control the granularity of access granted. + +### User + +A user identity recognized by Gravitino. External user system instead of Gravitino manages users. + +### Group + +A group identity recognized by Gravitino. External user system instead of Gravitino manages groups. + +### Metadata objects + +Metadata objects are managed in Gravitino, such as `CATALOG`, `SCHEMA`, `TABLE`, +`COLUMN`, `FILESET`, `TOPIC`, `COLUMN`, `ROLE`, `METALAKE`. A metadata object is combined by a `type` and a +comma-separated `name`. For example, a `CATAGLOG` object has a name "catalog1" with type +"CATALOG", a `SCHEMA` object has a name "catalog1.schema1" with type "SCHEMA", a `TABLE` +object has a name "catalog1.schema1.table1" with type "TABLE". + +### Securable objects + +A metadata object to which access can be granted. Unless allowed by a grant, access is denied. + +Every securable object resides within a logical container in a hierarchy of containers. + +The top container is the metalake. You can understand that metalake a customer organization. + +Catalogs are under the metalake. Catalogs represent different kinds of data sources. 
+ +Gravitino supports Hive, Iceberg, MySQL, PostgreSQL, Hadoop, and Kafka catalogs. + +Schemas are under the catalog. + +There are tables, topics, or filesets under the schema. Review Comment: I suggest you write an image about the hierarchical structure of metadata objects here.
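Review bot: In the "Metadata objects" paragraph of this hunk the name is described as "a `type` and a comma-separated `name`", but every example that follows uses dots (`catalog1.schema1`, `catalog1.schema1.table1`), so it should read dot-separated; the same paragraph has the typo `CATAGLOG` for `CATALOG` and lists `COLUMN` twice among the object types. Two smaller points in the same hunk: "You can understand that metalake a customer organization" is missing "as" ("understand a metalake as a customer organization"), and the info admonition "Gravitino only supports authorization and doesn't support metadata authentication" is unclear as written, since the rest of the page is about authorization only; state plainly what is meant (for example, whether authentication is expected from the external user system that the User and Group sections say manages identities) so readers do not misread it as "no authentication at all". The default-deny sentence under "Securable objects" ("Unless allowed by a grant, access is denied") is the key security statement on this page and is worth keeping exactly as written.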
