yuqi1129 commented on code in PR #4496:
URL: https://github.com/apache/gravitino/pull/4496#discussion_r1716465225
##########
docs/security/access-control.md:
##########
@@ -0,0 +1,659 @@
+---
+title: "Access Control"
+slug: /security/access-control
+keyword: security
+license: "This software is licensed under the Apache License version 2."
+---
+
+## Overview
+
+Gravitino adopts RBAC and DAC.
+
+Role-based Access Control (RBAC): Access privileges are assigned to roles,
which are in turn assigned to users or groups.
+
+Discretionary Access Control(DAC): Each metadata object has an owner, who can
in turn grant access to that object.
+
+:::info
+
+Gravitino only supports authorization and doesn't support metadata
authentication.
+
+:::
+
+
+## Concept
+
+### Role
+
+A metadata object to which privileges can be granted. Roles are in turn
assigned to users or groups.
+
+### Privilege
+
+A defined level of access to an object. Multiple distinct privileges may be
used to control the granularity of access granted.
+
+### User
+
+A user identity recognized by Gravitino. External user system instead of
Gravitino manages users.
+
+### Group
+
+A group identity recognized by Gravitino. External user system instead of
Gravitino manages groups.
+
+### Metadata objects
+
+Metadata objects are managed in Gravitino, such as `CATALOG`, `SCHEMA`,
`TABLE`,
+`COLUMN`, `FILESET`, `TOPIC`, `COLUMN`, `ROLE`, `METALAKE`. A metadata object
is combined by a `type` and a
+comma-separated `name`. For example, a `CATAGLOG` object has a name "catalog1"
with type
+"CATALOG", a `SCHEMA` object has a name "catalog1.schema1" with type "SCHEMA",
a `TABLE`
+object has a name "catalog1.schema1.table1" with type "TABLE".
+
+### Securable objects
+
+A metadata object to which access can be granted. Unless allowed by a grant,
access is denied.
+
+Every securable object resides within a logical container in a hierarchy of
containers.
+
+The top container is the metalake. You can understand that metalake a customer
organization.
+
+Catalogs are under the metalake. Catalogs represent different kinds of data
sources.
+
+Schemas are under the catalog.
+
+There are tables, topics, or filesets under the schema.
+
+
+
+The relationship of the concepts is as below.
+
+
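Review bot: the `Metadata objects` list names `COLUMN` and `ROLE` as metadata objects, but the `Securable objects` hierarchy that follows (metalake > catalog > schema > table/topic/fileset) never places either of them, so a reader cannot tell whether a column or a role can be the target of a grant. State explicitly which metadata object types are securable and where columns and roles sit, or remove them from the list if they cannot be granted on.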
Review Comment:
What's `GroupMappingService`?
##########
docs/security/access-control.md:
##########
@@ -0,0 +1,659 @@
+---
+title: "Access Control"
+slug: /security/access-control
+keyword: security
+license: "This software is licensed under the Apache License version 2."
+---
+
+## Overview
+
+Gravitino adopts RBAC and DAC.
+
+Role-based Access Control (RBAC): Access privileges are assigned to roles,
which are in turn assigned to users or groups.
+
+Discretionary Access Control(DAC): Each metadata object has an owner, who can
in turn grant access to that object.
+
+:::info
+
+Gravitino only supports authorization and doesn't support metadata
authentication.
+
+:::
+
+
+## Concept
+
+### Role
+
+A metadata object to which privileges can be granted. Roles are in turn
assigned to users or groups.
+
+### Privilege
+
+A defined level of access to an object. Multiple distinct privileges may be
used to control the granularity of access granted.
+
+### User
+
+A user identity recognized by Gravitino. External user system instead of
Gravitino manages users.
+
+### Group
+
+A group identity recognized by Gravitino. External user system instead of
Gravitino manages groups.
+
+### Metadata objects
+
+Metadata objects are managed in Gravitino, such as `CATALOG`, `SCHEMA`,
`TABLE`,
+`COLUMN`, `FILESET`, `TOPIC`, `COLUMN`, `ROLE`, `METALAKE`. A metadata object
is combined by a `type` and a
+comma-separated `name`. For example, a `CATAGLOG` object has a name "catalog1"
with type
+"CATALOG", a `SCHEMA` object has a name "catalog1.schema1" with type "SCHEMA",
a `TABLE`
+object has a name "catalog1.schema1.table1" with type "TABLE".
+
+### Securable objects
+
+A metadata object to which access can be granted. Unless allowed by a grant,
access is denied.
+
+Every securable object resides within a logical container in a hierarchy of
containers.
+
+The top container is the metalake. You can understand that metalake a customer
organization.
+
+Catalogs are under the metalake. Catalogs represent different kinds of data
sources.
+
+Schemas are under the catalog.
+
+There are tables, topics, or filesets under the schema.
+
+
+
+The relationship of the concepts is as below.
+
+
+
+
+### Ownership
+
+Every metadata object has an owner. The owner could be a user or group.
+
+The owner have all the privileges of the metadata object.
+
+The owner could be transferred to another user or group.
+
+## The types of roles
+
+### Service Admin
+
+Service admin is only used for managing the metalakes. Usually, this role is
for the maintainer of the service.
+
+### Custom Roles
+
+You can also create a dedicated role for your business by API or the client.
+
+## The types of privileges
+
+### User privileges
+
+| Name | Supports Securable Object | Operation |
+|-------------|---------------------------|---------------------|
+| ManageUsers | Metalake | Add or remove users |
+
+
+### Group privileges
+
+| Name | Supports Securable Object | Operation |
+|--------------|---------------------------|----------------------|
+| ManageGroups | Metalake | Add or remove groups |
+
+### Role privileges
+
+| Name | Supports Securable Object | Operation |
+|------------|---------------------------|---------------|
+| CreateRole | Metalake | Create a role |
+
+### Permission privileges
+
+| Name | Supports Securable Object | Operation |
+|--------------|---------------------------|------------------------|
+| ManageGrants | Metalake | grant or revoke a role |
+
+### Catalog privileges
+
+| Name | Supports Securable Object | Operation |
+|---------------|---------------------------|------------------|
+| CreateCatalog | Metalake | Create a catalog |
+| UseCatalog | Metalake, Catalog | |
+
+:::info
+
+`USE_CATALOG` is needed for a user to interact with any object within the
catalog.
+
+For example, to select data from a table, users need to have the SELECT_TABLE
privilege on that table and
+`USE CATALOG` privileges on its parent catalog as well as `USE SCHEMA`
privileges on its parent schema.
+
+:::
+
+
+### Schema privileges
+
+| Name | Supports Securable Object | Operation |
+|--------------|---------------------------|-----------------|
+| CreateSchema | Metalake, Catalog | Create a schema |
+| UseSchema | Metalake, Catalog, Schema | Use a schema |
+
+:::info
+
+`UseSchema`is needed for a user to interact with any object within the schema.
+
+For example, to select data from a table, users need to have the
`SELECT_TABLE` privilege on that table
+and `USE SCHEMA` privileges on its parent schema.
+
+:::
+
+### Table privileges
+
+| Name | Supports Securable Object | Operation
|
+|-------------|-----------------------------------|------------------------------------------------|
+| CreateTable | Metalake, Catalog, Schema | Create a table
|
+| ModifyTable | Metalake, Catalog, Schema, Table | Use the SQL
`UPDATE`,`DELETE`,`INSERT` a table |
+| SelectTable | Metalake, Catalog, Schema, Table | Use the SQL `SELECT` data
from a table |
+
+### Topic privileges
+
+| Name | Supports Securable Object | Operation
|
+|--------------|----------------------------------|-------------------------------------------|
+| CreateTopic | Metalake, Catalog, Schema | Create a topic
|
+| ProduceTopic | Metalake, Catalog, Schema, Topic | Produce a topic (including
alter a topic) |
+| ConsumeTopic | Metalake, Catalog, Schema, Topic | Consume a topic
|
+
+### Fileset privileges
+
+| Name | Supports Securable Object | Operation
|
+|---------------|------------------------------------|---------------------------------------------|
+| CreateFileset | Metalake, Catalog, Schema | Create a fileset
|
+| WriteFileset | Metalake, Catalog, Schema, Fileset | Write a fileset
(including alter a fileset) |
+| ReadFileset | Metalake, Catalog, Schema, Fileset | read a fileset
|
+
+## Inheritance Model
+
+Securable objects in Gravitino are hierarchical and privileges are inherited
downward.
+
+This means that granting a privilege on a metalake, catalog or schema
automatically grants
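Review bot: the privilege names in the tables (`UseCatalog`, `UseSchema`, `SelectTable`) do not match the names used in the info boxes (`USE_CATALOG`, `USE CATALOG`, `USE SCHEMA`, `SELECT_TABLE`), and the `UseCatalog` row leaves its Operation cell empty. Use one spelling throughout, preferably the one the API accepts, and fill in the `UseCatalog` operation (e.g. `Use a catalog`, matching the `UseSchema` row).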
Review Comment:
So the table, topic and fileset will not automatically get the privileges?
##########
docs/security/access-control.md:
##########
@@ -0,0 +1,659 @@
+---
+title: "Access Control"
+slug: /security/access-control
+keyword: security
+license: "This software is licensed under the Apache License version 2."
+---
+
+## Overview
+
+Gravitino adopts RBAC and DAC.
+
+Role-based Access Control (RBAC): Access privileges are assigned to roles,
which are in turn assigned to users or groups.
+
+Discretionary Access Control(DAC): Each metadata object has an owner, who can
in turn grant access to that object.
+
+:::info
+
+Gravitino only supports authorization and doesn't support metadata
authentication.
+
+:::
+
+
+## Concept
+
+### Role
+
+A metadata object to which privileges can be granted. Roles are in turn
assigned to users or groups.
+
+### Privilege
+
+A defined level of access to an object. Multiple distinct privileges may be
used to control the granularity of access granted.
+
+### User
+
+A user identity recognized by Gravitino. External user system instead of
Gravitino manages users.
+
+### Group
+
+A group identity recognized by Gravitino. External user system instead of
Gravitino manages groups.
+
+### Metadata objects
+
+Metadata objects are managed in Gravitino, such as `CATALOG`, `SCHEMA`,
`TABLE`,
+`COLUMN`, `FILESET`, `TOPIC`, `COLUMN`, `ROLE`, `METALAKE`. A metadata object
is combined by a `type` and a
+comma-separated `name`. For example, a `CATAGLOG` object has a name "catalog1"
with type
+"CATALOG", a `SCHEMA` object has a name "catalog1.schema1" with type "SCHEMA",
a `TABLE`
+object has a name "catalog1.schema1.table1" with type "TABLE".
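Review bot: `Metadata objects` says the name is `comma-separated`, but every example in the same paragraph uses dots (`catalog1.schema1`, `catalog1.schema1.table1`); change it to dot-separated. In the same paragraph `CATAGLOG` should be `CATALOG`, and `COLUMN` appears twice in the list.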
Review Comment:
Can you provide an example of metalake metadata objects?
##########
docs/security/access-control.md:
##########
@@ -0,0 +1,659 @@
+---
+title: "Access Control"
+slug: /security/access-control
+keyword: security
+license: "This software is licensed under the Apache License version 2."
+---
+
+## Overview
+
+Gravitino adopts RBAC and DAC.
+
+Role-based Access Control (RBAC): Access privileges are assigned to roles,
which are in turn assigned to users or groups.
+
+Discretionary Access Control(DAC): Each metadata object has an owner, who can
in turn grant access to that object.
+
+:::info
+
+Gravitino only supports authorization and doesn't support metadata
authentication.
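Review bot: the info box `doesn't support metadata authentication` contradicts this PR's own `docs/index.md` change, which lists `authentication` among the security configurations Gravitino provides. Reword the box to say what it actually means, for example that the privileges on this page govern authorization on securable objects only and that authenticating the caller is a separate concern, rather than stating that authentication is unsupported.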
Review Comment:
"doesn't support metadata authentication"
Why do we mention `authentication` in the access control chapter?
Furthermore, I believe you need to add more words to make the sentence more
natural. For example:
```
Gravitino only supports authorization for securable objects, when it comes
to authentication. Gravitino doesn't support metadata authentication.
```
##########
docs/index.md:
##########
@@ -144,11 +144,17 @@ Gravitino provides a Flink connector to manage metadata
in a unified way. To use
Gravitino provides several ways to configure and manage the Gravitino server.
See:
-* [Security](./security.md): provides security configurations for Gravitino,
including HTTPS
- and OAuth2 configurations.
* [Gravitino metrics](./metrics.md): provides metrics configurations and
detailed a metrics list
of the Gravitino server.
+### Security
+
+Gravitino provides security configurations for Gravitino, including HTTPS,
authentication and access control configurations.
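Review bot: the replacement paragraph drops the link the removed bullet carried (`[Security](./security.md)`), so the new `### Security` heading is a dead end for the reader; link the paragraph to the page(s) that replace `security.md`, for instance the `docs/security/access-control.md` page this PR adds.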
Review Comment:
for Gravitino server.
##########
docs/security/access-control.md:
##########
@@ -0,0 +1,659 @@
+---
+title: "Access Control"
+slug: /security/access-control
+keyword: security
+license: "This software is licensed under the Apache License version 2."
+---
+
+## Overview
+
+Gravitino adopts RBAC and DAC.
+
+Role-based Access Control (RBAC): Access privileges are assigned to roles,
which are in turn assigned to users or groups.
+
+Discretionary Access Control(DAC): Each metadata object has an owner, who can
in turn grant access to that object.
+
+:::info
+
+Gravitino only supports authorization and doesn't support metadata
authentication.
+
+:::
+
+
+## Concept
+
+### Role
+
+A metadata object to which privileges can be granted. Roles are in turn
assigned to users or groups.
+
+### Privilege
+
+A defined level of access to an object. Multiple distinct privileges may be
used to control the granularity of access granted.
+
+### User
+
+A user identity recognized by Gravitino. External user system instead of
Gravitino manages users.
+
+### Group
+
+A group identity recognized by Gravitino. External user system instead of
Gravitino manages groups.
+
+### Metadata objects
+
+Metadata objects are managed in Gravitino, such as `CATALOG`, `SCHEMA`,
`TABLE`,
+`COLUMN`, `FILESET`, `TOPIC`, `COLUMN`, `ROLE`, `METALAKE`. A metadata object
is combined by a `type` and a
+comma-separated `name`. For example, a `CATAGLOG` object has a name "catalog1"
with type
+"CATALOG", a `SCHEMA` object has a name "catalog1.schema1" with type "SCHEMA",
a `TABLE`
+object has a name "catalog1.schema1.table1" with type "TABLE".
+
+### Securable objects
+
+A metadata object to which access can be granted. Unless allowed by a grant,
access is denied.
+
+Every securable object resides within a logical container in a hierarchy of
containers.
+
+The top container is the metalake. You can understand that metalake a customer
organization.
+
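Review bot: `You can understand that metalake a customer organization` is missing its verb; suggest `You can think of a metalake as a customer organization`. In the same hunk `Discretionary Access Control(DAC)` needs a space before the parenthesis, and the double blank `+` lines around `The relationship of the concepts is as below.` should be collapsed so the diagram is not separated from its caption.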
Review Comment:
Please format the markdown file here. I don't think it will look very good.
![image](https://github.com/user-attachments/assets/1d12d2be-2ea9-4b36-9303-e58dd0ce870b)
##########
docs/security/access-control.md:
##########
@@ -0,0 +1,659 @@
+---
+title: "Access Control"
+slug: /security/access-control
+keyword: security
+license: "This software is licensed under the Apache License version 2."
+---
+
+## Overview
+
+Gravitino adopts RBAC and DAC.
+
+Role-based Access Control (RBAC): Access privileges are assigned to roles,
which are in turn assigned to users or groups.
+
+Discretionary Access Control(DAC): Each metadata object has an owner, who can
in turn grant access to that object.
+
+:::info
+
+Gravitino only supports authorization and doesn't support metadata
authentication.
+
+:::
+
+
+## Concept
+
+### Role
+
+A metadata object to which privileges can be granted. Roles are in turn
assigned to users or groups.
+
+### Privilege
+
+A defined level of access to an object. Multiple distinct privileges may be
used to control the granularity of access granted.
+
+### User
+
+A user identity recognized by Gravitino. External user system instead of
Gravitino manages users.
+
+### Group
+
+A group identity recognized by Gravitino. External user system instead of
Gravitino manages groups.
+
+### Metadata objects
+
+Metadata objects are managed in Gravitino, such as `CATALOG`, `SCHEMA`,
`TABLE`,
+`COLUMN`, `FILESET`, `TOPIC`, `COLUMN`, `ROLE`, `METALAKE`. A metadata object
is combined by a `type` and a
+comma-separated `name`. For example, a `CATAGLOG` object has a name "catalog1"
with type
+"CATALOG", a `SCHEMA` object has a name "catalog1.schema1" with type "SCHEMA",
a `TABLE`
+object has a name "catalog1.schema1.table1" with type "TABLE".
+
+### Securable objects
+
+A metadata object to which access can be granted. Unless allowed by a grant,
access is denied.
+
+Every securable object resides within a logical container in a hierarchy of
containers.
+
+The top container is the metalake. You can understand that metalake a customer
organization.
+
+Catalogs are under the metalake. Catalogs represent different kinds of data
sources.
+
+Schemas are under the catalog.
+
+There are tables, topics, or filesets under the schema.
+
+
+
+The relationship of the concepts is as below.
+
+
+
+
+### Ownership
+
+Every metadata object has an owner. The owner could be a user or group.
+
+The owner have all the privileges of the metadata object.
+
+The owner could be transferred to another user or group.
+
+## The types of roles
+
+### Service Admin
+
+Service admin is only used for managing the metalakes. Usually, this role is
for the maintainer of the service.
+
+### Custom Roles
+
+You can also create a dedicated role for your business by API or the client.
+
+## The types of privileges
+
+### User privileges
+
+| Name | Supports Securable Object | Operation |
+|-------------|---------------------------|---------------------|
+| ManageUsers | Metalake | Add or remove users |
+
+
+### Group privileges
+
+| Name | Supports Securable Object | Operation |
+|--------------|---------------------------|----------------------|
+| ManageGroups | Metalake | Add or remove groups |
+
+### Role privileges
+
+| Name | Supports Securable Object | Operation |
+|------------|---------------------------|---------------|
+| CreateRole | Metalake | Create a role |
+
+### Permission privileges
+
+| Name | Supports Securable Object | Operation |
+|--------------|---------------------------|------------------------|
+| ManageGrants | Metalake | grant or revoke a role |
+
+### Catalog privileges
+
+| Name | Supports Securable Object | Operation |
+|---------------|---------------------------|------------------|
+| CreateCatalog | Metalake | Create a catalog |
+| UseCatalog | Metalake, Catalog | |
+
+:::info
+
+`USE_CATALOG` is needed for a user to interact with any object within the
catalog.
+
+For example, to select data from a table, users need to have the SELECT_TABLE
privilege on that table and
+`USE CATALOG` privileges on its parent catalog as well as `USE SCHEMA`
privileges on its parent schema.
+
+:::
+
+
+### Schema privileges
+
+| Name | Supports Securable Object | Operation |
+|--------------|---------------------------|-----------------|
+| CreateSchema | Metalake, Catalog | Create a schema |
+| UseSchema | Metalake, Catalog, Schema | Use a schema |
+
+:::info
+
+`UseSchema`is needed for a user to interact with any object within the schema.
+
+For example, to select data from a table, users need to have the
`SELECT_TABLE` privilege on that table
+and `USE SCHEMA` privileges on its parent schema.
+
+:::
+
+### Table privileges
+
+| Name | Supports Securable Object | Operation
|
+|-------------|-----------------------------------|------------------------------------------------|
+| CreateTable | Metalake, Catalog, Schema | Create a table
|
+| ModifyTable | Metalake, Catalog, Schema, Table | Use the SQL
`UPDATE`,`DELETE`,`INSERT` a table |
+| SelectTable | Metalake, Catalog, Schema, Table | Use the SQL `SELECT` data
from a table |
+
+### Topic privileges
+
+| Name | Supports Securable Object | Operation
|
+|--------------|----------------------------------|-------------------------------------------|
+| CreateTopic | Metalake, Catalog, Schema | Create a topic
|
+| ProduceTopic | Metalake, Catalog, Schema, Topic | Produce a topic (including
alter a topic) |
+| ConsumeTopic | Metalake, Catalog, Schema, Topic | Consume a topic
|
+
+### Fileset privileges
+
+| Name | Supports Securable Object | Operation
|
+|---------------|------------------------------------|---------------------------------------------|
+| CreateFileset | Metalake, Catalog, Schema | Create a fileset
|
+| WriteFileset | Metalake, Catalog, Schema, Fileset | Write a fileset
(including alter a fileset) |
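Review bot: none of the Table, Topic or Fileset tables says which privilege covers dropping the object, and only `ProduceTopic` and `WriteFileset` mention `alter`; `ModifyTable` lists only SQL `UPDATE`/`DELETE`/`INSERT`. State for each object type whether alter and drop belong to the modify/write privilege or are reserved to the owner, and if `CreateFileset` and `WriteFileset` differ only in that one creates the fileset and the other writes data into an existing one, say so in the Operation column.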
Review Comment:
What's the difference between `CreateFileset` and `WriteFileset`?
##########
docs/security/access-control.md:
##########
@@ -0,0 +1,659 @@
+---
+title: "Access Control"
+slug: /security/access-control
+keyword: security
+license: "This software is licensed under the Apache License version 2."
+---
+
+## Overview
+
+Gravitino adopts RBAC and DAC.
+
+Role-based Access Control (RBAC): Access privileges are assigned to roles,
which are in turn assigned to users or groups.
+
+Discretionary Access Control(DAC): Each metadata object has an owner, who can
in turn grant access to that object.
+
+:::info
+
+Gravitino only supports authorization and doesn't support metadata
authentication.
+
+:::
+
+
+## Concept
+
+### Role
+
+A metadata object to which privileges can be granted. Roles are in turn
assigned to users or groups.
+
+### Privilege
+
+A defined level of access to an object. Multiple distinct privileges may be
used to control the granularity of access granted.
+
+### User
+
+A user identity recognized by Gravitino. External user system instead of
Gravitino manages users.
+
+### Group
+
+A group identity recognized by Gravitino. External user system instead of
Gravitino manages groups.
+
+### Metadata objects
+
+Metadata objects are managed in Gravitino, such as `CATALOG`, `SCHEMA`,
`TABLE`,
+`COLUMN`, `FILESET`, `TOPIC`, `COLUMN`, `ROLE`, `METALAKE`. A metadata object
is combined by a `type` and a
+comma-separated `name`. For example, a `CATAGLOG` object has a name "catalog1"
with type
+"CATALOG", a `SCHEMA` object has a name "catalog1.schema1" with type "SCHEMA",
a `TABLE`
+object has a name "catalog1.schema1.table1" with type "TABLE".
+
+### Securable objects
+
+A metadata object to which access can be granted. Unless allowed by a grant,
access is denied.
+
+Every securable object resides within a logical container in a hierarchy of
containers.
+
+The top container is the metalake. You can understand that metalake a customer
organization.
+
+Catalogs are under the metalake. Catalogs represent different kinds of data
sources.
+
+Schemas are under the catalog.
+
+There are tables, topics, or filesets under the schema.
+
+
+
+The relationship of the concepts is as below.
+
+
+
+
+### Ownership
+
+Every metadata object has an owner. The owner could be a user or group.
+
+The owner have all the privileges of the metadata object.
+
+The owner could be transferred to another user or group.
+
+## The types of roles
+
+### Service Admin
+
+Service admin is only used for managing the metalakes. Usually, this role is
for the maintainer of the service.
+
+### Custom Roles
+
+You can also create a dedicated role for your business by API or the client.
+
+## The types of privileges
+
+### User privileges
+
+| Name | Supports Securable Object | Operation |
+|-------------|---------------------------|---------------------|
+| ManageUsers | Metalake | Add or remove users |
+
+
+### Group privileges
+
+| Name | Supports Securable Object | Operation |
+|--------------|---------------------------|----------------------|
+| ManageGroups | Metalake | Add or remove groups |
+
+### Role privileges
+
+| Name | Supports Securable Object | Operation |
+|------------|---------------------------|---------------|
+| CreateRole | Metalake | Create a role |
+
+### Permission privileges
+
+| Name | Supports Securable Object | Operation |
+|--------------|---------------------------|------------------------|
+| ManageGrants | Metalake | grant or revoke a role |
+
+### Catalog privileges
+
+| Name | Supports Securable Object | Operation |
+|---------------|---------------------------|------------------|
+| CreateCatalog | Metalake | Create a catalog |
+| UseCatalog | Metalake, Catalog | |
+
+:::info
+
+`USE_CATALOG` is needed for a user to interact with any object within the
catalog.
+
+For example, to select data from a table, users need to have the SELECT_TABLE
privilege on that table and
+`USE CATALOG` privileges on its parent catalog as well as `USE SCHEMA`
privileges on its parent schema.
+
+:::
+
+
+### Schema privileges
+
+| Name | Supports Securable Object | Operation |
+|--------------|---------------------------|-----------------|
+| CreateSchema | Metalake, Catalog | Create a schema |
+| UseSchema | Metalake, Catalog, Schema | Use a schema |
+
+:::info
+
+`UseSchema`is needed for a user to interact with any object within the schema.
+
+For example, to select data from a table, users need to have the
`SELECT_TABLE` privilege on that table
+and `USE SCHEMA` privileges on its parent schema.
+
+:::
+
+### Table privileges
+
+| Name | Supports Securable Object | Operation
|
+|-------------|-----------------------------------|------------------------------------------------|
+| CreateTable | Metalake, Catalog, Schema | Create a table
|
+| ModifyTable | Metalake, Catalog, Schema, Table | Use the SQL
`UPDATE`,`DELETE`,`INSERT` a table |
+| SelectTable | Metalake, Catalog, Schema, Table | Use the SQL `SELECT` data
from a table |
+
+### Topic privileges
+
+| Name | Supports Securable Object | Operation
|
+|--------------|----------------------------------|-------------------------------------------|
+| CreateTopic | Metalake, Catalog, Schema | Create a topic
|
+| ProduceTopic | Metalake, Catalog, Schema, Topic | Produce a topic (including
alter a topic) |
+| ConsumeTopic | Metalake, Catalog, Schema, Topic | Consume a topic
|
+
+### Fileset privileges
+
+| Name | Supports Securable Object | Operation
|
+|---------------|------------------------------------|---------------------------------------------|
+| CreateFileset | Metalake, Catalog, Schema | Create a fileset
|
+| WriteFileset | Metalake, Catalog, Schema, Fileset | Write a fileset
(including alter a fileset) |
+| ReadFileset | Metalake, Catalog, Schema, Fileset | read a fileset
|
+
+## Inheritance Model
+
+Securable objects in Gravitino are hierarchical and privileges are inherited
downward.
+
+This means that granting a privilege on a metalake, catalog or schema
automatically grants
+the privilege to all current and future objects within the metalake, catalog
or schema.
+
+For example, if you give a use that `SELECT_TABLE` privilege on a catalog,
then that the user
+will be able to select(read) all tables in that catalog.
+
+## Privilege Condition
+
+The privilege supports two condition: `allow` and `deny`. `allow` means that
you are able to use the privilege,
+
+`deny` means that you aren't able to use the privilege.
+
+`deny` condition is prior to `allow` condition. If a role has the `allow`
condition and `deny` condition at the same time.
+The user won't be able to use the privilege.
+
+If parent securable object has the same privilege name with different
condition, the parent securable privilege will still take effect.
+
+For example, securable metalake object allows to use the catalog, but
securable catalog denies to use the catalog, the user isn't able to use the
catalog.
+
+If securable metalake object denies to use the catalog, but securable catalog
allows to use the catalog, the user isn't able to use the catalog, too.
+
+
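Review bot: `the parent securable privilege will still take effect` does not describe the two examples that follow it: in the first (metalake allows, catalog denies) the child's `deny` wins, in the second (metalake denies, catalog allows) the parent's `deny` wins, so the actual rule is that a `deny` at any level of the hierarchy overrides an `allow` at any other level. Replace the sentence with that rule; as written it implies a child `deny` could be overridden by a parent `allow`, which the first example shows is not the case.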
Review Comment:
I can't get what the picture means. Could you add some description in the
picture?
##########
docs/security/access-control.md:
##########
@@ -0,0 +1,659 @@
+---
+title: "Access Control"
+slug: /security/access-control
+keyword: security
+license: "This software is licensed under the Apache License version 2."
+---
+
+## Overview
+
+Gravitino adopts RBAC and DAC.
+
+Role-based Access Control (RBAC): Access privileges are assigned to roles,
which are in turn assigned to users or groups.
+
+Discretionary Access Control(DAC): Each metadata object has an owner, who can
in turn grant access to that object.
+
+:::info
+
+Gravitino only supports authorization and doesn't support metadata
authentication.
+
+:::
+
+
+## Concept
+
+### Role
+
+A metadata object to which privileges can be granted. Roles are in turn
assigned to users or groups.
+
+### Privilege
+
+A defined level of access to an object. Multiple distinct privileges may be
used to control the granularity of access granted.
+
+### User
+
+A user identity recognized by Gravitino. External user system instead of
Gravitino manages users.
+
+### Group
+
+A group identity recognized by Gravitino. External user system instead of
Gravitino manages groups.
+
+### Metadata objects
+
+Metadata objects are managed in Gravitino, such as `CATALOG`, `SCHEMA`,
`TABLE`,
+`COLUMN`, `FILESET`, `TOPIC`, `COLUMN`, `ROLE`, `METALAKE`. A metadata object
is combined by a `type` and a
+comma-separated `name`. For example, a `CATAGLOG` object has a name "catalog1"
with type
+"CATALOG", a `SCHEMA` object has a name "catalog1.schema1" with type "SCHEMA",
a `TABLE`
+object has a name "catalog1.schema1.table1" with type "TABLE".
+
+### Securable objects
+
+A metadata object to which access can be granted. Unless allowed by a grant,
access is denied.
+
+Every securable object resides within a logical container in a hierarchy of
containers.
+
+The top container is the metalake. You can understand that metalake a customer
organization.
+
+Catalogs are under the metalake. Catalogs represent different kinds of data
sources.
+
+Schemas are under the catalog.
+
+There are tables, topics, or filesets under the schema.
+
+
+
+The relationship of the concepts is as below.
+
+
+
+
+### Ownership
+
+Every metadata object has an owner. The owner could be a user or group.
+
+The owner have all the privileges of the metadata object.
+
+The owner could be transferred to another user or group.
+
+## The types of roles
+
+### Service Admin
+
+Service admin is only used for managing the metalakes. Usually, this role is
for the maintainer of the service.
+
+### Custom Roles
+
+You can also create a dedicated role for your business by API or the client.
+
+## The types of privileges
+
+### User privileges
+
+| Name | Supports Securable Object | Operation |
+|-------------|---------------------------|---------------------|
+| ManageUsers | Metalake | Add or remove users |
+
+
+### Group privileges
+
+| Name | Supports Securable Object | Operation |
+|--------------|---------------------------|----------------------|
+| ManageGroups | Metalake | Add or remove groups |
+
+### Role privileges
+
+| Name | Supports Securable Object | Operation |
+|------------|---------------------------|---------------|
+| CreateRole | Metalake | Create a role |
+
+### Permission privileges
+
+| Name | Supports Securable Object | Operation |
+|--------------|---------------------------|------------------------|
+| ManageGrants | Metalake | grant or revoke a role |
+
+### Catalog privileges
+
+| Name | Supports Securable Object | Operation |
+|---------------|---------------------------|------------------|
+| CreateCatalog | Metalake | Create a catalog |
+| UseCatalog | Metalake, Catalog | |
+
+:::info
+
+`USE_CATALOG` is needed for a user to interact with any object within the
catalog.
+
+For example, to select data from a table, users need to have the SELECT_TABLE
privilege on that table and
+`USE CATALOG` privileges on its parent catalog as well as `USE SCHEMA`
privileges on its parent schema.
+
+:::
+
+
+### Schema privileges
+
+| Name | Supports Securable Object | Operation |
+|--------------|---------------------------|-----------------|
+| CreateSchema | Metalake, Catalog | Create a schema |
+| UseSchema | Metalake, Catalog, Schema | Use a schema |
+
+:::info
+
+`UseSchema`is needed for a user to interact with any object within the schema.
+
+For example, to select data from a table, users need to have the
`SELECT_TABLE` privilege on that table
+and `USE SCHEMA` privileges on its parent schema.
+
+:::
+
+### Table privileges
+
+| Name | Supports Securable Object | Operation
|
+|-------------|-----------------------------------|------------------------------------------------|
+| CreateTable | Metalake, Catalog, Schema | Create a table
|
+| ModifyTable | Metalake, Catalog, Schema, Table | Use the SQL
`UPDATE`,`DELETE`,`INSERT` a table |
+| SelectTable | Metalake, Catalog, Schema, Table | Use the SQL `SELECT` data
from a table |
+
+### Topic privileges
+
+| Name | Supports Securable Object | Operation
|
+|--------------|----------------------------------|-------------------------------------------|
+| CreateTopic | Metalake, Catalog, Schema | Create a topic
|
+| ProduceTopic | Metalake, Catalog, Schema, Topic | Produce a topic (including
alter a topic) |
+| ConsumeTopic | Metalake, Catalog, Schema, Topic | Consume a topic
|
+
+### Fileset privileges
+
+| Name | Supports Securable Object | Operation
|
+|---------------|------------------------------------|---------------------------------------------|
+| CreateFileset | Metalake, Catalog, Schema | Create a fileset
|
+| WriteFileset | Metalake, Catalog, Schema, Fileset | Write a fileset
(including alter a fileset) |
+| ReadFileset | Metalake, Catalog, Schema, Fileset | read a fileset
|
+
+## Inheritance Model
+
+Securable objects in Gravitino are hierarchical and privileges are inherited
downward.
+
+This means that granting a privilege on a metalake, catalog or schema
automatically grants
+the privilege to all current and future objects within the metalake, catalog
or schema.
+
+For example, if you give a use that `SELECT_TABLE` privilege on a catalog,
then that the user
+will be able to select(read) all tables in that catalog.
+
+## Privilege Condition
+
+The privilege supports two condition: `allow` and `deny`. `allow` means that
you are able to use the privilege,
+
+`deny` means that you aren't able to use the privilege.
+
+`deny` condition is prior to `allow` condition. If a role has the `allow`
condition and `deny` condition at the same time.
+The user won't be able to use the privilege.
+
+If parent securable object has the same privilege name with different
condition, the parent securable privilege will still take effect.
+
+For example, securable metalake object allows to use the catalog, but
securable catalog denies to use the catalog, the user isn't able to use the
catalog.
+
+If securable metalake object denies to use the catalog, but securable catalog
allows to use the catalog, the user isn't able to use the catalog, too.
+
+
+
+## Server Configuration
+
+If you want to enable the access control, you should enable the authorization.
+
+The related configuration is as follows.
+
+| Configuration item | Description
| Default value | Required | Since
Version |
+|------------------------------------------|-------------------------------------------------------|---------------|----------------------------------|---------------|
+| `gravitino.authorization.enable` | Enable the authorization
| false | No | 0.5.0
|
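Review bot: the `UseCatalog` row in the catalog privileges table has an empty Operation cell; fill it in the same style as the `UseSchema` row ("Use a catalog"). The same table and the info block under it also spell the privilege three ways (`UseCatalog`, `USE_CATALOG`, `USE CATALOG`), and the table privileges section lists `SelectTable` while the notes say `SELECT_TABLE`; pick the identifier the API actually accepts and use it everywhere, otherwise a reader cannot tell which string to put in a grant.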
Review Comment:
`Enable the authorization` -> Whether Gravitino enables authorization or not
##########
docs/security/how-to-authenticate.md:
##########
@@ -0,0 +1,176 @@
+---
+title: "How to authenticate"
+slug: /security/how-to-authenticate
+keyword: security authentication oauth kerberos
+license: "This software is licensed under the Apache License version 2."
+---
+
+## Authentication
+
+Apache Gravitino supports three kinds of authentication mechanisms:
simple,OAuth and Kerberos.
+
+### Simple mode
+
+Simple mode is the default authentication option of the server.
+
+For the client side, if it doesn't set the authentication explicitly, it will
use anonymous to access the server.
+
+If the client sets the simple mode, it will use the environment variable
`GRAVITINO_USER` as the user.
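Review bot: the simple-mode paragraphs should state whether the server verifies the user name it receives, because that name comes from the `GRAVITINO_USER` environment variable, which the caller sets; as written a reader could assume simple mode authenticates the user. Suggest adding one sentence such as "In simple mode the server accepts the user name the client sends without verifying it; use OAuth or Kerberos where the identity must be trusted."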
Review Comment:
`GRAVITINO_USER` in the client-server....
##########
docs/security/how-to-authenticate.md:
##########
@@ -0,0 +1,176 @@
+---
+title: "How to authenticate"
+slug: /security/how-to-authenticate
+keyword: security authentication oauth kerberos
+license: "This software is licensed under the Apache License version 2."
+---
+
+## Authentication
+
+Apache Gravitino supports three kinds of authentication mechanisms:
simple,OAuth and Kerberos.
Review Comment:
Space before `OAuth`
##########
docs/security/how-to-authenticate.md:
##########
@@ -0,0 +1,176 @@
+---
+title: "How to authenticate"
+slug: /security/how-to-authenticate
+keyword: security authentication oauth kerberos
+license: "This software is licensed under the Apache License version 2."
+---
+
+## Authentication
+
+Apache Gravitino supports three kinds of authentication mechanisms:
simple,OAuth and Kerberos.
+
+### Simple mode
+
+Simple mode is the default authentication option of the server.
+
+For the client side, if it doesn't set the authentication explicitly, it will
use anonymous to access the server.
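Review bot: `anonymous` in the last line should be in code font and defined: say whether it is a literal user name the client sends under simple mode or the absence of any credential. Since the preceding line makes simple mode the server default, also say plainly that a server with no authentication configured accepts any caller under that name, so operators know the default is not a production setting.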
Review Comment:
if users do not set the authentication explicitly, they will use the simple
mode to access the Gravitino server and the corresponding user name is
`anonymous`.
##########
docs/security/access-control.md:
##########
@@ -0,0 +1,659 @@
+---
+title: "Access Control"
+slug: /security/access-control
+keyword: security
+license: "This software is licensed under the Apache License version 2."
+---
+
+## Overview
+
+Gravitino adopts RBAC and DAC.
+
+Role-based Access Control (RBAC): Access privileges are assigned to roles,
which are in turn assigned to users or groups.
+
+Discretionary Access Control(DAC): Each metadata object has an owner, who can
in turn grant access to that object.
+
+:::info
+
+Gravitino only supports authorization and doesn't support metadata
authentication.
+
+:::
+
+
+## Concept
+
+### Role
+
+A metadata object to which privileges can be granted. Roles are in turn
assigned to users or groups.
+
+### Privilege
+
+A defined level of access to an object. Multiple distinct privileges may be
used to control the granularity of access granted.
+
+### User
+
+A user identity recognized by Gravitino. External user system instead of
Gravitino manages users.
+
+### Group
+
+A group identity recognized by Gravitino. External user system instead of
Gravitino manages groups.
+
+### Metadata objects
+
+Metadata objects are managed in Gravitino, such as `CATALOG`, `SCHEMA`,
`TABLE`,
+`COLUMN`, `FILESET`, `TOPIC`, `COLUMN`, `ROLE`, `METALAKE`. A metadata object
is combined by a `type` and a
+comma-separated `name`. For example, a `CATAGLOG` object has a name "catalog1"
with type
+"CATALOG", a `SCHEMA` object has a name "catalog1.schema1" with type "SCHEMA",
a `TABLE`
+object has a name "catalog1.schema1.table1" with type "TABLE".
+
+### Securable objects
+
+A metadata object to which access can be granted. Unless allowed by a grant,
access is denied.
+
+Every securable object resides within a logical container in a hierarchy of
containers.
+
+The top container is the metalake. You can understand that metalake a customer
organization.
+
+Catalogs are under the metalake. Catalogs represent different kinds of data
sources.
+
+Schemas are under the catalog.
+
+There are tables, topics, or filesets under the schema.
+
+
+
+The relationship of the concepts is as below.
+
+
+
+
+### Ownership
+
+Every metadata object has an owner. The owner could be a user or group.
+
+The owner have all the privileges of the metadata object.
+
+The owner could be transferred to another user or group.
+
+## The types of roles
+
+### Service Admin
+
+Service admin is only used for managing the metalakes. Usually, this role is
for the maintainer of the service.
+
+### Custom Roles
+
+You can also create a dedicated role for your business by API or the client.
+
+## The types of privileges
+
+### User privileges
+
+| Name | Supports Securable Object | Operation |
+|-------------|---------------------------|---------------------|
+| ManageUsers | Metalake | Add or remove users |
+
+
+### Group privileges
+
+| Name | Supports Securable Object | Operation |
+|--------------|---------------------------|----------------------|
+| ManageGroups | Metalake | Add or remove groups |
+
+### Role privileges
+
+| Name | Supports Securable Object | Operation |
+|------------|---------------------------|---------------|
+| CreateRole | Metalake | Create a role |
+
+### Permission privileges
+
+| Name | Supports Securable Object | Operation |
+|--------------|---------------------------|------------------------|
+| ManageGrants | Metalake | grant or revoke a role |
+
+### Catalog privileges
+
+| Name | Supports Securable Object | Operation |
+|---------------|---------------------------|------------------|
+| CreateCatalog | Metalake | Create a catalog |
+| UseCatalog | Metalake, Catalog | |
+
+:::info
+
+`USE_CATALOG` is needed for a user to interact with any object within the
catalog.
+
+For example, to select data from a table, users need to have the SELECT_TABLE
privilege on that table and
+`USE CATALOG` privileges on its parent catalog as well as `USE SCHEMA`
privileges on its parent schema.
+
+:::
+
+
+### Schema privileges
+
+| Name | Supports Securable Object | Operation |
+|--------------|---------------------------|-----------------|
+| CreateSchema | Metalake, Catalog | Create a schema |
+| UseSchema | Metalake, Catalog, Schema | Use a schema |
+
+:::info
+
+`UseSchema`is needed for a user to interact with any object within the schema.
+
+For example, to select data from a table, users need to have the
`SELECT_TABLE` privilege on that table
+and `USE SCHEMA` privileges on its parent schema.
+
+:::
+
+### Table privileges
+
+| Name | Supports Securable Object | Operation
|
+|-------------|-----------------------------------|------------------------------------------------|
+| CreateTable | Metalake, Catalog, Schema | Create a table
|
+| ModifyTable | Metalake, Catalog, Schema, Table | Use the SQL
`UPDATE`,`DELETE`,`INSERT` a table |
+| SelectTable | Metalake, Catalog, Schema, Table | Use the SQL `SELECT` data
from a table |
+
+### Topic privileges
+
+| Name | Supports Securable Object | Operation
|
+|--------------|----------------------------------|-------------------------------------------|
+| CreateTopic | Metalake, Catalog, Schema | Create a topic
|
+| ProduceTopic | Metalake, Catalog, Schema, Topic | Produce a topic (including
alter a topic) |
+| ConsumeTopic | Metalake, Catalog, Schema, Topic | Consume a topic
|
+
+### Fileset privileges
+
+| Name | Supports Securable Object | Operation
|
+|---------------|------------------------------------|---------------------------------------------|
+| CreateFileset | Metalake, Catalog, Schema | Create a fileset
|
+| WriteFileset | Metalake, Catalog, Schema, Fileset | Write a fileset
(including alter a fileset) |
+| ReadFileset | Metalake, Catalog, Schema, Fileset | read a fileset
|
+
+## Inheritance Model
+
+Securable objects in Gravitino are hierarchical and privileges are inherited
downward.
+
+This means that granting a privilege on a metalake, catalog or schema
automatically grants
+the privilege to all current and future objects within the metalake, catalog
or schema.
+
+For example, if you give a use that `SELECT_TABLE` privilege on a catalog,
then that the user
+will be able to select(read) all tables in that catalog.
+
+## Privilege Condition
+
+The privilege supports two condition: `allow` and `deny`. `allow` means that
you are able to use the privilege,
+
+`deny` means that you aren't able to use the privilege.
+
+`deny` condition is prior to `allow` condition. If a role has the `allow`
condition and `deny` condition at the same time.
+The user won't be able to use the privilege.
+
+If parent securable object has the same privilege name with different
condition, the parent securable privilege will still take effect.
+
+For example, securable metalake object allows to use the catalog, but
securable catalog denies to use the catalog, the user isn't able to use the
catalog.
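Review bot: the Metadata objects paragraph says the `name` is "comma-separated", but every example that follows ("catalog1.schema1", "catalog1.schema1.table1") is dot-separated; change the wording to "dot-separated" (or fix the examples if commas really are the separator, since users will type these names into grants). Minor, same paragraph: `COLUMN` is listed twice and `CATAGLOG` should be `CATALOG`.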
Review Comment:
> For example, securable metalake object allows to use the catalog, but
securable catalog denies to use the catalog, the user isn't able to use the
catalog.
From this wording, I only get the message that `deny` is prior to `allow`. How
to improve `the parent securable privilege will still take effect`?
##########
docs/security/access-control.md:
##########
@@ -0,0 +1,659 @@
+---
+title: "Access Control"
+slug: /security/access-control
+keyword: security
+license: "This software is licensed under the Apache License version 2."
+---
+
+## Overview
+
+Gravitino adopts RBAC and DAC.
+
+Role-based Access Control (RBAC): Access privileges are assigned to roles,
which are in turn assigned to users or groups.
+
+Discretionary Access Control(DAC): Each metadata object has an owner, who can
in turn grant access to that object.
+
+:::info
+
+Gravitino only supports authorization and doesn't support metadata
authentication.
+
+:::
+
+
+## Concept
+
+### Role
+
+A metadata object to which privileges can be granted. Roles are in turn
assigned to users or groups.
+
+### Privilege
+
+A defined level of access to an object. Multiple distinct privileges may be
used to control the granularity of access granted.
+
+### User
+
+A user identity recognized by Gravitino. External user system instead of
Gravitino manages users.
+
+### Group
+
+A group identity recognized by Gravitino. External user system instead of
Gravitino manages groups.
+
+### Metadata objects
+
+Metadata objects are managed in Gravitino, such as `CATALOG`, `SCHEMA`,
`TABLE`,
+`COLUMN`, `FILESET`, `TOPIC`, `COLUMN`, `ROLE`, `METALAKE`. A metadata object
is combined by a `type` and a
+comma-separated `name`. For example, a `CATAGLOG` object has a name "catalog1"
with type
+"CATALOG", a `SCHEMA` object has a name "catalog1.schema1" with type "SCHEMA",
a `TABLE`
+object has a name "catalog1.schema1.table1" with type "TABLE".
+
+### Securable objects
+
+A metadata object to which access can be granted. Unless allowed by a grant,
access is denied.
+
+Every securable object resides within a logical container in a hierarchy of
containers.
+
+The top container is the metalake. You can understand that metalake a customer
organization.
+
+Catalogs are under the metalake. Catalogs represent different kinds of data
sources.
+
+Schemas are under the catalog.
+
+There are tables, topics, or filesets under the schema.
+
+
+
+The relationship of the concepts is as below.
+
+
+
+
+### Ownership
+
+Every metadata object has an owner. The owner could be a user or group.
+
+The owner have all the privileges of the metadata object.
+
+The owner could be transferred to another user or group.
+
+## The types of roles
+
+### Service Admin
+
+Service admin is only used for managing the metalakes. Usually, this role is
for the maintainer of the service.
+
+### Custom Roles
+
+You can also create a dedicated role for your business by API or the client.
+
+## The types of privileges
+
+### User privileges
+
+| Name | Supports Securable Object | Operation |
+|-------------|---------------------------|---------------------|
+| ManageUsers | Metalake | Add or remove users |
+
+
+### Group privileges
+
+| Name | Supports Securable Object | Operation |
+|--------------|---------------------------|----------------------|
+| ManageGroups | Metalake | Add or remove groups |
+
+### Role privileges
+
+| Name | Supports Securable Object | Operation |
+|------------|---------------------------|---------------|
+| CreateRole | Metalake | Create a role |
+
+### Permission privileges
+
+| Name | Supports Securable Object | Operation |
+|--------------|---------------------------|------------------------|
+| ManageGrants | Metalake | grant or revoke a role |
+
+### Catalog privileges
+
+| Name | Supports Securable Object | Operation |
+|---------------|---------------------------|------------------|
+| CreateCatalog | Metalake | Create a catalog |
+| UseCatalog | Metalake, Catalog | |
+
+:::info
+
+`USE_CATALOG` is needed for a user to interact with any object within the
catalog.
+
+For example, to select data from a table, users need to have the SELECT_TABLE
privilege on that table and
+`USE CATALOG` privileges on its parent catalog as well as `USE SCHEMA`
privileges on its parent schema.
+
+:::
+
+
+### Schema privileges
+
+| Name | Supports Securable Object | Operation |
+|--------------|---------------------------|-----------------|
+| CreateSchema | Metalake, Catalog | Create a schema |
+| UseSchema | Metalake, Catalog, Schema | Use a schema |
+
+:::info
+
+`UseSchema`is needed for a user to interact with any object within the schema.
+
+For example, to select data from a table, users need to have the
`SELECT_TABLE` privilege on that table
+and `USE SCHEMA` privileges on its parent schema.
+
+:::
+
+### Table privileges
+
+| Name | Supports Securable Object | Operation
|
+|-------------|-----------------------------------|------------------------------------------------|
+| CreateTable | Metalake, Catalog, Schema | Create a table
|
+| ModifyTable | Metalake, Catalog, Schema, Table | Use the SQL
`UPDATE`,`DELETE`,`INSERT` a table |
+| SelectTable | Metalake, Catalog, Schema, Table | Use the SQL `SELECT` data
from a table |
+
+### Topic privileges
+
+| Name | Supports Securable Object | Operation
|
+|--------------|----------------------------------|-------------------------------------------|
+| CreateTopic | Metalake, Catalog, Schema | Create a topic
|
+| ProduceTopic | Metalake, Catalog, Schema, Topic | Produce a topic (including
alter a topic) |
+| ConsumeTopic | Metalake, Catalog, Schema, Topic | Consume a topic
|
+
+### Fileset privileges
+
+| Name | Supports Securable Object | Operation
|
+|---------------|------------------------------------|---------------------------------------------|
+| CreateFileset | Metalake, Catalog, Schema | Create a fileset
|
+| WriteFileset | Metalake, Catalog, Schema, Fileset | Write a fileset
(including alter a fileset) |
+| ReadFileset | Metalake, Catalog, Schema, Fileset | read a fileset
|
+
+## Inheritance Model
+
+Securable objects in Gravitino are hierarchical and privileges are inherited
downward.
+
+This means that granting a privilege on a metalake, catalog or schema
automatically grants
+the privilege to all current and future objects within the metalake, catalog
or schema.
+
+For example, if you give a use that `SELECT_TABLE` privilege on a catalog,
then that the user
+will be able to select(read) all tables in that catalog.
+
+## Privilege Condition
+
+The privilege supports two condition: `allow` and `deny`. `allow` means that
you are able to use the privilege,
+
+`deny` means that you aren't able to use the privilege.
+
+`deny` condition is prior to `allow` condition. If a role has the `allow`
condition and `deny` condition at the same time.
+The user won't be able to use the privilege.
+
+If parent securable object has the same privilege name with different
condition, the parent securable privilege will still take effect.
+
+For example, securable metalake object allows to use the catalog, but
securable catalog denies to use the catalog, the user isn't able to use the
catalog.
+
+If securable metalake object denies to use the catalog, but securable catalog
allows to use the catalog, the user isn't able to use the catalog, too.
+
+
+
+## Server Configuration
+
+If you want to enable the access control, you should enable the authorization.
+
+The related configuration is as follows.
+
+| Configuration item | Description
| Default value | Required | Since
Version |
+|------------------------------------------|-------------------------------------------------------|---------------|----------------------------------|---------------|
+| `gravitino.authorization.enable` | Enable the authorization
| false | No | 0.5.0
|
+| `gravitino.authorization.serviceAdmins` | The admins of Gravitino service,
is spitted by comma. | | Yes if enables the authorization | 0.5.0
|
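Review bot: the `gravitino.authorization.serviceAdmins` row says the item is required when authorization is enabled but not what happens if it is omitted; state whether the server refuses to start or starts with no service admin, since the Service Admin section above makes that the only role that can manage metalakes. Also "is spitted by comma" should read "a comma-separated list of user names", and the Description should say whether these names are matched against the authenticated user.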
Review Comment:
The default value is missing. Moreover, you'd better standardize the
sentence. The sentence `is splited by comma` has no subject.
##########
docs/security/how-to-authenticate.md:
##########
@@ -0,0 +1,176 @@
+---
+title: "How to authenticate"
+slug: /security/how-to-authenticate
+keyword: security authentication oauth kerberos
+license: "This software is licensed under the Apache License version 2."
+---
+
+## Authentication
+
+Apache Gravitino supports three kinds of authentication mechanisms:
simple,OAuth and Kerberos.
+
+### Simple mode
+
+Simple mode is the default authentication option of the server.
+
+For the client side, if it doesn't set the authentication explicitly, it will
use anonymous to access the server.
+
+If the client sets the simple mode, it will use the environment variable
`GRAVITINO_USER` as the user.
+
+If the environment variable `GRAVITINO_USER` isn't set, the client uses the
user of the machine that sends requests.
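Review bot: the three simple-mode paragraphs describe a precedence order (explicit setting, then `GRAVITINO_USER`, then "the user of the machine") but present it as separate sentences; write it as one ordered list so the fallback is unambiguous, and replace "the user of the machine that sends requests" with a definition such as "the operating-system account the client process runs as", if that is what is meant.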
Review Comment:
What is the meaning of `user of the machine`? Is the user currently logged
into the client machine?
##########
docs/security/access-control.md:
##########
@@ -0,0 +1,659 @@
+---
+title: "Access Control"
+slug: /security/access-control
+keyword: security
+license: "This software is licensed under the Apache License version 2."
+---
+
+## Overview
+
+Gravitino adopts RBAC and DAC.
+
+Role-based Access Control (RBAC): Access privileges are assigned to roles,
which are in turn assigned to users or groups.
+
+Discretionary Access Control(DAC): Each metadata object has an owner, who can
in turn grant access to that object.
+
+:::info
+
+Gravitino only supports authorization and doesn't support metadata
authentication.
+
+:::
+
+
+## Concept
+
+### Role
+
+A metadata object to which privileges can be granted. Roles are in turn
assigned to users or groups.
+
+### Privilege
+
+A defined level of access to an object. Multiple distinct privileges may be
used to control the granularity of access granted.
+
+### User
+
+A user identity recognized by Gravitino. External user system instead of
Gravitino manages users.
+
+### Group
+
+A group identity recognized by Gravitino. External user system instead of
Gravitino manages groups.
+
+### Metadata objects
+
+Metadata objects are managed in Gravitino, such as `CATALOG`, `SCHEMA`,
`TABLE`,
+`COLUMN`, `FILESET`, `TOPIC`, `COLUMN`, `ROLE`, `METALAKE`. A metadata object
is combined by a `type` and a
+comma-separated `name`. For example, a `CATAGLOG` object has a name "catalog1"
with type
+"CATALOG", a `SCHEMA` object has a name "catalog1.schema1" with type "SCHEMA",
a `TABLE`
+object has a name "catalog1.schema1.table1" with type "TABLE".
+
+### Securable objects
+
+A metadata object to which access can be granted. Unless allowed by a grant,
access is denied.
+
+Every securable object resides within a logical container in a hierarchy of
containers.
+
+The top container is the metalake. You can understand that metalake a customer
organization.
+
+Catalogs are under the metalake. Catalogs represent different kinds of data
sources.
+
+Schemas are under the catalog.
+
+There are tables, topics, or filesets under the schema.
+
+
+
+The relationship of the concepts is as below.
+
+
+
+
+### Ownership
+
+Every metadata object has an owner. The owner could be a user or group.
+
+The owner have all the privileges of the metadata object.
+
+The owner could be transferred to another user or group.
+
+## The types of roles
+
+### Service Admin
+
+Service admin is only used for managing the metalakes. Usually, this role is
for the maintainer of the service.
+
+### Custom Roles
+
+You can also create a dedicated role for your business by API or the client.
+
+## The types of privileges
+
+### User privileges
+
+| Name | Supports Securable Object | Operation |
+|-------------|---------------------------|---------------------|
+| ManageUsers | Metalake | Add or remove users |
+
+
+### Group privileges
+
+| Name | Supports Securable Object | Operation |
+|--------------|---------------------------|----------------------|
+| ManageGroups | Metalake | Add or remove groups |
+
+### Role privileges
+
+| Name | Supports Securable Object | Operation |
+|------------|---------------------------|---------------|
+| CreateRole | Metalake | Create a role |
+
+### Permission privileges
+
+| Name | Supports Securable Object | Operation |
+|--------------|---------------------------|------------------------|
+| ManageGrants | Metalake | grant or revoke a role |
+
+### Catalog privileges
+
+| Name | Supports Securable Object | Operation |
+|---------------|---------------------------|------------------|
+| CreateCatalog | Metalake | Create a catalog |
+| UseCatalog | Metalake, Catalog | |
+
+:::info
+
+`USE_CATALOG` is needed for a user to interact with any object within the
catalog.
+
+For example, to select data from a table, users need to have the SELECT_TABLE
privilege on that table and
+`USE CATALOG` privileges on its parent catalog as well as `USE SCHEMA`
privileges on its parent schema.
+
+:::
+
+
+### Schema privileges
+
+| Name | Supports Securable Object | Operation |
+|--------------|---------------------------|-----------------|
+| CreateSchema | Metalake, Catalog | Create a schema |
+| UseSchema | Metalake, Catalog, Schema | Use a schema |
+
+:::info
+
+`UseSchema`is needed for a user to interact with any object within the schema.
+
+For example, to select data from a table, users need to have the
`SELECT_TABLE` privilege on that table
+and `USE SCHEMA` privileges on its parent schema.
+
+:::
+
+### Table privileges
+
+| Name | Supports Securable Object | Operation
|
+|-------------|-----------------------------------|------------------------------------------------|
+| CreateTable | Metalake, Catalog, Schema | Create a table
|
+| ModifyTable | Metalake, Catalog, Schema, Table | Use the SQL
`UPDATE`,`DELETE`,`INSERT` a table |
+| SelectTable | Metalake, Catalog, Schema, Table | Use the SQL `SELECT` data
from a table |
+
+### Topic privileges
+
+| Name | Supports Securable Object | Operation
|
+|--------------|----------------------------------|-------------------------------------------|
+| CreateTopic | Metalake, Catalog, Schema | Create a topic
|
+| ProduceTopic | Metalake, Catalog, Schema, Topic | Produce a topic (including
alter a topic) |
+| ConsumeTopic | Metalake, Catalog, Schema, Topic | Consume a topic
|
+
+### Fileset privileges
+
+| Name | Supports Securable Object | Operation
|
+|---------------|------------------------------------|---------------------------------------------|
+| CreateFileset | Metalake, Catalog, Schema | Create a fileset
|
+| WriteFileset | Metalake, Catalog, Schema, Fileset | Write a fileset
(including alter a fileset) |
+| ReadFileset | Metalake, Catalog, Schema, Fileset | read a fileset
|
+
+## Inheritance Model
+
+Securable objects in Gravitino are hierarchical and privileges are inherited
downward.
+
+This means that granting a privilege on a metalake, catalog or schema
automatically grants
+the privilege to all current and future objects within the metalake, catalog
or schema.
+
+For example, if you give a use that `SELECT_TABLE` privilege on a catalog,
then that the user
+will be able to select(read) all tables in that catalog.
+
+## Privilege Condition
+
+The privilege supports two condition: `allow` and `deny`. `allow` means that
you are able to use the privilege,
+
+`deny` means that you aren't able to use the privilege.
+
+`deny` condition is prior to `allow` condition. If a role has the `allow`
condition and `deny` condition at the same time.
+The user won't be able to use the privilege.
+
+If parent securable object has the same privilege name with different
condition, the parent securable privilege will still take effect.
+
+For example, securable metalake object allows to use the catalog, but
securable catalog denies to use the catalog, the user isn't able to use the
catalog.
+
+If securable metalake object denies to use the catalog, but securable catalog
allows to use the catalog, the user isn't able to use the catalog, too.
+
+
+
+## Server Configuration
+
+If you want to enable the access control, you should enable the authorization.
+
+The related configuration is as follows.
+
+| Configuration item | Description
| Default value | Required | Since
Version |
+|------------------------------------------|-------------------------------------------------------|---------------|----------------------------------|---------------|
+| `gravitino.authorization.enable` | Enable the authorization
| false | No | 0.5.0
|
+| `gravitino.authorization.serviceAdmins` | The admins of Gravitino service,
is spitted by comma. | | Yes if enables the authorization | 0.5.0
|
+
+
+## User Operation
+
+### Add a user
+
+The external systems like LDAP, Scim and etc manage the user.
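Review bot: "Add a user" should explain what the operation does given that the last line says LDAP or SCIM manage users: presumably it registers the user name in the metalake so roles can be granted to it. State whether Gravitino checks the name against the external system or stores whatever string is supplied, since that decides whether a mistyped name can later receive grants. Also "Scim" is the acronym SCIM (System for Cross-domain Identity Management), and "and etc" should be "etc.".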
Review Comment:
What is `Scim`?
##########
docs/security/access-control.md:
##########
@@ -0,0 +1,659 @@
+---
+title: "Access Control"
+slug: /security/access-control
+keyword: security
+license: "This software is licensed under the Apache License version 2."
+---
+
+## Overview
+
+Gravitino adopts RBAC and DAC.
+
+Role-based Access Control (RBAC): Access privileges are assigned to roles,
which are in turn assigned to users or groups.
+
+Discretionary Access Control(DAC): Each metadata object has an owner, who can
in turn grant access to that object.
+
+:::info
+
+Gravitino only supports authorization and doesn't support metadata
authentication.
+
+:::
+
+
+## Concept
+
+### Role
+
+A metadata object to which privileges can be granted. Roles are in turn
assigned to users or groups.
+
+### Privilege
+
+A defined level of access to an object. Multiple distinct privileges may be
used to control the granularity of access granted.
+
+### User
+
+A user identity recognized by Gravitino. External user system instead of
Gravitino manages users.
+
+### Group
+
+A group identity recognized by Gravitino. External user system instead of
Gravitino manages groups.
+
+### Metadata objects
+
+Metadata objects are managed in Gravitino, such as `CATALOG`, `SCHEMA`,
`TABLE`,
+`COLUMN`, `FILESET`, `TOPIC`, `COLUMN`, `ROLE`, `METALAKE`. A metadata object
is combined by a `type` and a
+comma-separated `name`. For example, a `CATAGLOG` object has a name "catalog1"
with type
+"CATALOG", a `SCHEMA` object has a name "catalog1.schema1" with type "SCHEMA",
a `TABLE`
+object has a name "catalog1.schema1.table1" with type "TABLE".
+
+### Securable objects
+
+A metadata object to which access can be granted. Unless allowed by a grant,
access is denied.
+
+Every securable object resides within a logical container in a hierarchy of
containers.
+
+The top container is the metalake. You can understand that metalake a customer
organization.
+
+Catalogs are under the metalake. Catalogs represent different kinds of data
sources.
+
+Schemas are under the catalog.
+
+There are tables, topics, or filesets under the schema.
+
+
+
+The relationship of the concepts is as below.
+
+
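Review bot: "The relationship of the concepts is as below." is followed only by blank lines in this hunk, so the figure it refers to is not part of the diff; add the image link (or a text rendering of the hierarchy) so the sentence does not dangle. In the same region, "You can understand that metalake a customer organization" is missing its verb: "You can think of a metalake as a customer organization."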
Review Comment:
Besides, please refine the picture like
```
Role Table1 reviewer -> Role: Table1 reviewer
Role Fileset 3 scientist -> Role: Fileset3 scientist.
```
##########
docs/security/access-control.md:
##########
@@ -0,0 +1,659 @@
+---
+title: "Access Control"
+slug: /security/access-control
+keyword: security
+license: "This software is licensed under the Apache License version 2."
+---
+
+## Overview
+
+Gravitino adopts RBAC and DAC.
+
+Role-based Access Control (RBAC): Access privileges are assigned to roles,
which are in turn assigned to users or groups.
+
+Discretionary Access Control(DAC): Each metadata object has an owner, who can
in turn grant access to that object.
+
+:::info
+
+Gravitino only supports authorization and doesn't support metadata
authentication.
+
+:::
+
+
+## Concept
+
+### Role
+
+A metadata object to which privileges can be granted. Roles are in turn
assigned to users or groups.
+
+### Privilege
+
+A defined level of access to an object. Multiple distinct privileges may be
used to control the granularity of access granted.
+
+### User
+
+A user identity recognized by Gravitino. External user system instead of
Gravitino manages users.
+
+### Group
+
+A group identity recognized by Gravitino. External user system instead of
Gravitino manages groups.
+
+### Metadata objects
+
+Metadata objects are managed in Gravitino, such as `CATALOG`, `SCHEMA`,
`TABLE`,
+`COLUMN`, `FILESET`, `TOPIC`, `COLUMN`, `ROLE`, `METALAKE`. A metadata object
is combined by a `type` and a
+comma-separated `name`. For example, a `CATAGLOG` object has a name "catalog1"
with type
+"CATALOG", a `SCHEMA` object has a name "catalog1.schema1" with type "SCHEMA",
a `TABLE`
+object has a name "catalog1.schema1.table1" with type "TABLE".
+
+### Securable objects
+
+A metadata object to which access can be granted. Unless allowed by a grant,
access is denied.
+
+Every securable object resides within a logical container in a hierarchy of
containers.
+
+The top container is the metalake. You can understand that metalake a customer
organization.
+
+Catalogs are under the metalake. Catalogs represent different kinds of data
sources.
+
+Schemas are under the catalog.
+
+There are tables, topics, or filesets under the schema.
+
+
+
+The relationship of the concepts is as below.
+
+
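Review bot: the hierarchy paragraphs (metalake, catalog, schema, then tables, topics or filesets) do not say where `COLUMN` and `ROLE` from the Metadata objects list sit, so a reader cannot tell whether a column is a securable object under its table or whether roles live at the metalake level; add one sentence for each, or drop them from the list if access cannot be granted on them.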
Review Comment:
I think you may need to add the following contents: Securable objects
consist of a metadata object and a set of privileges for the securable objects.