jerqi commented on code in PR #4496:
URL: https://github.com/apache/gravitino/pull/4496#discussion_r1717863468
##########
docs/security/access-control.md:
##########
@@ -0,0 +1,659 @@
+---
+title: "Access Control"
+slug: /security/access-control
+keyword: security
+license: "This software is licensed under the Apache License version 2."
+---
+
+## Overview
+
+Gravitino adopts RBAC and DAC.
+
+Role-based Access Control (RBAC): Access privileges are assigned to roles,
which are in turn assigned to users or groups.
+
+Discretionary Access Control(DAC): Each metadata object has an owner, who can
in turn grant access to that object.
+
+:::info
+
+Gravitino only supports authorization and doesn't support metadata
authentication.
+
+:::
+
+
+## Concept
+
+### Role
+
+A metadata object to which privileges can be granted. Roles are in turn
assigned to users or groups.
+
+### Privilege
+
+A defined level of access to an object. Multiple distinct privileges may be
used to control the granularity of access granted.
+
+### User
+
+A user identity recognized by Gravitino. External user system instead of
Gravitino manages users.
+
+### Group
+
+A group identity recognized by Gravitino. External user system instead of
Gravitino manages groups.
+
+### Metadata objects
+
+Metadata objects are managed in Gravitino, such as `CATALOG`, `SCHEMA`,
`TABLE`,
+`COLUMN`, `FILESET`, `TOPIC`, `COLUMN`, `ROLE`, `METALAKE`. A metadata object
is combined by a `type` and a
+comma-separated `name`. For example, a `CATAGLOG` object has a name "catalog1"
with type
+"CATALOG", a `SCHEMA` object has a name "catalog1.schema1" with type "SCHEMA",
a `TABLE`
+object has a name "catalog1.schema1.table1" with type "TABLE".
+
+### Securable objects
+
+A metadata object to which access can be granted. Unless allowed by a grant,
access is denied.
+
+Every securable object resides within a logical container in a hierarchy of
containers.
+
+The top container is the metalake. You can understand that metalake a customer
organization.
+
+Catalogs are under the metalake. Catalogs represent different kinds of data
sources.
+
+Schemas are under the catalog.
+
+There are tables, topics, or filesets under the schema.
+
+
+
+The relationship of the concepts is as below.
+
+
+
+
+### Ownership
+
+Every metadata object has an owner. The owner could be a user or group.
+
+The owner have all the privileges of the metadata object.
+
+The owner could be transferred to another user or group.
+
+## The types of roles
+
+### Service Admin
+
+Service admin is only used for managing the metalakes. Usually, this role is
for the maintainer of the service.
+
+### Custom Roles
+
+You can also create a dedicated role for your business by API or the client.
+
+## The types of privileges
+
+### User privileges
+
+| Name | Supports Securable Object | Operation |
+|-------------|---------------------------|---------------------|
+| ManageUsers | Metalake | Add or remove users |
+
+
+### Group privileges
+
+| Name | Supports Securable Object | Operation |
+|--------------|---------------------------|----------------------|
+| ManageGroups | Metalake | Add or remove groups |
+
+### Role privileges
+
+| Name | Supports Securable Object | Operation |
+|------------|---------------------------|---------------|
+| CreateRole | Metalake | Create a role |
+
+### Permission privileges
+
+| Name | Supports Securable Object | Operation |
+|--------------|---------------------------|------------------------|
+| ManageGrants | Metalake | grant or revoke a role |
+
+### Catalog privileges
+
+| Name | Supports Securable Object | Operation |
+|---------------|---------------------------|------------------|
+| CreateCatalog | Metalake | Create a catalog |
+| UseCatalog | Metalake, Catalog | |
+
+:::info
+
+`USE_CATALOG` is needed for a user to interact with any object within the
catalog.
+
+For example, to select data from a table, users need to have the SELECT_TABLE
privilege on that table and
+`USE CATALOG` privileges on its parent catalog as well as `USE SCHEMA`
privileges on its parent schema.
+
+:::
+
+
+### Schema privileges
+
+| Name | Supports Securable Object | Operation |
+|--------------|---------------------------|-----------------|
+| CreateSchema | Metalake, Catalog | Create a schema |
+| UseSchema | Metalake, Catalog, Schema | Use a schema |
+
+:::info
+
+`UseSchema`is needed for a user to interact with any object within the schema.
+
+For example, to select data from a table, users need to have the
`SELECT_TABLE` privilege on that table
+and `USE SCHEMA` privileges on its parent schema.
+
+:::
+
+### Table privileges
+
+| Name | Supports Securable Object | Operation
|
+|-------------|-----------------------------------|------------------------------------------------|
+| CreateTable | Metalake, Catalog, Schema | Create a table
|
+| ModifyTable | Metalake, Catalog, Schema, Table | Use the SQL
`UPDATE`,`DELETE`,`INSERT` a table |
+| SelectTable | Metalake, Catalog, Schema, Table | Use the SQL `SELECT` data
from a table |
+
+### Topic privileges
+
+| Name | Supports Securable Object | Operation
|
+|--------------|----------------------------------|-------------------------------------------|
+| CreateTopic | Metalake, Catalog, Schema | Create a topic
|
+| ProduceTopic | Metalake, Catalog, Schema, Topic | Produce a topic (including
alter a topic) |
+| ConsumeTopic | Metalake, Catalog, Schema, Topic | Consume a topic
|
+
+### Fileset privileges
+
+| Name | Supports Securable Object | Operation
|
+|---------------|------------------------------------|---------------------------------------------|
+| CreateFileset | Metalake, Catalog, Schema | Create a fileset
|
+| WriteFileset | Metalake, Catalog, Schema, Fileset | Write a fileset
(including alter a fileset) |
+| ReadFileset | Metalake, Catalog, Schema, Fileset | read a fileset
|
+
+## Inheritance Model
+
+Securable objects in Gravitino are hierarchical and privileges are inherited
downward.
+
+This means that granting a privilege on a metalake, catalog or schema
automatically grants
+the privilege to all current and future objects within the metalake, catalog
or schema.
+
+For example, if you give a use that `SELECT_TABLE` privilege on a catalog,
then that the user
+will be able to select(read) all tables in that catalog.
+
+## Privilege Condition
+
+The privilege supports two condition: `allow` and `deny`. `allow` means that
you are able to use the privilege,
+
+`deny` means that you aren't able to use the privilege.
+
+`deny` condition is prior to `allow` condition. If a role has the `allow`
condition and `deny` condition at the same time.
+The user won't be able to use the privilege.
+
+If parent securable object has the same privilege name with different
condition, the parent securable privilege will still take effect.
+
+For example, securable metalake object allows to use the catalog, but
securable catalog denies to use the catalog, the user isn't able to use the
catalog.
+
+If securable metalake object denies to use the catalog, but securable catalog
allows to use the catalog, the user isn't able to use the catalog, too.
+
+
+
+## Server Configuration
+
+If you want to enable the access control, you should enable the authorization.
+
+The related configuration is as follows.
+
+| Configuration item | Description
| Default value | Required | Since
Version |
+|------------------------------------------|-------------------------------------------------------|---------------|----------------------------------|---------------|
+| `gravitino.authorization.enable` | Enable the authorization
| false | No | 0.5.0
|
Review Comment:
Done.
##########
docs/security/access-control.md:
##########
@@ -0,0 +1,659 @@
+---
+title: "Access Control"
+slug: /security/access-control
+keyword: security
+license: "This software is licensed under the Apache License version 2."
+---
+
+## Overview
+
+Gravitino adopts RBAC and DAC.
+
+Role-based Access Control (RBAC): Access privileges are assigned to roles,
which are in turn assigned to users or groups.
+
+Discretionary Access Control(DAC): Each metadata object has an owner, who can
in turn grant access to that object.
+
+:::info
+
+Gravitino only supports authorization and doesn't support metadata
authentication.
+
+:::
+
+
+## Concept
+
+### Role
+
+A metadata object to which privileges can be granted. Roles are in turn
assigned to users or groups.
+
+### Privilege
+
+A defined level of access to an object. Multiple distinct privileges may be
used to control the granularity of access granted.
+
+### User
+
+A user identity recognized by Gravitino. External user system instead of
Gravitino manages users.
+
+### Group
+
+A group identity recognized by Gravitino. External user system instead of
Gravitino manages groups.
+
+### Metadata objects
+
+Metadata objects are managed in Gravitino, such as `CATALOG`, `SCHEMA`,
`TABLE`,
+`COLUMN`, `FILESET`, `TOPIC`, `COLUMN`, `ROLE`, `METALAKE`. A metadata object
is combined by a `type` and a
+comma-separated `name`. For example, a `CATAGLOG` object has a name "catalog1"
with type
+"CATALOG", a `SCHEMA` object has a name "catalog1.schema1" with type "SCHEMA",
a `TABLE`
+object has a name "catalog1.schema1.table1" with type "TABLE".
+
+### Securable objects
+
+A metadata object to which access can be granted. Unless allowed by a grant,
access is denied.
+
+Every securable object resides within a logical container in a hierarchy of
containers.
+
+The top container is the metalake. You can understand that metalake a customer
organization.
+
+Catalogs are under the metalake. Catalogs represent different kinds of data
sources.
+
+Schemas are under the catalog.
+
+There are tables, topics, or filesets under the schema.
+
+
+
+The relationship of the concepts is as below.
+
+
+
+
+### Ownership
+
+Every metadata object has an owner. The owner could be a user or group.
+
+The owner have all the privileges of the metadata object.
+
+The owner could be transferred to another user or group.
+
+## The types of roles
+
+### Service Admin
+
+Service admin is only used for managing the metalakes. Usually, this role is
for the maintainer of the service.
+
+### Custom Roles
+
+You can also create a dedicated role for your business by API or the client.
+
+## The types of privileges
+
+### User privileges
+
+| Name | Supports Securable Object | Operation |
+|-------------|---------------------------|---------------------|
+| ManageUsers | Metalake | Add or remove users |
+
+
+### Group privileges
+
+| Name | Supports Securable Object | Operation |
+|--------------|---------------------------|----------------------|
+| ManageGroups | Metalake | Add or remove groups |
+
+### Role privileges
+
+| Name | Supports Securable Object | Operation |
+|------------|---------------------------|---------------|
+| CreateRole | Metalake | Create a role |
+
+### Permission privileges
+
+| Name | Supports Securable Object | Operation |
+|--------------|---------------------------|------------------------|
+| ManageGrants | Metalake | grant or revoke a role |
+
+### Catalog privileges
+
+| Name | Supports Securable Object | Operation |
+|---------------|---------------------------|------------------|
+| CreateCatalog | Metalake | Create a catalog |
+| UseCatalog | Metalake, Catalog | |
+
+:::info
+
+`USE_CATALOG` is needed for a user to interact with any object within the
catalog.
+
+For example, to select data from a table, users need to have the SELECT_TABLE
privilege on that table and
+`USE CATALOG` privileges on its parent catalog as well as `USE SCHEMA`
privileges on its parent schema.
+
+:::
+
+
+### Schema privileges
+
+| Name | Supports Securable Object | Operation |
+|--------------|---------------------------|-----------------|
+| CreateSchema | Metalake, Catalog | Create a schema |
+| UseSchema | Metalake, Catalog, Schema | Use a schema |
+
+:::info
+
+`UseSchema`is needed for a user to interact with any object within the schema.
+
+For example, to select data from a table, users need to have the
`SELECT_TABLE` privilege on that table
+and `USE SCHEMA` privileges on its parent schema.
+
+:::
+
+### Table privileges
+
+| Name | Supports Securable Object | Operation
|
+|-------------|-----------------------------------|------------------------------------------------|
+| CreateTable | Metalake, Catalog, Schema | Create a table
|
+| ModifyTable | Metalake, Catalog, Schema, Table | Use the SQL
`UPDATE`,`DELETE`,`INSERT` a table |
+| SelectTable | Metalake, Catalog, Schema, Table | Use the SQL `SELECT` data
from a table |
+
+### Topic privileges
+
+| Name | Supports Securable Object | Operation
|
+|--------------|----------------------------------|-------------------------------------------|
+| CreateTopic | Metalake, Catalog, Schema | Create a topic
|
+| ProduceTopic | Metalake, Catalog, Schema, Topic | Produce a topic (including
alter a topic) |
+| ConsumeTopic | Metalake, Catalog, Schema, Topic | Consume a topic
|
+
+### Fileset privileges
+
+| Name | Supports Securable Object | Operation
|
+|---------------|------------------------------------|---------------------------------------------|
+| CreateFileset | Metalake, Catalog, Schema | Create a fileset
|
+| WriteFileset | Metalake, Catalog, Schema, Fileset | Write a fileset
(including alter a fileset) |
+| ReadFileset | Metalake, Catalog, Schema, Fileset | read a fileset
|
+
+## Inheritance Model
+
+Securable objects in Gravitino are hierarchical and privileges are inherited
downward.
+
+This means that granting a privilege on a metalake, catalog or schema
automatically grants
+the privilege to all current and future objects within the metalake, catalog
or schema.
+
+For example, if you give a use that `SELECT_TABLE` privilege on a catalog,
then that the user
+will be able to select(read) all tables in that catalog.
+
+## Privilege Condition
+
+The privilege supports two condition: `allow` and `deny`. `allow` means that
you are able to use the privilege,
+
+`deny` means that you aren't able to use the privilege.
+
+`deny` condition is prior to `allow` condition. If a role has the `allow`
condition and `deny` condition at the same time.
+The user won't be able to use the privilege.
+
+If parent securable object has the same privilege name with different
condition, the parent securable privilege will still take effect.
+
+For example, securable metalake object allows to use the catalog, but
securable catalog denies to use the catalog, the user isn't able to use the
catalog.
+
+If securable metalake object denies to use the catalog, but securable catalog
allows to use the catalog, the user isn't able to use the catalog, too.
+
+
+
+## Server Configuration
+
+If you want to enable the access control, you should enable the authorization.
+
+The related configuration is as follows.
+
+| Configuration item | Description
| Default value | Required | Since
Version |
+|------------------------------------------|-------------------------------------------------------|---------------|----------------------------------|---------------|
+| `gravitino.authorization.enable` | Enable the authorization
| false | No | 0.5.0
|
+| `gravitino.authorization.serviceAdmins` | The admins of Gravitino service,
is spitted by comma. | | Yes if enables the authorization | 0.5.0
|
Review Comment:
Done.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
