jerqi commented on code in PR #4624:
URL: https://github.com/apache/gravitino/pull/4624#discussion_r1726673544


##########
docs/security/access-control.md:
##########
@@ -20,24 +42,90 @@ Gravitino doesn't support metadata authentication. It means 
that Gravitino won't
 
 :::
 
-
 ## Concept
 
+### Authorization
+
+Gravitino also provides a set of authorization frameworks to interact with 
different underlying data source
+authorization systems (e.g., MySQL's own permission management and the Apache 
Ranger permission management system for big data)
+in accordance with its own authorization model and methodology.
+More information you can see [Authorization push 
down](authorization-pushdown.md).
+
+### Authentication
+
+As mentioned above, Gravitino uses Ownership to control the rights of 
resources in the management category and uses Role to control the permissions 
of operations in the operation category,
+so when a user performs a specific operation on a specified resource,
+Gravitino will perform a composite authentication on the Ownership and Role to 
which the resource belongs.
+When a user has more than one Role, Gravitino will use the user's current Role 
for authentication, and the user can switch the current Role to access 
different resources.
+
+#### Permission fuzzy matching
+
+Gravitino uses the resource's ENTITY ID (long type) to preserve permission 
relationships.
+So Gravitino can't directly support fuzzy matching of resource names (string 
type), such as wildcards like (*) and (%).
+Gravitino uses the resource parent node to express support for all resource 
(*) wildcards for child resources, for example,
+if we need to set read permissions for all table resources, we can set it to 
`{catalog1.schema1, READ_TABLE_PRIVILEGE}`,
+which stands for having access to `catalog1.schema1.*` read access to all 
tables.
+
+### Storage of authority data
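
Review bot: The text added under "### Authentication" describes an authorization decision, not authentication: it explains how Ownership and Role are evaluated when a user performs an operation on a resource. With "### Authorization" directly above it covering push-down to underlying systems, the two headings are easy to confuse; consider renaming this one (for example "Authorization check") and replacing "composite authentication" with "composite authorization check". In "Permission fuzzy matching", the sentence ending "which stands for having access to `catalog1.schema1.*` read access to all tables" repeats itself and should state plainly that a privilege set on the parent schema applies to every table under it; it would also help to say whether that includes tables created after the grant, since that determines how broad `{catalog1.schema1, READ_TABLE_PRIVILEGE}` really is. Minor: "More information you can see" reads better as "For more information, see".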

Review Comment:
   This is the implementation of the user system.


