yuqi1129 commented on code in PR #4624:
URL: https://github.com/apache/gravitino/pull/4624#discussion_r1726696548
##########
docs/security/authorization-pushdown.md:
##########
@@ -0,0 +1,51 @@
+---
+title: "Permission System"
+slug: /security/permission-system
+keyword: security
+license: "This software is licensed under the Apache License version 2."
+---
+
+## Authorization Push-down
+
+
+
+Gravitino also provides a set of authorization frameworks to interact with
different underlying data source
+permission systems (e.g., MySQL's own permission management and the Apache
Ranger permission management system for big data)
+in accordance with its own authorization model and methodology.
+On top of this, Gravitino manages different underlying data sources through
Catalogs.
+When a user performs an authorization operation on the data in a Catalog,
Gravitino will call the interface of the Authorization Plugin module in the
respective Catalog to translate the Gravitino authorization model into the
underlying data source's permission rules of the underlying data source.
+Permission is then pushed down to the underlying permission system through the
client of the underlying data source (JDBC or Apache Ranger client, etc.).
+
+### Authorization Ranger Hive Plugin properties
+
+The Authorization Ranger Hive Plugin extends the following properties in the
[Apache Hive catalog properties](../apache-hive-catalog.md#catalog-properties):
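Review bot: the last sentence of the push-down paragraph is redundant, "translate the Gravitino authorization model into the underlying data source's permission rules of the underlying data source"; drop the trailing "of the underlying data source". The front matter also disagrees with the file: the title is "Permission System" and the slug `/security/permission-system`, while the file is `authorization-pushdown.md` with the heading "## Authorization Push-down", so the sidebar entry, the URL and the heading will show three different names; pick one. Minor: the two empty lines after the heading can be collapsed to one.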
Review Comment:
> the following properties in the [Apache Hive catalog properties
Have you put the following configurations into
`../apache-hive-catalog.md#catalog-properties`? If not, you may need to modify
the description.
##########
docs/security/authorization-pushdown.md:
##########
@@ -0,0 +1,51 @@
+---
+title: "Permission System"
+slug: /security/permission-system
+keyword: security
+license: "This software is licensed under the Apache License version 2."
+---
+
+## Authorization Push-down
+
+
+
+Gravitino also provides a set of authorization frameworks to interact with
different underlying data source
+permission systems (e.g., MySQL's own permission management and the Apache
Ranger permission management system for big data)
+in accordance with its own authorization model and methodology.
+On top of this, Gravitino manages different underlying data sources through
Catalogs.
+When a user performs an authorization operation on the data in a Catalog,
Gravitino will call the interface of the Authorization Plugin module in the
respective Catalog to translate the Gravitino authorization model into the
underlying data source's permission rules of the underlying data source.
+Permission is then pushed down to the underlying permission system through the
client of the underlying data source (JDBC or Apache Ranger client, etc.).
+
+### Authorization Ranger Hive Plugin properties
+
+The Authorization Ranger Hive Plugin extends the following properties in the
[Apache Hive catalog properties](../apache-hive-catalog.md#catalog-properties):
+
+| Property Name | Description
| Default Value | Required | Since Version |
+|-------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|----------|---------------|
+| `authorization-provider` | Providers to use to implement
authorization plugin such as `ranger`.
| (none) | No | 0.6.0
|
+| `authorization.ranger.admin.url` | The Apache Ranger web URIs.
| (none) | No | 0.6.0 |
+| `authorization.ranger.auth.type` | The Apache Ranger authentication type
`simple` or `kerberos`.
| `simple` | No | 0.6.0 |
+| `authorization.ranger.username` | The Apache Ranger admin web login
username (auth type=simple), or kerberos principal(auth type=kerberos), Need
have Ranger administrator permission. | (none) | No | 0.6.0
|
+| `authorization.ranger.password` | The Apache Ranger admin web login user
password (auth type=simple), or path of the keytab file(auth type=kerberos)
| (none) | No | 0.6.0 |
+| `authorization.ranger.service.name` | The Apache Ranger service name.
| (none) | No | 0.6.0 |
+
+Once you have used the correct configuration, you can perform authorization
operations by calling Gravitino's [authorization RESTful
API](https://datastrato.ai/docs/latest/api/rest/grant-roles-to-a-user).
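Review bot: `authorization.ranger.password` holds either the Ranger admin web password or a keytab path, and `authorization.ranger.username` is required to carry Ranger administrator permission, so the table should state that these catalog properties are secrets and how they are expected to be protected (who can read catalog properties, whether they are echoed back by the catalog API, whether a credential store or file reference is supported instead of a literal value); as written, a reader will put a Ranger admin password directly into the catalog configuration. Also, every row is marked Required "No", yet `authorization.ranger.admin.url` and `authorization.ranger.service.name` cannot be absent when `authorization-provider` is `ranger`; say "Yes, if `authorization-provider` is `ranger`" or document what happens when they are missing. Wording: "Need have Ranger administrator permission" should read "Must have Ranger administrator permission", and "The Apache Ranger web URIs" should be the singular "URL" to match the property name.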
Review Comment:
This is a dead link. Besides, should we still use `datastrato` to display our
documents after Gravitino was donated to ASF?
##########
docs/security/access-control.md:
##########
@@ -20,24 +42,90 @@ Gravitino doesn't support metadata authentication. It means
that Gravitino won't
:::
-
## Concept
+### Authorization
+
+Gravitino also provides a set of authorization frameworks to interact with
different underlying data source
+authorization systems (e.g., MySQL's own permission management and the Apache
Ranger permission management system for big data)
+in accordance with its own authorization model and methodology.
+More information you can see [Authorization push
down](authorization-pushdown.md).
+
+### Authentication
+
+As mentioned above, Gravitino uses Ownership to control the rights of
resources in the management category and uses Role to control the permissions
of operations in the operation category,
+so when a user performs a specific operation on a specified resource,
+Gravitino will perform a composite authentication on the Ownership and Role to
which the resource belongs.
+When a user has more than one Role, Gravitino will use the user's current Role
for authentication, and the user can switch the current Role to access
different resources.
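Review bot: the "### Authentication" heading introduces text that describes an authorization decision (Ownership plus Role deciding whether an operation on a resource is allowed), and "composite authentication" in the same paragraph has the same problem; rename the section (for example "### Authorization check") and use "authorization" throughout, which also avoids confusion with the "### Authorization" section just above it that covers push-down. The paragraph further says that with more than one Role "Gravitino will use the user's current Role", but never states how the current Role is selected, what the default is, or how a user switches it; that needs to be spelled out, since it determines which permissions are actually evaluated. Finally, the `-` line removes the blank line between `:::` and `## Concept`, which leaves the admonition fence adjacent to the heading; keep that blank line.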
Review Comment:
This part seems to relate to authorization rather than authentication.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]