mchades commented on code in PR #9035:
URL: https://github.com/apache/gravitino/pull/9035#discussion_r2510373222


##########
docs/security/access-control.md:
##########
@@ -1025,4 +1033,13 @@ The following table lists the required privileges for 
each API.
 | grant privilege                   | `MANAGE_GRANTS` on the metalake or the 
owner of the securable object                                                   
                                                                                
                                       |
 | revoke privilege                  | `MANAGE_GRANTS` on the metalake or the 
owner of the securable object                                                   
                                                                                
                                       |
 | set owner                         | The owner of the securable object        
                                                                                
                                                                                
                                     |
+| list tags                         | `APPLY_TAG` on the metalake, the owner 
of the metalake, or the tag itself.                                             
                                                                                
                                       |
+| create tag                        | `CREATE_TAG` on the metalake or the 
owner of the metalake.                                                          
                                                                                
                                          |
+| get tag                           | `APPLY_TAG` on the metalake or tag, the 
owner of the metalake, or the tag itself.                                       
                                                                                
                                      |
+| alter tag                         | Must be the owner of the metalake or the 
tag.                                                                            
                                                                                
                                     |
+| delete tag                        | Must be the owner of the metalake or the 
tag.                                                                            
                                                                                
                                     |
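
Review bot: In the `get tag` row, "`APPLY_TAG` on the metalake or tag" already covers the tag, so the trailing "or the tag itself" is either redundant or means something the cell does not state. The `alter tag` and `delete tag` rows say "the owner of the metalake or the tag"; if ownership is what is meant in `get tag` as well, use that same wording there. The new rows also end with a period and open with "Must be the owner of", while the existing rows above ("The owner of the securable object") do neither; matching the existing style would keep the table consistent.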

Review Comment:
   Does this mean that the tag also has an independent owner?



##########
docs/security/access-control.md:
##########
@@ -1025,4 +1033,13 @@ The following table lists the required privileges for 
each API.
 | grant privilege                   | `MANAGE_GRANTS` on the metalake or the 
owner of the securable object                                                   
                                                                                
                                       |
 | revoke privilege                  | `MANAGE_GRANTS` on the metalake or the 
owner of the securable object                                                   
                                                                                
                                       |
 | set owner                         | The owner of the securable object        
                                                                                
                                                                                
                                     |
+| list tags                         | `APPLY_TAG` on the metalake, the owner 
of the metalake, or the tag itself.                                             
                                                                                
                                       |
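
Review bot: The `list tags` row ends with "or the tag itself", but a list call does not name a single tag, so that condition cannot be a precondition for the call as a whole. Suggest splitting the cell into what is required to call the API and what decides which tags appear in the result, and stating which of the two a per-tag `APPLY_TAG` grant affects.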

Review Comment:
   Does this mean that users who do not meet specific conditions will encounter 
a permission-denied error when calling listTags? Or does it mean that all users 
can `listTags`, but tags will be filtered based on user permissions?



##########
docs/security/access-control.md:
##########
@@ -264,6 +265,13 @@ DENY `WRITE_FILESET` won‘t deny the `READ_FILESET` 
operation if the user has t
 | CREATE_MODEL_VERSION | Metalake, Catalog, Schema, Model | Create a model 
version                                             |
 | USE_MODEL            | Metalake, Catalog, Schema, Model | View the metadata 
of the model and download all the model versions |
 
+### Tag privileges
+
+| Name       | Supports Securable Object | Operation    |
+|------------|---------------------------|--------------|
+| CREATE_TAG | Metalake                  | Create a tag |
+| APPLY_TAG  | Metalake, Tag             | Apply a tag  |
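
Review bot: The Operation cell for `APPLY_TAG` reads "Apply a tag", but the API table changed in this same file requires `APPLY_TAG` for `list tags` and `get tag`, which are read operations. The description should list what the privilege actually permits (for example viewing tag metadata as well as attaching the tag to objects, if that is the intent) so that the privilege table and the API table agree.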

Review Comment:
   What does "Apply a tag" mean? Does it include all tag operations except 
"Create a tag"? I think it's not appropriate to simply use "Apply a tag"; a 
more detailed description is needed.


