[
https://issues.apache.org/jira/browse/SENTRY-1032?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15124447#comment-15124447
]
Sravya Tirukkovalur commented on SENTRY-1032:
---------------------------------------------
bq. I don't think we should use the term "grant" when talking about roles and
groups because it overloads the term with respect to privileges. Let's reserve
the term grant for privileges. If I say "grant x to y" and we respect the above
I know x is a privilege and y is a role. Less thinking involved.
Effectively to grant a user a privilege, we need to :
1. Find the role which has the required privileges (or create a role and grant
required privileges to it) and
2. Grant/Assign this role to the group which user belongs to.
So I do not think grant in the case of role is non intuitive. Although, I
prefer assign. As it goes well with saying assign the group "dept_A_engineers"
to role "PCI_compliant_access_role" for example.
bq. Groups are collections of users and roles are collections of groups.
Role can be thought as a collection of groups, but in which case the opposite
is also true: Group is a collection of roles. It is a many to many relationship.
bq. I'm interested in your point that "groups come first". Can you describe
that workflow?
Groups usually come from Active Directory, so user:group mappings happen first
and they are pretty much setup just once in a company when a new employee
joins. Roles are specific to data access rules. Some groups in the company can
have powers to see sensitive data and some might not. So assigning a role to a
group happens next once they figure out which groups can access what.
> Rename shell command group/role shell commands and implement with solr shell
> ----------------------------------------------------------------------------
>
> Key: SENTRY-1032
> URL: https://issues.apache.org/jira/browse/SENTRY-1032
> Project: Sentry
> Issue Type: Task
> Components: Service
> Affects Versions: 1.7.0
> Reporter: Gregory Chanan
> Assignee: Gregory Chanan
> Attachments: SENTRY-1032.patch
>
>
> --add_role_group is a bit confusing because the command is to add group to
> role (i.e. the objects are reversed). Let's change this before it is
> released and we need to support backwards compatibility.
> same for --delete_role_group.
> Also, these commands are not implemented with SentryShellSolr. Let's do that.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
