Data Model level is better than Cube level.

How about leaving an extension point there for people who want to keep Cube
Level ACL?




Best Regards!
---------------------

Luke Han

On Tue, Aug 15, 2017 at 5:30 PM, Li Yang <liy...@apache.org> wrote:

> So we can still control who can (or cannot) access a cube by defining ACL
> on tables, right?
>
> On Mon, Aug 7, 2017 at 2:26 PM, ShaoFeng Shi <shaofeng...@apache.org>
> wrote:
>
> > It makes sense to me. Will the Cube ACL info be migrated (from Cube to
> > Table) when it is done?
> >
> > 2017-08-07 10:37 GMT+08:00 hongbin ma <mahong...@apache.org>:
> >
> > > Current ACL design is based on very early versions where Kylin merely had
> > > simple concepts like projects and cubes.
> > > With the advent of Kylin v2.0, and several new concepts like Data Model (
> > > http://kylin.apache.org/docs/gettingstarted/concepts.html) and Query
> > > Pushdown (KYLIN-2515), the original cube-centric ACL design is becoming
> > > outdated. The reasons are two-fold: 1. cubes are no longer the only
> > > entities we want to control within each project. 2. Cube-level ACL
> > > cannot protect underlying tables from being queried by unwanted users.
> > >
> > > In fact, cubes are merely a special kind of index on the original table.
> > > It's not straightforward to apply ACL on indexes rather than original
> > > tables. That said, we need table-level ACL instead of cube-level ACL. We
> > > have elaborated the detailed plans in KYLIN-2760 and KYLIN-2761. Please
> > > comment on those issues or reply to this email if you have any concerns.
> > >
> > > --
> > > Regards,
> > >
> > > *Bin Mahone | 马洪宾*
> > >
> >
> >
> >
> > --
> > Best regards,
> >
> > Shaofeng Shi 史少锋
> >
>
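
The gap raised in the original proposal, as a toy model added here (not Kylin code and not written by anyone in this thread): a cube-level check has nothing to consult when a query falls through to pushdown, while a table-level check gives the same decision on both paths. All names, tables, columns and users below are constructed, and the model assumes a query that no cube can answer is sent to pushdown against the source table.

```python
# Toy model (constructed; not Kylin code) of cube-level vs table-level ACL.
from dataclasses import dataclass

@dataclass(frozen=True)
class Cube:
    tables: frozenset   # source tables the cube is built from
    columns: frozenset  # columns the cube can answer from

@dataclass(frozen=True)
class Query:
    tables: frozenset
    columns: frozenset

# Constructed sample metadata and ACL entries.
CUBES = {"sales_cube": Cube(frozenset({"SALES"}), frozenset({"REGION", "AMOUNT"}))}
CUBE_ACL = {"sales_cube": {"alice"}}   # cube-centric design
TABLE_ACL = {"SALES": {"alice"}}       # table-level design

def route(q):
    """Name of a cube that can answer q, or None when q falls to pushdown."""
    for name, cube in CUBES.items():
        if q.tables <= cube.tables and q.columns <= cube.columns:
            return name
    return None

def allowed_cube_level(user, q):
    """Cube-centric check: only a cube hit has an ACL to consult."""
    cube = route(q)
    if cube is None:
        return True  # pushdown path: no cube involved, so nothing is checked
    return user in CUBE_ACL.get(cube, set())

def allowed_table_level(user, q):
    """Table-level check: same decision on the cube path and the pushdown path."""
    return all(user in TABLE_ACL.get(t, set()) for t in q.tables)

# Constructed queries: one the cube can serve, one only the source table can.
AGGREGATE = Query(frozenset({"SALES"}), frozenset({"REGION", "AMOUNT"}))
DETAIL = Query(frozenset({"SALES"}), frozenset({"CARD_NUMBER"}))

if __name__ == "__main__":
    for label, q in (("aggregate", AGGREGATE), ("detail", DETAIL)):
        print(label, "route:", route(q),
              "| bob cube-level:", allowed_cube_level("bob", q),
              "| bob table-level:", allowed_table_level("bob", q))
```

In this model, access to a cube follows from the ACL on its tables, which is the behaviour the question of Aug 15 asks about.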
