I think we are looking for a clear attitude here. Leaving an extension
point is the same as saying "cube level ACL shall be kept in design". Because
we still have to think about how the extension point works with
project/model ACL etc. So it does not simplify anything.

On Tue, Aug 15, 2017 at 11:59 PM, Luke Han <[email protected]> wrote:

> Data Model level is better than Cube level.
>
> How about leaving an extension point there for people who want to keep Cube
> Level ACL?
>
>
>
>
> Best Regards!
> ---------------------
>
> Luke Han
>
> On Tue, Aug 15, 2017 at 5:30 PM, Li Yang <[email protected]> wrote:
>
> > So we can still control who can (or cannot) access a cube by defining ACL
> > on tables, right?
> >
> > On Mon, Aug 7, 2017 at 2:26 PM, ShaoFeng Shi <[email protected]>
> > wrote:
> >
> > > It makes sense to me. Will the Cube ACL info be migrated (from Cube to
> > > Table) when it is done?
> > >
> > > 2017-08-07 10:37 GMT+08:00 hongbin ma <[email protected]>:
> > >
> > > > Current ACL design is based on very early versions where Kylin merely had
> > > > simple concepts like projects and cubes.
> > > > With the advent of Kylin v2.0, and several new concepts like Data Model
> > > > (http://kylin.apache.org/docs/gettingstarted/concepts.html) and Query
> > > > Pushdown (KYLIN-2515), the original cube-centric ACL design is becoming
> > > > outdated. The reasons are two-fold: 1. cubes are no longer the only
> > > > entities we want to control within each project. 2. Cube-level ACL
> > > > cannot protect underlying tables from being queried by unwanted users.
> > > >
> > > > In fact, cubes are merely a special kind of index on the original table.
> > > > It's not straightforward to apply ACL on indexes rather than original
> > > > tables. That said, we need table-level ACL instead of cube-level ACL. We
> > > > have elaborated the detailed plans in KYLIN-2760 and KYLIN-2761. Please
> > > > comment on those issues or reply to this email if you have any concerns.
> > > >
> > > > --
> > > > Regards,
> > > >
> > > > *Bin Mahone | 马洪宾*
> > > >
> > >
> > >
> > >
> > > --
> > > Best regards,
> > >
> > > Shaofeng Shi 史少锋
> > >
> >
>
