Hi Folks,

I have the following use-case and wanted to hear the community's thoughts
on whether its already possible with Apache Sentry or even if we should add
such a feature in future:

When a principal creates an entity in my system (and he is authorized to do
so), I want to make him the owner of that entity. In other words, I want to
grant him privileges to read, write and administer that entity, if if the
authorization check for the create operation succeeds, and creation is
successful.

The problem with this today is that to check if he is authorized, I pass in
a user name. To grant him all the privileges if the operation was
successful, I need to grant it to a role in Sentry. I know there has been
discussion about have user/group level access control in Sentry, but until
that happens, I am unclear about how I should map that user name to a role,
given that a single user may have multiple roles.

In the worst case, I could grant privileges to all his roles, but seems
like this could open up a security loophole? I had some initial ideas about
perhaps something like a default role for a user, but I'm not sure if
Sentry supports that model.

Appreciate any thoughts on this use case,
-
Bhooshan

Reply via email to