Hi Bhooshan,

Thanks a lot for sharing this interesting question. Based on my
understanding, you can create a new role for holding all privileges (privileges
to read, write and administer that entity) you want to grant to that user.
And grant that role to the user. You do not need to grant privileges to all
his roles. The relationship of role and users is once user has certain
role, he can have all the privileges of the role that are asscociated with.
Thanks!

Best,
Hao

On Tue, Mar 22, 2016 at 10:22 AM, Bhooshan Mogal <[email protected]>
wrote:

> Hi Folks,
>
> I have the following use-case and wanted to hear the community's thoughts
> on whether its already possible with Apache Sentry or even if we should add
> such a feature in future:
>
> When a principal creates an entity in my system (and he is authorized to do
> so), I want to make him the owner of that entity. In other words, I want to
> grant him privileges to read, write and administer that entity, if if the
> authorization check for the create operation succeeds, and creation is
> successful.
>
> The problem with this today is that to check if he is authorized, I pass in
> a user name. To grant him all the privileges if the operation was
> successful, I need to grant it to a role in Sentry. I know there has been
> discussion about have user/group level access control in Sentry, but until
> that happens, I am unclear about how I should map that user name to a role,
> given that a single user may have multiple roles.
>
> In the worst case, I could grant privileges to all his roles, but seems
> like this could open up a security loophole? I had some initial ideas about
> perhaps something like a default role for a user, but I'm not sure if
> Sentry supports that model.
>
> Appreciate any thoughts on this use case,
> -
> Bhooshan
>

Reply via email to