Hi Bhooshan,

Jira Sentry-711 is for adding user level privileges, I assume that is the
user/group based access control that you are talking about? If so, this is
on Sentry roadmap.  Thanks!

Best,
Hao

On Tue, Mar 22, 2016 at 2:16 PM, Bhooshan Mogal <[email protected]>
wrote:

> Thanks Hao!
>
> Yes, that seems like a viable work-around until Sentry supports user/group
> based access control. Is that on the roadmap any time soon?
>
> -
> Bhooshan
>
> On Tue, Mar 22, 2016 at 11:41 AM, Hao Hao <[email protected]> wrote:
>
> > Hi Bhooshan,
> >
> > Thanks a lot for sharing this interesting question. Based on my
> > understanding, you can create a new role for holding all privileges
> > (privileges
> > to read, write and administer that entity) you want to grant to that
> user.
> > And grant that role to the user. You do not need to grant privileges to
> all
> > his roles. The relationship of role and users is once user has certain
> > role, he can have all the privileges of the role that are asscociated
> with.
> > Thanks!
> >
> > Best,
> > Hao
> >
> > On Tue, Mar 22, 2016 at 10:22 AM, Bhooshan Mogal <
> [email protected]
> > >
> > wrote:
> >
> > > Hi Folks,
> > >
> > > I have the following use-case and wanted to hear the community's
> thoughts
> > > on whether its already possible with Apache Sentry or even if we should
> > add
> > > such a feature in future:
> > >
> > > When a principal creates an entity in my system (and he is authorized
> to
> > do
> > > so), I want to make him the owner of that entity. In other words, I
> want
> > to
> > > grant him privileges to read, write and administer that entity, if if
> the
> > > authorization check for the create operation succeeds, and creation is
> > > successful.
> > >
> > > The problem with this today is that to check if he is authorized, I
> pass
> > in
> > > a user name. To grant him all the privileges if the operation was
> > > successful, I need to grant it to a role in Sentry. I know there has
> been
> > > discussion about have user/group level access control in Sentry, but
> > until
> > > that happens, I am unclear about how I should map that user name to a
> > role,
> > > given that a single user may have multiple roles.
> > >
> > > In the worst case, I could grant privileges to all his roles, but seems
> > > like this could open up a security loophole? I had some initial ideas
> > about
> > > perhaps something like a default role for a user, but I'm not sure if
> > > Sentry supports that model.
> > >
> > > Appreciate any thoughts on this use case,
> > > -
> > > Bhooshan
> > >
> >
>
>
>
> --
> Bhooshan
>

Reply via email to