Sasha,

The current user-based privilege missed some items:


   - Sentry policy has two service APIs: SentryPolicyService
   and SentryGenericPolicyService. The current implementation does not support
   user-based privilege for SentryGenericPolicyService.
   - SENTRY-2091: User-based Privilege is broken by SENTRY-769. The patch
   is available for review.
   - Name Node needs a change to generate ACL using user privilege.
      - The full snapshot update only contains authorization to roles
      mapping and role to group mapping. *Need to add role to user mapping
      in* SentryStore.retrieveFullRoleImageCore
      - The delta updates are taken from table SENTRY_PERM_CHANGE, which
      does not distinguish group based permission or user based permission. No
      change is needed
      - The user changes to a role are not included when sending delta
      update from Sentry to NN. *Need to add AddUsers and DropUsers
      in TRoleChanges*.
      - Sentry only creates ACL for group with ACL type
      as AclEntryType.GROUP. *Need to add code to create ACL with type as*
      AclEntryType.USER
      - SentryINodeAttributesProvider.checkPermission
         -> FSPermissionChecker.checkPermission
         -> SentryINodeAttributesProvider.getAclFeature
         -> SentryAuthorizationInfo.getAclEntries
         -> SentryPermissions.constructAclEntry
      - SentryStore.grantOptionCheck() has to be changed to find user level
   privilege.

Thanks,

Lina

On Thu, Jan 25, 2018 at 1:13 PM, Sergio Pena <sergio.p...@cloudera.com>
wrote:

> There is a section on the Wiki about roadmap ideas and JIRAs already
> created:
> https://cwiki.apache.org/confluence/display/SENTRY/Sentry+Roadmap+and+ideas
>
> I'm interested in having user-level privileges and special user privileges
> for objects owners.
>
> I got this from the link above:
>   SENTRY-1073 User who creates a table should be granted all privileges on
> it by default
>   SENTRY-1068 Allow user who created a table to have "with grant" over that
> table by default
>   Creator of a table should have ownership of it (all privileges)
>   Allow privileges to be granted to users directly
>
> We should start planning the next Sentry 2.1 release based on the desired
> features. What about
> having 2 or 3 features on Sentry 2.1?
>
> I vote for:
> - user-level privileges (currently grant user to role is only supported)
> - default user privileges for objects owners
>
> Should we start a vote for new features for 2.1?
>
> - Sergio
>
> On Thu, Jan 25, 2018 at 12:46 PM, Kalyan Kumar Kalvagadda <kkal...@cloudera.com> wrote:
>
> > I would like to add something here.
> >
> >
> >    1. Current support for user-based-privileges allows admin to grant a
> >    role to user. Ideally, user-based-privileges feature should be allowing
> >    administrator to grant privileges to individual users directly.
> >       - I'm working on this to come up with a scope doc.
> >    2. Currently sentry stores only grant privileges. This is not
> >    flexible. Let's say an administrator wants to grant role with select on
> >    all the tables in a database except for a couple of them, he needs to grant
> >    individual select privileges for each table.
> >       1. Implementation should let you add a grant privilege on database
> >       and revoke privileges on the tables within that database.
> >       2. This needs new look into privilege model that sentry currently has.
> >
> >
> > -Kalyan
> >
> > On Thu, Jan 25, 2018 at 12:16 PM, Alexander Kolbasov <ak...@cloudera.com> wrote:
> >
> > > Good point. There is some support for user-level privileges in 2.0 already
> > > - do you think that it is not sufficient and is missing some parts?
> > >
> > > Is there anyone reading this who participated in the user-level privileges
> > > in Sentry work done earlier? Is there any design doc for this?
> > >
> > > - Alex
> > >
> > > On Thu, Jan 25, 2018 at 10:11 AM, Na Li <lina...@cloudera.com> wrote:
> > >
> > > > Sasha,
> > > >
> > > > It would be nice to have more features for sentry.
> > > >
> > > > For example, make user-based privileges working. So user can assign user
> > > > directly to a role instead of through group.
> > > >
> > > > Lina
> > > >
> > > > On Thu, Jan 25, 2018 at 11:58 AM, Alexander Kolbasov <ak...@cloudera.com> wrote:
> > > >
> > > > > Now that we have Sentry 2.0 release, I think it is a good time to step back
> > > > > from fixing bugs and immediate problems and start discussions on roadmap
> > > > > for Sentry going forward. Do we want to just keep it as is and improve
> > > > > things here and there or we want to add new features?
> > > > >
> > > > > What do people think?
> > > > >
> > > > > - Alex
> > > > >
> > > >
> > >
> >
>
