https://issues.apache.org/jira/browse/SENTRY-2129 is created to track the development activities for user-based privilege. I will add more sub-tasks to it.
On Thu, Jan 25, 2018 at 1:42 PM, Alexander Kolbasov <ak...@cloudera.com> wrote:

> Agreed, making 2.1 with just user-level privileges improvements (plus set
> of accumulated bug fixes) sounds reasonable.
>
> On Thu, Jan 25, 2018 at 11:41 AM, Alexander Kolbasov <ak...@cloudera.com>
> wrote:
>
> > Looks like we have a consensus of doing user-level privileges improvements
> > for 2.1. Let's see whether anyone wants to add more content.
> >
> > On Thu, Jan 25, 2018 at 11:38 AM, Na Li <lina...@cloudera.com> wrote:
> >
> >> Sasha,
> >>
> >> I have looked into how to complete the user-based privilege for a while,
> >> and can commit to implement it. I can work with Kalyan to create a design
> >> doc for user-based privilege.
> >>
> >> Thanks,
> >>
> >> Lina
> >>
> >> On Thu, Jan 25, 2018 at 1:35 PM, Na Li <lina...@cloudera.com> wrote:
> >>
> >> > Sasha,
> >> >
> >> > The current user-based privilege missed some items:
> >> >
> >> > - Sentry policy has two service APIs: SentryPolicyService and
> >> >   SentryGenericPolicyService. The current implementation does not
> >> >   support user-based privilege for SentryGenericPolicyService
> >> > - SENTRY-2091: User-based Privilege is broken by SENTRY-769. The patch
> >> >   is available for review.
> >> > - Name Node needs change to generate ACL using user privilege.
> >> > - The full snapshot update only contains authorization to roles
> >> >   mapping and role to group mapping. *Need to add role to user
> >> >   mapping in* SentryStore.retrieveFullRoleImageCore
> >> > - The delta updates are taken from table SENTRY_PERM_CHANGE, which
> >> >   does not distinguish group based permission or user based
> >> >   permission. No change is needed
> >> > - The user changes to a role are not included when sending delta
> >> >   update from Sentry to NN. *Need to add AddUsers and DropUsers
> >> >   in TRoleChanges*.
> >> > - Sentry only creates ACL for group with ACL type
> >> >   as AclEntryType.GROUP. *Need to add code to create ACL with type
> >> >   as *AclEntryType.USER
> >> > - SentryINodeAttributesProvider.checkPermission
> >> >   -> FSPermissionChecker.checkPermission
> >> >   -> SentryINodeAttributesProvider.getAclFeature
> >> >   -> SentryAuthorizationInfo.getAclEntries
> >> >   -> SentryPermissions.constructAclEntry
> >> > - SentryStore.grantOptionCheck() has to be changed to find user
> >> >   level privilege.
> >> >
> >> > Thanks,
> >> >
> >> > Lina
> >> >
> >> > On Thu, Jan 25, 2018 at 1:13 PM, Sergio Pena <sergio.p...@cloudera.com>
> >> > wrote:
> >> >
> >> >> There is a section on the Wiki about roadmap ideas and JIRAs already
> >> >> created:
> >> >> https://cwiki.apache.org/confluence/display/SENTRY/Sentry+Roadmap+and+ideas
> >> >>
> >> >> I'm interested in having user-level privileges and special user
> >> >> privileges for objects owners.
> >> >>
> >> >> I got this from the linked above:
> >> >> SENTRY-1073 User who creates a table should be granted all
> >> >> privileges on it by default
> >> >> SENTRY-1068 Allow user who created a table to have "with grant" over
> >> >> that table by default
> >> >> Creator of a table should have ownership of it (all privileges)
> >> >> Allow privileges to be granted to users directly
> >> >>
> >> >> We should start planning the next Sentry 2.1 release based on the
> >> >> desired features. What about having 2 or 3 features on Sentry 2.1?
> >> >>
> >> >> I vote for:
> >> >> - user-level privileges (currently grant user to role is only
> >> >>   supported)
> >> >> - default user privileges for objects owners
> >> >>
> >> >> Should we start a vote for new features for 2.1?
> >> >>
> >> >> - Sergio
> >> >>
> >> >> On Thu, Jan 25, 2018 at 12:46 PM, Kalyan Kumar Kalvagadda
> >> >> <kkal...@cloudera.com> wrote:
> >> >>
> >> >> > I would like to add something here.
> >> >> >
> >> >> > 1. Current support for user-based-privileges allows admin to grant
> >> >> >    a role to user. Ideally, user-based-privileges feature should be
> >> >> >    allowing administrator to grant privileges to individual users
> >> >> >    directly.
> >> >> >    - I'm working on this to come up with a scope doc.
> >> >> > 2. Currently sentry stores only grant privileges. This is not
> >> >> >    flexible. Let's say an administrator wants to grant role with
> >> >> >    select on the all tables in a database except for couple of
> >> >> >    them, he needs to individual select privileges for each table.
> >> >> >    1. Implementation should let you add a grant privilege on
> >> >> >       database and revokes privileges on the tables within that
> >> >> >       database,
> >> >> >    2. This needs new look into privilege model that sentry
> >> >> >       currently has.
> >> >> >
> >> >> > -Kalyan
> >> >> >
> >> >> > On Thu, Jan 25, 2018 at 12:16 PM, Alexander Kolbasov
> >> >> > <ak...@cloudera.com> wrote:
> >> >> >
> >> >> > > Good point. There is some support for user-level privileges in 2.0
> >> >> > > already - do you think that it is not sufficient and is missing
> >> >> > > some parts?
> >> >> > >
> >> >> > > Is there anyone reading this who participated in the user-level
> >> >> > > privileges in Sentry work done earlier? Is there any design doc
> >> >> > > for this?
> >> >> > >
> >> >> > > - Alex
> >> >> > >
> >> >> > > On Thu, Jan 25, 2018 at 10:11 AM, Na Li <lina...@cloudera.com>
> >> >> > > wrote:
> >> >> > >
> >> >> > > > Sasha,
> >> >> > > >
> >> >> > > > It would be nice to have more features for sentry.
> >> >> > > >
> >> >> > > > For example, make user-based privileges working. So user can
> >> >> > > > assign user directly to a role instead of through group.
> >> >> > > >
> >> >> > > > Lina
> >> >> > > >
> >> >> > > > On Thu, Jan 25, 2018 at 11:58 AM, Alexander Kolbasov
> >> >> > > > <ak...@cloudera.com> wrote:
> >> >> > > >
> >> >> > > > > Now that we have Sentry 2.0 release, I think it is a good time
> >> >> > > > > to step back from fixing bugs and immediate problems and start
> >> >> > > > > discussions on roadmap for Sentry going forward. Do we want to
> >> >> > > > > just keep it as is and improve things here and there or we
> >> >> > > > > want to add new features?
> >> >> > > > >
> >> >> > > > > What do people think?
> >> >> > > > >
> >> >> > > > > - Alex