See inline comments. On Mon, Jan 29, 2018 at 4:37 PM, Alexander Kolbasov <ak...@cloudera.com> wrote:
> I am wondering what is the relationship between "users" as defined in
> Sentry and users as defined in Unix or LDAP or Active Directory.
>
> Should it be allowed to assign permissions to a user that doesn't exist?
> Should there be any validation of users? Should these be treated together
> or independently?

*I don't think Sentry checks if the user exists on Unix or any other user management system when it is requested to add it in the Sentry server. In my opinion, it is good to keep it this way as Sentry is just a server which keeps metadata of privileges to roles, users or groups no matter where those users or groups live. It's up to the client (who requests permissions) to validate that those users or groups exist on its system.*

> Also, there is discussion about adding permissions not to roles but to
> users directly. How is it different from adding permissions not to roles
> but to groups directly?
> So far Sentry used a role-based model - do we want to change it to an
> entity-based model?

*Linux has a limitation on the number of users and groups it supports. It's around 64k users or groups in a 2.4 kernel (it seems the 2.6 kernel has a 4 billion limitation). Anyway, current Sentry users have experienced this group limitation when trying to create roles that map to 1 single group that maps to 1 single user to give that user a special privilege on 1 single database. These current systems might already have lots of groups to manage Linux permissions, so having the same mapping of 1 user -> 1 group is not enough for them.*

*One solution could be just granting users to roles (by skipping groups) to avoid creating unnecessary groups. This approach could solve the Linux limitation problem.*

*Regarding the entity-based model, there is more scoping and research that needs to be done to see if user-level privileges (and possibly group-level privileges) are necessary, perhaps to avoid the unnecessary user-role-privilege mapping of thousands of roles? Hive supports user, group and role privilege syntaxes already, so it would be interesting to catch up with other Hive security projects that support that syntax as well. One more thing to note is that Sentry object ownership (which sets special privileges to Hive object owners) would require part of the user-level privileges mechanism to support it.*

>
> - Alex
>
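As an added illustration (not part of this thread and not Sentry's own code or data model), the following Python script models the two grant paths the reply compares: the role-based path, where a privilege reaches a user only through user -> group -> role -> privilege, and a direct user -> role grant that skips the group. The `ToyAuthz` class, the `(action, object)` privilege shape and the sample user and database names are all constructed for this example; like the Sentry server described above, the model accepts grants for users and groups without checking that they exist anywhere, leaving that to the caller.

```python
from collections import defaultdict


class ToyAuthz:
    """In-memory privilege store with both grant paths discussed in the thread.

    Constructed for illustration; this is not Sentry's data model or API.
    No user or group existence check is done here (Unix, LDAP, AD):
    validating that is the caller's responsibility, as in the thread.
    """

    def __init__(self):
        self.user_groups = defaultdict(set)  # user  -> {group}
        self.group_roles = defaultdict(set)  # group -> {role}  (role-based path)
        self.user_roles = defaultdict(set)   # user  -> {role}  (direct user grant)
        self.role_privs = defaultdict(set)   # role  -> {(action, object)}

    def add_user_to_group(self, user, group):
        self.user_groups[user].add(group)

    def grant_role_to_group(self, role, group):
        self.group_roles[group].add(role)

    def grant_role_to_user(self, role, user):
        self.user_roles[role if False else user].add(role)

    def grant_privilege(self, role, action, obj):
        self.role_privs[role].add((action, obj))

    def roles_for(self, user):
        """Union of directly granted roles and roles reached through groups.

        Uses .get() so that lookups never create empty entries in the
        defaultdicts; groups_in_use() relies on that.
        """
        roles = set(self.user_roles.get(user, ()))
        for group in self.user_groups.get(user, ()):
            roles |= self.group_roles.get(group, set())
        return roles

    def effective_privileges(self, user):
        privs = set()
        for role in self.roles_for(user):
            privs |= self.role_privs.get(role, set())
        return privs

    def is_allowed(self, user, action, obj):
        return (action, obj) in self.effective_privileges(user)

    def groups_in_use(self):
        """Number of groups that carry a role grant: the cost the thread is about."""
        return len(self.group_roles)


def per_user_database_grants(n_users, direct_user_grants):
    """Give each of n users full privileges on its own database.

    direct_user_grants=False: role-based path, one synthetic single-member
    group per user.  direct_user_grants=True: grant the role straight to
    the user, so no group is created at all.
    """
    authz = ToyAuthz()
    for i in range(n_users):
        user, role, db = f"user{i}", f"owner_db{i}", f"db{i}"  # constructed names
        authz.grant_privilege(role, "ALL", db)
        if direct_user_grants:
            authz.grant_role_to_user(role, user)
        else:
            group = f"grp_{user}"  # exists only to link one user to one role
            authz.add_user_to_group(user, group)
            authz.grant_role_to_group(role, group)
    return authz


if __name__ == "__main__":
    for direct in (False, True):
        a = per_user_database_grants(1000, direct)
        print(f"direct_user_grants={direct}: groups needed={a.groups_in_use()}, "
              f"user7 on db7={a.is_allowed('user7', 'ALL', 'db7')}, "
              f"user7 on db8={a.is_allowed('user7', 'ALL', 'db8')}")
```

Running the script shows that both paths yield the same access decisions, but the role-based path needs one extra group per user (1000 here), which is exactly the group growth the reply describes, while the direct grant needs none.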