Hi Anne,
Thanks for reviewing the design.
For the user privilege and group privilege, they are isolated. Any user's
privilege = group privilege + user privilege. If the user privilege is revoked,
the user still has the group privilege.
Currently, I won’t implement the feature to grant a user a privilege; the first
step will be grant user to role.
After implementation, the getPrivilege process will be as follows:
1. backend.getPrivilege
2. get all roles for user = getRolesForUser + getRolesForGroup
3. get privileges for all roles
For backward compatibility, I think there is no need to translate the user
privilege to a group privilege; just treat the user as having no privilege.
Best regards,
Colin Ma(Ma Jun Jie)
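
The lookup steps and the revoke and compatibility answers in the message above, as an added example that is not part of the thread or of Sentry's code. It is a small Python model: `RoleStore`, its fields, the `user_roles_supported` switch and all sample users, groups and privileges are constructed for illustration.

```python
# Constructed model, not Sentry code. Method names follow the steps in the
# message; RoleStore, its fields and all sample data are hypothetical.
from collections import defaultdict

class RoleStore:
    def __init__(self, user_roles_supported=True):
        # False models an older release that only knows group -> role grants.
        self.user_roles_supported = user_roles_supported
        self.user_roles = defaultdict(set)   # user  -> roles granted directly
        self.group_roles = defaultdict(set)  # group -> roles
        self.role_privs = defaultdict(set)   # role  -> privileges

    def get_roles_for_user(self, user):
        if not self.user_roles_supported:
            return set()  # user-level grants are ignored, not translated
        return set(self.user_roles.get(user, ()))

    def get_roles_for_group(self, groups):
        roles = set()
        for group in groups:  # a user may belong to several groups
            roles |= self.group_roles.get(group, set())
        return roles

    def get_privileges(self, user, groups):
        # Step 2: all roles = user roles + group roles; step 3: their privileges.
        roles = self.get_roles_for_user(user) | self.get_roles_for_group(groups)
        privs = set()
        for role in roles:
            privs |= self.role_privs.get(role, set())
        return privs

def demo():
    s = RoleStore()
    s.role_privs.update({"analyst": {"SELECT db1.t1"}, "etl": {"INSERT db1.t1"},
                         "auditor": {"SELECT db1.audit"}})
    s.group_roles["g_analytics"].add("analyst")
    s.group_roles["g_etl"].add("etl")
    s.user_roles["alice"].update({"analyst", "auditor"})
    groups = ["g_analytics", "g_etl"]
    result = {"full": s.get_privileges("alice", groups)}
    s.user_roles_supported = False           # same data read by an older release
    result["older_release"] = s.get_privileges("alice", groups)
    s.user_roles_supported = True
    s.group_roles["g_analytics"].discard("analyst")  # revoke the group grant
    result["group_revoked"] = s.get_privileges("alice", groups)
    s.group_roles["g_analytics"].add("analyst")
    s.user_roles["alice"].clear()            # revoke all direct user grants
    result["user_revoked"] = s.get_privileges("alice", groups)
    return result
```

The `user_revoked` and `group_revoked` results are the ones to check when auditing access: removing a grant on one path leaves `SELECT db1.t1` reachable through the other.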
-----Original Message-----
From: Anne Yu [mailto:[email protected]]
Sent: Tuesday, January 12, 2016 8:02 AM
To: [email protected]
Subject: Re: Grant user to role
Hi Colin,
Some design questions regarding this feature:
Say a user has both group-level and user-level select-on-table privileges. After
revoking the user-level privilege, will the group-level privilege still apply to
the user; can the user select from the table? Or after revoking the group
privilege, will the user-level privilege still be valid? Here we also need to
consider situations where the user belongs to multiple groups.
How do we handle backward compatibility? That is, if a user has a user-level
privilege and Sentry is moved back to an older version, do we translate it to a
group-level privilege or just treat the user as having no privileges?
Thanks,
Anne
On Wed, Jan 6, 2016 at 9:55 PM, Ma, Junjie <[email protected]> wrote:
> Hi,
>
> Currently, Sentry only supports grant group to role; there should be a
> reasonable feature to grant user to role. This is also the gap between
> Hive and Sentry; for Hive, the following command is supported:
> GRANT role_name TO USER user
> I think it's a useful feature for authorization, and SENTRY-711
> was created for this. You can get the design doc, patch, and review board
> link in this JIRA.
> Feel free to send any comments, thanks.
>
> Best regards,
>
> Colin Ma(Ma Jun Jie)
>
>
--
Thanks,
Anne