Over in https://issues.apache.org/jira/browse/SENTRY-1032 we've been going
back and forth on how to name the process of associating a role and group.
The generic client and the original shell code use "add role to group".
This immediately struck me as sounding funny, because if you view roles and
groups as somewhat symmetric to groups and users (this is how they are
specified in the file-based model with local groups, i.e. groups are made
up of users and roles are made up of groups), you would typically say
"add user to group", not "add group to user". In other words, it wasn't
clear to me which of {roles,groups} should be added to the other.
So I looked at what Wikipedia had to say about this (
https://en.wikipedia.org/wiki/Role-based_access_control). Here's the quote:
"Role assignment: A subject can exercise a permission only if the subject
has selected or been assigned a role."
I think we can agree that "select" is not a good term, because of its use
in the database model.
"Assign" seems promising, although it has the downside in programming of
not being additive (i.e. it means '=' not '+='). But in this context it
definitely means '+=' (assigning a role to a group doesn't imply the group
drops all their other roles).
"Grant" is another option that avoids the += issue, although it's nice that
it is used in the singular context of granting a privilege to a role.
I'm slightly in favor of using "assign" because then we have unique terms
for each step, i.e.:
- add user to a group
- assign role to a group
- grant privilege to a role
Opinions?