Thanks for bringing this up, Greg! So here is what I understand: There are three options for naming the process of setting group:role mapping:

1. Add role to group
2. Grant role to group
3. Assign role to group

Most popular database systems like Oracle[1], Postgres[2] support "grant" role to group. And even Hive, Impala support "grant". I too think grant voids the += issue. Although assign sounds better in some aspects like we will have unique terms for each operation, IMO grant is the best for the mentioned reasons.

[1]: http://www.techonthenet.com/oracle/roles.php
[2]: http://www.postgresql.org/docs/9.0/static/role-membership.html

On Fri, Jan 29, 2016 at 4:33 PM, Gregory Chanan <[email protected]> wrote:

> Over in https://issues.apache.org/jira/browse/SENTRY-1032 we've been going
> back and forth on how to name the process of associating a role and group.
>
> The generic client and the original shell code use "add role to group".
> This immediately struck me as sounding funny, because if you view roles and
> groups as somewhat symmetric to groups and users (this is how they are
> specified in the file-based model with local groups, i.e. groups are made
> up of users and roles are made up of groups and you would typically say
> "add user to group" not "add group to user". In other words, it wasn't
> clear to me which of {roles,groups} should be added to the other.
>
> So I looked at what Wikipedia had to say about this (
> https://en.wikipedia.org/wiki/Role-based_access_control). Here's the
> quote:
> Role assignment: A subject can exercise a permission only if the subject
> has selected or been assigned a role.
>
> I think we can agree that "select" is not a good term, because of its use
> in the database model.
>
> "Assign" seems promising, although it has the downside in programming of
> not being additive (i.e. it means '=' not '+='). But in this context it
> definitely means '+=' (assigning a role to a group doesn't imply the group
> drops all their other roles).
>
> "Grant" is another option that voids the += issue, although it's nice that
> it is used in the singular context of granting a privilege to a role.
>
> I'm slightly in favor of using "assign" because then we have unique terms
> for each step, i.e.:
> - add user to a group
> - assign role to a group
> - grant privilege to a role
>
> Opinions?
>

--
Sravya Tirukkovalur
