[jira] [Commented] (SQOOP-1834) SQOOP 2: RBAC pluggable framework

Wed, 14 Jan 2015 14:53:39 -0800 

    [ 
https://issues.apache.org/jira/browse/SQOOP-1834?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14277838#comment-14277838
 ] 

Venkat Ranganathan commented on SQOOP-1834:
-------------------------------------------

I went through the high level design.  It is nicely laid out and well written.  
 Thanks for writing this. 

I also discussed this with the Apache Ranger ( Argus is now called Ranger) team 
members [~sneethiraj] and [~bosco].   

The current plugin approach is good for Ranger integration.  

I am not clear about the APIs yet:   For example, in the following code (from 
the design posted)
{code}
Override
public void createLinkPrivilige() throws SqoopAccessControlException {
    List<Principle> principles;
    principles.add(new Principle("Link", "Create"));
    principles.add(new Principle("Connector", "Use"));
    AuthorizationManager.getAuthenticationHandler.checkPrivileges(principles);
}
{code}
I see that we are defining a resource and an action on the resource and we call 
that a Principal (BTW, principle should be changed to principal in the 
document.  I don't think  "principle" was not the real meaning intended here).  
 I thought principals would be users and groups etc (as mentioned in the design 
also).   May be the API needs to be refactored?

>From the design we do allow local management of users/groups and/or roles, as 
>well as external management of the same.   That is good.

It looks like we are calling the rold id as -rid in some command line 
invocations and as role-id in others.  May be using consistent option name 
would help reduce confusion.

Good work!

> SQOOP 2: RBAC pluggable framework
> ---------------------------------
>
>                 Key: SQOOP-1834
>                 URL: https://issues.apache.org/jira/browse/SQOOP-1834
>             Project: Sqoop
>          Issue Type: Sub-task
>            Reporter: Richard
>            Assignee: Richard
>         Attachments: SQOOP-1834.1.patch, SQOOP-1834.patch
>
>
> Role based authorization will manager the access to the resources in Sqoop, 
> such as connections, links, jobs, submissions, and the modification types, 
> like create, update, delete, run.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to