[
https://issues.apache.org/jira/browse/SENTRY-2129?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Na Li updated SENTRY-2129:
--------------------------
Description:
It’s standard in traditional database security to allow both groups and users
to be assigned to roles, and Hive supports granting a role to a user.
So the following command should be supported in Sentry:
GRANT role_name TO USER user
The feature implemented in SENTRY-711 is not complete. We complete this feature.
The current user-based privilege missed some items:
* Sentry policy has two service APIs: SentryPolicyService and
SentryGenericPolicyService. The current implementation does not support
user-based privilege for SentryGenericPolicyService.
* Fix bug SENTRY-2091: User-based Privilege is broken by
SENTRY-769. The patch is available for review.
* The NameNode needs to change to generate ACLs using user
privileges.
** The full snapshot update only contains the authorization-to-roles mapping and
the role-to-group mapping. *Need to add role-to-user mapping in*
SentryStore.retrieveFullRoleImageCore
** The delta updates are taken from the table SENTRY_PERM_CHANGE, which does not
distinguish group-based permissions from user-based permissions. No change is needed.
** The user changes to a role are not included when sending a delta update from
Sentry to the NN. *Need to add AddUsers and DropUsers in TRoleChanges*.
** Sentry only creates ACLs for groups, with ACL type AclEntryType.GROUP. *Need
to add code to create ACLs with type* AclEntryType.USER
*** SentryINodeAttributesProvider.checkPermission ->
FSPermissionChecker.checkPermission ->
SentryINodeAttributesProvider.getAclFeature ->
SentryAuthorizationInfo.getAclEntries -> SentryPermissions.constructAclEntry
* SentryStore.grantOptionCheck() has to be changed to find user
level privileges.
was:
It’s standard in traditional database security to allow both groups and users
to be assigned to roles, and Hive supports granting a role to a user.
So the following command should be supported in Sentry:
GRANT role_name TO USER user
The feature implemented in SENTRY-711 is not complete. We complete this feature.
> User based privilege
> --------------------
>
> Key: SENTRY-2129
> URL: https://issues.apache.org/jira/browse/SENTRY-2129
> Project: Sentry
> Issue Type: New Feature
> Components: Sentry
> Affects Versions: 2.1.0
> Reporter: Na Li
> Assignee: Na Li
> Priority: Major
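The ACL item in the description (entries of type AclEntryType.USER alongside AclEntryType.GROUP, fed by a role-to-user mapping) can be pictured with the following added example. It is a simplified model written for this page, not Sentry or Hadoop code: the class, record, method, role, group and user names are all assumptions, and only the two ACL type names come from the issue.

```java
import java.util.*;

// Simplified model, not Sentry/Hadoop code: derive ACL entries for one path
// from role permissions plus role->group and role->user mappings.
public class UserAclSketch {
    enum AclEntryType { USER, GROUP }       // the two types named in the issue
    enum Action { READ, WRITE, EXECUTE }    // hypothetical stand-in for a permission set
    record AclEntry(AclEntryType type, String name, Set<Action> actions) {}

    static List<AclEntry> constructAclEntries(
            Map<String, Set<Action>> roleActions,    // role -> actions granted on the path
            Map<String, Set<String>> roleGroups,     // role -> member groups
            Map<String, Set<String>> roleUsers) {    // role -> member users (the missing mapping)
        Map<String, EnumSet<Action>> byGroup = new TreeMap<>();
        Map<String, EnumSet<Action>> byUser = new TreeMap<>();
        for (var e : roleActions.entrySet()) {
            merge(byGroup, roleGroups.getOrDefault(e.getKey(), Set.of()), e.getValue());
            merge(byUser, roleUsers.getOrDefault(e.getKey(), Set.of()), e.getValue());
        }
        List<AclEntry> acl = new ArrayList<>();
        byGroup.forEach((g, a) -> acl.add(new AclEntry(AclEntryType.GROUP, g, a)));
        // Without this second pass, a role granted directly to a user yields no ACL entry.
        byUser.forEach((u, a) -> acl.add(new AclEntry(AclEntryType.USER, u, a)));
        return acl;
    }

    // A principal that belongs to several roles receives the union of their actions.
    private static void merge(Map<String, EnumSet<Action>> out,
                              Set<String> members, Set<Action> actions) {
        for (String m : members) {
            out.computeIfAbsent(m, k -> EnumSet.noneOf(Action.class)).addAll(actions);
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: "alice" holds two roles directly, "bi_team" one via group.
        var roleActions = Map.of(
                "analyst", Set.of(Action.READ, Action.EXECUTE),
                "etl", Set.of(Action.READ, Action.WRITE, Action.EXECUTE));
        var roleGroups = Map.of("analyst", Set.of("bi_team"));
        var roleUsers = Map.of("analyst", Set.of("alice"), "etl", Set.of("alice"));
        constructAclEntries(roleActions, roleGroups, roleUsers).forEach(System.out::println);
    }
}
```

In this model a role with no group members, such as the sample "etl" role, produces ACL entries only through the user pass.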