[
https://issues.apache.org/jira/browse/SENTRY-2129?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16343558#comment-16343558
]
Sergio Peña commented on SENTRY-2129:
-------------------------------------
If SENTRY-711 already supports GRANT USER TO ROLE, then do we need to
categorize this Jira as a new feature? If the feature is already supported,
then we just need to create jiras and patches to fix the gaps of it, don't we?
Btw, does GRANT USER TO ROLE need HDFS sync permissions for users? From what I
understand, this feature accepts a syntax to grant a specific user to a
specific role without using a group as an intermediate. This means that
privileges are still available for roles only (no users, no groups), and it
means that HDFS sync does not need to know anything about users but roles,
right?
Shouldn't we just create isolated JIRAs or fix the gaps for GRANT USER TO ROLE
support?
> User based privilege
> --------------------
>
> Key: SENTRY-2129
> URL: https://issues.apache.org/jira/browse/SENTRY-2129
> Project: Sentry
> Issue Type: New Feature
> Components: Sentry
> Affects Versions: 2.1.0
> Reporter: Na Li
> Assignee: Na Li
> Priority: Major
> Labels: roadmap
>
> It's standard in traditional database security to allow both groups and users
> to be assigned to roles. And Hive supports granting a role to a user.
> So the following command should be supported in Sentry:
> GRANT role_name TO USER user
> The feature implemented in SENTRY-711 is not complete. We complete this
> feature.
>
> The current user-based privilege missed some items:
>
> * Sentry policy has two service API: SentryPolicyService and
> SentryGenericPolicyService. The current implementation does not support
> user-based privilege for SentryGenericPolicyService
> * Fix bug. SENTRY-2091: User-based Privilege is broken by
> SENTRY-769. The patch is available for review.
> * Name Node needs changes to generate ACLs using user
> privileges.
> ** The full snapshot update only contains authorization to roles mapping and
> role to group mapping. *Need to add role to user mapping in*
> SentryStore.retrieveFullRoleImageCore
> ** The delta updates are taken from table SENTRY_PERM_CHANGE, which does not
> distinguish group based permission or user based permission. No change is
> needed
> ** The user changes to a role are not included when sending delta updates from
> Sentry to NN. *Need to add AddUsers and DropUsers in TRoleChanges*.
> ** Sentry only creates ACL entries for groups, with ACL type AclEntryType.GROUP.
> *Need to add code to create ACL entries with type* AclEntryType.USER
> *** SentryINodeAttributesProvider.checkPermission ->
> FSPermissionChecker.checkPermission ->
> SentryINodeAttributesProvider.getAclFeature ->
> SentryAuthorizationInfo.getAclEntries -> SentryPermissions.constructAclEntry
> * SentryStore.grantOptionCheck() has to be changed to find
> user level privilege.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
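The issue description above says that the NameNode plugin builds HDFS ACL entries from the role-to-privilege and role-to-group mappings only, so a user granted a role directly (GRANT ROLE ... TO USER ...) never shows up in the ACL, and that the delta message (TRoleChanges) carries no user additions or removals. The following toy model, added here as an illustration and not code from the Sentry project, reproduces that behaviour next to the completed version: privileges stay attached to roles, and the NameNode side only additionally resolves role-to-user membership into AclEntryType.USER entries. All role, group, user and path names are constructed sample data; RoleChange and the function names are hypothetical stand-ins for the Thrift structures mentioned in the issue.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set


class AclEntryType(Enum):
    # Mirrors the two HDFS ACL entry types named in the issue.
    USER = "user"
    GROUP = "group"


@dataclass(frozen=True)
class AclEntry:
    type: AclEntryType
    name: str
    perms: str  # e.g. "rwx" or "r-x"


# Constructed sample snapshot (hypothetical names). Privileges are always
# attached to roles; users and groups only become members of roles.
ROLE_PRIVS: Dict[str, Dict[str, str]] = {
    "analyst": {"/data/sales": "r-x"},
    "etl": {"/data/sales": "rwx"},
}
ROLE_GROUPS: Dict[str, Set[str]] = {"analyst": {"bi_team"}, "etl": set()}
# Result of "GRANT ROLE etl TO USER etl_svc" with no group involved.
ROLE_USERS: Dict[str, Set[str]] = {"analyst": set(), "etl": {"etl_svc"}}


def _sorted(entries: List[AclEntry]) -> List[AclEntry]:
    return sorted(entries, key=lambda e: (e.type.value, e.name))


def acl_entries_group_only(path: str, role_privs=ROLE_PRIVS, role_groups=ROLE_GROUPS) -> List[AclEntry]:
    # The gap the issue describes: only role->group membership is consulted,
    # so every ACL entry is of type GROUP and direct user grants are lost.
    out: List[AclEntry] = []
    for role, privs in role_privs.items():
        perms = privs.get(path)
        if perms is None:
            continue
        for group in role_groups.get(role, ()):
            out.append(AclEntry(AclEntryType.GROUP, group, perms))
    return _sorted(out)


def acl_entries_with_users(path: str, role_privs=ROLE_PRIVS, role_groups=ROLE_GROUPS,
                           role_users=ROLE_USERS) -> List[AclEntry]:
    # Completed version: the role->user mapping from the full snapshot is
    # resolved into USER entries carrying the same role-level permission.
    out = acl_entries_group_only(path, role_privs, role_groups)
    for role, privs in role_privs.items():
        perms = privs.get(path)
        if perms is None:
            continue
        for user in role_users.get(role, ()):
            out.append(AclEntry(AclEntryType.USER, user, perms))
    return _sorted(out)


@dataclass
class RoleChange:
    # Hypothetical analogue of a delta update; add_users/drop_users are the
    # fields the issue says TRoleChanges is missing today.
    role: str
    add_users: Set[str] = field(default_factory=set)
    drop_users: Set[str] = field(default_factory=set)


def apply_role_change(role_users: Dict[str, Set[str]], change: RoleChange) -> Dict[str, Set[str]]:
    # Returns a new role->user mapping; without this delta the NameNode would
    # keep serving the stale membership until the next full snapshot.
    updated = {role: set(users) for role, users in role_users.items()}
    members = updated.setdefault(change.role, set())
    members -= change.drop_users
    members |= change.add_users
    return updated


if __name__ == "__main__":
    print("group-only:", acl_entries_group_only("/data/sales"))
    print("with users:", acl_entries_with_users("/data/sales"))
    later = apply_role_change(ROLE_USERS, RoleChange("analyst", add_users={"alice"}))
    print("after delta:", acl_entries_with_users("/data/sales", role_users=later))
```

Note that neither version attaches a privilege to a user or a group directly: the permission string always comes from the role, which is the point Sergio raises above. What the NameNode additionally needs is only the role-to-user membership, both in the full snapshot and in each delta.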