[ 
https://issues.apache.org/jira/browse/SENTRY-2140?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16388085#comment-16388085
 ] 

Na Li edited comment on SENTRY-2140 at 3/6/18 4:49 PM:
-------------------------------------------------------

[~moist] Thanks for the design documentation.

1) Can you add more specific details on how ABAC works with Role Based Access 
Control? In my opinion, it happens at "Enforcement point for attribute 
privileges in Sentry bindings for Hive and Impala".

2) "Means for user to specify attribute privileges for roles (and users?)" It 
seems you only use attributes on table columns. Can we use attributes on users 
and sessions? For example, can we grant access to a table column with PII 
only for users with clearance > 4, during working hours, and when the user's 
country matches the value of the "Country" column?

3) How is the info from "Attribute Ingestion" used in "Enforcement point for 
attribute privileges"? An example that shows the whole workflow would be very 
helpful.


was (Author: linaataustin):
[~moist] Thanks for the design documentation.

1) Can you add more specific details on how ABAC works with Role Based Access 
Control? In my opinion, it happens at "Enforcement point for attribute 
privileges in Sentry bindings for Hive and Impala".

2) "Means for user to specify attribute privileges for roles (and users?)" It 
seems you only use attributes on table columns. Can we use attributes on users 
and sessions? For example, can we grant access to a table column with PII 
only during working hours and when the user's country matches the value of 
the "Country" column?

3) How is the info from "Attribute Ingestion" used in "Enforcement point for 
attribute privileges"? An example that shows the whole workflow would be very 
helpful.

> Attribute based access control
> ------------------------------
>
>                 Key: SENTRY-2140
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2140
>             Project: Sentry
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Steve Moist
>            Priority: Major
>         Attachments: Sentry ABAC Proposal.pdf
>
>
> As a user, I want to have finer grain control over which users/roles can view 
> data in Hive.  Some information such as Social Security Number is considered 
> very confidential information.  I want to be able to tag columns in Hive with 
> "attributes" that prevent users/roles from not accessing or seeing the data.  
> For users/roles that have that attribute, they should be able to see that 
> information.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
