[ https://issues.apache.org/jira/browse/SENTRY-2154?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16398002#comment-16398002 ]

Na Li commented on SENTRY-2154:
-------------------------------

I prefer to add a user and privilege mapping table. Using an entity table is too 
general and may complicate the query. Besides, we have specific tables like 
user, role, and group.

1) RBAC: given a user, the path to get the corresponding privileges
{code:java}
Privileges<-Roles<-Group<-User{code}
2) When a user can be associated with a role directly, the path to get the 
corresponding privileges for a given user
{code:java}
Privileges<-Roles<-Group<-User
            ^              |
            |--------------|{code}
3) When a user can be associated with privileges directly, the path to get the 
corresponding privileges for a given user
{code:java}
Privileges<-Roles<-Group<-User
       ^                   |
       |-------------------|{code}
DN will get the referred collection using a foreign key when the corresponding 
function is called. I don't think it will keep on getting linked collections non-stop.

Like Sergio mentioned: MSentryPrivilege refers to a list of MSentryRole, and 
MSentryRole refers to a list of MSentryPrivilege. There is no problem.

> Update schema to grant privileges to user
> -----------------------------------------
>
>                 Key: SENTRY-2154
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2154
>             Project: Sentry
>          Issue Type: Sub-task
>          Components: Sentry
>    Affects Versions: 2.1.0
>            Reporter: Na Li
>            Assignee: Na Li
>            Priority: Major
>             Fix For: 2.1.0
>
>
> Need to add a new DB table to support granting privileges to a user.
> Also, a flag should be added in the privilege table to indicate whether the 
> privilege is created by a user or created by Sentry implicitly. A user can view 
> the implicit privileges, but cannot change them directly.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
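
The three lookup paths in the comment above, as an added example that is not part of the original message or of Sentry's code: a Python/sqlite3 sketch that resolves a user's effective privileges as the union of the group, direct-role and direct-privilege paths, and reports which path produced each grant. All table, column, user, role and privilege names are hypothetical and constructed for the illustration.

```python
import sqlite3

# Hypothetical table and column names, constructed for this example;
# they are not Sentry's actual schema.
SCHEMA = """
CREATE TABLE user_group     (user_name  TEXT, group_name TEXT);
CREATE TABLE group_role     (group_name TEXT, role_name  TEXT);
CREATE TABLE user_role      (user_name  TEXT, role_name  TEXT);
CREATE TABLE role_privilege (role_name  TEXT, privilege  TEXT);
CREATE TABLE user_privilege (user_name  TEXT, privilege  TEXT);
"""

# One SELECT per path from the comment; UNION drops duplicate rows.
EFFECTIVE = """
SELECT rp.privilege, 'user->group->role' AS path
  FROM user_group ug
  JOIN group_role gr ON gr.group_name = ug.group_name
  JOIN role_privilege rp ON rp.role_name = gr.role_name
 WHERE ug.user_name = :u
UNION
SELECT rp.privilege, 'user->role'
  FROM user_role ur
  JOIN role_privilege rp ON rp.role_name = ur.role_name
 WHERE ur.user_name = :u
UNION
SELECT up.privilege, 'user'
  FROM user_privilege up
 WHERE up.user_name = :u
ORDER BY 1, 2
"""

def build_db():
    # In-memory database loaded with constructed sample grants.
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    rows = {
        "user_group": [("alice", "analysts")],
        "group_role": [("analysts", "reader")],
        "user_role": [("alice", "etl")],
        "role_privilege": [("reader", "SELECT on db1.t1"), ("etl", "INSERT on db1.t1")],
        "user_privilege": [("alice", "SELECT on db1.t1"), ("bob", "ALL on db2")],
    }
    for table, data in rows.items():  # table names come from the dict above only
        db.executemany(f"INSERT INTO {table} VALUES (?, ?)", data)
    return db

def effective_privileges(db, user):
    # Sorted (privilege, path) rows for every grant path that reaches `user`.
    return db.execute(EFFECTIVE, {"u": user}).fetchall()
```

Because the result is a union, deleting a privilege from a role leaves that privilege effective for any user who also holds it through a direct grant, so revocation and audit checks have to cover all three paths.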
