[ https://issues.apache.org/jira/browse/SENTRY-2140?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16424385#comment-16424385 ]

Sergio Peña edited comment on SENTRY-2140 at 4/3/18 6:13 PM:
-------------------------------------------------------------

[~moist] Can you share a google document where we can add comments? I think 
that will be more efficient. Btw, here are some initial comments I have.


Is the scope limited to column privileges? What about attributes for other 
authorization objects, such as tables, databases, URI?

What about user attributes? This is part of an ABAC architecture. Are we 
planning to have a full ABAC architecture, btw?

You mentioned a range of masking options, is this part of the scope to support 
column masking? Would RBAC support column masking too? Would that be in a 
separate feature?

The proposal mentions privileges for users? We do not have user privileges 
implemented yet, this could be removed from the proposal unless we implement 
user privileges in the future?

This grant command on Hive would need a discussion in the Hive community as 
well. Is there a proposal there to talk about ABAC commands? Btw, is this only 
for Beeline? What about JDBC? HiveCLI? I think we should refer to Hive SQL 
syntax or just SQL syntax instead of Beeline as this is one of a few interfaces 
to write Hive SQL commands.

We do not support any Impala binding in the Apache code. Should this 
requirement be part of the Sentry project?


I don't see too much detail on the following:
- What is a delta transmission? 
- What is a file based snapshot parser and why is it needed? Does it mean 
something will be stored in a file? But you mentioned something about 
sentry_abac_privileges tables?
- Why is the cache needed? Sentry does not have a cache for RBAC rules, why is 
it needed for ABAC?
- Why are LDAP and SAP mentioned in the doc? Are we going to support user 
attributes? How are these designed? So far I saw examples of attributes in 
columns.
- Why is '-t hive' different from ABAC? Would 'sentryShell -t hive 
--add_attribute' work?


was (Author: spena):
[~moist] Can you share a google document where we can add comments? I think 
that will be more efficient. Btw, here are some initial comments I have;
{noformat}
Is the scope limited to column privileges? What about attributes for other 
authorization objects, such as tables, databases, URI?

What about user attributes? This is part of an ABAC architecture. Are we 
planning to have a full ABAC architecture, btw?

You mentioned a range of masking options, is this part of the scope to support 
column masking? Would RBAC support column masking too? Would that be in a 
separate feature?

The proposal mentions privileges for users? We do not have user privileges 
implemented yet, this could be removed from the proposal unless we implement 
user privileges in the future?

This grant command on Hive would need a discussion in the Hive community as 
well. Is there a proposal there to talk about ABAC commands? Btw, is this only 
for Beeline? What about JDBC? HiveCLI? I think we should refer to Hive SQL 
syntax or just SQL syntax instead of Beeline as this is one of a few interfaces 
to write Hive SQL commands.

We do not support any Impala binding in the Apache code. Should this 
requirement be part of the Sentry project?


I don't see too much detail on the following:
- What is a delta transmission? 
- What is a file based snapshot parser and why is it needed? Does it mean 
something will be stored in a file? But you mentioned something about 
sentry_abac_privileges tables?
- Why is the cache needed? Sentry does not have a cache for RBAC rules, why is 
it needed for ABAC?
- Why are LDAP and SAP mentioned in the doc? Are we going to support user 
attributes? How are these designed? So far I saw examples of attributes in 
columns.
- Why is '-t hive' different from ABAC? Would 'sentryShell -t hive 
--add_attribute' work?{noformat}

> Attribute based access control
> ------------------------------
>
>                 Key: SENTRY-2140
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2140
>             Project: Sentry
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Steve Moist
>            Priority: Major
>         Attachments: Sentry ABAC Proposal v1.1.pdf, Sentry ABAC Proposal.pdf
>
>
> As a user, I want to have finer grain control over which users/roles can view 
> data in Hive.  Some information such as Social Security Number is considered 
> very confidential information.  I want to be able to tag columns in Hive with 
> "attributes" that prevent users/roles from accessing or seeing the data.  
> For users/roles that have that attribute, they should be able to see that 
> information.
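The issue description above sketches the intended semantics (a column tagged with an attribute is hidden from anyone who does not hold that attribute) without pinning them down. The following is an added, self-contained Python model of that policy, not Sentry code and not the design in the attached proposal: it assumes attributes are granted to roles (mirroring how Sentry RBAC grants privileges to roles), that a column may require several attributes at once, that the existing table-level SELECT privilege still applies underneath, and that a hidden column is masked rather than causing the query to fail. The tables, roles, column tags and the sample row are all constructed for the example.

```python
"""Toy attribute-based column masking on top of role-based table privileges.

Added example for SENTRY-2140; not Sentry's implementation. All names,
grants and data below are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set

MASK = "<masked>"


@dataclass(frozen=True)
class Column:
    table: str
    name: str
    # Attributes a principal must hold to see the column's values.
    # Empty set means the column is governed only by the table privilege.
    attributes: FrozenSet[str] = frozenset()


# Assumption: attributes are granted to roles, like Sentry RBAC privileges.
ROLE_ATTRIBUTES: Dict[str, FrozenSet[str]] = {
    "analyst": frozenset(),
    "hr_admin": frozenset({"pii"}),
    "auditor": frozenset({"pii", "financial"}),
}

# Assumption: the existing RBAC layer, reduced to "which tables may I SELECT".
ROLE_TABLE_SELECT: Dict[str, Set[str]] = {
    "analyst": {"hr.employees"},
    "hr_admin": {"hr.employees"},
    "auditor": {"hr.employees", "finance.payroll"},
}

# Constructed schema: SSN is tagged pii, salary needs pii AND financial.
EMPLOYEES: List[Column] = [
    Column("hr.employees", "emp_id"),
    Column("hr.employees", "name"),
    Column("hr.employees", "ssn", frozenset({"pii"})),
    Column("hr.employees", "salary", frozenset({"pii", "financial"})),
]

# Constructed sample row.
SAMPLE_ROW: Dict[str, object] = {
    "emp_id": 7, "name": "Ada", "ssn": "123-45-6789", "salary": 91000,
}


def granted_attributes(roles: Iterable[str]) -> FrozenSet[str]:
    """Union of the attributes held through every role of the principal.

    Unknown roles contribute nothing, so a typo in a role name cannot
    widen access.
    """
    attrs: Set[str] = set()
    for role in roles:
        attrs |= ROLE_ATTRIBUTES.get(role, frozenset())
    return frozenset(attrs)


def has_table_select(roles: Iterable[str], table: str) -> bool:
    """RBAC layer: does any role carry SELECT on the table?"""
    return any(table in ROLE_TABLE_SELECT.get(role, set()) for role in roles)


def can_see(roles: Iterable[str], column: Column) -> bool:
    """A column is visible only if BOTH layers pass.

    The ABAC check is a subset test: every attribute the column requires
    must be held. An attribute nobody holds therefore hides the column
    from everyone (deny by default), which is the safe failure mode for
    a mis-tagged column.
    """
    roles = list(roles)
    if not has_table_select(roles, column.table):
        return False
    return column.attributes <= granted_attributes(roles)


def project_row(roles: Iterable[str], columns: List[Column],
                row: Dict[str, object]) -> Dict[str, object]:
    """Return the row as the principal is allowed to see it.

    Table access is all-or-nothing (PermissionError); within an accessible
    table, columns whose attributes are not satisfied are masked rather
    than dropped, so a SELECT * still succeeds without leaking the value.
    """
    roles = list(roles)
    table = columns[0].table
    if not has_table_select(roles, table):
        raise PermissionError(f"no SELECT privilege on {table}")
    return {c.name: (row[c.name] if can_see(roles, c) else MASK)
            for c in columns}


if __name__ == "__main__":
    for who in (["analyst"], ["hr_admin"], ["auditor"]):
        print(who, project_row(who, EMPLOYEES, SAMPLE_ROW))
```

Two properties worth noting in the model: holding the `pii` attribute is not enough to read `salary`, because that column demands the full set `{pii, financial}`, and a principal with several roles sees the union of their attributes, which is exactly the privilege-escalation surface a real design has to reason about when attributes come from an external directory such as LDAP.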



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)