[ https://issues.apache.org/jira/browse/SENTRY-2140?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16470930#comment-16470930 ]
Anthony Young-Garner commented on SENTRY-2140:
----------------------------------------------
[~akolb] – I've changed the Jira name per our discussion.
[~spena] – See replies below on Attribute Ingestion, Column Masking and
Attributes and Privileges.
+Attribute Ingestion+
> what about proposing just the interface and API that Sentry will use for
> attribute ingestion only?
[~btowles] is investigating an alternative default attribute ingestion
implementation using Hive Metastore (HMS). He'll post more about it on Jira
(SENTRY-2225) or on the mailing list. I think it may be difficult to prove out
the effectiveness and usefulness of the attribute provider SPI/API without at
least one default and/or reference implementation of the SPI/API but I agree
that having an interface without an implementation is an option worth at least
considering.
+Column Masking+
> Have you investigated if this V2 will work with column masking only without
> interfering with V1 privileges?
Per our discussion over instant message, I've verified by running the code that
we're able to use the row filtering and column masking functionality in
DefaultSentryValidator without interfering with Hive authz V1 privileges. You
also verified by code inspection.
+Attributes and Privileges+
> I did not understand why the 'sentryShell -t hive' command cannot be used for
> attribute-role privileges. If these attributes are meant only for Hive, then
> why cannot we use the command?
I think the intention is that the CLI commands be extensible to multiple
external attribute sources and/or multiple data sources, including Hive and
Impala but also eventually Spark and perhaps non-columnar sources such as Solr
and Kafka. One of us will detail the proposed commands and backing DB schema
further on SENTRY-2227.
> Metadata Driven Column Masking
> ------------------------------
>
> Key: SENTRY-2140
> URL: https://issues.apache.org/jira/browse/SENTRY-2140
> Project: Sentry
> Issue Type: New Feature
> Components: Core
> Reporter: Steve Moist
> Priority: Major
> Labels: ABAC
> Attachments: Sentry ABAC Proposal v1.1.pdf, Sentry ABAC Proposal.pdf
>
>
> As a user, I want to have finer grain control over which users/roles can view
> data in Hive. Some information such as Social Security Number is considered
> very confidential information. I want to be able to tag columns in Hive with
> "attributes" or other metadata that prevent users/roles from not accessing or
> seeing the data. For users/roles that have that attribute, they should be
> able to see that information.