Hao Hao has posted comments on this change. ( http://gerrit.cloudera.org:8080/13759 )

Change subject: security: add docs for Sentry
......................................................................


Patch Set 2:

(14 comments)

http://gerrit.cloudera.org:8080/#/c/13759/2/docs/security.adoc
File docs/security.adoc:

http://gerrit.cloudera.org:8080/#/c/13759/2/docs/security.adoc@175
PS2, Line 175: Privileges granted on a higher scope imply privileges on a lower
             : scope
Maybe add a reference to Apache Sentry docs? For example, https://cwiki.apache.org/confluence/display/SENTRY/Sentry+Privileges


http://gerrit.cloudera.org:8080/#/c/13759/2/docs/security.adoc@193
PS2, Line 193: that user has `METADATA` privileges
Maybe mention `METADATA` privilege is only defined in Kudu. Unlike `UPDATE` and `DELETE`, I think there is little chance `METADATA` will become a Sentry privilege.


http://gerrit.cloudera.org:8080/#/c/13759/2/docs/security.adoc@199
PS2, Line 199: in Sentry deployments
Maybe good to call out as of Sentry 2.2, `UPDATE` and `DELETE` are not supported yet.


http://gerrit.cloudera.org:8080/#/c/13759/2/docs/security.adoc@206
PS2, Line 206: off of
nit: of?


http://gerrit.cloudera.org:8080/#/c/13759/2/docs/security.adoc@219
PS2, Line 219: for five minutes by default
Maybe mention this can be adjusted by flag, since it controls how long it takes for privileges newly granted in Sentry to take effect.


http://gerrit.cloudera.org:8080/#/c/13759/2/docs/security.adoc@228
PS2, Line 228: Configuring the Integration with Apache Sentry
             :
I think we should note that when the Sentry HDFS sync feature is enabled, kudu needs to be in the hive group.


http://gerrit.cloudera.org:8080/#/c/13759/2/docs/security.adoc@234
PS2, Line 234: documentation
nit: add a link?


http://gerrit.cloudera.org:8080/#/c/13759/2/docs/security.adoc@241
PS2, Line 241: server1
Mention this needs to match what is set in Hive?


http://gerrit.cloudera.org:8080/#/c/13759/2/docs/security.adoc@267
PS2, Line 267: access requirements
nit: maybe use 'fine-grained authorization'?


http://gerrit.cloudera.org:8080/#/c/13759/2/docs/security.adoc@272
PS2, Line 272: Caching
Do we need to talk about when and how to configure the capacity of the cache (sentry_privileges_cache_capacity_mb)?


http://gerrit.cloudera.org:8080/#/c/13759/2/docs/security.adoc@274
PS2, Line 274: requests
nit: maybe 'privilege retrieval requests' to be more specific.


http://gerrit.cloudera.org:8080/#/c/13759/2/docs/security.adoc@299
PS2, Line 299: GRANT OPTION
Explain grant option a bit? Apache Sentry reference is https://cwiki.apache.org/confluence/display/SENTRY/Support+Delegated+GRANT+and+REVOKE+in+Hive+and+Impala.


http://gerrit.cloudera.org:8080/#/c/13759/2/docs/security.adoc@301
PS2, Line 301: with no
nit: without


http://gerrit.cloudera.org:8080/#/c/13759/2/docs/security.adoc@321
PS2, Line 321: `METADATA ON TABLE` and `SELECT ON COLUMN`
Note the differences of the required privileges in this scenario between Kudu and Impala?



--
To view, visit http://gerrit.cloudera.org:8080/13759
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ie50bb11a9a5d2d2294cf0ac34ccd7d75aa2cbcdf
Gerrit-Change-Number: 13759
Gerrit-PatchSet: 2
Gerrit-Owner: Andrew Wong <[email protected]>
Gerrit-Reviewer: Alex Rodoni <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Andrew Wong <[email protected]>
Gerrit-Reviewer: Grant Henke <[email protected]>
Gerrit-Reviewer: Hao Hao <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Comment-Date: Sat, 29 Jun 2019 00:58:53 +0000
Gerrit-HasComments: Yes
