Andrew Wong has posted comments on this change. ( http://gerrit.cloudera.org:8080/13759 )
Change subject: security: add docs for Sentry
......................................................................


Patch Set 3:

(13 comments)

http://gerrit.cloudera.org:8080/#/c/13759/2/docs/security.adoc
File docs/security.adoc:

http://gerrit.cloudera.org:8080/#/c/13759/2/docs/security.adoc@175
PS2, Line 175: Privileges granted on a higher scope imply privileges on a lower
             : scope
> Maybe add a reference to Apache Sentry docs? For example, https://cwiki.apa

Done


http://gerrit.cloudera.org:8080/#/c/13759/2/docs/security.adoc@193
PS2, Line 193: l privilege per se, rather, it is a
> Maybe mention `METADATA` privilege is only defined in Kudu. Unlike `UPDATE`

Done


http://gerrit.cloudera.org:8080/#/c/13759/2/docs/security.adoc@199
PS2, Line 199: details about Sentry
> Maybe good to call out as of Sentry 2.2, `UPDATE` and `DELETE` are not supp

I already called out 2.2 elsewhere. I prefer this being generic and not tied to a version if it doesn't need to be. WDYT


http://gerrit.cloudera.org:8080/#/c/13759/2/docs/security.adoc@206
PS2, Line 206:
> nit: of?

Not quite, but fixed.


http://gerrit.cloudera.org:8080/#/c/13759/2/docs/security.adoc@219
PS2, Line 219: matically attach authorizat
> Maybe mention this can be adjusted by flag, since it controls how long it t

This is noted in the Caching section.


http://gerrit.cloudera.org:8080/#/c/13759/2/docs/security.adoc@228
PS2, Line 228: a tablet server that has been configured to enforce fine-grained access
             :
> I think we should note that when Sentry HDFS sync feature is enabled, kudu

That seems like it should be documented in the HMS docs, no? That doesn't have anything to do with fine-grained access control IMO.


http://gerrit.cloudera.org:8080/#/c/13759/2/docs/security.adoc@241
PS2, Line 241: re.adoc
> Mention this needs to match what is set in Hive?

Done


http://gerrit.cloudera.org:8080/#/c/13759/2/docs/security.adoc@267
PS2, Line 267:
> nit: maybe use 'fine-grained authorization'?

Done


http://gerrit.cloudera.org:8080/#/c/13759/2/docs/security.adoc@272
PS2, Line 272: d extra
> Do we need to talk about when and how to config the capacity of the cache (

I don't think so, if questions come up about it, they can ask on mailing lists or on Slack. AFAWCT the default is sufficient.


http://gerrit.cloudera.org:8080/#/c/13759/2/docs/security.adoc@274
PS2, Line 274:
> nit: maybe 'privilege retrieval requests' to be more specific.

Done


http://gerrit.cloudera.org:8080/#/c/13759/2/docs/security.adoc@299
PS2, Line 299:
> Explain grant option a bit? Apache Sentry reference is https://cwiki.apache

Just added a link.


http://gerrit.cloudera.org:8080/#/c/13759/2/docs/security.adoc@301
PS2, Line 301:
> nit: without

I would choose either "with no rename" or "without a rename"; I'm leaving this as is.


http://gerrit.cloudera.org:8080/#/c/13759/2/docs/security.adoc@321
PS2, Line 321: === Policy for Kudu Tablet Servers
> Note the differences of the required privileges in this scenario between Ku

I've pointed at Impala authorization docs elsewhere. Is that not sufficient?



--
To view, visit http://gerrit.cloudera.org:8080/13759
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ie50bb11a9a5d2d2294cf0ac34ccd7d75aa2cbcdf
Gerrit-Change-Number: 13759
Gerrit-PatchSet: 3
Gerrit-Owner: Andrew Wong <[email protected]>
Gerrit-Reviewer: Alex Rodoni <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Andrew Wong <[email protected]>
Gerrit-Reviewer: Grant Henke <[email protected]>
Gerrit-Reviewer: Hao Hao <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Comment-Date: Sun, 30 Jun 2019 21:53:03 +0000
Gerrit-HasComments: Yes
