[jira] [Commented] (SENTRY-2140) Attribute based access control
[ https://issues.apache.org/jira/browse/SENTRY-2140?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16387327#comment-16387327 ] Alexander Kolbasov commented on SENTRY-2140: [~moist], thank you for the proposal. The example part is great, it helps to understand where you are coming from. It would be good to add a bit more technical substance there. In particular: 1) More formal definition of tags and their interaction with Hive privilege model 2) Some discussion of how it all applies (or doesn't apply) to generic privilege model 3) Proposed changes to Sentry thrift API (after all, CLI examples that you mention just speak Sentrish). 4) Proposed changes to the Hive privilege model > Attribute based access control > -- > > Key: SENTRY-2140 > URL: https://issues.apache.org/jira/browse/SENTRY-2140 > Project: Sentry > Issue Type: New Feature > Components: Core >Reporter: Steve Moist >Priority: Major > Attachments: Sentry ABAC Proposal.pdf > > > As a user, I want to have finer grain control over which users/roles can view > data in Hive. Some information such as Social Security Number is considered > very confidential information. I want to be able to tag columns in Hive with > "attributes" that prevent users/roles from not accessing or seeing the data. > For users/roles that have that attribute, they should be able to see that > information. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (SENTRY-1242) Enable getting all privileges on a hive object
[ https://issues.apache.org/jira/browse/SENTRY-1242?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16386832#comment-16386832 ] Alexander Kolbasov commented on SENTRY-1242: [~moist] Can you post some example showing the command and the output? > Enable getting all privileges on a hive object > -- > > Key: SENTRY-1242 > URL: https://issues.apache.org/jira/browse/SENTRY-1242 > Project: Sentry > Issue Type: New Feature >Affects Versions: 2.0.0 >Reporter: Sravya Tirukkovalur >Assignee: Steve Moist >Priority: Major > Fix For: 2.1.0 > > Attachments: SENTRY-1242-001.patch, SENTRY-1242-002.diff > > > Enable show grant on table/db . This syntax is already supported by > hive. > This would be really useful for the admin to find out all policies on a hive > object. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (SENTRY-1242) Enable getting all privileges on a hive object
[
https://issues.apache.org/jira/browse/SENTRY-1242?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16386806#comment-16386806
]
Hadoop QA commented on SENTRY-1242:
---
Here are the results of testing the latest attachment
https://issues.apache.org/jira/secure/attachment/12910431/SENTRY-1242-001.patch
against master.
{color:red}Overall:{color} -1 due to an error
{color:red}ERROR:{color} failed to apply patch (exit code 1):
The patch does not appear to apply with p0, p1, or p2
Console output:
https://builds.apache.org/job/PreCommit-SENTRY-Build/3682/console
This message is automatically generated.
> Enable getting all privileges on a hive object
> --
>
> Key: SENTRY-1242
> URL: https://issues.apache.org/jira/browse/SENTRY-1242
> Project: Sentry
> Issue Type: New Feature
>Affects Versions: 2.0.0
>Reporter: Sravya Tirukkovalur
>Assignee: Steve Moist
>Priority: Major
> Fix For: 2.1.0
>
> Attachments: SENTRY-1242-001.patch, SENTRY-1242-002.diff
>
>
> Enable show grant on table/db . This syntax is already supported by
> hive.
> This would be really useful for the admin to find out all policies on a hive
> object.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (SENTRY-2147) Fix Javadoc for SentryHiveAuthorizerFactory
[
https://issues.apache.org/jira/browse/SENTRY-2147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16386691#comment-16386691
]
Hadoop QA commented on SENTRY-2147:
---
Here are the results of testing the latest attachment
https://issues.apache.org/jira/secure/attachment/12913080/SENTRY-2147.patch
against master.
{color:red}Overall:{color} -1 due to 2 errors
{color:red}ERROR:{color} mvn test exited 1
{color:red}ERROR:{color} Failed:
org.apache.sentry.tests.e2e.dbprovider.TestHmsNotificationProcessing
Console output:
https://builds.apache.org/job/PreCommit-SENTRY-Build/3681/console
This message is automatically generated.
> Fix Javadoc for SentryHiveAuthorizerFactory
> ---
>
> Key: SENTRY-2147
> URL: https://issues.apache.org/jira/browse/SENTRY-2147
> Project: Sentry
> Issue Type: Improvement
>Reporter: Colm O hEigeartaigh
>Assignee: Colm O hEigeartaigh
>Priority: Trivial
> Fix For: 2.1.0
>
> Attachments: SENTRY-2147.patch, SENTRY-2147.patch.1
>
>
> The Javadoc for SentryHiveAuthorizerFactory incorrectly states that it should
> be configured as follows:
>
> hive.security.authorization.enable
>
> org.apache.sentry.binding.hive.authz.SentryHiveAuthorizerFactory
>
> Instead it should be "hive.security.authorization.manager".
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (SENTRY-2149) Implement functionality to show groups
[
https://issues.apache.org/jira/browse/SENTRY-2149?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16386415#comment-16386415
]
Alexander Kolbasov commented on SENTRY-2149:
The submitter can clarify this, but looks like the request is to be able to see
all groups known to Sentry. Note that you can do this with Sentry CLI.
> Implement functionality to show groups
> --
>
> Key: SENTRY-2149
> URL: https://issues.apache.org/jira/browse/SENTRY-2149
> Project: Sentry
> Issue Type: New Feature
>Reporter: Sachin
>Priority: Major
>
> Sentry allows to list the roles
> SHOW ROLES;
> There should be also a way to show the groups . Currently it seems that this
> is only possible by directly querying the Sentry database. This functionality
> should be provided out-of-the-box similar to the statement above.
> The functionality could look similar to the following statement
> {code:sql}
> SHOW GROUPS;{code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Updated] (SENTRY-2147) Fix Javadoc for SentryHiveAuthorizerFactory
[ https://issues.apache.org/jira/browse/SENTRY-2147?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Colm O hEigeartaigh updated SENTRY-2147: Attachment: SENTRY-2147.patch.1 > Fix Javadoc for SentryHiveAuthorizerFactory > --- > > Key: SENTRY-2147 > URL: https://issues.apache.org/jira/browse/SENTRY-2147 > Project: Sentry > Issue Type: Improvement >Reporter: Colm O hEigeartaigh >Assignee: Colm O hEigeartaigh >Priority: Trivial > Fix For: 2.1.0 > > Attachments: SENTRY-2147.patch, SENTRY-2147.patch.1 > > > The Javadoc for SentryHiveAuthorizerFactory incorrectly states that it should > be configured as follows: > > hive.security.authorization.enable > > org.apache.sentry.binding.hive.authz.SentryHiveAuthorizerFactory > > Instead it should be "hive.security.authorization.manager". -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (SENTRY-2149) Implement functionality to show groups
[
https://issues.apache.org/jira/browse/SENTRY-2149?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16386367#comment-16386367
]
kalyan kumar kalvagadda commented on SENTRY-2149:
-
There are couple of things here
# "SHOW ROLES" command list all the roles that are grant to user who is
running this command.
# I'm not sure what do you meant when you said "SHOW GROUPS" should be
supported.
## If you meant, "SHOW GROUPS" should return the list of the groups that user
belongs. This is not a feature that sentry should be supporting as sentry is
not a source of truth for this information.
## This information should be retrieved from differently. It should be based
on the user<=>group mapping service that you are using.
> Implement functionality to show groups
> --
>
> Key: SENTRY-2149
> URL: https://issues.apache.org/jira/browse/SENTRY-2149
> Project: Sentry
> Issue Type: New Feature
>Reporter: Sachin
>Priority: Major
>
> Sentry allows to list the roles
> SHOW ROLES;
> There should be also a way to show the groups . Currently it seems that this
> is only possible by directly querying the Sentry database. This functionality
> should be provided out-of-the-box similar to the statement above.
> The functionality could look similar to the following statement
> {code:sql}
> SHOW GROUPS;{code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
