Posted to dev@sentry.apache.org by Bhooshan Mogal <bh...@gmail.com> on 2016/03/22 18:22:29 UTC

Default role for a user?

Hi Folks,

I have the following use-case and wanted to hear the community's thoughts
on whether it's already possible with Apache Sentry or even if we should add
such a feature in future:

When a principal creates an entity in my system (and he is authorized to do
so), I want to make him the owner of that entity. In other words, I want to
grant him privileges to read, write and administer that entity, if the
authorization check for the create operation succeeds, and creation is
successful.

The problem with this today is that to check if he is authorized, I pass in
a user name. To grant him all the privileges if the operation was
successful, I need to grant it to a role in Sentry. I know there has been
discussion about having user/group level access control in Sentry, but until
that happens, I am unclear about how I should map that user name to a role,
given that a single user may have multiple roles.

In the worst case, I could grant privileges to all his roles, but seems
like this could open up a security loophole? I had some initial ideas about
perhaps something like a default role for a user, but I'm not sure if
Sentry supports that model.

Appreciate any thoughts on this use case,
-
Bhooshan

Re: Default role for a user?

Posted by Bhooshan Mogal <bh...@gmail.com>.
Hi Hao,

Apologies for the delayed response. I think SENTRY-711 is support for
adding users to roles. What I was thinking of was more on the lines of
granting/revoking privileges to users/groups (and not roles) -- so not RBAC.

Thanks,
Bhooshan

Re: Default role for a user?

Posted by Hao Hao <ha...@cloudera.com>.
Hi Bhooshan,

Jira Sentry-711 is for adding user level privileges, I assume that is the
user/group based access control that you are talking about? If so, this is
on the Sentry roadmap.  Thanks!

Best,
Hao

Re: Default role for a user?

Posted by Bhooshan Mogal <bh...@gmail.com>.
Thanks Hao!

Yes, that seems like a viable work-around until Sentry supports user/group
based access control. Is that on the roadmap any time soon?

-
Bhooshan

Re: Default role for a user?

Posted by Hao Hao <ha...@cloudera.com>.
Hi Bhooshan,

Thanks a lot for sharing this interesting question. Based on my
understanding, you can create a new role for holding all privileges (privileges
to read, write and administer that entity) you want to grant to that user.
And grant that role to the user. You do not need to grant privileges to all
his roles. The relationship of roles and users is that once a user has a certain
role, he can have all the privileges that are associated with the role.
Thanks!

Best,
Hao
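
The exchange above turns on one point: in Sentry's model privileges attach to roles, roles are granted to groups, and users get their roles through group membership. The following is an added example (not Apache Sentry code, not the CDAP integration, and it does not call the Sentry client API); it is a small in-memory model of that privilege -> role -> group -> user graph, used to compare the two ownership strategies discussed in the thread: granting the owner privileges to every role the creator already holds (the "worst case" the question worries about) versus creating one dedicated role that holds exactly the owner privileges (the workaround suggested in the reply). The scenario (users alice, bob, carol; namespace ns1; a per-user group named user_<name>) is constructed for the example. The per-user group is an assumption: because Sentry binds roles to groups rather than to users, a dedicated owner role is only as tight as the group it is granted to, which is exactly why user-level grants matter.

```python
"""Toy model of Sentry-style RBAC (privilege -> role -> group -> user).

Added example for this thread; it is not Apache Sentry code and does not use
the Sentry client API. It compares the two ways of making the creator of an
entity its owner that the thread discusses.
"""
from dataclasses import dataclass, field
from typing import Callable

# The privileges an "owner" should hold on the entity it created.
OWNER_ACTIONS = frozenset({"read", "write", "admin"})


@dataclass(frozen=True)
class Privilege:
    entity: str   # e.g. "ns1" (a namespace) or "ns1:t_own" (an object inside it)
    action: str   # e.g. "create", "read", "write", "admin"


@dataclass
class PolicyStore:
    """In-memory stand-in for the Sentry policy store: roles hold privileges,
    groups hold roles, users belong to groups."""
    role_privileges: dict[str, set[Privilege]] = field(default_factory=dict)
    group_roles: dict[str, set[str]] = field(default_factory=dict)
    user_groups: dict[str, set[str]] = field(default_factory=dict)

    def create_role(self, role: str) -> None:
        self.role_privileges.setdefault(role, set())

    def grant(self, role: str, entity: str, action: str) -> None:
        self.role_privileges.setdefault(role, set()).add(Privilege(entity, action))

    def add_role_to_group(self, role: str, group: str) -> None:
        self.group_roles.setdefault(group, set()).add(role)

    def add_user_to_group(self, user: str, group: str) -> None:
        self.user_groups.setdefault(user, set()).add(group)

    def roles_of(self, user: str) -> set[str]:
        """Every role the user holds through any of his groups."""
        roles: set[str] = set()
        for group in self.user_groups.get(user, set()):
            roles |= self.group_roles.get(group, set())
        return roles

    def is_authorized(self, user: str, entity: str, action: str) -> bool:
        wanted = Privilege(entity, action)
        return any(wanted in self.role_privileges.get(r, set()) for r in self.roles_of(user))


def make_owner_via_all_roles(store: PolicyStore, user: str, entity: str) -> None:
    """The 'worst case' from the thread: grant owner privileges to every role the
    creator currently holds. Everyone who shares any of those roles inherits them."""
    for role in store.roles_of(user):
        for action in OWNER_ACTIONS:
            store.grant(role, entity, action)


def make_owner_via_dedicated_role(store: PolicyStore, user: str, entity: str) -> None:
    """The workaround from the thread: a fresh role holding exactly the owner
    privileges for this entity. Roles bind to groups, so the role is granted to a
    group that contains only the creator (the user_<name> group is an assumption
    of this example, not a Sentry convention)."""
    role = f"owner_{entity}"
    personal_group = f"user_{user}"
    store.create_role(role)
    for action in OWNER_ACTIONS:
        store.grant(role, entity, action)
    store.add_user_to_group(user, personal_group)
    store.add_role_to_group(role, personal_group)


def create_entity(store: PolicyStore, user: str, namespace: str, entity: str,
                  make_owner: Callable[[PolicyStore, str, str], None]) -> bool:
    """Check 'create' on the namespace first; only when that succeeds (and the
    entity would have been created) apply the ownership grant. Returns False on deny."""
    if not store.is_authorized(user, namespace, "create"):
        return False
    make_owner(store, user, entity)
    return True


def demo() -> dict[str, bool]:
    """Constructed scenario: alice and bob share the 'analyst' role through the
    'analysts' group; carol holds no role at all."""
    store = PolicyStore()
    store.create_role("analyst")
    store.grant("analyst", "ns1", "create")
    store.add_role_to_group("analyst", "analysts")
    store.add_user_to_group("alice", "analysts")
    store.add_user_to_group("bob", "analysts")

    results: dict[str, bool] = {}
    # carol has no role granting 'create' on ns1, so nothing is created or granted.
    results["carol_create_denied"] = not create_entity(
        store, "carol", "ns1", "ns1:t0", make_owner_via_dedicated_role)
    # Granting to all of alice's roles hands bob 'admin' on her entity.
    create_entity(store, "alice", "ns1", "ns1:t_all", make_owner_via_all_roles)
    results["bob_admin_leaked"] = store.is_authorized("bob", "ns1:t_all", "admin")
    # A dedicated role in a per-user group keeps ownership with alice alone.
    create_entity(store, "alice", "ns1", "ns1:t_own", make_owner_via_dedicated_role)
    results["alice_owns_t_own"] = all(
        store.is_authorized("alice", "ns1:t_own", a) for a in OWNER_ACTIONS)
    results["bob_admin_on_t_own"] = store.is_authorized("bob", "ns1:t_own", "admin")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The leak in the first strategy is not a Sentry bug: roles are shared by design, so any privilege added to a shared role is shared too. The dedicated-role strategy avoids it only if the group the role is bound to contains just the creator; if the creator's only group is a shared one, binding the owner role there leaks in the same way.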