Posted to dev@pegasus.apache.org by GitBox <gi...@apache.org> on 2022/07/18 08:07:01 UTC

[GitHub] [incubator-pegasus] kirbyzhou commented on issue #1054: Feature: Integrate with Apache Ranger

kirbyzhou commented on issue #1054:
URL: https://github.com/apache/incubator-pegasus/issues/1054#issuecomment-1186893384

   If I understand it correctly, the ACL model is so simple now. There are two access_controller classes.  
   
   - meta_access_controller:
   
   Super User is allowed to do anything. 
   All other users are allowed to do the things listed in FLAGS_meta_acl_rpc_allow_list. There are no per-user settings.
   The default meta_acl_rpc_allow_list entries are:
   ```
   RPC_CM_LIST_APPS 
   RPC_CM_LIST_NODES 
   RPC_CM_CLUSTER_INFO 
   RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX
   ```
   
   - replica_access_controller: 
   
   Super User is allowed to do anything. 
   Users in the users list are allowed to do anything. Users are set by 'replica_access_controller.allowed_users' vars in replica::update_ac_allowed_users
   There seem to be no per-user settings either.
   
   
   It seems we first have to enhance the access controller mechanism and add per-user / per-table support.
   Such as:
   { Table1: { user1: read, user2: read+write }, Table2: { user3: read, user4: read+write } }
   
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@pegasus.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
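
The following is an added illustration, not part of kirbyzhou's comment and not Pegasus code: it models the two existing checks as the comment describes them, next to the proposed per-table, per-user grant map with default deny. All type names, function names and the `admin` super user are hypothetical.

```cpp
#include <map>
#include <set>
#include <string>

// All type and function names here are hypothetical, not Pegasus identifiers.
constexpr unsigned kRead = 1u, kWrite = 2u;

// Meta model as described: super user, or the RPC is in one global allow list.
struct MetaAcl {
    std::string super_user;
    std::set<std::string> rpc_allow_list;
    bool allowed(const std::string &user, const std::string &rpc) const {
        return user == super_user || rpc_allow_list.count(rpc) > 0;
    }
};

// Replica model as described: super user, or listed in allowed_users.
// Membership is all-or-nothing, so the requested operation is never consulted.
struct ReplicaAcl {
    std::string super_user;
    std::set<std::string> allowed_users;
    bool allowed(const std::string &user) const {
        return user == super_user || allowed_users.count(user) > 0;
    }
};

// Proposed shape: table -> user -> permission bits, with default deny.
struct TableAcl {
    std::string super_user;
    std::map<std::string, std::map<std::string, unsigned>> grants;
    bool allowed(const std::string &table, const std::string &user,
                 unsigned needed) const {
        if (user == super_user) return true;
        if (needed == 0) return false;             // reject an empty request
        auto t = grants.find(table);
        if (t == grants.end()) return false;       // unknown table: deny
        auto u = t->second.find(user);
        if (u == t->second.end()) return false;    // no grant on this table: deny
        return (u->second & needed) == needed;     // every requested bit granted
    }
};

// Constructed policy mirroring the structure sketched in the comment.
TableAcl sample_policy() {
    TableAcl acl;
    acl.super_user = "admin";                      // constructed name
    acl.grants["Table1"] = {{"user1", kRead}, {"user2", kRead | kWrite}};
    acl.grants["Table2"] = {{"user3", kRead}, {"user4", kRead | kWrite}};
    return acl;
}
```

With this policy, `user1` can read `Table1` but cannot write it or touch `Table2`, whereas the replica-style check grants a listed user every operation.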