Posted to dev@sentry.apache.org by Alexander Kolbasov <ak...@cloudera.com> on 2016/12/14 22:19:03 UTC

[DISCUSS] Sentry interactive shell

Inspired by SentryShell I wrote a prototype of interactive Sentry shell
where you have an open session and can issue CRUD commands for
roles/groups/privileges. Is there any interest in making this integrated
into Sentry code base?

Re: [DISCUSS] Sentry interactive shell

Posted by Alexander Kolbasov <ak...@cloudera.com>.
So we have this interactive Sentry shell that is lying around in a branch
(akolb-ha-cli). I think that it would be useful to make it generally
available in master - are there any opinions about that?

On Wed, Dec 14, 2016 at 9:42 PM Alexander Kolbasov <ak...@cloudera.com>
wrote:

> On Dec 14, 2016, at 8:46 PM, Lenni Kuff <ls...@cloudera.com> wrote:
>
> Thanks for kicking this off Sasha. IMO, a robust Sentry CLI seems super
> important for the project - especially as Sentry support for more
> components comes online. It also helps to allow 3rd party integration with
> Sentry.
>
>
> I would like to understand this use case a bit better. Do you have some
> specific examples in mind? What I discovered while working on CLI
> interfaces is that the current code assumes that it is dealing with a
> “well-behaving” client where the good behavior isn’t well defined. Just
> obeying the Thrift protocol is triggering various interesting issues (which
> should be fixed IMO). So for applications the API was never Thrift but
> some Java interfaces. Once you start dealing with CLIs (and with 3rd party
> integrations) it is really important to define what exactly is the API - is
> it defined at the Thrift level or at Java interface level.
>
> Is there a design document / JIRA / other material to review on the new
> CLI?
>
>
> There isn’t. So far I implemented two Sentry CLIs - one classical
> command-line which is super useful for me (as a developer) and which is
> written in Go and allows easy access to the Thrift protocol itself. Another
> one (interactive CLI) I wrote mostly to demonstrate client failover for
> Sentry HA but it is full featured (although it only supports Hive model for
> now) - you can do all CRUD operations on roles/privileges/groups and *it
> goes through the same Java code path as all other clients*. My goal was to
> write the smallest amount of code and have a fully working (and useful)
> version quickly. If there is an interest to open this up to a wider
> audience, we may start a discussion on the design choices, etc.
>
> Given SentryShell has been in development for this same purpose
> (and has already been released), it would be good to understand the delta
> between the two and motivation for adding a new CLI vs updating
> SentryShell.
>
>
> I am curious whether anyone has any experience using the SentryShell. I
> only could find this documentation:
> https://cwiki.apache.org/confluence/display/SENTRY/Sentry+Simple+Shell.
> While I was looking at the implementation of the SentryShell there is very
> little code that I actually used for the interactive shell, so there isn’t
> much intersection. Of course, if we decide to productize the interactive
> shell it makes a lot of sense to unify the two since they are doing,
> essentially, the same thing. But for now their overall organization is
> completely different.
>
> Is there a compelling reason to support both? Probably good
> to get other folks' input from the community.
>
>
> Not really. But I agree that it would be great to hear from people who
> actually use it. That said, I do see an independent value in stand-alone
> Go-based CLI that works directly over Thrift.
>
>
> Thanks,
> Lenni
>
>
> Thanks for your input!
>
> - Alex.
>
>
> On Wed, Dec 14, 2016 at 5:19 PM, Alexander Kolbasov <ak...@cloudera.com>
> wrote:
>
> Inspired by SentryShell I wrote a prototype of interactive Sentry shell
> where you have an open session and can issue CRUD commands for
> roles/groups/privileges. Is there any interest in making this integrated
> into Sentry code base?
>
>

Re: [DISCUSS] Sentry interactive shell

Posted by Alexander Kolbasov <ak...@cloudera.com>.
> On Dec 14, 2016, at 8:46 PM, Lenni Kuff <ls...@cloudera.com> wrote:
> 
> Thanks for kicking this off Sasha. IMO, a robust Sentry CLI seems super
> important for the project - especially as Sentry support for more
> components comes online. It also helps to allow 3rd party integration with
> Sentry.

I would like to understand this use case a bit better. Do you have some specific examples in mind? What I discovered while working on CLI interfaces is that the current code assumes that it is dealing with a “well-behaving” client where the good behavior isn’t well defined. Just obeying the Thrift protocol is triggering various interesting issues (which should be fixed IMO). So for applications the API was never Thrift but some Java interfaces. Once you start dealing with CLIs (and with 3rd party integrations) it is really important to define what exactly is the API - is it defined at the Thrift level or at Java interface level.

> Is there a design document / JIRA / other material to review on the new
> CLI?

There isn’t. So far I implemented two Sentry CLIs - one classical command-line which is super useful for me (as a developer) and which is written in Go and allows easy access to the Thrift protocol itself. Another one (interactive CLI) I wrote mostly to demonstrate client failover for Sentry HA but it is full featured (although it only supports Hive model for now) - you can do all CRUD operations on roles/privileges/groups and *it goes through the same Java code path as all other clients*. My goal was to write the smallest amount of code and have a fully working (and useful) version quickly. If there is an interest to open this up to a wider audience, we may start a discussion on the design choices, etc.

> Given SentryShell has been in development for this same purpose
> (and has already been released), it would be good to understand the delta
> between the two and motivation for adding a new CLI vs updating
> SentryShell.

I am curious whether anyone has any experience using the SentryShell. I only could find this documentation: https://cwiki.apache.org/confluence/display/SENTRY/Sentry+Simple+Shell. While I was looking at the implementation of the SentryShell there is very little code that I actually used for the interactive shell, so there isn’t much intersection. Of course, if we decide to productize the interactive shell it makes a lot of sense to unify the two since they are doing, essentially, the same thing. But for now their overall organization is completely different.

> Is there a compelling reason to support both? Probably good
> to get other folks' input from the community.

Not really. But I agree that it would be great to hear from people who actually use it. That said, I do see an independent value in stand-alone Go-based CLI that works directly over Thrift.

> 
> Thanks,
> Lenni

Thanks for your input!

- Alex.

> 
> On Wed, Dec 14, 2016 at 5:19 PM, Alexander Kolbasov <ak...@cloudera.com>
> wrote:
> 
>> Inspired by SentryShell I wrote a prototype of interactive Sentry shell
>> where you have an open session and can issue CRUD commands for
>> roles/groups/privileges. Is there any interest in making this integrated
>> into Sentry code base?
>> 


Re: [DISCUSS] Sentry interactive shell

Posted by Lenni Kuff <ls...@cloudera.com>.
Thanks for kicking this off Sasha. IMO, a robust Sentry CLI seems super
important for the project - especially as Sentry support for more
components comes online. It also helps to allow 3rd party integration with
Sentry.

Is there a design document / JIRA / other material to review on the new
CLI? Given SentryShell has been in development for this same purpose
(and has already been released), it would be good to understand the delta
between the two and motivation for adding a new CLI vs updating
SentryShell. Is there a compelling reason to support both? Probably good
to get other folks' input from the community.

Thanks,
Lenni

On Wed, Dec 14, 2016 at 5:19 PM, Alexander Kolbasov <ak...@cloudera.com>
wrote:

> Inspired by SentryShell I wrote a prototype of interactive Sentry shell
> where you have an open session and can issue CRUD commands for
> roles/groups/privileges. Is there any interest in making this integrated
> into Sentry code base?
>