Posted to issues@sentry.apache.org by "Na Li (JIRA)" <ji...@apache.org> on 2018/03/06 16:50:00 UTC

[jira] [Comment Edited] (SENTRY-2140) Attribute based access control

    [ https://issues.apache.org/jira/browse/SENTRY-2140?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16388085#comment-16388085 ] 

Na Li edited comment on SENTRY-2140 at 3/6/18 4:49 PM:
-------------------------------------------------------

[~moist] Thanks for the design documentation.

1) Can you add more specific details on how ABAC works with Role Based Access Control? In my opinion, it happens at "Enforcement point for attribute privileges in Sentry bindings for Hive and Impala".

2) "Means for user to specify attribute privileges for roles (and users?)": It seems you only use attributes on table columns. Can we use attributes on users and sessions? For example, can we grant access to a table column with PII only for users with clearance > 4, during working hours, and when the user's country matches the value of the "Country" column?

3) How is the info from "Attribute Ingestion" used in "Enforcement point for attribute privileges"? An example that shows the whole workflow would be very helpful.


was (Author: linaataustin):
[~moist] Thanks for the design documentation.

1) Can you add more specific details on how ABAC works with Role Based Access Control? In my opinion, it happens at "Enforcement point for attribute privileges in Sentry bindings for Hive and Impala".

2) "Means for user to specify attribute privileges for roles (and users?)": It seems you only use attributes on table columns. Can we use attributes on users and sessions? For example, can we grant access to a table column with PII only during working hours and when the user's country matches the value of the "Country" column?

3) How is the info from "Attribute Ingestion" used in "Enforcement point for attribute privileges"? An example that shows the whole workflow would be very helpful.

> Attribute based access control
> ------------------------------
>
>                 Key: SENTRY-2140
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2140
>             Project: Sentry
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Steve Moist
>            Priority: Major
>         Attachments: Sentry ABAC Proposal.pdf
>
>
> As a user, I want to have finer-grained control over which users/roles can view data in Hive.  Some information such as Social Security Number is considered very confidential information.  I want to be able to tag columns in Hive with "attributes" that prevent users/roles from not accessing or seeing the data.  For users/roles that have that attribute, they should be able to see that information.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)