Posted to dev@sentry.apache.org by "Ma, Junjie" <ju...@intel.com> on 2016/01/07 06:55:25 UTC

Grant user to role

Hi,

Currently, Sentry only supports granting a group to a role; there should be a reasonable feature to grant a user to a role. This is also a gap between Hive and Sentry: for Hive, the following command is supported:
        GRANT role_name TO USER user
I think it's a useful feature for authorization, and SENTRY-711 has been created for this. You can get the design doc, patch, and review board link in this JIRA.
Feel free to send any comments, thanks.

Best regards,

Colin Ma(Ma Jun Jie)


RE: Grant user to role

Posted by "Ma, Junjie" <ju...@intel.com>.
Hi Anne,

Thanks for reviewing the design.
User privileges and group privileges are isolated. Any user's privileges = group privileges + user privileges. If a user privilege is revoked, the user still has the group privilege.
Currently, I won't implement the feature "grant user to privilege"; the first step will be "grant user to role".
After implementation, the getPrivilege process will be as follows:
	1. backend.getPrivilege
	2. get all roles for user = getRolesForUser + getRolesForGroup 
	3. get privileges for all roles

For backward compatibility, I think there is no need to translate user privileges to group privileges; just treat the user as having no privilege.

Best regards,

Colin Ma(Ma Jun Jie)

-----Original Message-----
From: Anne Yu [mailto:anneyu@cloudera.com] 
Sent: Tuesday, January 12, 2016 8:02 AM
To: dev@sentry.incubator.apache.org
Subject: Re: Grant user to role

Hi Colin,

Some design questions regarding this feature:

Say a user has both group-level and user-level SELECT on table privileges. After revoking the user-level privilege, will the group-level privilege still apply to the user, i.e. can the user select from the table? Or after revoking the group privilege, will the user-level privilege still be valid? Here we also need to consider situations where the user belongs to multiple groups.

How to handle backward compatibility? That is, if a user has a user-level privilege and Sentry is rolled back to an older version, how should it be translated to a group-level privilege, or should the user just be treated as having no privileges?


Thanks,
Anne


On Wed, Jan 6, 2016 at 9:55 PM, Ma, Junjie <ju...@intel.com> wrote:

> Hi,
>
> Currently, Sentry only supports granting a group to a role; there should be a 
> reasonable feature to grant a user to a role. This is also a gap between 
> Hive and Sentry: for Hive, the following command is supported:
>         GRANT role_name TO USER user
> I think it's a useful feature for authorization, and SENTRY-711 
> has been created for this. You can get the design doc, patch, and review 
> board link in this JIRA.
> Feel free to send any comments, thanks.
>
> Best regards,
>
> Colin Ma(Ma Jun Jie)
>
>


--
Thanks,
Anne
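The resolution model Colin describes above (all roles for a user = getRolesForUser + getRolesForGroup, then the union of those roles' privileges) and Anne's revoke and downgrade questions, as an added Python model. This is example code written for this page, not Sentry's own implementation or API. The role, group, user, database and table names (analyst_role, alice, sales.orders, ...) are constructed, and the support_user_roles flag is an assumption standing in for an older server that has no user-to-role mapping.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Set


@dataclass(frozen=True)
class Privilege:
    """Table-scoped privilege; table '*' means any table, action 'all' any action."""
    db: str
    table: str
    action: str  # "select", "insert" or "all"

    def implies(self, db: str, table: str, action: str) -> bool:
        return (self.db == db and self.table in ("*", table)
                and self.action in ("all", action))


class RoleStore:
    """Constructed in-memory stand-in for the role mappings. user_roles is the new
    user-to-role mapping; support_user_roles=False models an older server (assumption)."""

    def __init__(self, support_user_roles: bool = True) -> None:
        self.support_user_roles = support_user_roles
        self.role_privileges: Dict[str, Set[Privilege]] = {}
        self.group_roles: Dict[str, Set[str]] = {}
        self.user_roles: Dict[str, Set[str]] = {}

    def grant_privilege_to_role(self, role: str, priv: Privilege) -> None:
        self.role_privileges.setdefault(role, set()).add(priv)

    def grant_role_to_group(self, role: str, group: str) -> None:  # GRANT role TO GROUP g
        self.group_roles.setdefault(group, set()).add(role)

    def grant_role_to_user(self, role: str, user: str) -> None:  # GRANT role TO USER u
        if not self.support_user_roles:
            raise NotImplementedError("this server version has no user-to-role mapping")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_role_from_group(self, role: str, group: str) -> None:
        self.group_roles.get(group, set()).discard(role)

    def revoke_role_from_user(self, role: str, user: str) -> None:
        self.user_roles.get(user, set()).discard(role)

    def get_roles_for_groups(self, groups: Iterable[str]) -> Set[str]:
        # A user in several groups collects every group's roles.
        return set().union(*(self.group_roles.get(g, set()) for g in groups))

    def get_roles_for_user(self, user: str) -> Set[str]:
        # An older server never reads user_roles: the user-level grant simply vanishes.
        return set(self.user_roles.get(user, set())) if self.support_user_roles else set()

    def list_privileges(self, user: str, groups: Iterable[str]) -> Set[Privilege]:
        # Step 2 of the thread: all roles = getRolesForUser + getRolesForGroup (a union).
        roles = self.get_roles_for_user(user) | self.get_roles_for_groups(groups)
        # Step 3: privileges of all those roles; user- and group-derived grants stay separate.
        return set().union(*(self.role_privileges.get(r, set()) for r in roles))

    def is_authorized(self, user: str, groups: Iterable[str], db: str, table: str, action: str) -> bool:
        return any(p.implies(db, table, action) for p in self.list_privileges(user, groups))


def walk_through() -> Dict[str, bool]:
    """Anne's scenario: alice holds SELECT on sales.orders via a group and directly."""
    store = RoleStore()
    store.grant_privilege_to_role("analyst_role", Privilege("sales", "orders", "select"))
    store.grant_privilege_to_role("finance_role", Privilege("sales", "orders", "insert"))
    store.grant_privilege_to_role("alice_role", Privilege("sales", "orders", "select"))
    store.grant_role_to_group("analyst_role", "analysts")
    store.grant_role_to_group("finance_role", "finance")
    store.grant_role_to_user("alice_role", "alice")
    groups = {"analysts", "finance"}  # alice belongs to two groups

    def can(action: str) -> bool:
        return store.is_authorized("alice", groups, "sales", "orders", action)

    out = {"select_with_both_grants": can("select"), "insert_via_second_group": can("insert")}
    store.revoke_role_from_user("alice_role", "alice")
    out["select_after_user_revoke"] = can("select")   # group grant still applies
    store.grant_role_to_user("alice_role", "alice")
    store.revoke_role_from_group("analyst_role", "analysts")
    out["select_after_group_revoke"] = can("select")  # user grant still applies
    store.revoke_role_from_user("alice_role", "alice")
    out["select_after_both_revoked"] = can("select")
    out["insert_after_both_revoked"] = can("insert")  # finance group was never touched
    return out


def downgrade_example() -> Dict[str, bool]:
    """Roll back to a server without user-to-role support: nothing is translated."""
    store = RoleStore()
    store.grant_privilege_to_role("alice_role", Privilege("sales", "orders", "select"))
    store.grant_role_to_user("alice_role", "alice")
    store.grant_privilege_to_role("analyst_role", Privilege("sales", "*", "select"))
    store.grant_role_to_group("analyst_role", "analysts")

    def check(groups: Set[str]) -> bool:
        return store.is_authorized("alice", groups, "sales", "orders", "select")

    before = check(set())
    store.support_user_roles = False  # simulated downgrade; stored user_roles rows are ignored
    return {"before_downgrade": before, "after_downgrade_no_groups": check(set()),
            "after_downgrade_with_group": check({"analysts"})}
```

walk_through() shows the isolation Colin describes: revoking the user-level grant leaves SELECT available through the analysts group, revoking the group grant leaves it available through the direct user grant, and INSERT survives both because it comes from a second group. downgrade_example() shows the "treat the user as having no privilege" option: after the flag is flipped the user-to-role rows are simply never consulted, while group grants keep working unchanged.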

Re: Grant user to role

Posted by Anne Yu <an...@cloudera.com>.
Hi Colin,

Some design questions regarding this feature:

Say a user has both group-level and user-level SELECT on table privileges. After
revoking the user-level privilege, will the group-level privilege still apply to the
user, i.e. can the user select from the table? Or after revoking the group privilege, will
the user-level privilege still be valid? Here we also need to consider situations
where the user belongs to multiple groups.

How to handle backward compatibility? That is, if a user has a user-level
privilege and Sentry is rolled back to an older version, how should it be translated to a
group-level privilege, or should the user just be treated as having no privileges?


Thanks,
Anne


On Wed, Jan 6, 2016 at 9:55 PM, Ma, Junjie <ju...@intel.com> wrote:

> Hi,
>
> Currently, Sentry only supports granting a group to a role; there should be a
> reasonable feature to grant a user to a role. This is also a gap between Hive
> and Sentry: for Hive, the following command is supported:
>         GRANT role_name TO USER user
> I think it's a useful feature for authorization, and SENTRY-711 has been
> created for this. You can get the design doc, patch, and review board link in
> this JIRA.
> Feel free to send any comments, thanks.
>
> Best regards,
>
> Colin Ma(Ma Jun Jie)
>
>


-- 
Thanks,
Anne