You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@sentry.apache.org by Sravya Tirukkovalur <sr...@apache.org> on 2015/06/27 20:06:41 UTC
Import/ export rules for specific data objects
Hi fellow developers,
We are working on the import/export feature of sentry rules as part
of SENTRY-197. As a follow on I was wondering if it might help to add a
functionality where we can export/ import rules for a specific auth object.
So for example: export sentry rules for database db1. I think this might
have multiple use cases like when users setup their rules for a db on a
test environment and then migrate them to production.
What do you guys think?
Thanks!
Re: Import/ export rules for specific data objects
Posted by Sravya Tirukkovalur <sr...@cloudera.com>.
@Dapeng: yes.
On Tue, Jun 30, 2015 at 8:14 PM, Sun, Dapeng <da...@intel.com> wrote:
> > I was mostly thinking auth object = database/table which would be
> beneficial in the above use case I mentioned. And we export all the
> permissions -> roles pertaining to this auth object and roles-> groups for
> those roles?
> Okay, it will be useful, thanks.
>
> +1, I guess "table" will be the table of a specific database, yes? Looking
> forward to see the feature.
>
> Regards
> Dapeng
>
> -----Original Message-----
> From: Sravya Tirukkovalur [mailto:sravya@cloudera.com]
> Sent: Wednesday, July 01, 2015 2:25 AM
> To: dev
> Subject: Re: Import/ export rules for specific data objects
>
> Thanks for the feedback folks! Filed
> https://issues.apache.org/jira/browse/SENTRY-785 to track this feature.
>
> On Tue, Jun 30, 2015 at 8:41 AM, Lenni Kuff <ls...@cloudera.com> wrote:
>
> > +1 for supporting filtering on the auth object. I think it would be
> > important to support wildcard characters (basically allow the filter
> > to be a regex on the object name).
> >
> > Thanks,
> > Lenni
> >
> > On Mon, Jun 29, 2015 at 10:32 AM, Sravya Tirukkovalur
> > <sravya@cloudera.com
> > >
> > wrote:
> >
> > > I was mostly thinking auth object = database/table which would be
> > > beneficial in the above use case I mentioned. And we export all the
> > > permissions -> roles pertaining to this auth object and roles->
> > > groups
> > for
> > > those roles?
> > >
> > > On Sun, Jun 28, 2015 at 9:59 PM, Sun, Dapeng <da...@intel.com>
> > wrote:
> > >
> > > > Yes, it's a good idea.
> > > >
> > > > I think we should document what auth object we will support and
> > > > which
> > > rule
> > > > will we export.
> > > > For example, could the auth object be database, role and etc? and
> > > > our policy rules are user->group->role->permission, which mapping
> > > relationships
> > > > will be exported?
> > > >
> > > >
> > > > Regards
> > > > Dapeng
> > > >
> > > > -----Original Message-----
> > > > From: Ma, Junjie [mailto:junjie.ma@intel.com]
> > > > Sent: Monday, June 29, 2015 9:06 AM
> > > > To: dev@sentry.incubator.apache.org
> > > > Subject: RE: Import/ export rules for specific data objects
> > > >
> > > >
> > > > I thinks this is an useful feature for the migration. This can be
> > > > an improvement of SENTRY-197, and we can created a new ticket to
> > > > trace
> > this.
> > > >
> > > > Best regards,
> > > >
> > > > Colin Ma(Ma Jun Jie)
> > > >
> > > > -----Original Message-----
> > > > From: Sravya Tirukkovalur [mailto:sravya@apache.org]
> > > > Sent: Sunday, June 28, 2015 2:07 AM
> > > > To: dev
> > > > Subject: Import/ export rules for specific data objects
> > > >
> > > > Hi fellow developers,
> > > >
> > > > We are working on the import/export feature of sentry rules as
> > > > part of SENTRY-197. As a follow on I was wondering if it might
> > > > help to add a functionality where we can export/ import rules for
> > > > a specific auth
> > > object.
> > > > So for example: export sentry rules for database db1. I think this
> > might
> > > > have multiple use cases like when users setup their rules for a db
> > > > on a test environment and then migrate them to production.
> > > >
> > > > What do you guys think?
> > > >
> > > > Thanks!
> > > >
> > >
> > >
> > >
> > > --
> > > Sravya Tirukkovalur
> > >
> >
>
>
>
> --
> Sravya Tirukkovalur
>
--
Sravya Tirukkovalur
RE: Import/ export rules for specific data objects
Posted by "Sun, Dapeng" <da...@intel.com>.
> I was mostly thinking auth object = database/table which would be beneficial in the above use case I mentioned. And we export all the permissions -> roles pertaining to this auth object and roles-> groups for those roles?
Okay, it will be useful, thanks.
+1, I guess "table" will be the table of a specific database, yes? Looking forward to see the feature.
Regards
Dapeng
-----Original Message-----
From: Sravya Tirukkovalur [mailto:sravya@cloudera.com]
Sent: Wednesday, July 01, 2015 2:25 AM
To: dev
Subject: Re: Import/ export rules for specific data objects
Thanks for the feedback folks! Filed
https://issues.apache.org/jira/browse/SENTRY-785 to track this feature.
On Tue, Jun 30, 2015 at 8:41 AM, Lenni Kuff <ls...@cloudera.com> wrote:
> +1 for supporting filtering on the auth object. I think it would be
> important to support wildcard characters (basically allow the filter
> to be a regex on the object name).
>
> Thanks,
> Lenni
>
> On Mon, Jun 29, 2015 at 10:32 AM, Sravya Tirukkovalur
> <sravya@cloudera.com
> >
> wrote:
>
> > I was mostly thinking auth object = database/table which would be
> > beneficial in the above use case I mentioned. And we export all the
> > permissions -> roles pertaining to this auth object and roles->
> > groups
> for
> > those roles?
> >
> > On Sun, Jun 28, 2015 at 9:59 PM, Sun, Dapeng <da...@intel.com>
> wrote:
> >
> > > Yes, it's a good idea.
> > >
> > > I think we should document what auth object we will support and
> > > which
> > rule
> > > will we export.
> > > For example, could the auth object be database, role and etc? and
> > > our policy rules are user->group->role->permission, which mapping
> > relationships
> > > will be exported?
> > >
> > >
> > > Regards
> > > Dapeng
> > >
> > > -----Original Message-----
> > > From: Ma, Junjie [mailto:junjie.ma@intel.com]
> > > Sent: Monday, June 29, 2015 9:06 AM
> > > To: dev@sentry.incubator.apache.org
> > > Subject: RE: Import/ export rules for specific data objects
> > >
> > >
> > > I thinks this is an useful feature for the migration. This can be
> > > an improvement of SENTRY-197, and we can created a new ticket to
> > > trace
> this.
> > >
> > > Best regards,
> > >
> > > Colin Ma(Ma Jun Jie)
> > >
> > > -----Original Message-----
> > > From: Sravya Tirukkovalur [mailto:sravya@apache.org]
> > > Sent: Sunday, June 28, 2015 2:07 AM
> > > To: dev
> > > Subject: Import/ export rules for specific data objects
> > >
> > > Hi fellow developers,
> > >
> > > We are working on the import/export feature of sentry rules as
> > > part of SENTRY-197. As a follow on I was wondering if it might
> > > help to add a functionality where we can export/ import rules for
> > > a specific auth
> > object.
> > > So for example: export sentry rules for database db1. I think this
> might
> > > have multiple use cases like when users setup their rules for a db
> > > on a test environment and then migrate them to production.
> > >
> > > What do you guys think?
> > >
> > > Thanks!
> > >
> >
> >
> >
> > --
> > Sravya Tirukkovalur
> >
>
--
Sravya Tirukkovalur
Re: Import/ export rules for specific data objects
Posted by Sravya Tirukkovalur <sr...@cloudera.com>.
Thanks for the feedback folks! Filed
https://issues.apache.org/jira/browse/SENTRY-785 to track this feature.
On Tue, Jun 30, 2015 at 8:41 AM, Lenni Kuff <ls...@cloudera.com> wrote:
> +1 for supporting filtering on the auth object. I think it would be
> important to support wildcard characters (basically allow the filter to be
> a regex on the object name).
>
> Thanks,
> Lenni
>
> On Mon, Jun 29, 2015 at 10:32 AM, Sravya Tirukkovalur <sravya@cloudera.com
> >
> wrote:
>
> > I was mostly thinking auth object = database/table which would be
> > beneficial in the above use case I mentioned. And we export all the
> > permissions -> roles pertaining to this auth object and roles-> groups
> for
> > those roles?
> >
> > On Sun, Jun 28, 2015 at 9:59 PM, Sun, Dapeng <da...@intel.com>
> wrote:
> >
> > > Yes, it's a good idea.
> > >
> > > I think we should document what auth object we will support and which
> > rule
> > > will we export.
> > > For example, could the auth object be database, role and etc? and our
> > > policy rules are user->group->role->permission, which mapping
> > relationships
> > > will be exported?
> > >
> > >
> > > Regards
> > > Dapeng
> > >
> > > -----Original Message-----
> > > From: Ma, Junjie [mailto:junjie.ma@intel.com]
> > > Sent: Monday, June 29, 2015 9:06 AM
> > > To: dev@sentry.incubator.apache.org
> > > Subject: RE: Import/ export rules for specific data objects
> > >
> > >
> > > I thinks this is an useful feature for the migration. This can be an
> > > improvement of SENTRY-197, and we can created a new ticket to trace
> this.
> > >
> > > Best regards,
> > >
> > > Colin Ma(Ma Jun Jie)
> > >
> > > -----Original Message-----
> > > From: Sravya Tirukkovalur [mailto:sravya@apache.org]
> > > Sent: Sunday, June 28, 2015 2:07 AM
> > > To: dev
> > > Subject: Import/ export rules for specific data objects
> > >
> > > Hi fellow developers,
> > >
> > > We are working on the import/export feature of sentry rules as part of
> > > SENTRY-197. As a follow on I was wondering if it might help to add a
> > > functionality where we can export/ import rules for a specific auth
> > object.
> > > So for example: export sentry rules for database db1. I think this
> might
> > > have multiple use cases like when users setup their rules for a db on a
> > > test environment and then migrate them to production.
> > >
> > > What do you guys think?
> > >
> > > Thanks!
> > >
> >
> >
> >
> > --
> > Sravya Tirukkovalur
> >
>
--
Sravya Tirukkovalur
Re: Import/ export rules for specific data objects
Posted by Lenni Kuff <ls...@cloudera.com>.
+1 for supporting filtering on the auth object. I think it would be
important to support wildcard characters (basically allow the filter to be
a regex on the object name).
Thanks,
Lenni
On Mon, Jun 29, 2015 at 10:32 AM, Sravya Tirukkovalur <sr...@cloudera.com>
wrote:
> I was mostly thinking auth object = database/table which would be
> beneficial in the above use case I mentioned. And we export all the
> permissions -> roles pertaining to this auth object and roles-> groups for
> those roles?
>
> On Sun, Jun 28, 2015 at 9:59 PM, Sun, Dapeng <da...@intel.com> wrote:
>
> > Yes, it's a good idea.
> >
> > I think we should document what auth object we will support and which
> rule
> > will we export.
> > For example, could the auth object be database, role and etc? and our
> > policy rules are user->group->role->permission, which mapping
> relationships
> > will be exported?
> >
> >
> > Regards
> > Dapeng
> >
> > -----Original Message-----
> > From: Ma, Junjie [mailto:junjie.ma@intel.com]
> > Sent: Monday, June 29, 2015 9:06 AM
> > To: dev@sentry.incubator.apache.org
> > Subject: RE: Import/ export rules for specific data objects
> >
> >
> > I thinks this is an useful feature for the migration. This can be an
> > improvement of SENTRY-197, and we can created a new ticket to trace this.
> >
> > Best regards,
> >
> > Colin Ma(Ma Jun Jie)
> >
> > -----Original Message-----
> > From: Sravya Tirukkovalur [mailto:sravya@apache.org]
> > Sent: Sunday, June 28, 2015 2:07 AM
> > To: dev
> > Subject: Import/ export rules for specific data objects
> >
> > Hi fellow developers,
> >
> > We are working on the import/export feature of sentry rules as part of
> > SENTRY-197. As a follow on I was wondering if it might help to add a
> > functionality where we can export/ import rules for a specific auth
> object.
> > So for example: export sentry rules for database db1. I think this might
> > have multiple use cases like when users setup their rules for a db on a
> > test environment and then migrate them to production.
> >
> > What do you guys think?
> >
> > Thanks!
> >
>
>
>
> --
> Sravya Tirukkovalur
>
Re: Import/ export rules for specific data objects
Posted by Sravya Tirukkovalur <sr...@cloudera.com>.
I was mostly thinking auth object = database/table which would be
beneficial in the above use case I mentioned. And we export all the
permissions -> roles pertaining to this auth object and roles-> groups for
those roles?
On Sun, Jun 28, 2015 at 9:59 PM, Sun, Dapeng <da...@intel.com> wrote:
> Yes, it's a good idea.
>
> I think we should document what auth object we will support and which rule
> will we export.
> For example, could the auth object be database, role and etc? and our
> policy rules are user->group->role->permission, which mapping relationships
> will be exported?
>
>
> Regards
> Dapeng
>
> -----Original Message-----
> From: Ma, Junjie [mailto:junjie.ma@intel.com]
> Sent: Monday, June 29, 2015 9:06 AM
> To: dev@sentry.incubator.apache.org
> Subject: RE: Import/ export rules for specific data objects
>
>
> I thinks this is an useful feature for the migration. This can be an
> improvement of SENTRY-197, and we can created a new ticket to trace this.
>
> Best regards,
>
> Colin Ma(Ma Jun Jie)
>
> -----Original Message-----
> From: Sravya Tirukkovalur [mailto:sravya@apache.org]
> Sent: Sunday, June 28, 2015 2:07 AM
> To: dev
> Subject: Import/ export rules for specific data objects
>
> Hi fellow developers,
>
> We are working on the import/export feature of sentry rules as part of
> SENTRY-197. As a follow on I was wondering if it might help to add a
> functionality where we can export/ import rules for a specific auth object.
> So for example: export sentry rules for database db1. I think this might
> have multiple use cases like when users setup their rules for a db on a
> test environment and then migrate them to production.
>
> What do you guys think?
>
> Thanks!
>
--
Sravya Tirukkovalur
RE: Import/ export rules for specific data objects
Posted by "Sun, Dapeng" <da...@intel.com>.
Yes, it's a good idea.
I think we should document what auth object we will support and which rule will we export.
For example, could the auth object be database, role and etc? and our policy rules are user->group->role->permission, which mapping relationships will be exported?
Regards
Dapeng
-----Original Message-----
From: Ma, Junjie [mailto:junjie.ma@intel.com]
Sent: Monday, June 29, 2015 9:06 AM
To: dev@sentry.incubator.apache.org
Subject: RE: Import/ export rules for specific data objects
I thinks this is an useful feature for the migration. This can be an improvement of SENTRY-197, and we can created a new ticket to trace this.
Best regards,
Colin Ma(Ma Jun Jie)
-----Original Message-----
From: Sravya Tirukkovalur [mailto:sravya@apache.org]
Sent: Sunday, June 28, 2015 2:07 AM
To: dev
Subject: Import/ export rules for specific data objects
Hi fellow developers,
We are working on the import/export feature of sentry rules as part of SENTRY-197. As a follow on I was wondering if it might help to add a functionality where we can export/ import rules for a specific auth object.
So for example: export sentry rules for database db1. I think this might have multiple use cases like when users setup their rules for a db on a test environment and then migrate them to production.
What do you guys think?
Thanks!
RE: Import/ export rules for specific data objects
Posted by "Ma, Junjie" <ju...@intel.com>.
I thinks this is an useful feature for the migration. This can be an improvement of SENTRY-197, and we can created a new ticket to trace this.
Best regards,
Colin Ma(Ma Jun Jie)
-----Original Message-----
From: Sravya Tirukkovalur [mailto:sravya@apache.org]
Sent: Sunday, June 28, 2015 2:07 AM
To: dev
Subject: Import/ export rules for specific data objects
Hi fellow developers,
We are working on the import/export feature of sentry rules as part of SENTRY-197. As a follow on I was wondering if it might help to add a functionality where we can export/ import rules for a specific auth object.
So for example: export sentry rules for database db1. I think this might have multiple use cases like when users setup their rules for a db on a test environment and then migrate them to production.
What do you guys think?
Thanks!