Posted to dev@sentry.apache.org by Sravya Tirukkovalur <sr...@cloudera.com> on 2016/02/02 22:33:44 UTC

Re: Nomenclature for group and role associations in the shell

Thanks for bringing this up Greg! So here is what I understand:

There are three options for naming the process of setting group:role
mapping:

1. Add role to group
2. Grant role to group
3. Assign role to group

Most popular database systems like Oracle[1], Postgres[2] support "grant"
role to group. And even Hive, Impala support "grant".

I too think grant voids the += issue. Although assign sounds better in some
aspects like we will have unique terms for each operation, IMO grant is the
best for the mentioned reasons.

[1]: http://www.techonthenet.com/oracle/roles.php
[2]: http://www.postgresql.org/docs/9.0/static/role-membership.html

On Fri, Jan 29, 2016 at 4:33 PM, Gregory Chanan <gc...@cloudera.com>
wrote:

> Over in https://issues.apache.org/jira/browse/SENTRY-1032 we've been going
> back and forth on how to name the process of associating a role and group.
>
> The generic client and the original shell code use "add role to group".
> This immediately struck me as sounding funny, because if you view roles and
> groups as somewhat symmetric to groups and users (this is how they are
> specified in the file-based model with local groups, i.e. groups are made
> up of users and roles are made up of groups), you would typically say
> "add user to group" not "add group to user".  In other words, it wasn't
> clear to me which of {roles,groups} should be added to the other.
>
> So I looked at what wikipedia had to say about this (
> https://en.wikipedia.org/wiki/Role-based_access_control).  Here's the
> quote:
> Role assignment: A subject can exercise a permission only if the subject
> has selected or been assigned a role.
>
> I think we can agree that "select" is not a good term, because of its use
> in the database model.
>
> "Assign" seems promising, although it has the downside in programming of
> not being additive (i.e. it means '=' not '+=').  But in this context it
> definitely means '+=' (assigning a role to a group doesn't imply the group
> drops all their other roles).
>
> "Grant" is another option that voids the += issue, although it's nice that
> it is used in the singular context of granting a privilege to a role.
>
> I'm slightly in favor of using "assign" because then we have unique terms
> for each step, i.e.:
> - add user to a group
> - assign role to a group
> - grant privilege to a role
>
> Opinions?
>



-- 
Sravya Tirukkovalur
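As an added illustration of the model Greg describes (groups made up of users, roles granted to groups, privileges granted to roles) and of his '=' versus '+=' point, here is a small Python sketch. It is constructed for this thread, not Sentry's own code; the user, group, role and privilege names are placeholders.

```python
from collections import defaultdict


class RoleGroupMapping:
    """Toy model of the three-level chain discussed in the thread (constructed,
    not Sentry's implementation): users are added to groups, roles are granted
    to groups, privileges are granted to roles. A user holds a privilege only
    through some role, which is the RBAC rule quoted from Wikipedia."""

    def __init__(self):
        self.group_users = defaultdict(set)      # group -> users
        self.group_roles = defaultdict(set)      # group -> roles
        self.role_privileges = defaultdict(set)  # role  -> privileges

    def add_user_to_group(self, user, group):
        self.group_users[group].add(user)

    def grant_role_to_group(self, role, group):
        # '+=' semantics: the group keeps every role it already had.
        self.group_roles[group].add(role)

    def set_group_roles(self, group, roles):
        # '=' semantics, what "assign" means in programming: earlier roles are
        # dropped. The thread agrees the shell must NOT behave this way.
        self.group_roles[group] = set(roles)

    def revoke_role_from_group(self, role, group):
        self.group_roles[group].discard(role)

    def grant_privilege_to_role(self, privilege, role):
        self.role_privileges[role].add(privilege)

    def roles_of_user(self, user):
        # Union of the roles of every group the user belongs to.
        return {r for g, users in self.group_users.items() if user in users
                for r in self.group_roles[g]}

    def privileges_of_user(self, user):
        return {p for r in self.roles_of_user(user)
                for p in self.role_privileges[r]}

    def can(self, user, privilege):
        return privilege in self.privileges_of_user(user)


def build_example():
    """Constructed sample mapping; names are placeholders, not real policy."""
    m = RoleGroupMapping()
    m.add_user_to_group("alice", "analysts")
    m.grant_privilege_to_role("select:db1.t1", "reader")
    m.grant_privilege_to_role("insert:db1.t1", "writer")
    m.grant_role_to_group("reader", "analysts")
    m.grant_role_to_group("writer", "analysts")  # additive: "reader" is kept
    return m
```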

Re: Nomenclature for group and role associations in the shell

Posted by Gregory Chanan <gc...@cloudera.com>.
Thanks Sravya.  In a vacuum, "grant" doesn't seem ideal, given that even the
PostgreSQL docs draw a distinction between the two (
http://www.postgresql.org/docs/9.0/static/sql-grant.html):

"The GRANT command has two basic variants: one that grants privileges on a
database object (table, column, view, sequence, database, foreign-data
wrapper, foreign server, function, procedural language, schema, or
tablespace), and one that grants membership in a role. These variants are
similar in many ways, but they are different enough to be described
separately."

But there is value in already accepted usage and it's probably not worth us
redefining terms here.  So, I agree with you, let's go with grant.

Greg

On Tue, Feb 2, 2016 at 1:33 PM, Sravya Tirukkovalur <sr...@cloudera.com>
wrote: