You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@kylin.apache.org by Sonny Heer <so...@gmail.com> on 2017/09/16 22:23:12 UTC
Kylin acl - ldap
Kylin versions is 1.6
Is there a way to give full access to a project? Currently we are able to
give access to a project via ROLE in ldap, but that doesn't allow user to
sync/load hive tables (the blue buttons are missing). Also unable to edit
model. In order to give that permission we have to edit group to add
kylin-admins, but then user has full access to all projects.
Question:
when only allowing a custom ROLE access to projectA - shouldn't the user be
able to load tables/ edit models?
Thanks
Re: Kylin acl - ldap
Posted by Sonny Heer <so...@gmail.com>.
Any updates on this issue? Has it been fixed in later versions? we are on
1.6
On Fri, Sep 22, 2017 at 5:34 PM, Li Yang <li...@apache.org> wrote:
> The JIRA is good. Thanks Sonny!
>
> On Tue, Sep 19, 2017 at 8:46 AM, Sonny Heer <so...@gmail.com> wrote:
>
>> Here is the JIRA: https://issues.apache.org/jira/browse/KYLIN-2878
>>
>> Let me know if more info is needed. The basic idea is non-admin ldap
>> group / role with full permissions to projectA should allow user in that
>> group to edit model and sync tables within projectA.
>>
>> Thanks!
>>
>> On Sun, Sep 17, 2017 at 12:36 AM, Li Yang <li...@apache.org> wrote:
>>
>>> This is good proposal. Could a JIRA be created?
>>>
>>> A little history. Before KYLIN-2717
>>> <https://issues.apache.org/jira/browse/KYLIN-2717>, a table is global
>>> and is shared by all projects. Only system admin can sync Hive table, as it
>>> will have system wide impact.
>>>
>>> Once KYLIN-2717 <https://issues.apache.org/jira/browse/KYLIN-2717> is
>>> done, tables are isolated by project, we will be ready to grant table
>>> permissions to project level admin.
>>>
>>> On Sun, Sep 17, 2017 at 6:23 AM, Sonny Heer <so...@gmail.com> wrote:
>>>
>>>> Kylin versions is 1.6
>>>>
>>>> Is there a way to give full access to a project? Currently we are able
>>>> to give access to a project via ROLE in ldap, but that doesn't allow user
>>>> to sync/load hive tables (the blue buttons are missing). Also unable to
>>>> edit model. In order to give that permission we have to edit group to add
>>>> kylin-admins, but then user has full access to all projects.
>>>>
>>>> Question:
>>>>
>>>> when only allowing a custom ROLE access to projectA - shouldn't the
>>>> user be able to load tables/ edit models?
>>>>
>>>> Thanks
>>>>
>>>
>>>
>>
>
Re: Kylin acl - ldap
Posted by Li Yang <li...@apache.org>.
The JIRA is good. Thanks Sonny!
On Tue, Sep 19, 2017 at 8:46 AM, Sonny Heer <so...@gmail.com> wrote:
> Here is the JIRA: https://issues.apache.org/jira/browse/KYLIN-2878
>
> Let me know if more info is needed. The basic idea is non-admin ldap
> group / role with full permissions to projectA should allow user in that
> group to edit model and sync tables within projectA.
>
> Thanks!
>
> On Sun, Sep 17, 2017 at 12:36 AM, Li Yang <li...@apache.org> wrote:
>
>> This is good proposal. Could a JIRA be created?
>>
>> A little history. Before KYLIN-2717
>> <https://issues.apache.org/jira/browse/KYLIN-2717>, a table is global
>> and is shared by all projects. Only system admin can sync Hive table, as it
>> will have system wide impact.
>>
>> Once KYLIN-2717 <https://issues.apache.org/jira/browse/KYLIN-2717> is
>> done, tables are isolated by project, we will be ready to grant table
>> permissions to project level admin.
>>
>> On Sun, Sep 17, 2017 at 6:23 AM, Sonny Heer <so...@gmail.com> wrote:
>>
>>> Kylin versions is 1.6
>>>
>>> Is there a way to give full access to a project? Currently we are able
>>> to give access to a project via ROLE in ldap, but that doesn't allow user
>>> to sync/load hive tables (the blue buttons are missing). Also unable to
>>> edit model. In order to give that permission we have to edit group to add
>>> kylin-admins, but then user has full access to all projects.
>>>
>>> Question:
>>>
>>> when only allowing a custom ROLE access to projectA - shouldn't the user
>>> be able to load tables/ edit models?
>>>
>>> Thanks
>>>
>>
>>
>
Re: Kylin acl - ldap
Posted by Sonny Heer <so...@gmail.com>.
Here is the JIRA: https://issues.apache.org/jira/browse/KYLIN-2878
Let me know if more info is needed. The basic idea is non-admin ldap group
/ role with full permissions to projectA should allow user in that group to
edit model and sync tables within projectA.
Thanks!
On Sun, Sep 17, 2017 at 12:36 AM, Li Yang <li...@apache.org> wrote:
> This is good proposal. Could a JIRA be created?
>
> A little history. Before KYLIN-2717
> <https://issues.apache.org/jira/browse/KYLIN-2717>, a table is global and
> is shared by all projects. Only system admin can sync Hive table, as it
> will have system wide impact.
>
> Once KYLIN-2717 <https://issues.apache.org/jira/browse/KYLIN-2717> is
> done, tables are isolated by project, we will be ready to grant table
> permissions to project level admin.
>
> On Sun, Sep 17, 2017 at 6:23 AM, Sonny Heer <so...@gmail.com> wrote:
>
>> Kylin versions is 1.6
>>
>> Is there a way to give full access to a project? Currently we are able
>> to give access to a project via ROLE in ldap, but that doesn't allow user
>> to sync/load hive tables (the blue buttons are missing). Also unable to
>> edit model. In order to give that permission we have to edit group to add
>> kylin-admins, but then user has full access to all projects.
>>
>> Question:
>>
>> when only allowing a custom ROLE access to projectA - shouldn't the user
>> be able to load tables/ edit models?
>>
>> Thanks
>>
>
>
Re: Kylin acl - ldap
Posted by Li Yang <li...@apache.org>.
This is good proposal. Could a JIRA be created?
A little history. Before KYLIN-2717
<https://issues.apache.org/jira/browse/KYLIN-2717>, a table is global and
is shared by all projects. Only system admin can sync Hive table, as it
will have system wide impact.
Once KYLIN-2717 <https://issues.apache.org/jira/browse/KYLIN-2717> is done,
tables are isolated by project, we will be ready to grant table permissions
to project level admin.
On Sun, Sep 17, 2017 at 6:23 AM, Sonny Heer <so...@gmail.com> wrote:
> Kylin versions is 1.6
>
> Is there a way to give full access to a project? Currently we are able to
> give access to a project via ROLE in ldap, but that doesn't allow user to
> sync/load hive tables (the blue buttons are missing). Also unable to edit
> model. In order to give that permission we have to edit group to add
> kylin-admins, but then user has full access to all projects.
>
> Question:
>
> when only allowing a custom ROLE access to projectA - shouldn't the user
> be able to load tables/ edit models?
>
> Thanks
>