You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@sentry.apache.org by "SentryQA (JIRA)" <ji...@apache.org> on 2014/02/13 04:33:19 UTC

[jira] [Commented] (SENTRY-115) Give bindings the ability to access the group mappings

    [ https://issues.apache.org/jira/browse/SENTRY-115?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13899977#comment-13899977 ] 

SentryQA commented on SENTRY-115:
---------------------------------

Here are the results of testing the latest attachment
https://issues.apache.org/jira/secure/attachment/12628610/SENTRY-115.4.patch against master.

{color:green}Overall:{color} +1 all checks pass

{color:green}SUCCESS:{color} all tests passed

Console output: http://bigtop01.cloudera.org:8080/job/PreCommit-SENTRY-Build/18/console

This message is automatically generated.

> Give bindings the ability to access the group mappings
> ------------------------------------------------------
>
>                 Key: SENTRY-115
>                 URL: https://issues.apache.org/jira/browse/SENTRY-115
>             Project: Sentry
>          Issue Type: New Feature
>    Affects Versions: 1.3.0
>            Reporter: Gregory Chanan
>            Assignee: Gregory Chanan
>         Attachments: SENTRY-115.4.patch, SENTRY-115v2.patch, SENTRY-115v4.patch
>
>
> This is a use case for document-level security with solr.
> In this setup, the solr document itself would store the authorization tokens, rather than having them stored directly in sentry.  It wouldn't be feasible to store them directly in sentry, as there could be million of documents, and storing them in say, an .ini file would be expensive and slow.
> Instead, the sentry binding would grab the groups associated with the user, and modify the user's query in order to only return documents that contain (at least one) of the user's groups in the auth tokens.
> Today, there is no way for the binding layer to access the mapping service; the group mapping happens "behind the scenes" when hasAccess is called.  The simplest way of providing this functionality is probably to add a function to get the GroupMappingService from the AuthorizationProvider.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)