sentry-commits mailing list archives

From "Gregory Chanan (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SENTRY-19) Add support for solr index-level authorization
Date Mon, 07 Oct 2013 19:29:52 GMT

    [ https://issues.apache.org/jira/browse/SENTRY-19?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13788479#comment-13788479 ]

Gregory Chanan commented on SENTRY-19:
--------------------------------------

Thank you for the careful reading, Shreepadma.

bq. Today, Sentry doesn't provide support for built-in superusers. However, superusers can
be defined in the policy file. Looks like Solr requires solr user to be defined as a superuser
in the policy file.

Good point.  I don't think we need support for superusers, at least for a first version. 
What I was thinking was that the solr custom component would have some code like:
{code}
  // Compare string contents with equals(); == only compares object references in Java.
  if ("solr".equals(user)) {
    // skip check
  } else {
    // call hasAccess(...) on Sentry
  }
{code}
and we could let the name be parameterizable via java system props or the like.  If sentry
had some built-in notion of a superuser we could use that as well, but like I said, not strictly
necessary for a first version.

bq.  Will the first version support users = collection=index1->action=Query and a later
version support users = namespace = * -> collection = index1 -> shard = * -> action
= Query?

The first version will support "users = collection=index1->action=Query".  The string "users
= namespace = * -> collection = index1 -> shard = * -> action = Query" is just a
thought experiment to prove that our model is extensible; there are no current plans to
implement namespace or shard granularity security.

bq.  It will be useful to put together a table of which operations require which privileges
along with how privileges are inherited. It's mentioned as future work, but probably worth
adding it so that the model is clear.

I agree on the first part, " which operations require which privileges."  On the privilege
inheritance, you mean something like Table 2, here: http://www.cloudera.com/content/cloudera-content/cloudera-docs/CDH4/latest/CDH4-Security-Guide/cdh4sg_Sentry.html?
 I thought since I only have one model object type that wasn't relevant.  Am I missing something?

> Add support for solr index-level authorization
> ----------------------------------------------
>
>                 Key: SENTRY-19
>                 URL: https://issues.apache.org/jira/browse/SENTRY-19
>             Project: Sentry
>          Issue Type: New Feature
>            Reporter: Gregory Chanan
>            Assignee: Gregory Chanan
>         Attachments: SolrSentryIndexLevelSecurity.pdf
>
>
> I want to use sentry in order to build index-level authorization controls for solr.
> I'll post a design document to this JIRA next week.



--
This message was sent by Atlassian JIRA
(v6.1#6144)
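
The bypass user and the `collection=index1->action=Query` privilege string discussed in the message above, as an added Java sketch that is not Sentry's or Solr's code. The class, method and system property names are hypothetical, and treating the left-hand `users` as a group name is an assumption.

```java
import java.util.*;

// Added sketch, not Sentry or Solr code; every name below is hypothetical.
public class IndexAuthzSketch {
    // Assumed property name; the message only says the name could come from system props.
    static final String BYPASS_USER = System.getProperty("sketch.bypass.user", "solr");

    // "collection=index1->action=Query" -> {collection=index1, action=Query}
    static Map<String, String> parsePrivilege(String s) {
        Map<String, String> out = new LinkedHashMap<>();
        for (String part : s.split("->")) {
            String[] kv = part.split("=", 2);
            if (kv.length != 2 || kv[0].trim().isEmpty() || kv[1].trim().isEmpty())
                throw new IllegalArgumentException("malformed privilege: " + s);
            out.put(kv[0].trim(), kv[1].trim());
        }
        return out;
    }

    // grants: left-hand name of a policy line (assumed to be a group) -> privileges.
    static boolean isAllowed(String user, Set<String> groups, String collection,
                             String action, Map<String, List<String>> grants) {
        if (user == null) return false;              // no identity: deny
        if (BYPASS_USER.equals(user)) return true;   // exact match only, skips the check
        for (String group : groups) {
            for (String grant : grants.getOrDefault(group, List.of())) {
                Map<String, String> p = parsePrivilege(grant);
                // A grant carrying other scopes (namespace, shard) is not widened here.
                if (!p.keySet().equals(Set.of("collection", "action"))) continue;
                if (collection.equals(p.get("collection")) && action.equals(p.get("action")))
                    return true;
            }
        }
        return false;                                // default deny
    }

    public static void main(String[] args) {
        // Constructed policy and requests.
        Map<String, List<String>> grants =
            Map.of("users", List.of("collection=index1->action=Query"));
        Set<String> g = Set.of("users");
        System.out.println(isAllowed("alice", g, "index1", "Query", grants));
        System.out.println(isAllowed("alice", g, "index2", "Query", grants));
        System.out.println(isAllowed("solr", Set.of(), "index2", "Update", grants));
        System.out.println(isAllowed("Solr", Set.of(), "index1", "Query", grants));
    }
}
```

The bypass is only as strong as the source of `user`: it has to be the authenticated principal, not a value taken from the request.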
