sentry-commits mailing list archives

From "Gregory Chanan (JIRA)" <>
Subject [jira] [Commented] (SENTRY-19) Add support for solr index-level authorization
Date Mon, 07 Oct 2013 19:29:52 GMT


Gregory Chanan commented on SENTRY-19:

Thank you for the careful reading, Shreepadma.

bq. Today, Sentry doesn't provide support for built-in superusers. However, superusers can
be defined in the policy file. Looks like Solr requires solr user to be defined as a superuser
in the policy file.

Good point.  I don't think we need support for superusers, at least for a first version. 
What I was thinking was that the solr custom component would have some code like:
  if ("solr".equals(user)) {
    // skip check
  } else {
    // call hasAccess(...) on Sentry
  }
and we could let the name be parameterizable via java system props or the like.  If sentry
had some built-in notion of a superuser we could use that as well, but like I said, not strictly
necessary for a first version.

bq.  Will the first version support users = collection=index1->action=Query and a later
version support users = namespace = * -> collection = index1 -> shard = * -> action
= Query?

The first version will support "users = collection=index1->action=Query".  The string "users
= namespace = * -> collection = index1 -> shard = * -> action = Query" is just a
thought experiment to prove that our model is extensible; there are no current plans to
implement namespace or shard granularity security.

bq.  It will be useful to put together a table of which operations require which privileges
along with how privileges are inherited. It's mentioned as future work, but probably worth
adding it so that the model is clear.

I agree on the first part, "which operations require which privileges."  On the privilege
inheritance, you mean something like Table 2, here:
 I thought since I only have one model object type that wasn't relevant.  Am I missing something?

> Add support for solr index-level authorization
> ----------------------------------------------
>                 Key: SENTRY-19
>                 URL:
>             Project: Sentry
>          Issue Type: New Feature
>            Reporter: Gregory Chanan
>            Assignee: Gregory Chanan
>         Attachments: SolrSentryIndexLevelSecurity.pdf
> I want to use sentry in order to build index-level authorization controls for solr.
> I'll post a design document to this JIRA next week.
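
The check sketched in the message above, written out as an added Java example (not code from the message, Sentry or Solr). The class, the property name `solr.authz.superuser` and the in-memory `hasAccess` stand-in are hypothetical, and the user passed to `authorize` is assumed to be the authenticated principal rather than a name taken from the request.

```java
import java.util.*;

// Added illustration; every name here is hypothetical, not a Sentry or Solr API.
public class IndexAuthzSketch {
    // Assumed property name; the message only says "java system props or the like".
    static final String SUPERUSER_PROP = "solr.authz.superuser";

    // Parse "collection=index1->action=Query" into {collection=index1, action=Query}.
    static Map<String, String> parsePrivilege(String s) {
        Map<String, String> parts = new LinkedHashMap<>();
        for (String kv : s.split("->")) {
            String[] pair = kv.split("=", 2);
            if (pair.length != 2 || pair[0].trim().isEmpty() || pair[1].trim().isEmpty())
                throw new IllegalArgumentException("malformed privilege part: " + kv);
            parts.put(pair[0].trim(), pair[1].trim());
        }
        return parts;
    }

    // Stand-in for "call hasAccess(...) on Sentry": exact match on both parts.
    static boolean hasAccess(List<Map<String, String>> granted, String collection, String action) {
        for (Map<String, String> p : granted)
            if (collection.equals(p.get("collection")) && action.equals(p.get("action")))
                return true;
        return false;
    }

    static boolean authorize(String user, List<Map<String, String>> granted,
                             String collection, String action) {
        if (user == null || user.isEmpty()) return false;   // unauthenticated: deny
        String superuser = System.getProperty(SUPERUSER_PROP, "solr");
        // An empty configured name must never match, or the bypass would be open.
        if (!superuser.isEmpty() && superuser.equals(user)) return true; // skip check
        return hasAccess(granted, collection, action);
    }

    public static void main(String[] args) {
        // Constructed sample: the privilege string quoted in the message.
        List<Map<String, String>> granted =
            List.of(parsePrivilege("collection=index1->action=Query"));
        System.out.println("alice Query index1:  " + authorize("alice", granted, "index1", "Query"));
        System.out.println("alice Update index1: " + authorize("alice", granted, "index1", "Update"));
        System.out.println("solr Update index2:  " + authorize("solr", granted, "index2", "Update"));
        System.out.println("null Query index1:   " + authorize(null, granted, "index1", "Query"));
    }
}
```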
