sentry-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dapeng Sun (JIRA)" <>
Subject [jira] [Updated] (SENTRY-498) Sentry integration with Hive authorization framework V2
Date Tue, 03 Nov 2015 05:20:27 GMT


Dapeng Sun updated SENTRY-498:
    Affects Version/s: hive_plugin_v2

> Sentry integration with Hive authorization framework V2 
> --------------------------------------------------------
>                 Key: SENTRY-498
>                 URL:
>             Project: Sentry
>          Issue Type: New Feature
>    Affects Versions: hive_plugin_v2
>            Reporter: Xiaomeng Huang
>            Assignee: Dapeng Sun
>              Labels: roadmap
>             Fix For: hive_plugin_v2
>         Attachments: SENTRY-498.003.patch, SENTRY-498.004-hive_plugin_v2.patch, SENTRY-498.005-hive_plugin_v2.patch,
SENTRY-498.007-hive_plugin_v2.patch, SENTRY-498.008-hive_plugin_v2.patch
> Currently Sentry grant/revoke privileges via hook DDLTask, and do authorization via HiveSemanticAnalyzerHook.
Now hive has a pluggable authorization framework via exposing some interfaces HiveAccessController
and HiveAuthorizationValidator. HiveAccessController is used to grant/revoke roles and privileges.
HiveAuthorizationValidator is used to do fine-grained authorization. 
> Advantages to use this framework to grant/revoke privileges and do authorization:
> - This framework is very convenient to use by external authorization system. 
> - Using this framework will be better accepted by community.
> - We don't need to take efforts to add so many hooks. 
> - Some hooks has limitations. e.g. For column level security, we can't get accessed cloumns
from query via HiveSemanticAnalyzerHook, so I extend the readEntity to put accessed columns
into it(HIVE-7730). But if we use this framework, we don't need to extend the readEntity,
we can just get accessed columns from ColumnAccessInfo directly. 
> I will not remove the old sentry authorization framework, I will just add a new authorizationV2
via implement Hive authorization framework. If all the e2e tests passed, we can mark the old
authorization deprecated.

This message was sent by Atlassian JIRA

View raw message