sentry-commits mailing list archives

From "Ryan P (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (SENTRY-980) Allow connected users to perform operations typically reserved for admins.
Date Tue, 08 Dec 2015 21:27:10 GMT

     [ https://issues.apache.org/jira/browse/SENTRY-980?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ryan P updated SENTRY-980:
--------------------------
    Description: 
As it stands only users that fall into one of the configured ADMIN_GROUPS can make calls such
as list_sentry_roles_by_group. This can cause issues for applications such as Impala which
have not been configured as an admin group. 

Technically it is a requirement for Impala to be granted these elevated privileges. There
are however a few specific use cases where this is not acceptable. 

I propose that we loosen the requirements slightly to allow users configured in ALLOW_CONNECT
to perform admin operations. This value should already only be used by services which implement
Sentry, not as end users. 



  was:
As it stands only users that fall into one of the configured ADMIN_GROUPS can make calls such
as list_sentry_roles_by_group. This can cause issues for applications such as Impala which
have not been configured as a admin group. 

Technically it is a requirement for Impala to be granted these elevated privileges. There
are however a few specific use cases where this is not acceptable. 

I propose that we loosen the requirements slightly to allow users configured in ALLOW_CONNECT
to perform admin operations. This value should already only be used by services which implement
Sentry, not as end users. 




> Allow connected users to perform operations typically reserved for admins. 
> ---------------------------------------------------------------------------
>
>                 Key: SENTRY-980
>                 URL: https://issues.apache.org/jira/browse/SENTRY-980
>             Project: Sentry
>          Issue Type: Improvement
>            Reporter: Ryan P
>            Priority: Minor
>
> As it stands only users that fall into one of the configured ADMIN_GROUPS can make calls
> such as list_sentry_roles_by_group. This can cause issues for applications such as Impala
> which have not been configured as an admin group.
> Technically it is a requirement for Impala to be granted these elevated privileges. There
> are however a few specific use cases where this is not acceptable.
> I propose that we loosen the requirements slightly to allow users configured in ALLOW_CONNECT
> to perform admin operations. This value should already only be used by services which implement
> Sentry, not as end users.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
