sentry-commits mailing list archives

From "Gregory Chanan (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SENTRY-1032) Rename shell command group/role shell commands and implement with solr shell
Date Fri, 29 Jan 2016 20:10:39 GMT

    [ https://issues.apache.org/jira/browse/SENTRY-1032?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15124124#comment-15124124 ]

Gregory Chanan commented on SENTRY-1032:
----------------------------------------

Here's my thinking [~sravya]:

- I don't think we should use the term "grant" when talking about roles and groups because it overloads the term with respect to privileges.  Let's reserve the term grant for privileges.  If I say "grant x to y" and we respect the above I know x is a privilege and y is a role.  Less thinking involved.
- On "Theoretically I do not see a difference between "adding a group to a role" versus "adding a role to a group"": my argument for "add a group to role" versus "add a role to a group" is symmetry between users and groups.  Groups are collections of users and roles are collections of groups.  You don't say "add a group to a user", you say "add a user to a group", so you should say "add a group to role" not "add a role to group".
- "Also, all our client apis use addRoleToGroups deleteRoleFromGroups" -- the reason I brought this up with the shell is that this is the first time these terms are really exposed to the end user.  They should be as clear as possible in that case; the client apis are more internal and we can evolve them compatibly as we go.

I'm interested in your point that "groups come first".  Can you describe that workflow?  I
thought that the role has to exist before you can associate a group with it.  Certainly we
should be guided by the user's workflow here -- maybe we just need a different term than "add"
or "grant".



> Rename shell command group/role shell commands and implement with solr shell
> ----------------------------------------------------------------------------
>
>                 Key: SENTRY-1032
>                 URL: https://issues.apache.org/jira/browse/SENTRY-1032
>             Project: Sentry
>          Issue Type: Task
>          Components: Service
>    Affects Versions: 1.7.0
>            Reporter: Gregory Chanan
>            Assignee: Gregory Chanan
>         Attachments: SENTRY-1032.patch
>
>
> --add_role_group is a bit confusing because the command is to add group to role (i.e.
> the objects are reversed).  Let's change this before it is released and we need to support
> backwards compatibility.
> same for --delete_role_group.
> Also, these commands are not implemented with SentryShellSolr.  Let's do that.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
