sentry-commits mailing list archives

From "Sravya Tirukkovalur (JIRA)" <>
Subject [jira] [Commented] (SENTRY-1032) Rename shell command group/role shell commands and implement with solr shell
Date Fri, 29 Jan 2016 23:46:39 GMT


Sravya Tirukkovalur commented on SENTRY-1032:

bq. I don't think we should use the term "grant" when talking about roles and groups because
it overloads the term with respect to privileges. Let's reserve the term grant for privileges.
If I say "grant x to y" and we respect the above I know x is a privilege and y is a role.
Less thinking involved.

Effectively, to grant a user a privilege, we need to:
1. Find the role which has the required privileges (or create a role and grant the required
privileges to it), and
2. Grant/assign this role to the group which the user belongs to.

So I do not think grant in the case of role is non-intuitive, although I prefer assign, as
it goes well with saying assign the group "dept_A_engineers" to role "PCI_compliant_access_role",
for example.

bq. Groups are collections of users and roles are collections of groups. 

A role can be thought of as a collection of groups, but in that case the opposite is also true:
a group is a collection of roles. It is a many-to-many relationship.

bq. I'm interested in your point that "groups come first". Can you describe that workflow?

Groups usually come from Active Directory, so user:group mappings happen first, and they are
pretty much set up just once in a company when a new employee joins. Roles are specific to
data access rules. Some groups in the company can have powers to see sensitive data and some
might not. So assigning a role to a group happens next, once they figure out which groups can
access what.

> Rename shell command group/role shell commands and implement with solr shell
> ----------------------------------------------------------------------------
>                 Key: SENTRY-1032
>                 URL:
>             Project: Sentry
>          Issue Type: Task
>          Components: Service
>    Affects Versions: 1.7.0
>            Reporter: Gregory Chanan
>            Assignee: Gregory Chanan
>         Attachments: SENTRY-1032.patch
> --add_role_group is a bit confusing because the command is to add group to role (i.e.
> the objects are reversed).  Let's change this before it is released and we need to support
> backwards compatibility.
> same for --delete_role_group.
> Also, these commands are not implemented with SentryShellSolr.  Let's do that.

This message was sent by Atlassian JIRA
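
The user → group → role → privilege chain discussed in this message, as an added example that is not part of the original message and is not Sentry code. The class, its method names, the user names, the second group and the privilege string are constructed for illustration; the keyword-only arguments show one way to keep role and group from being swapped, the confusion the issue description raises.

```python
from collections import defaultdict


class PolicyModel:
    """Toy in-memory model of the chain above (hypothetical, not Sentry's API)."""

    def __init__(self, user_groups):
        # user:group mappings exist first, e.g. synced from a directory service.
        self.user_groups = {u: set(g) for u, g in user_groups.items()}
        self.role_privileges = defaultdict(set)  # role  -> privileges
        self.group_roles = defaultdict(set)      # group -> roles (many to many)

    def grant_privilege(self, *, privilege, role):
        """'grant x to y': x is always a privilege, y is always a role."""
        self.role_privileges[role].add(privilege)

    def assign_role(self, *, role, group):
        """Keyword-only, so a swapped role/group cannot pass silently."""
        known_groups = set().union(*self.user_groups.values())
        if group not in known_groups:
            raise ValueError(f"unknown group: {group}")
        self.group_roles[group].add(role)

    def privileges_for_user(self, user):
        """Union of privileges of every role assigned to any of the user's groups."""
        privileges = set()
        for group in self.user_groups.get(user, ()):
            for role in self.group_roles.get(group, ()):
                privileges |= self.role_privileges[role]
        return privileges

    def groups_for_role(self, role):
        """Reverse view of the same relation: the role as a collection of groups."""
        return {g for g, roles in self.group_roles.items() if role in roles}


def demo():
    # Constructed sample data; only the first group and the role name come from the message.
    model = PolicyModel({"alice": {"dept_A_engineers"}, "bob": {"dept_B_sales"}})
    # Step 1: find or create the role and grant the required privilege to it.
    model.grant_privilege(privilege="query:payments", role="PCI_compliant_access_role")
    # Step 2: assign the role to the group the user belongs to.
    model.assign_role(role="PCI_compliant_access_role", group="dept_A_engineers")
    return model
```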
