sentry-commits mailing list archives

From "Gregory Chanan (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SENTRY-1032) Rename shell command group/role shell commands and implement with solr shell
Date Sat, 30 Jan 2016 00:05:39 GMT

    [ https://issues.apache.org/jira/browse/SENTRY-1032?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15124476#comment-15124476 ]

Gregory Chanan commented on SENTRY-1032:
----------------------------------------

bq. So I do not think grant in the case of role is non-intuitive. Although, I prefer assign,
as it goes well with saying assign the group "dept_A_engineers" to role "PCI_compliant_access_role"
for example.

Well, grant isn't currently used in the generic context to talk about roles/groups, so I'm
not arguing something different here.  Agreed on your second point about assign.

bq. Role can be thought of as a collection of groups, but in which case the opposite is also
true: Group is a collection of roles. It is a many-to-many relationship.

Sure, although you could make the same argument about users and groups and I've never heard
anyone say "add group to user".  I wouldn't say a group is a collection of roles.  I'd phrase
it as a group _has a_ collection of roles and it _is_ a collection of users.  If we accept
that people say "add group to user" we are using the term add as in both a _has a_ and _is
a_ context.  That's why I preferred using a different term.

{quote}Groups usually come from Active Directory, so user:group mappings happen first and
they are pretty much set up just once in a company when a new employee joins. Roles are specific
to data access rules. Some groups in the company can have powers to see sensitive data and
some might not. So assigning a role to a group happens next once they figure out which groups
can access what.{quote}

That makes sense.  In this case, I'd propose we go with "assign group to role" so group comes
first.

> Rename shell command group/role shell commands and implement with solr shell
> ----------------------------------------------------------------------------
>
>                 Key: SENTRY-1032
>                 URL: https://issues.apache.org/jira/browse/SENTRY-1032
>             Project: Sentry
>          Issue Type: Task
>          Components: Service
>    Affects Versions: 1.7.0
>            Reporter: Gregory Chanan
>            Assignee: Gregory Chanan
>         Attachments: SENTRY-1032.patch
>
>
> --add_role_group is a bit confusing because the command is to add group to role (i.e.
> the objects are reversed).  Let's change this before it is released and we need to support
> backwards compatibility.
> Same for --delete_role_group.
> Also, these commands are not implemented with SentryShellSolr.  Let's do that.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
