<input> - will have to be provided by users, no autocomplete
[input] - autocomplete will be available
| Function | Existing Command | Proposed Change | Comments |
|---|---|---|---|
| Grant | security grant entity <entity-id> principal-type <principal-type> principal-name <principal-name> actions <actions> | grant actions <actions> on entity <entity-id> to [principal-type] <principal-name> | Should we make these role-based only like Sentry? Or allow users and groups too? |
| Revoke | security revoke entity <entity-id> principal-type <principal-type> principal-name <principal-name> actions <actions> | revoke actions <actions> on entity <entity-id> from [principal-type] <principal-name> | |
| Check Access | security access entity <entity-id> principal-type <principal-type> principal-name <principal-name> actions <actions> | Remove. | |
| Create Role | - | create role <role-name> | |
| Drop Role | - | drop role <role-name> | |
| List Roles | - | list roles | |
| Add role to group | - | add role <role-name> to group <group-name> | Q: Should we allow adding roles to users as well? Sentry only supports adding to groups. |
| Remove role from group | - | remove role <role-name> from group <group-name> | |
| List roles for group | - | list roles for group <group-name> | |
| List privileges for role | - | list privileges for role <role-name> | |
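
The proposed commands above, modelled as a small in-memory interpreter; this is an added example, not code from the project. It assumes role-only principals (the direction settled on in the comments below), comma-separated action lists, and that `drop role` also removes the role from every group; `RoleStore` and its method names are hypothetical.

```python
import re
from collections import defaultdict

class RoleStore:
    """Toy in-memory model of the proposed commands; semantics are assumed."""
    def __init__(self):
        self.privs = {}                      # role -> {(entity, action)}
        self.group_roles = defaultdict(set)  # group -> {role}

    def create_role(self, role):
        self.privs.setdefault(role, set())

    def drop_role(self, role):
        del self.privs[role]                 # KeyError if the role is unknown
        for roles in self.group_roles.values():
            roles.discard(role)              # cascade: groups lose the dropped role

    def grant(self, actions, entity, role):
        self.privs[role] |= {(entity, a) for a in actions.split(",")}

    def revoke(self, actions, entity, role):
        self.privs[role] -= {(entity, a) for a in actions.split(",")}

    def add_role(self, role, group):
        if role not in self.privs:
            raise KeyError(role)
        self.group_roles[group].add(role)

    def remove_role(self, role, group):
        self.group_roles[group].discard(role)

    COMMANDS = [  # proposed syntax with [principal-type] fixed to "role"
        (r"create role (\S+)", create_role),
        (r"drop role (\S+)", drop_role),
        (r"grant actions (\S+) on entity (\S+) to role (\S+)", grant),
        (r"revoke actions (\S+) on entity (\S+) from role (\S+)", revoke),
        (r"add role (\S+) to group (\S+)", add_role),
        (r"remove role (\S+) from group (\S+)", remove_role),
        (r"list roles", lambda s: sorted(s.privs)),
        (r"list roles for group (\S+)", lambda s, g: sorted(s.group_roles[g])),
        (r"list privileges for role (\S+)", lambda s, r: sorted(s.privs[r])),
    ]

    def run(self, line):
        for pattern, handler in self.COMMANDS:
            match = re.fullmatch(pattern, line.strip())
            if match:
                return handler(self, *match.groups())
        raise ValueError(f"unrecognized command: {line}")
```

The removed `security access` form is rejected as unrecognized; a caller that needs a yes/no answer can derive it from the `(entity, action)` pairs returned by `list privileges for role`.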
 

9 Comments

  1. Should we make these role-based only like Sentry? Or allow users and groups too?

    How would it map to Sentry if we allow users? Would we create a pseudo role for each user in Sentry?

    1. Sentry has feature requests open for supporting grants/revokes on users/groups. If I'm not wrong, Apache Ranger is user/group based. Maybe we can say that we only support roles right now, and update these APIs when we integrate with other products?

        1. Cool. I'll update the APIs to allow grants on only roles right now then. We can extend it when we integrate with other products.

  2. Q: Should we allow adding roles to users as well? Sentry only supports adding to groups.

    Similar, how would that translate to Sentry? 

  3. I like the new command syntax a lot better. Is the functionality to check privileges removed on purpose? Because it is not needed?

    1. I just feel that for a user-facing interface like REST API, CLI, UI, showing a list of privileges for a given Principal is much more useful than showing if a Principal is authorized to perform an action on an entity. The latter seems more like an enforcement scenario that is more suitable for enforcement checks in the platform.

      1. Seems like an API that returns a list of privileges is much better than something that just returns true or false.

  4. Thanks for adding that.