Page tree
Skip to end of metadata
Go to start of metadata


  • Goal: Bring it on par with sentry
  • High level design for tag based policies

Revisit Authorization Model:

  • Currently read on Dataset requires permission on Namespace
    • Disadvantages: 
      • Dataset READ/WRITE require some permission on the namespace like READ. But since privileges are hierarchical this will lead to READ on every entity inside the namespace.
  • Having EXECUTE on a program does not allow user to run the program unless he has some privilege on the Application. 
    • To see the program in UI some privilege is needed on the application
  • Need for non hierarchical privileges ?
    • Managing non-hierarchical privileges can be cumbersome for admins
  • Revoke all from an entity leads to entity with no privileges leading to an unusable entity
    • What happens if the only user who has ADMIN on the entity disappears from LDAP for some reason ?
  • Updating system artifacts is not possible since only cdap has access on system namespace.
  • Define the  behavior on changing privileges
    • Existing program containers
    • New program containers
    • System container
    • Master


  • Reduce number of roles created by Sentry
    • Backward compatibility
  • Handle cases where user does not have its own group
  • Cache invalidation in case of group privilege change
    • Performance testing
  • Grant on roles fail if the granting user does not have the same privilege (CDAP-9305)


  • Decouple grant/revoke from entity creation
    • Support granting/revoke outside CDAP 
    • Sentry CLI for CDAP
    • Support using existing roles and group
      • Allow user to set their current role in CDAP CLI
  • Reduce CDAP start time because of security
  • Revoking privileges from admin users when they are removed from that instance.admin config
    • Role for instance and system admins and every restart we remove all groups and add again.
  • On namespace/entity delete some privileges are left over 
  • Debugging 
    • Security issues 
      • MDC based trace logging for a user (dynamic configuration)
    • Performance of security extensions
      • Instrumentation of security extension calls
  • Flow start behavior is inconsistent with authorization (CDAP-8568)


  • Review all pending PRs (Rohit)
  • How many new test cases to add and how many are done (Yaojie)
  • Refactoring to run same tests in
    • Impersonation
      • Namespace Level
      • App Level
      • Classic (No impersonation, authorization)
    • Custom Mapping (Hive, Hbase, HDFS)
  • Authorization : More tests
    • Artifact
    • Pipeline
    • Dataset types
    • Dataset modules
    • Secure keys

Stretch goals for 4.3 

  1. Tag based enforcement in Ranger
  2. startTLS for LDAP
  3. Service Authorization
  4. Only work with push down privileges to underlying storage provider (for environments which does not have sentry or ranger)



Week 1: Jul 5 - Jul 7

  • Authorization Model Design
    • Sentry Model design
  • Ranger Integration
  • Continue integration tests



Dataset Modules

OperationExisting PrivilegesNew Privileges
DeployWRITE (on the namespace) 
Delete-all in the namespaceADMIN (on the namespace) 
ListOnly returns those artifacts on which user has at least one of READ, WRITE, EXECUTE, or ADMIN 
ViewAt least one of READ, WRITE, EXECUTE, or ADMIN 
  • No labels