Fix user based grant in cdap sentry extension
Description
Release Notes
Users can now grant and revoke privileges for UNIX groups and users when using Apache Sentry as the authorization extension for CDAP.
Activity
Rohit Sinha March 23, 2017 at 2:38 AM
Rohit Sinha March 22, 2017 at 11:47 PM
@Bhooshan Mogal suggested that we keep the support for granting privileges to a user in the Sentry extension, as CDAP should be agnostic to the authorization backend and its limitations as such.
So we will be adding support to revoke privileges from a user for feature completion.
Rohit Sinha March 22, 2017 at 6:41 PM
@Bhooshan Mogal: I am going to disable user-based grants from users. User-based grants will only be done if the requesting user is cdap (cdap principal). If a user tries to perform a grant from the CDAP CLI or REST UI to a user, SentryAuthorizer will throw an exception.
Now, for user-based grants by CDAP Sentry, we don't need revoke as such, as it's tied to the owner of the entity and will be removed when the entity is deleted.
Fixed
Created March 17, 2017 at 9:56 PM
Updated April 15, 2017 at 4:24 PM
Resolved March 24, 2017 at 7:05 PM
Sentry only supports grants on a role and expects roles to be given to groups. This is a bit inconvenient, and CDAP works around it by creating an entity role during entity creation. To support this, the CDAP Sentry extension allows user-based grants, which are needed to support entity creation in CDAP by a user, although we should restrict an end user from doing this.
Even if we decide to keep supporting this, we should provide a way to revoke, which we don't have right now.