cdap sentry listPrivileges used to build privilege cache does not list priviliges for the user's group
Description
Release Notes
Fixed an issue where the CDAP Sentry Extension was not able to fetch privileges associated with a user's group.
Activity
Show:
Rohit Sinha March 18, 2017 at 4:05 AM
Fixed
Pinned fields
Click on the next to a field label to start pinning.
Created March 18, 2017 at 1:58 AM
Updated April 13, 2017 at 5:34 PM
Resolved March 20, 2017 at 2:23 AM
CDAP uses a privilege cache model for authorization enforcement. This cache is populated by listingPrivileges for a principal.
Sentry only supports adding groups to roles and the other way that is listing roles for a group and then from the roles getting the privilege. We are using our sentry integration listPrivilege to list listPrivileges with a Principal where principal type is a user so sentry just lists the privileges for the user's group.
For example, if we list privileges for Principal(name=ali, type=user) sentry listing privileges for group ali.
If ali belongs to some other group say developers then the privileges from developers are not populated in the cache.