Security Tasks 4.3
Ranger:
- Goal: Bring it on par with sentry
- High level design for tag based policies
Revisit Authorization Model:
- Currently read on Dataset requires permission on Namespace
- Disadvantages:
- Dataset READ/WRITE require some permission on the namespace like READ. But since privileges are hierarchical this will lead to READ on every entity inside the namespace.
- Disadvantages:
- Having EXECUTE on a program does not allow user to run the program unless he has some privilege on the Application.
- To see the program in UI some privilege is needed on the application
- Need for non hierarchical privileges ?
- Managing non-hierarchical privileges can be cumbersome for admins
- Managing non-hierarchical privileges can be cumbersome for admins
- Revoke all from an entity leads to entity with no privileges leading to an unusable entity
- What happens if the only user who has ADMIN on the entity disappears from LDAP for some reason ?
- Updating system artifacts is not possible since only cdap has access on system namespace.
- Define the behavior on changing privileges
- Existing program containers
- New program containers
- System container
- Master
Sentry:
- Reduce number of roles created by Sentry
- Backward compatibility
- Handle cases where user does not have its own group
- Cache invalidation in case of group privilege change
- Performance testing
- Grant on roles fail if the granting user does not have the same privilege (CDAP-9305)
General
- Decouple grant/revoke from entity creation
- Support granting/revoke outside CDAP
- Sentry CLI for CDAP
- Support using existing roles and group
- Allow user to set their current role in CDAP CLI
- Reduce CDAP start time because of security
- CDAP system service access to system datasets should bypass authorization. (https://issues.cask.co/browse/CDAP-11659)
- Revoking privileges from admin users when they are removed from that instance.admin config
- Role for instance and system admins and every restart we remove all groups and add again.
- On namespace/entity delete some privileges are left over
- Debugging
- Security issues
- MDC based trace logging for a user (dynamic configuration)
- Performance of security extensions
- Instrumentation of security extension calls
- Security issues
- Flow start behavior is inconsistent with authorization (CDAP-8568)
ITN
- Review all pending PRs (Rohit)
- How many new test cases to add and how many are done (Yaojie)
- Refactoring to run same tests in
- Impersonation
- Namespace Level
- App Level
- Classic (No impersonation, authorization)
- Custom Mapping (Hive, Hbase, HDFS)
- Authorization : More tests
- Artifact
- Pipeline
- Dataset types
- Dataset modules
- Secure keys
Stretch goals for 4.3
- Tag based enforcement in Ranger
- startTLS for LDAP
- Service Authorization
- Only work with push down privileges to underlying storage provider (for environments which does not have sentry or ranger)
Week 1: Jul 5 - Jul 7
- Authorization Model Design
- Sentry Model design
- Ranger Integration
- Continue integration tests
Dataset Modules
| Operation | Existing Privileges | New Privileges |
|---|---|---|
| Deploy | WRITE (on the namespace) | |
| Delete | ADMIN | |
| Delete-all in the namespace | ADMIN (on the namespace) | |
| List | Only returns those artifacts on which user has at least one of READ, WRITE, EXECUTE, or ADMIN | |
| View | At least one of READ, WRITE, EXECUTE, or ADMIN |
Created in 2020 by Google Inc.