Overview of Security Changes in 4.3

1. Authorizer API Changes

  • Deprecated createFilter() API. CDAP will not use it from 4.3
  •  Added new isVisible(Set<EntityId>, Principal) API

2. Model Changes

  • Hierarchical privileges are replaced with Wildcard privileges
  • Pre grant will be allowed and CDAP will no more do auto grant/revoke
  • CDAP authorization policies will change in 4.3 for convenient authorization privilege management
  • Added a notion of visibility which defines who can see an entity. An entity is visible to a user if the user has privilege on the entity or any of its descendant. 

3. Ranger Integration

  • Ranger extension will be packaged in RPM bundle
  • Admins will be able to do privilege management using Ranger UI
  • CDAP will do enforcement through privileges in Ranger
  • There must be a CDAP user who has privilege on all resources in CDAP for the resource lookup to work

Created in 2020 by Google Inc.