...
Sentry: Provides a service for managing privileges and propagating those privileges to third-party systems like Hive and HDFS.
Group: Can be associated with multiple users.
Role: Can be associated with multiple groups. E.g. admin, guest.
Privilege: An entity and action pair; can be associated with a role.
HTTP Handler Integration
- For the UI and CLI to hide unauthorized actions, we need a way to associate an HTTP path with a set of required privileges. E.g. "GET /namespaces/foo" -> (entity="namespace:foo", action=SELECT).
- We need a non-repetitive way to perform authorization in the HTTP handler methods.
*Handler: Converts HTTP requests into method calls on *Managers. Converts the method call result into an HTTP response.
*Manager: Performs operations on entities like namespaces and applications.
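One way to meet both HTTP handler requirements with a single route table, shown as an added Python sketch that is not the project's own code. The DROP action, the user and group names, and the function names are assumptions made for illustration; the "namespace:foo" entity form and SELECT come from the example above.

```python
import re
from functools import wraps

# Constructed sample data. One table serves both enforcement and UI/CLI hiding.
ROUTES = [  # (HTTP method, path template, entity template, action)
    ("GET", "/namespaces/{ns}", "namespace:{ns}", "SELECT"),
    ("DELETE", "/namespaces/{ns}", "namespace:{ns}", "DROP"),  # DROP is assumed
]
USER_GROUPS = {"alice": {"ops"}, "bob": {"visitors"}}
GROUP_ROLES = {"ops": {"admin"}, "visitors": {"guest"}}
ROLE_PRIVILEGES = {
    "admin": {("namespace:foo", "SELECT"), ("namespace:foo", "DROP")},
    "guest": {("namespace:foo", "SELECT")},
}

def required_privilege(method, path):
    """Return the (entity, action) a request needs, or None if unmapped."""
    for verb, template, entity, action in ROUTES:
        pattern = re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template)
        match = re.fullmatch(pattern, path)
        if verb == method and match:
            return entity.format(**match.groupdict()), action
    return None

def is_authorized(user, method, path):
    """Resolve user -> groups -> roles -> privileges; unmapped paths are denied."""
    needed = required_privilege(method, path)
    if needed is None:
        return False
    return any(
        needed in ROLE_PRIVILEGES.get(role, ())
        for group in USER_GROUPS.get(user, ())
        for role in GROUP_ROLES.get(group, ())
    )

def authorized(handler):
    """Decorator so handler methods carry no per-method authorization code."""
    @wraps(handler)
    def wrapper(user, method, path):
        if not is_authorized(user, method, path):
            return 403, "forbidden"
        return handler(user, method, path)
    return wrapper

@authorized
def namespace_handler(user, method, path):
    # A real *Handler would call a *Manager here and convert its result.
    return 200, f"{method} {path} ok"
```

A UI or CLI can call `is_authorized` with the same table to decide which actions to hide, while the decorator enforces the check on the server; hiding an action in the client is not a substitute for the server-side check.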