Versions Compared

Old Version 59

changes.mady.by.user Rohit Sinha

Saved on

compared with

New Version 60

changes.mady.by.user Rohit Sinha

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

 
EntityOperationRequired PrivilegesResultant Privileges
Namespacecreate ADMIN (Instance)ADMIN (Namespace)
 updateADMIN (Namespace) 
 list/getREAD (Instance) 
 deletegetREAD (Namespace) 
 set preferencedeleteADMIN (Namespace) 
 get set preference ApplicationdeployWRITE (Namespace) 
 get preferenceREAD (Namespace) 
 updatesearchREAD (Namespace) 
deleteApplication  set preferencedeployWRITE (Namespace)ADMIN (Application)
  get preferencegetREAD (Application) 
 add metadata listREAD (Namespace) get metadata
 Programsstart/stop/debugupdateADMIN (Application) 
 set instancesdeleteADMIN (Application) 
 set runtime argspreferenceWRITE (Application) 
 get instance preferenceREAD (Application) get runtime args
  set preferenceadd metadataADMIN (Application) 
 get preference metadataREAD (Application) 
 get status 
 get historyProgramsstart/stop/debugEXECUTE (Program) 
  add metadataset instancesADMIN (Program) 
 get metadata listREAD (Namespace) emit logs
  view logsset runtime argsEXECUTE (Program) 
 emit metrics get runtime argsREAD (Program) view metrics
 Streamscreateget instancesREAD (Program) 
 update properties set preferenceADMIN (Program) 
delete  truncateget preferenceREAD (Program) 
 enqueue
asyncEnqueue
batch		get statusREAD (Program) 
 get history READ (Program) 
read events  set preferencesadd metadataADMIN (Program) 
 get preferences  metadataREAD (Program) 
add metadata emit logsWRITE (question) (Program) 
 get metadataview logsREAD (Program) 
 emit metricsWRITE (question) (Program) 
 view metricsREAD (Program) 
StreamsDatasetslist createWRITE (Namespace)ADMIN (Stream)
 get update propertiesADMIN (Stream) 
create  updatedeleteADMIN (Stream) 
 drop  executeAdmin (exists/truncate/upgradetruncateADMIN (Stream) 
 add metadataenqueue
 asyncEnqueue
 get metadatabatchWRITE (Stream) 
 emit metrics getREAD (Stream) view metrics
 Stream ViewscreatelistREAD (Namespace) 
 deleteread eventsREAD (Stream) 
 listset preferencesADMIN (Stream) 
 get preferencesREAD (Stream) 
 add metadata ADMIN (Stream) 
 get metadata READ (Stream) 
   view lineageREAD (Stream) 
   emit metricsWRITE (question) (Stream) 
 

Namespace: 

NamespaceHttpHandler
getAllNamespaces
getNamespace
updateNamespaceProperties
create
delete
deleteDatasets

App:

AppLifecycleHttpHandler
deploy
deploy
getAllApps
getAppInfo
deleteApp
deleteAllApps
updateApp

 

Stream:

StreamHandler
init
destroy
getInfo
create
enqueue
asyncEnqueue
batch
truncate
delete
setConfig

 

Metadata:

getAppMetadata
getProgramMetadata
getArtifactMetadata
getDatasetMetadata
getStreamMetadata
getViewMetadata
getAppProperties
getArtifactProperties
getProgramProperties
getDatasetProperties
getStreamProperties
getViewProperties
addAppProperties
addArtifactProperties
addProgramProperties
addDatasetProperties
addStreamProperties
addViewProperties
removeAppMetadata
removeArtifactMetadata
removeProgramMetadata
removeDatasetMetadata
removeStreamMetadata
removeViewMetadata
removeAppProperties
removeAppProperty
removeArtifactProperties
removeArtifactProperty
removeProgramProperties
removeProgramProperty
removeDatasetProperties
removeDatasetProperty
removeStreamProperties
removeViewProperties
removeStreamProperty
removeViewProperty
addAppTags
addArtifactTags
addProgramTags
addDatasetTags
addStreamTags
addViewTags
getAppTags
getArtifactTags
getProgramTags
getDatasetTags
getStreamTags
getViewTags
removeAppTags
removeAppTag
removeArtifactTags
removeArtifactTag
removeProgramTags
removeProgramTag
removeDatasetTags
removeDatasetTag
removeStreamTags
removeViewTags
removeStreamTag
removeViewTag
searchMetadata

 

Lineage:

datasetLineage
streamLineage
getAccessesForRun

 

Log:

...

view metricsREAD (Stream) 
DatasetslistREAD (Namespace) 
 getREAD (Dataset) 
 createWRITE (Namespace)ADMIN (Dataset)
 updateADMIN (Dataset) 
 dropADMIN (Dataset) 
 executeAdmin (exists/truncate/upgrade)ADMIN (Dataset) 
 add metadataADMIN (Dataset) 
 get metadataREAD (Dataset) 
 view lineageREAD (Dataset) 
 emit metricsWRITE (question) (Dataset) 
 view metricsREAD (Dataset) 
Stream ViewcreateWRITE (Namespace) & ADMIN (Stream)ADMIN (Stream View)
 deleteADMIN (Stream View) 
 listREAD (Namespace) & READ (Stream)  
 getREAD (Stream View) 
 add metadataADMIN (Stream View) 
 get metadataREAD (Stream View) 

 

Integration with Apache Sentry

...

  1. How does CDAP get sentry-site.xml? Path provided via cConf?
  2. Distinguishing Read/Write access is perhaps out of scope of 3.4, since we will need changes to Dataset Framework
  3. Can access to all entities be authorized in one go? If so, how? 
  4. How does hierarchy work? e.g. write to stream requires READ perms on namespace + write perms on stream
  5. In a secure/kerberos environment, what does it take to communicate with the Sentry Server?
  6. In a secure/kerberos environment, what does it take to communicate with the Sentry Server?
  7. Given that Sentry has a slightly data-engine-based schema, will we need some updates to the policy store to contain CDAP specific tables for storing CDAP Privileges? SENTRY_CDAP_PRIVILEGE and SENTRY_CDAP_PRIVILEGE_MAP tables?
  8. What about instance-level authorization? Would users need to be authorized to a given CDAP instance as well, along with the namespace and entity?
  9. Do we need EXECUTE operation just for Programs entity. Can we say that any user who has READ can run the program ? 

Discussion Bhooshan & Rohit 02/17

 

CDAP SpecificExternal Auth Service: SentryACL Management
  1. Provide Authorization Hooks in CDAP
    1. Intercept all HTTP calls
    2. Thrift calls
    3. Access to data from programs
  1. Modules to implement
    1. Binding
    2. Model
    3. Policy
    4. E2E Tests
  1. Should CDAP do ACL Management
    1. CLI
    2. HTTP Handlers

    3. If we assume ACLs are set in Sentry through Sentry
      what if we switch to Dataset based store.

2. Authorization Checks

Code Block
titleCheck
for a given user/group and type of access
	if allowed:
		perform operation
	else:
		throw AuthException

2. Figuring out how to interact with Sentry

    • SentryGenericServiceClient
    • How to know where Sentry is running?

 

 

 
3. We need an Authorization interface  

Discussion with Gokul 02/08

  • Push down ACLs  - No HBase support in Sentry
  • Custom datasets - how do you recognize read/writes
  • How do you distinguish between read/write
  • Sentry Integration - needs follow-ups
  • Performance (num RPC calls)
  • Sentry Persistent Storage - PolicyStoreProvider
  • Interactions with Auth system
  • Sentry web-app for UI may need customizations in Hue
  • How does switching between authorization enabled/disabled work

Out-of-scope User Stories (3.5 and beyond)

  1. As a CDAP admin, I should be able to authorize reads/writes to datasets
  2. As a CDAP admin, I should be able to authorize metadata changes to CDAP entities
  3. As a CDAP system, I should be able to push down ACLs to storage providers
  4. As a CDAP admin, I should be able to authorize reads/writes to custom datasets
  5. As a CDAP system, I should be able to judge, document and improve the performance impact of authorization
  6. As a CDAP authorization system, I should be able to interact with an external authentication system
  7. As a CDAP admin, I should be able to use external UIs like Hue for ACL Management
  8. As a CDAP admin, I should be able to see an audit log of all authorization-related changes in CDAP

...