Discussion Bhooshan & Rohit 02/17

for a given user/group and type of access
	if allowed:
		perform operation
	else:
		throw AuthException

Discussion with Gokul 02/08

• Push down ACLs  - No HBase support in Sentry
• Custom datasets - how do you recognize read/writes
• How do you distinguish between read/write
• Sentry Integration - needs follow-ups
• Performance (num RPC calls)
• Sentry Persistent Storage - PolicyStoreProvider
• Interactions with Auth system
• Sentry web-app for UI may need customizations in Hue
• How does switching between authorization enabled/disabled work

Out-of-scope User Stories (3.5 and beyond)

1. As a CDAP admin, I should be able to authorize reads/writes to datasets
2. As a CDAP admin, I should be able to authorize metadata changes to CDAP entities
3. As a CDAP system, I should be able to push down ACLs to storage providers
4. As a CDAP admin, I should be able to authorize reads/writes to custom datasets
5. As a CDAP system, I should be able to judge, document and improve the performance impact of authorization
6. As a CDAP authorization system, I should be able to interact with an external authentication system
7. As a CDAP admin, I should be able to use external UIs like Hue for ACL Management
8. As a CDAP admin, I should be able to see an audit log of all authorization-related changes in CDAP
9. As a CDAP admin, I should be able to authorize all thrift-based traffic, so transaction management is also authorized.