...
TBD: either using CDAP CLI or via external systems like Sentry CLI or Hue
- After some digging we think we should rule out Sentry CLI as it's a relatively new feature added in Sentry 1.7 (https://issues.apache.org/jira/browse/SENTRY-749)
  - CDH 5.5 is still on Sentry 1.5 and it looks like they are not going to get to Sentry 1.7 anytime soon (http://repository.cloudera.com/cloudera/cloudera-repos/org/apache/sentry/sentry-core-common/)
Questions
- How does CDAP get sentry-site.xml? Path provided via cConf?
- Distinguishing Read/Write access is perhaps out of scope of 3.4, since we will need changes to the Dataset Framework
- Can access to all entities be authorized in one go? If so, how?
- How does the hierarchy work? e.g. a write to a stream requires READ permission on the namespace plus WRITE permission on the stream
- In a secure/kerberos environment, what does it take to communicate with the Sentry Server?
- Given that Sentry has a slightly data-engine-based schema, will we need some updates to the policy store to contain CDAP-specific tables for storing CDAP privileges, e.g. SENTRY_CDAP_PRIVILEGE and SENTRY_CDAP_PRIVILEGE_MAP tables?
- What about instance-level authorization? Would users need to be authorized to a given CDAP instance as well, along with the namespace and entity?
- Do we need an EXECUTE operation just for the Programs entity? Can we say that any user who has READ can run the program?
...