Ranger:
- Goal: Bring it up on par with Sentry
- High-level design for tag-based policies
Revisit Authorization Model:
- Currently read on Dataset requires permission on Namespace
- How will UI show NS if privilege is just on DS?
- Need for non-hierarchical privileges
- Can users use roles and groups if they want - entity creation should not lead to .dot role creation.
- hierarchical privileges?
Sentry:
- Reduce number of roles created by Sentry
- User does not have its own group
- Cache Invalidation
...
- CDAP start time because of security
- https://issues.cask.co/browse/CDAP-11659
- One possibility to solve this is to not do any auth for the cdap user in the cdap namespace.
- Add new config for system admin on system namespace
- Revoking from admin users when they are removed from the list
- Role for instance and system admins; on every restart we remove all groups and add them again.
- Cleanup all privileges on namespace delete
- Debugging security issues
- Logger for every logged in user or MDC
ITN
- Review all pending PRs (Rohit)
- How many new test cases to add and how many are done (Yaojie)
- Refactoring to run same tests in
- Impersonation
- Namespace Level
- App Level
- Classic (No impersonation, authorization)
- Custom Mapping (Hive, HBase, HDFS)
- Authorization : More tests
- Artifact
- Dataset types
- Dataset modules
- Secure keys
...