...
- Currently read on Dataset requires permission on Namespace
- How will UI show NS if privilege is just on DS ?Disadvantages:
- Dataset READ/WRITE require some permission on the namespace like READ. But since privileges are hierarchical this will lead to READ on every entity inside the namespace.
- How will UI show NS if privilege is just on DS ?Disadvantages:
- Having EXECUTE on a program does not allow user to run the program unless he has some privilege on the Application.
- To see the program in UI some privilege is needed on the application
- Need for non hierarchical privileges ?
- Managing non-hierarchical privileges can be cumbersome
- Managing non-hierarchical privileges can be cumbersome
Sentry:
- Reduce number of roles created by Sentry
- User does not have its own group
- Cache Invalidation
- Revoke all from an entity leads to entity with no privilege which cannot be used
General
- CDAP start time because of security
- https://issues.cask.co/browse/CDAP-11659
- One possibility to solve this will be to don't do any auth for cdap user in cdap namespace.
- Add new config for system admin on system namespace
- Revoking from admin users when they are removed from list
- Role for instance and system admins and every restart we remove all groups and add again.
- Cleanup all privileges on namespace delete
- Debugging security issues
- Logger for every logged in user or MDC
...