...
- Reduce number of roles created by Sentry
- Backward compatibility
- Handle cases where user does not have its own group
- Cache invalidation in case of group privilege change
- Performance testing
- Grant on roles fail if the granting user does not have the same privilege (CDAP-9305)
General
- Decouple grant/revoke from entity creation
- Support granting/revoke outside CDAP
- Sentry CLI for CDAP
- Support using existing roles and group
- Allow user to set roles
- Reduce CDAP start time because of security
- CDAP system service access to system datasets should bypass authorization. (https://issues.cask.co/browse/CDAP-11659)
- Revoking privileges from admin users when they are removed from that instance.admin config
- Role for instance and system admins and every restart we remove all groups and add again.
- On namespace/entity delete some privileges are left over
- Debugging
- Security issues
- MDC based trace logging for a user (dynamic configuration)
- Performance of security extensions
- Instrumentation of security extension calls
- Security issues
- Decouple grant/revoke from entity creation
- Support granting/revoke outside CDAP (sentry cli)
ITN
- Review all pending PRs (Rohit)
- How many new test cases to add and how many are done (Yaojie)
- Refactoring to run same tests in
- Impersonation
- Namespace Level
- App Level
- Classic (No impersonation, authorization)
- Custom Mapping (Hive, Hbase, HDFS)
- Authorization : More tests
- Artifact
- Pipeline
- Dataset types
- Dataset modules
- Secure keys
...
- Tag based enforcement in Ranger
- startTLS for LDAP
- Service AuthorizationSupport using existing roles and group
- Only work with push down privileges to underlying storage provider (for environments which does not have sentry or ranger)