Versions Compared

Old Version 29

changes.mady.by.user shenggu

Saved on

compared with

New Version Current

changes.mady.by.user andreas

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Task marked complete

...

  •  User stories documented (Shenggu)
  •  User stories reviewed (Nitin)
  •  Design documented (Shenggu)
  •  Design reviewed (Andreas)
  •  Feature merged (Shenggu)
  •  Integration tests (Shenggu)
  •  Documentation for feature (Shenggu)
  •  Blog post (Shenggu)

...

  • As a Hue admin, I should be able to easily configure CDAP as a plugin app in the Hue system
  • As a CDAP user or a CDAPadmin, I should be able to explore the entities of CDAP (Namespace->Application->Program(->subprogram), Namespace->Stream/Dataset/Aritifacts) in Cloudera Hue's UI.
  • As a CDAP user, I should be able to perform all the ACL management operations provided by Apache Sentry through Cloudera Hue's admin UI.
    • CDAP superusers can manage all the rules
    • A user/groups who have ADMIN on one entity can give ACL on that entity to other users/groups

 

Scenerios

#Scenario 1

A user (typically a CDH user) is using Hue for exploring and managing ACL and other operations for all the different services on their cluster. He would prefer to use Hue and the consistent UI to manage ACLs for CDAP from a central place rather than separately in CDAP UI. 

...

Communication with Apache SENTRY is enabled by SENTRY's thrift service. When admin grants/ revokes certain privileges through the Hue UI, it will be propagated to the SENTRY system and take effects on the further request coming from CDAP. In design one Hue will talk to the Sentry directly while design two take advantage of the Sentry Client apis built in CDAP to do so. We prefer the second one since it Although the second design involves less code modification in Hue and it favors future change of security functionalities (as we have to change both in Hue and in CDAP for the first design in this case)to be implemented, we will still implement design one as it is compatible with the behaviors of other plugins(hive/hdfs) in Hue and it is suitable for more cases(a security breach for instance). To work on design one, the Hue itself will also talk to sentry and have a separate keytab file to get authenticated with kerberos

UI Mockup

One possible UI layout is shown below. All the entities in CDAP can be listed hierarchically in the left. When click on one specific entity, user is able to view the detailed properties of this entity and manage the acl rules associated with this entity. The actual UI may vary in colors and relative layout of elements but stick to this concept.

...

URLResponse
GET /cdap/index.mako (main page)
GET /cdap/details/path/to/entity/entity_idjson of entity properties
GET /cdap/acl/path/to/entity/entity_idjson of entity ACLs
POST /cdap/acl/add/entity_id/ --data {groupid, operationoperations}200 ok / 500 error
POST /cdap/acl/revoke/entity_id/ --data {groupid, operations}200 ok / 500 error
  
  
 

 

The operations here include {READ | WRITE | EXECUTE | ADMIN | ALL}. Multiple operations can be granted/revoked at once.

 

Out of Scope

In the above design, the system only supports listing all entities in CDAP and perform ACL management on these entities, while there is no full-support for managing the entities. These cases are listed as below and might be supported in the future.

...