Ranger:
- Goal: Bring it up with Sentry
- High level design for tag based policies
Revisit Authorization Model:
- Read on Dataset required permission on NS
- How will UI show NS if privilege is just on DS
- Need for non-hierarchical privileges
- Can users use roles and groups if they want - entity creation should not lead to .dot role creation.
How does HBase show list_namespace if permission is only on the table…
Sentry:
- Reduce roles
- User does not have its own group
- Cache Invalidation
General
- CDAP start time because of security
- https://issues.cask.co/browse/CDAP-11659
- One possibility to solve this is to not do any auth for the cdap user in the cdap namespace.
- Add new config for system admin on system namespace
- Revoking from admin users when they are removed from the list
- Role for instance and system admins; on every restart we remove all groups and add them again.
- Cleanup all privileges on namespace delete
- Debugging security issues
- Logger for every logged in user or MDC
ITN
- Review all pending PRs (Rohit)
- How many new test cases to add and how many are done (Yaojie)
- Refactoring to run same tests in
- Impersonation
- Namespace Level
- App Level
- Classic (No impersonation, authorization)
- Custom Mapping (Hive, HBase, HDFS)
- Authorization : More tests
- Artifact
- Dataset types
- Dataset modules
- Secure keys
Moving out of 4.3
- startTLS for LDAP
- Service Authorization
- Tag based enforcement in Ranger