Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 11 Next »

Ranger:

  • Goal: Bring it on par with sentry
  • High level design for tag based policies

Revisit Authorization Model:

  • Currently read on Dataset requires permission on Namespace
    • Disadvantages: 
      • Dataset READ/WRITE require some permission on the namespace like READ. But since privileges are hierarchical this will lead to READ on every entity inside the namespace.
  • Having EXECUTE on a program does not allow user to run the program unless he has some privilege on the Application. 
    • To see the program in UI some privilege is needed on the application
  • Need for non hierarchical privileges ?
    • Managing non-hierarchical privileges can be cumbersome for admins
  • Revoke all from an entity leads to entity with no privileges leading to an unusable entity
    • What happens if the only user who has ADMIN on the entity disappears from LDAP for some reason ?
  • Updating system artifacts is not possible since only cdap has access on system namespace.

Sentry:

  • Reduce number of roles created by Sentry
    • Backward compatibility
  • Handle cases where user does not have its own group
  • Cache invalidation in case of group privilege change
    • Performance testing
  • Grant on roles fail if the granting user does not have the same privilege (CDAP-9305)

General

  • Reduce CDAP start time because of security
  • Revoking privileges from admin users when they are removed from that instance.admin config
    • Role for instance and system admins and every restart we remove all groups and add again.
  • On namespace/entity delete some privileges are left over 
  • Debugging 
    • Security issues 
      • MDC based trace logging for a user (dynamic configuration)
    • Performance of security extensions
      • Instrumentation of security extension calls
  • Decouple grant/revoke from entity creation
    • Support granting/revoke outside CDAP (sentry cli)

ITN

  • Review all pending PRs (Rohit)
  • How many new test cases to add and how many are done (Yaojie)
  • Refactoring to run same tests in
    • Impersonation
      • Namespace Level
      • App Level
      • Classic (No impersonation, authorization)
    • Custom Mapping (Hive, Hbase, HDFS)
  • Authorization : More tests
    • Artifact
    • Pipeline
    • Dataset types
    • Dataset modules
    • Secure keys

Stretch goals for 4.3 

  1. Tag based enforcement in Ranger
  2. startTLS for LDAP
  3. Service Authorization
  4. Support using existing roles and group
  • No labels