Ranger:
- Goal: Bring it on par with Sentry
- High-level design for tag-based policies
Revisit Authorization Model:
- Currently read on Dataset requires permission on Namespace
- How will the UI show the NS if the privilege is just on the DS?
- Need for non-hierarchical privileges?
Sentry:
- Reduce number of roles created by Sentry
- User does not have its own group
- Cache Invalidation
General
- CDAP start time because of security
- https://issues.cask.co/browse/CDAP-11659
- One possibility to solve this would be to not do any auth for the cdap user in the cdap namespace.
- Add new config for system admin on system namespace
- Revoking from admin users when they are removed from list
- Role for instance and system admins; on every restart we remove all groups and add them again.
- Cleanup all privileges on namespace delete
- Debugging security issues
- Logger for every logged in user or MDC
ITN
- Review all pending PRs (Rohit)
- How many new test cases to add and how many are done (Yaojie)
- Refactoring to run same tests in
- Impersonation
- Namespace Level
- App Level
- Classic (No impersonation, authorization)
- Custom Mapping (Hive, HBase, HDFS)
- Authorization : More tests
- Artifact
- Dataset types
- Dataset modules
- Secure keys
Moving out of 4.3
- startTLS for LDAP
- Service Authorization
- Tag-based enforcement in Ranger