Authorization Design

Definitions

Sentry: Provides a service for managing privileges and propagating those privileges to third-party systems like Hive and HDFS.
Group: Can be associated with multiple users.
Role: Can be associated with multiple groups. E.g. admin, guest.
Privilege: Entity and action pair, can be associated with a role.

HTTP Handler Integration

  1. For the UI and CLI to hide unauthorized actions, we need a way to associate an HTTP path with a set of required privileges. E.g. "GET /namespaces/foo" -> (entity="namespace:foo", action=SELECT).
  2. We need a non-repetitive way to perform authorization in the HTTP handler methods.

*Handler: Converts HTTP requests into method calls on *Managers. Converts the method call result into an HTTP response.
*Manager: Performs operations on entities like namespaces and applications.
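
One way to meet both requirements above, as an added sketch that is not code from this design or from Sentry: each route declares its required privilege once in a decorator, the same table answers "what does this path need?" for the UI and CLI, and a single dispatcher enforces it. The users, groups, the DELETE action and all function names are assumptions made for illustration.

```python
import re
# Constructed sample data in the page's model: user -> group -> role -> privilege.
# The DELETE action and all user, group and function names are hypothetical.
USER_GROUPS = {"alice": {"ops"}, "bob": {"visitors"}}
GROUP_ROLES = {"ops": {"admin"}, "visitors": {"guest"}}
ROLE_PRIVILEGES = {
    "admin": {("namespace:foo", "SELECT"), ("namespace:foo", "DELETE")},
    "guest": {("namespace:foo", "SELECT")},
}
ROUTES = []  # (method, path regex, entity template, action, handler)

def privileges_of(user):
    """Resolve a user's (entity, action) pairs through groups and roles."""
    roles = {r for g in USER_GROUPS.get(user, ()) for r in GROUP_ROLES.get(g, ())}
    return {p for r in roles for p in ROLE_PRIVILEGES.get(r, ())}

def requires(method, path, entity, action):
    """Declare a route's required privilege once, next to its handler."""
    regex = re.compile("^" + re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", path) + "$")
    def decorate(handler):
        ROUTES.append((method, regex, entity, action, handler))
        return handler
    return decorate

def required_privilege(method, path):
    """Look up (entity, action, handler, params) for a request, or None."""
    for m, regex, entity, action, handler in ROUTES:
        match = regex.match(path)
        if m == method and match:
            return entity.format(**match.groupdict()), action, handler, match.groupdict()
    return None

def dispatch(user, method, path):
    """Single enforcement point: unknown routes and missing privileges are refused."""
    found = required_privilege(method, path)
    if found is None:
        return 404, "not found"
    entity, action, handler, params = found
    if (entity, action) not in privileges_of(user):
        return 403, "forbidden"
    return 200, handler(**params)

@requires("GET", "/namespaces/{ns}", "namespace:{ns}", "SELECT")
def get_namespace(ns):
    return f"namespace {ns}"

@requires("DELETE", "/namespaces/{ns}", "namespace:{ns}", "DELETE")
def delete_namespace(ns):
    return f"deleted {ns}"
```

Because the handlers never check privileges themselves, a route registered without `requires` is unreachable through `dispatch`, so a forgotten check fails closed.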
