From: Andrei Savu
Date: Tue, 6 Aug 2013 17:57:36 +0300
Subject: Re: [VOTE]: Accept Sentry in Apache Incubator
To: general@incubator.apache.org

+1 (non-binding)

-- Andrei Savu

On Mon, Aug 5, 2013 at 4:23 PM, Shreepadma Venugopalan <shreepadma@cloudera.com> wrote:
> Following the discussions last week, I'm calling a vote to accept Sentry as
> a new project in the Apache Incubator.
>
> The proposal draft is available at:
> https://wiki.apache.org/incubator/SentryProposal and is also pasted to the
> bottom of this email. It is identical to what was proposed except for a)
> addition of two new mentors, and b) removal of the user list for now, per
> Marvin's suggestion. The proposal thread is available at:
> http://goo.gl/bvvJPh
>
> [ ] +1 Accept Sentry in the Incubator
> [ ] +/-0 Don't care
> [ ] -1 Don't accept Sentry in the Incubator because...
>
> Thanks.
> Shreepadma
>
>
> = Sentry - A fine-grained Authorization System for the Hadoop ecosystem =
>
> == Abstract ==
>
> Sentry is a highly modular system for providing fine grained role based
> authorization to both data and metadata stored on an Apache Hadoop cluster.
> Sentry can be used to enforce various access policy rules when accessing
> data stored on Hadoop Distributed File System through various Hadoop
> ecosystem components such as Apache Hive, Apache Pig or others.
>
> == Proposal ==
>
> Traditionally, user access control in Apache Hadoop has been implemented
> using file based permissions on HDFS.
> Following the UNIX permissions model,
> HDFS offers all or nothing semantics allowing administrator to configure
> system to allow certain users or user groups read, write or perform both
> operations on files. This system does not enable more fine grained
> permissions that allow access policies for logical parts within one file.
> Furthermore, this model can't be used to restrict access to the rich set of
> objects in the metadata catalog that are stored outside HDFS.
>
> Sentry will provide true role-based fine-grained user access control for
> Apache Hadoop and its ecosystem components such as Hive, Pig or HBase. This
> includes providing fine-grained role based access to both data as well as
> the metadata, which provides a rich object based abstraction such as
> databases, tables or columns.
>
> == Background ==
>
> Sentry was initially developed by Cloudera to allow users fine grained
> access to data as well as the metadata in Apache Hadoop.
>
> Sentry has been maintained as an open source project on Cloudera’s github.
> Sentry was previously called “Access”. All code in Sentry is open source
> and has been made publicly available under the Apache 2 license. During
> this time, Sentry has been formally released two times as versions 1.0.0
> and 1.1.0.
>
> == Rationale ==
>
> Currently, users don't have a way to achieve fine grained enforceable user
> access control to data stored in HDFS and their associated metadata. While
> users can use file based permissions to control access to specific
> directories and files, it is insufficient because access can't be
> restricted to file parts i.e., to specific lines or logical columns. In the
> absence of such support, users have to resort to duplicating data.
> Furthermore, file based permissions are insufficient to provide any form of
> access control to the metadata that provides an object abstraction such as
> databases, tables, columns or partitions over the data stored in HDFS.
>
> Current Sentry developers subscribe to the mission of ASF and are familiar
> with the open source development process. Several members are already
> committers and PMC members of various other Apache projects.
>
> == Initial Goals ==
>
> Sentry is currently in its first major release with a considerable number
> of enhancement requests, tasks, and issues recorded towards its future
> development. The initial goal of this project will be to continue to build
> community in the spirit of the "Apache Way", and to address the highly
> requested features and bug-fixes towards the next dot release.
>
> == Current Status ==
> === Meritocracy ===
>
> Intent of the proposal is to build a diverse community of developers around
> Sentry. Sentry started as an open source project on Github, driven in the
> spirit of open source and we would like to continue in this spirit by, for
> example, encouraging contributors from a variety of organizations.
>
> === Community ===
>
> Sentry stakeholders desire to expand the user and developer base of Sentry
> further in the future. The current sets of developers in Sentry are
> committed to building a strong user base and open source community around
> the project. Development discussions within the current team have been on a
> public mailing [[
> https://groups.google.com/a/cloudera.org/forum/#!forum/access-dev |
> list]].
>
> === Core Developers ===
>
> The core developers for the Sentry project are Brock Noland, Shreepadma
> Venugopalan, Prasad Mujumdar and Jarek Jarcec Cecho. Other contributors
> include Arvind Prabhakar and Xuefu Zhang. All engineers have deep expertise
> in Hadoop and various other ecosystem components.
>
> === Alignment ===
>
> Sentry complements the access control feature of some projects in the
> Apache Hadoop ecosystem, such as HDFS file permissions, by providing finer
> grained access control to data and metadata. It supersedes the access
> control capabilities of some other projects such as Apache Hive by
> providing stronger guarantees against malicious access. Currently, Sentry
> integrates with Apache Hive, however we are planning to provide support for
> other components such as Apache Pig.
>
> While projects such as Apache Knox aim to provide perimeter security, the
> goal of Sentry is to implement a fine-grained role-based access control
> policy. Thus Sentry complements Apache Knox.
>
> == Known Risks ==
>
> === Orphaned Products ===
>
> Sentry is already deployed in production at a few well established
> companies and they are actively sharing feature requests. The risks of it
> being orphaned is negligible.
>
> === Inexperience with Open Source ===
>
> All committers of the Sentry project are intimately familiar with the
> Apache model for open-source development and are experienced with working
> with various Apache open-source communities.
>
> === Homogeneous Developers ===
>
> The initial set of committers includes developers from several
> organizations - Cloudera, Oracle, Lab41, Nvidia and Wibidata. We expect
> that once approved for incubation, the project will further attract new
> contributors.
>
> === Reliance on Salaried Developers ===
>
> It is expected that Sentry will be developed on both salaried and volunteer
> time, although all of the initial developers will work on it mainly on
> salaried time.
>
> === Relationships with Other Apache Products ===
>
> Sentry depends on other Apache Projects: Apache Hadoop, Apache Log4J,
> Apache Hive, Apache Shiro, multiple Apache Commons components. Build is
> orchestrated by Apache Maven.
> Sentry complements Apache Knox.
>
> === An Excessive Fascination with the Apache Brand ===
>
> We would like Sentry to become an Apache project to further foster a
> healthy community of users and developers around it. Since Sentry solves an
> important problem faced by Apache Hadoop users and interacts with other
> components of the Apache Hadoop ecosystem, we believe that Apache is the
> right home for Sentry.
>
> == Documentation ==
>
> * Cloudera provides documentation specific to its distribution of Sentry
> at:
> http://www.cloudera.com/content/cloudera-content/cloudera-docs/Sentry/Sentry.pdf
> * Sentry jira at Cloudera: https://issues.cloudera.org/browse/access
>
> == Initial Source ==
>
> https://github.com/cloudera/access
>
> == Source and Intellectual Property Submission Plan ==
>
> All of Sentry’s code is under Apache 2 license already.
>
> == External Dependencies ==
>
> All dependencies have licenses compatible with ASL. Dependencies that are
> not directly using ASL are,
>
> * Junit - Eclipse Public License
>
> == Cryptography ==
>
> Sentry currently doesn’t directly use any cryptographic libraries. However,
> Sentry uses Apache Shiro, which provides support for cryptography features
> such as hash, cipher etc.
>
> == Required Resources ==
>
> === Mailing Lists ===
>
> * private@sentry.incubator.apache.org for private PMC discussions (with
> moderated subscriptions)
> * security@sentry.incubator.apache.org for private security related
> discussions
> * dev@sentry.incubator.apache.org
> * commits@sentry.incubator.apache.org
>
> === Source code repository ===
>
> Git repository running at http://git-wip-us.apache.org/.
>
> === Issue Tracking ===
>
> JIRA Sentry (SENTRY)
>
> === Other Resources ===
>
> The existing code already has unit and integration tests so we would like a
> Jenkins CI instance that would run the tests on reference environment. We
> would also like to use Jenkins to run tests for every newly submitted patch
> (so called pre-commit hook), however this can be added after project
> creation.
>
> == Initial Committers ==
>
> * Ali Rizvi (ali.rizvi at oracle.com)
> * Arvind Prabhakar (arvind at apache.org)
> * Brock Noland (brock at apache.org)
> * Chaoyu Tang (ctang at cloudera.com)
> * Daisy Zhou (daisy at wibidata.com)
> * David Nalley (ke4qqq at apache.org)
> * Erick Tryzelaar (etryzelaar at iqt.org)
> * Greg Chanan (gchanan at apache.org)
> * Hadi Nahari (hnahari at nvidia.com)
> * Jarek Jarcec Cecho (jarcec at apache.org)
> * Johnny Zhang (xiaoyuz at cloudera.com)
> * Karthik Ramachandran (kramachandran at iqt.org)
> * Mark Grover (mgrover at cloudera.com)
> * Milo Polte (milo at wibidata.com)
> * Lenni Kuff (lskuff at cloudera.com)
> * Patrick Daly (daly at cloudera.com)
> * Patrick Hunt (phunt at apache.org)
> * Prasad Mujumdar (prasadm at apache.org)
> * Raghu Mani (raghu.mani at oracle.com)
> * Sean Mackrory (sean at cloudera.com)
> * Shreepadma Venugopalan (shreepadma at cloudera.com)
> * Sravya Tirukkovalur (sravya at cloudera.com)
> * Tom White (tomwhite at apache.org)
> * Xuefu Zhang (xuefu at apache.org)
>
> == Affiliations ==
>
> * Ali Rizvi (Oracle)
> * Arvind Prabhakar (Cloudera)
> * Brock Noland (Cloudera)
> * Chaoyu Tang (Cloudera)
> * Daisy Zhou (Wibidata)
> * David Nalley (Citrix)
> * Erick Tryzelaar (Lab41)
> * Greg Chanan (Cloudera)
> * Hadi Nahari (Nvidia)
> * Jarek Jarcec Cecho (Cloudera)
> * Johnny Zhang (Cloudera)
> * Karthik Ramachandran (Lab41)
> * Mark Grover (Cloudera)
> * Milo Polte (Wibidata)
> * Lenni Kuff (Cloudera)
> * Patrick Daly (Cloudera)
> * Patrick Hunt (Cloudera)
> * Prasad Mujumdar (Cloudera)
> * Raghu Mani (Oracle)
> * Sean Mackrory (Cloudera)
> * Shreepadma Venugopalan (Cloudera)
> * Sravya Tirukkovalur (Cloudera)
> * Tom White (Cloudera)
> * Xuefu Zhang (Cloudera)
>
> == Sponsors ==
>
> === Champion ===
>
> * Arvind Prabhakar (Cloudera)
>
> === Nominated Mentors ===
>
> * Arvind Prabhakar (Cloudera)
> * David Nalley (Citrix)
> * Joe Brockmeier (Citrix)
> * Olivier Lamy (Ecetera)
> * Patrick Hunt (Cloudera)
> * Tom White (Cloudera)
>
> === Sponsoring Entity ===
>
> We are requesting the Incubator to sponsor this project.
>