sentry-commits mailing list archives

From "Sravya Tirukkovalur (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (SENTRY-1079) Sentry server should not require users to be in a static list "allow.connect" to be able to talk to sentry
Date Thu, 18 Feb 2016 20:15:18 GMT

     [ https://issues.apache.org/jira/browse/SENTRY-1079?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sravya Tirukkovalur updated SENTRY-1079:
----------------------------------------
    Description: 
This is important now that we have sentry shell, so not just super users like "hive,impala,hue"
connect but end users can also connect to sentry to grant/revoke/list privileges.

One way to do it is:
1. If it is not part of allow.connect: Fill the requestorName field with the user connecting.
That way we restrict impersonation if the user is not part of this super group. And hence
we ignore the requestorName set by the client.
2. Rename allow.connect to super.users or something like that to make it clear that these
users can have super privileges like impersonating other users.

> Sentry server should not require users to be in a static list "allow.connect" to be able to talk to sentry
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: SENTRY-1079
>                 URL: https://issues.apache.org/jira/browse/SENTRY-1079
>             Project: Sentry
>          Issue Type: Bug
>    Affects Versions: 1.7.0
>            Reporter: Sravya Tirukkovalur
>            Assignee: Sravya Tirukkovalur
>
> This is important now that we have sentry shell, so not just super users like "hive,impala,hue" connect but end users can also connect to sentry to grant/revoke/list privileges.
> One way to do it is:
> 1. If it is not part of allow.connect: Fill the requestorName field with the user connecting. That way we restrict impersonation if the user is not part of this super group. And hence we ignore the requestorName set by the client.
> 2. Rename allow.connect to super.users or something like that to make it clear that these users can have super privileges like impersonating other users.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
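
The rule proposed in the description above, sketched as an added example (not Apache Sentry code and not part of the original message). The class, method and parameter names are hypothetical, and the connecting user is assumed to have already been authenticated by the transport layer.

```java
import java.util.Set;

// Added illustration of the SENTRY-1079 proposal; all names here are hypothetical.
public class RequestorResolver {
    // Contents of allow.connect (proposed new name: super.users).
    private final Set<String> superUsers;

    public RequestorResolver(Set<String> superUsers) {
        this.superUsers = Set.copyOf(superUsers);
    }

    /**
     * Decide which identity the server authorizes a request as.
     *
     * @param authenticatedUser   user the connection authenticated as (trusted)
     * @param clientRequestorName requestorName field sent by the client (untrusted)
     */
    public String effectiveRequestor(String authenticatedUser, String clientRequestorName) {
        if (authenticatedUser == null || authenticatedUser.isEmpty()) {
            // No connection identity means nothing to bind the request to.
            throw new SecurityException("connection has no authenticated user");
        }
        if (superUsers.contains(authenticatedUser)) {
            // Super users may impersonate: honor the client-supplied name if present.
            if (clientRequestorName != null && !clientRequestorName.isEmpty()) {
                return clientRequestorName;
            }
            return authenticatedUser;
        }
        // Everyone else: ignore the client's field and fill in the connecting user.
        return authenticatedUser;
    }

    public static void main(String[] args) {
        // Constructed sample data: the super users named in the issue and two end users.
        RequestorResolver resolver = new RequestorResolver(Set.of("hive", "impala", "hue"));
        String[][] cases = {
            {"hive", "alice"},   // service user acting on behalf of an end user
            {"alice", "alice"},  // end user connecting through sentry shell
            {"bob", "alice"},    // end user claiming another user's name
            {"bob", null},       // end user sending no requestorName at all
        };
        for (String[] c : cases) {
            System.out.printf("connected=%s claimed=%s -> authorized as %s%n",
                    c[0], c[1], resolver.effectiveRequestor(c[0], c[1]));
        }
    }
}
```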
