  1. CDAP
  2. CDAP-9035

CDAP Sentry listPrivileges used to build privilege cache does not list privileges for the user's group

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.1.0, 4.0.0, 3.6.0, 3.5.0
    • Fix Version/s: 4.1.1
    • Component/s: Security
    • Release Notes:
      Fixed an issue where the CDAP Sentry Extension was not able to fetch privileges associated with a user's group.

      Description

      CDAP uses a privilege cache model for authorization enforcement. This cache is populated by listing privileges for a principal.
      Sentry only supports adding groups to roles and, in the other direction, listing the roles for a group and then getting the privileges from those roles. We are using our Sentry integration's listPrivileges with a Principal whose principal type is user, so Sentry just lists the privileges for the user's group.
      For example, if we list privileges for Principal(name=ali, type=user), Sentry lists privileges for the group ali.

      If ali belongs to some other group, say developers, then the privileges from developers are not populated in the cache.
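
A minimal model of the lookup described above, added here as an illustration and not CDAP or Sentry code: every function name, the `USER_GROUPS` mapping and the sample roles and privileges are constructed assumptions. It contrasts the reported listing with one that resolves the user's groups first, and shows the effect on an authorization check that reads only the cache.

```python
from typing import NamedTuple

class Principal(NamedTuple):
    name: str
    type: str  # "user" or "group"

# Constructed sample data; only the names ali and developers come from the issue.
GROUP_ROLES = {"ali": {"ali_role"}, "developers": {"dev_role"}}
ROLE_PRIVILEGES = {
    "ali_role": {("stream:ali_events", "READ")},
    "dev_role": {("dataset:builds", "READ"), ("dataset:builds", "WRITE")},
}
USER_GROUPS = {"ali": {"ali", "developers"}}  # hypothetical user-to-group mapping

def group_privileges(group):
    """Sentry's model as described: group -> roles -> privileges."""
    privs = set()
    for role in GROUP_ROLES.get(group, ()):
        privs |= ROLE_PRIVILEGES.get(role, set())
    return privs

def list_privileges_reported(principal):
    """Reported behaviour: a user principal's name is looked up as a group name."""
    return group_privileges(principal.name)

def list_privileges_group_aware(principal):
    """Assumed correction: resolve a user to all of its groups before listing."""
    if principal.type == "group":
        return group_privileges(principal.name)
    privs = set()
    for group in USER_GROUPS.get(principal.name, ()):
        privs |= group_privileges(group)
    return privs

def build_cache(principals, lister):
    """Populate the privilege cache with one listing per principal."""
    return {p: lister(p) for p in principals}

def is_authorized(cache, principal, entity, action):
    """Enforcement consults only the cache; anything not cached is denied."""
    return (entity, action) in cache.get(principal, set())
```

With the reported listing, ali is denied actions that were granted through developers, because those privileges never reach the cache.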

            People

            • Assignee:
              rsinha Rohit Sinha
              Reporter:
              rsinha Rohit Sinha