User based privilege

It’s standard in traditional database security to allow both groups and users to be assigned to roles. And hive supports to grant role to user.

So the following command should be supported in sentry:

GRANT role_name TO USER user

The feature implemented in SENTRY-711 is not complete. We complete this feature 

 
The current user-based privilege missed some items:
 

• Sentry policy has two service API: SentryPolicyService and SentryGenericPolicyService. The current implementation does not support user-based privilege for SentryGenericPolicyService
• Fix bug. SENTRY-2091: User-based Privilege is broken by SENTRY-769. The patch is available for review.
• Name Node need change to generate ACL using user privilege.
  • The full snapshot update only contains authorization to roles mapping and role to group mapping. Need to add role to user mapping in SentryStore.retrieveFullRoleImageCore
  • The delta updates are taken from table SENTRY_PERM_CHANGE, which does not distinguish group based permission or user based permission. No change is needed
  • The user changes to a role is not included when sending delta update from Sentry to NN. Need to add AddUsers and DropUsers in TRoleChanges. 
  • Sentry only create ACL for group with ACL type as AclEntryType.GROUP. Need to add code to create ACL with type as AclEntryType.USER

• • • SentryINodeAttributesProvider.checkPermission -> FSPermissionChecker.checkPermission -> SentryINodeAttributesProvider.getAclFeature -> SentryAuthorizationInfo.getAclEntries -> SentryPermissions.constructAclEntry
• SentryStore.grantOptionCheck() has to be changed to find user level privilege.