[DISCUSS] On removing Cube ACL

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[DISCUSS] On removing Cube ACL

mahongbin
Current ACL design is based on very early versions where kylin merely had
simple concepts like projects and cubes.
With the advent of Kylin v2.0, and several new concepts like Data Model (
http://kylin.apache.org/docs/gettingstarted/concepts.html) and Query
Pushdown (KYLIN-2515), the original cube-centric ACL design is becoming
outdated. The reasons are two-fold: 1. cubes are no longer the only
entities we want to take control within each projects.  2. Cube-level ACL
cannot protect underlying tables from being queries by unwanted users.

In fact, cubes is merely a special kind of index on the original table.
It's not straightforward to apply ACL on indexes rather than original
tables. That said, we need table-level ACL instead of cube-level ACL. We
have elaborated the detailed plans in KYLIN-2760 and KYLIN-2761. Please
comment on those issues or reply this email if you have any concerns.

--
Regards,

*Bin Mahone | 马洪宾*
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: [DISCUSS] On removing Cube ACL

shaofengshi
It makes sense for me. Will the Cube ACL info be migrated (from Cube to
Table) when it is done?

2017-08-07 10:37 GMT+08:00 hongbin ma <[hidden email]>:

> Current ACL design is based on very early versions where kylin merely had
> simple concepts like projects and cubes.
> With the advent of Kylin v2.0, and several new concepts like Data Model (
> http://kylin.apache.org/docs/gettingstarted/concepts.html) and Query
> Pushdown (KYLIN-2515), the original cube-centric ACL design is becoming
> outdated. The reasons are two-fold: 1. cubes are no longer the only
> entities we want to take control within each projects.  2. Cube-level ACL
> cannot protect underlying tables from being queries by unwanted users.
>
> In fact, cubes is merely a special kind of index on the original table.
> It's not straightforward to apply ACL on indexes rather than original
> tables. That said, we need table-level ACL instead of cube-level ACL. We
> have elaborated the detailed plans in KYLIN-2760 and KYLIN-2761. Please
> comment on those issues or reply this email if you have any concerns.
>
> --
> Regards,
>
> *Bin Mahone | 马洪宾*
>



--
Best regards,

Shaofeng Shi 史少锋
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: [DISCUSS] On removing Cube ACL

Yang
So we can still control who can (or cannot) access a cube by defining ACL
on tables, right?

On Mon, Aug 7, 2017 at 2:26 PM, ShaoFeng Shi <[hidden email]> wrote:

> It makes sense for me. Will the Cube ACL info be migrated (from Cube to
> Table) when it is done?
>
> 2017-08-07 10:37 GMT+08:00 hongbin ma <[hidden email]>:
>
> > Current ACL design is based on very early versions where kylin merely had
> > simple concepts like projects and cubes.
> > With the advent of Kylin v2.0, and several new concepts like Data Model (
> > http://kylin.apache.org/docs/gettingstarted/concepts.html) and Query
> > Pushdown (KYLIN-2515), the original cube-centric ACL design is becoming
> > outdated. The reasons are two-fold: 1. cubes are no longer the only
> > entities we want to take control within each projects.  2. Cube-level ACL
> > cannot protect underlying tables from being queries by unwanted users.
> >
> > In fact, cubes is merely a special kind of index on the original table.
> > It's not straightforward to apply ACL on indexes rather than original
> > tables. That said, we need table-level ACL instead of cube-level ACL. We
> > have elaborated the detailed plans in KYLIN-2760 and KYLIN-2761. Please
> > comment on those issues or reply this email if you have any concerns.
> >
> > --
> > Regards,
> >
> > *Bin Mahone | 马洪宾*
> >
>
>
>
> --
> Best regards,
>
> Shaofeng Shi 史少锋
>
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: [DISCUSS] On removing Cube ACL

Luke Han
Administrator
Data Model level is better than Cube level.

How about to leave extend point there for people who want to keep Cube
Level ACL?




Best Regards!
---------------------

Luke Han

On Tue, Aug 15, 2017 at 5:30 PM, Li Yang <[hidden email]> wrote:

> So we can still control who can (or cannot) access a cube by defining ACL
> on tables, right?
>
> On Mon, Aug 7, 2017 at 2:26 PM, ShaoFeng Shi <[hidden email]>
> wrote:
>
> > It makes sense for me. Will the Cube ACL info be migrated (from Cube to
> > Table) when it is done?
> >
> > 2017-08-07 10:37 GMT+08:00 hongbin ma <[hidden email]>:
> >
> > > Current ACL design is based on very early versions where kylin merely
> had
> > > simple concepts like projects and cubes.
> > > With the advent of Kylin v2.0, and several new concepts like Data
> Model (
> > > http://kylin.apache.org/docs/gettingstarted/concepts.html) and Query
> > > Pushdown (KYLIN-2515), the original cube-centric ACL design is becoming
> > > outdated. The reasons are two-fold: 1. cubes are no longer the only
> > > entities we want to take control within each projects.  2. Cube-level
> ACL
> > > cannot protect underlying tables from being queries by unwanted users.
> > >
> > > In fact, cubes is merely a special kind of index on the original table.
> > > It's not straightforward to apply ACL on indexes rather than original
> > > tables. That said, we need table-level ACL instead of cube-level ACL.
> We
> > > have elaborated the detailed plans in KYLIN-2760 and KYLIN-2761. Please
> > > comment on those issues or reply this email if you have any concerns.
> > >
> > > --
> > > Regards,
> > >
> > > *Bin Mahone | 马洪宾*
> > >
> >
> >
> >
> > --
> > Best regards,
> >
> > Shaofeng Shi 史少锋
> >
>
Loading...