zhoukangcn commented on issue #6346:
URL: https://github.com/apache/gravitino/issues/6346#issuecomment-2766500322
@jerqi In your design, it’s difficult to grant others access to share the
entire schema.
I think the scenario is as follows: the user creates a
`metalake.catalog.public_llm` schema to store publicly shared models. He sets
the schema `public_llm` as public, so everyone can read/download the models.
Later, when adding new models, they do not need to individually modify the
model permissions each time.
And I have some advice: we can design the model’s permissions by referencing
the Hive table permissions, which will provide sufficient flexibility.
> Some surveys about the privileges of the model. For Databricks, an [MLflow
> registered
> model](https://docs.databricks.com/aws/en/machine-learning/manage-model-lifecycle/)
> is a specific type of function. Models are listed separately from other
> functions in Catalog Explorer, but when you grant a privilege on a model using
> SQL, you use GRANT ON FUNCTION.
>
> For registered models, EXECUTE grants the ability to view metadata for all
> versions of the registered model, and to download model files.
>
> There are other privileges `CREATE MODEL` and `CREATE MODEL VERSION`.
>
> For Snowflake, there are two privileges `USAGE` and `CREATE MODEL`.
>
> In summary, I will add three privileges
>
> ```
> NAME                  Object
> CREATE_MODEL          SCHEMA, CATALOG, METALAKE
> CREATE_MODEL_VERSION  MODEL, SCHEMA, CATALOG, METALAKE
> USE_MODEL             MODEL, SCHEMA, CATALOG, METALAKE
> ```
>
> USE_MODEL can view the meta of the model and all the versions of the model. At
> the same time, it can download all the versions of the model.
> CREATE_MODEL_VERSION controls associating a model with a specific version.
> CREATE MODEL controls creating a model. The owner can alter and drop the
> model. Only the owner can set and delete the alias of the model.
>
> https://docs.databricks.com/aws/en/data-governance/unity-catalog/manage-privileges/privileges
> https://docs.snowflake.com/en/user-guide/security-access-control-privileges
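The `public_llm` scenario from the comment, worked through against the quoted privilege table, as an added example that is not Gravitino code and not part of the thread. It assumes a grant on a parent object (schema, catalog, metalake) covers the models beneath it; the `Authorizer` class, the `public` role and the user `alice` are hypothetical.

```python
# Added illustration; class and role names are hypothetical, not Gravitino's API.
# Object types each privilege may be granted on, per the table quoted above.
ALLOWED = {
    "CREATE_MODEL": {"SCHEMA", "CATALOG", "METALAKE"},
    "CREATE_MODEL_VERSION": {"MODEL", "SCHEMA", "CATALOG", "METALAKE"},
    "USE_MODEL": {"MODEL", "SCHEMA", "CATALOG", "METALAKE"},
}
LEVELS = ["METALAKE", "CATALOG", "SCHEMA", "MODEL"]  # depth 1..4 of a dotted name


class Authorizer:
    def __init__(self):
        self.grants = set()  # (principal, privilege, object name)
        self.owners = {}     # object name -> owning principal

    @staticmethod
    def kind(name):
        return LEVELS[len(name.split(".")) - 1]

    def grant(self, principal, privilege, name):
        if self.kind(name) not in ALLOWED[privilege]:
            raise ValueError(f"{privilege} cannot be granted on a {self.kind(name)}")
        self.grants.add((principal, privilege, name))

    def allowed(self, principal, privilege, name):
        # Assumption: a grant on a parent object covers everything beneath it,
        # so check the object itself and every ancestor up to the metalake.
        parts = name.split(".")
        return any(
            (principal, privilege, ".".join(parts[:depth])) in self.grants
            for depth in range(1, len(parts) + 1)
        )

    def can_set_alias(self, principal, model):
        # Per the quoted proposal, only the owner sets or deletes aliases.
        return self.owners.get(model) == principal


def demo():
    authz = Authorizer()
    # Constructed scenario: one schema-level grant to a hypothetical "public" role.
    authz.grant("public", "USE_MODEL", "metalake.catalog.public_llm")
    # A model registered later by alice needs no per-model grant to be readable.
    authz.owners["metalake.catalog.public_llm.new_model"] = "alice"
    return authz
```

The schema-level grant gives read/download only: `public` still cannot add versions or touch aliases, and `CREATE_MODEL` is rejected when the target is a model rather than a container.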