jerqi commented on issue #6346: URL: https://github.com/apache/gravitino/issues/6346#issuecomment-2767904907
> [@jerqi](https://github.com/jerqi) In your design, it’s difficult to grant others access to share the entire schema.
>
> I think the scenario is described as follows: The user creates a `metalake.catalog.public_llm` schema to store publicly shared models. He set schema `public_llm` as public, so everyone can read/download model.
>
> Later, when adding new models, they do not need to individually modify the model permissions each time.
>
> And, I have some advice. We can design the model’s permissions by referencing the Hive table permissions, which will provide sufficient flexibility.
>
> > Some surveys about privilege of the model. For Databricks, an [MLflow registered model](https://docs.databricks.com/aws/en/machine-learning/manage-model-lifecycle/) is a specific type of function. Models are listed separately from other functions in Catalog Explorer, but when you grant a privilege on a model using SQL, you use GRANT ON FUNCTION.
> >
> > For registered models, EXECUTE grants the ability to view metadata for all versions of the registered model, and to download model files.
> >
> > There are other privileges `CREATE MODEL` and `CREATE MODEL VERSION`.
> >
> > For Snowflake, there are two privileges `USAGE` and `CREATE MODEL`.
> >
> > In summary, I will add three privileges
> >
> > ```
> > NAME                   Object
> > CREATE_MODEL           SCHEMA, CATALOG, METALAKE
> > CREATE_MODEL_VERSION   MODEL, SCHEMA, CATALOG, METALAKE
> > USE_MODEL              MODEL, SCHEMA, CATALOG, METALAKE
> > ```
> >
> > USE_MODEL can view the meta of the model and all the versions of model. At the same time, it can download all the versions of the model. CREATE_MODEL_VERSION can control associate a model with a specific version. CREATE MODEL can control to create a model. Owner can alter and drop the model. Only owner can set and delete the alias of the model.
> >
> > https://docs.databricks.com/aws/en/data-governance/unity-catalog/manage-privileges/privileges
> > https://docs.snowflake.com/en/user-guide/security-access-control-privileges

We should grant others all the models easily. You just need to grant the others the privileges

```
GRANT USE MODEL ON SCHEMA TO ONE ROLE.
```
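
The schema-level grant discussed in the comment above, sketched as an added example (not part of the original comment and not Gravitino's code). The `Authorizer` class, the dotted object names, the role names, and the rule that a grant on a parent object covers its children are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Privilege -> securable object types it may be granted on (table from the comment).
ALLOWED = {
    "CREATE_MODEL": {"SCHEMA", "CATALOG", "METALAKE"},
    "CREATE_MODEL_VERSION": {"MODEL", "SCHEMA", "CATALOG", "METALAKE"},
    "USE_MODEL": {"MODEL", "SCHEMA", "CATALOG", "METALAKE"},
}
# Assumption: objects are named metalake.catalog.schema.model, so the
# number of dots gives the object type.
LEVELS = ["METALAKE", "CATALOG", "SCHEMA", "MODEL"]


def object_type(name):
    return LEVELS[name.count(".")]


def ancestors(name):
    """Yield the object itself, then each parent up to the metalake."""
    parts = name.split(".")
    for i in range(len(parts), 0, -1):
        yield ".".join(parts[:i])


@dataclass
class Authorizer:  # hypothetical helper, for illustration only
    grants: set = field(default_factory=set)    # (role, privilege, object)
    owners: dict = field(default_factory=dict)  # object -> owning role

    def grant(self, role, privilege, obj):
        # Reject grants on object types the privilege table does not list,
        # e.g. CREATE_MODEL on an individual MODEL.
        if object_type(obj) not in ALLOWED[privilege]:
            raise ValueError(f"{privilege} cannot be granted on {object_type(obj)}")
        self.grants.add((role, privilege, obj))

    def allowed(self, role, privilege, obj):
        # Assumption: a grant on any ancestor covers the object, so models
        # added later to a shared schema need no per-model grant.
        return any((role, privilege, a) in self.grants for a in ancestors(obj))

    def can_set_alias(self, role, model):
        # Owner-only operation: no privilege grant substitutes for ownership.
        return self.owners.get(model) == role
```
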