Uploaded image for project: 'IMPALA'
  1. IMPALA
  2. IMPALA-4000

Restricted Sentry authorization for Kudu Tables

Attach filesAttach ScreenshotVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • New Feature
    • Status: Resolved
    • Critical
    • Resolution: Fixed
    • Kudu_Impala
    • Impala 2.8.0
    • Security

    Description

      Today there is no comprehensive way of enforcing a Sentry authorization policy against tables stored in Kudu. The underlying reason is that Kudu itself does not yet support authorization, so it is always possible to access data directly via the Kudu API or other services that do not adhere to Sentry policy.

      However, we still want to allow Kudu to be used in a meaningful way in Sentry-enabled clusters. We came up with the following desired behavior:

      • Access to Kudu tables must be granted to roles as usual.
      • Access to a Kudu table is all or nothing. We will not support finer grained permissions (e.g. column level) or permissions on certain operations only (e.g. only INSERT).
      • Only users with ALL privileges on SERVER may create external Kudu tables.

      Attachments

        Issue Links

        Activity

          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            tarasbob Taras Bobrovytsky
            mjacobs Matthew Jacobs
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment