IMPALA-4000

Restricted Sentry authorization for Kudu Tables

    Details

    • Type: New Feature
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: Kudu_Impala
    • Fix Version/s: Impala 2.8.0
    • Component/s: Security

      Description

      Today there is no comprehensive way of enforcing a Sentry authorization policy against tables stored in Kudu. The underlying reason is that Kudu itself does not yet support authorization, so it is always possible to access data directly via the Kudu API or other services that do not adhere to Sentry policy.

      However, we still want to allow Kudu to be used in a meaningful way in Sentry-enabled clusters. We came up with the following desired behavior:

      • Access to Kudu tables must be granted to roles as usual.
      • Access to a Kudu table is all or nothing. We will not support finer-grained permissions (e.g. column level) or permissions on certain operations only (e.g. only INSERT).
      • Only users with ALL privileges on SERVER may create external Kudu tables.
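
The three rules above, modelled as a decision function plus a policy audit that lists grants which cannot take effect on a Kudu table. This is an added example, not Impala or Sentry code: the `Grant` type, the action names and the sample policy are constructed, and it assumes "all or nothing" means a grant narrower than ALL yields no access.

```python
from dataclasses import dataclass

# Constructed model of the three rules in the description; not Impala or Sentry code.
# Assumption: "all or nothing" means a grant narrower than ALL gives no access.
TABLE_ACTIONS = {"SELECT", "INSERT", "UPDATE", "DELETE"}

@dataclass(frozen=True)
class Grant:
    privilege: str        # "ALL", "SELECT", "INSERT"
    scope: str            # "SERVER", "DATABASE" or "TABLE"
    db: str = ""
    table: str = ""
    columns: tuple = ()   # non-empty for a column-level grant

def covers(grant, db, table):
    """True when the grant's scope contains db.table."""
    if grant.scope == "SERVER":
        return True
    if grant.scope == "DATABASE":
        return grant.db == db
    return grant.db == db and grant.table == table

def authorize_kudu(grants, action, db, table):
    """Allow or deny one request against the Kudu table db.table."""
    if action == "CREATE_EXTERNAL":
        # Rule 3: only ALL on SERVER may create an external Kudu table.
        return any(g.privilege == "ALL" and g.scope == "SERVER" for g in grants)
    if action not in TABLE_ACTIONS:
        raise ValueError(f"unmodelled action: {action}")
    # Rules 1 and 2: some role grant must give ALL over the whole table.
    return any(g.privilege == "ALL" and not g.columns and covers(g, db, table)
               for g in grants)

def ineffective_grants(grants, kudu_tables):
    """Table-scoped grants on Kudu tables that are narrower than ALL."""
    return [g for g in grants
            if g.scope == "TABLE" and (g.db, g.table) in kudu_tables
            and (g.privilege != "ALL" or g.columns)]

# Constructed sample policy for one role.
ANALYST = [
    Grant("SELECT", "TABLE", "sales", "orders_kudu"),
    Grant("SELECT", "TABLE", "sales", "events_kudu", columns=("ts",)),
    Grant("ALL", "TABLE", "sales", "metrics_kudu"),
    Grant("ALL", "DATABASE", "scratch"),
]
KUDU_TABLES = {("sales", "orders_kudu"), ("sales", "events_kudu"),
               ("sales", "metrics_kudu"), ("scratch", "tmp_kudu")}
```

Running `ineffective_grants` over an exported policy shows which existing SELECT-only or column-level grants would stop granting anything once the target table is a Kudu table.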

            People

            • Assignee: Taras Bobrovytsky (tarasbob)
            • Reporter: Matthew Jacobs (mjacobs)
