Details
- New Feature
- Status: Resolved
- Critical
- Resolution: Fixed
- Kudu_Impala
Description
Today there is no comprehensive way of enforcing a Sentry authorization policy against tables stored in Kudu. The underlying reason is that Kudu itself does not yet support authorization, so it is always possible to access data directly via the Kudu API or other services that do not adhere to Sentry policy.
However, we still want to allow Kudu to be used in a meaningful way in Sentry-enabled clusters. We came up with the following desired behavior:
- Access to Kudu tables must be granted to roles as usual.
- Access to a Kudu table is all or nothing. We will not support finer-grained permissions (e.g. column level) or permissions on certain operations only (e.g. only INSERT).
- Only users with ALL privileges on SERVER may create external Kudu tables.
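The three rules above, modelled as a small policy check and grant audit. This is an added example, not Impala or Sentry code: the `Grant` record, the function names and the sample policy are hypothetical, and it assumes Sentry's usual scope hierarchy (SERVER above DATABASE above TABLE).

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Grant:
    role: str
    privilege: str                  # "ALL", "SELECT", "INSERT", ...
    scope: str                      # "SERVER", "DATABASE", "TABLE" or "COLUMN"
    database: Optional[str] = None
    table: Optional[str] = None

def covers(g, database, table):
    """Assumed hierarchy: a grant on a wider scope covers the objects below it."""
    if g.scope == "SERVER":
        return True
    if g.database != database:
        return False
    return g.scope == "DATABASE" or g.table == table

def can_access_kudu_table(grants, role, database, table):
    """All or nothing: only ALL at table scope or above counts."""
    return any(g.role == role and g.privilege == "ALL" and g.scope != "COLUMN"
               and covers(g, database, table) for g in grants)

def can_create_external_kudu_table(grants, role):
    """Only ALL on SERVER allows creating an external Kudu table."""
    return any(g.role == role and g.privilege == "ALL" and g.scope == "SERVER"
               for g in grants)

def ineffective_kudu_grants(grants, kudu_tables):
    """Grants aimed at a Kudu table that are finer grained than ALL on the table."""
    return [g for g in grants
            if g.scope in ("TABLE", "COLUMN")
            and (g.database, g.table) in kudu_tables
            and (g.privilege != "ALL" or g.scope == "COLUMN")]

# Constructed sample policy; role, database and table names are made up.
KUDU_TABLES = {("metrics", "events")}
GRANTS = [
    Grant("admin", "ALL", "SERVER"),
    Grant("etl", "ALL", "TABLE", "metrics", "events"),
    Grant("analyst", "SELECT", "TABLE", "metrics", "events"),
    Grant("loader", "INSERT", "TABLE", "metrics", "events"),
    Grant("analyst", "SELECT", "TABLE", "metrics", "hdfs_dim"),
]

if __name__ == "__main__":
    for g in ineffective_kudu_grants(GRANTS, KUDU_TABLES):
        print("no effect on Kudu table:", g)
```

Running the audit over an exported role policy shows which existing SELECT-only or INSERT-only grants would give no access once a table is stored in Kudu.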
Issue Links
- relates to
  - IMPALA-10436 Investigate the need for granting ALL privilege on server when creating an external Kudu table (Resolved)
  - IMPALA-10300 Investigate the need for checking the privilege on server when creating a Kudu table with property of kudu.master_addresses (Closed)