
Restricted Sentry authorization for Kudu Tables

    Details

    • Type: New Feature
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: Kudu_Impala
    • Fix Version/s: Impala 2.8.0
    • Component/s: Security
    • Docs Text:
      Sentry policy file is not supported.

      Description

      Today there is no comprehensive way of enforcing a Sentry authorization policy against tables stored in Kudu. The underlying reason is that Kudu itself does not yet support authorization, so it is always possible to access data directly via the Kudu API or other services that do not adhere to Sentry policy.

      However, we still want to allow Kudu to be used in a meaningful way in Sentry-enabled clusters. We came up with the following desired behavior:

      • Access to Kudu tables must be granted to roles as usual.
      • Access to a Kudu table is all or nothing. We will not support finer grained permissions (e.g. column level) or permissions on certain operations only (e.g. only INSERT).
      • Only users with ALL privileges on SERVER may create external Kudu tables.
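An added example, not code from the Impala project or from this issue: a Python audit that checks existing grant rows against the three rules above, flagging table- or column-scoped grants on Kudu tables that are not a plain ALL, and testing whether a set of roles may create external Kudu tables. The row layout, role names, table names and function names are assumptions constructed for illustration; grants at database scope are not examined because the issue does not say how they apply to Kudu tables.

```python
# Added example: audit constructed Sentry grant rows against the restricted
# Kudu rules from this issue. Row layout and all names are assumptions.
from typing import NamedTuple, Optional


class Grant(NamedTuple):
    role: str
    scope: str                # "SERVER", "DATABASE", "TABLE" or "COLUMN"
    database: Optional[str]
    table: Optional[str]
    column: Optional[str]
    privilege: str            # "ALL", "SELECT", "INSERT", ...


def audit_kudu_grants(grants, kudu_tables):
    """Return (role, table, reason) for grants the restricted model does not support."""
    findings = []
    for g in grants:
        fq = f"{g.database}.{g.table}" if g.table else None
        if fq not in kudu_tables:
            continue  # not a table/column grant on a Kudu table
        if g.scope.upper() == "COLUMN" or g.column:
            findings.append((g.role, fq, "column-level privilege on Kudu table"))
        elif g.privilege.upper() != "ALL":
            findings.append((g.role, fq, f"{g.privilege.upper()} is finer than ALL"))
    return findings


def may_create_external_kudu_table(role_names, grants):
    """True only if one of the given roles holds ALL on SERVER."""
    return any(g.role in role_names and g.scope.upper() == "SERVER"
               and g.privilege.upper() == "ALL" for g in grants)


# Constructed sample data (hypothetical roles and tables).
KUDU_TABLES = {"sales.orders_kudu"}
GRANTS = [
    Grant("analyst", "TABLE", "sales", "orders_kudu", None, "SELECT"),
    Grant("etl", "TABLE", "sales", "orders_kudu", None, "ALL"),
    Grant("pii_reader", "COLUMN", "sales", "orders_kudu", "email", "SELECT"),
    Grant("analyst", "TABLE", "sales", "orders_parquet", None, "SELECT"),
    Grant("admin", "SERVER", None, None, None, "ALL"),
]

if __name__ == "__main__":
    for finding in audit_kudu_grants(GRANTS, KUDU_TABLES):
        print(finding)
    print(may_create_external_kudu_table({"etl"}, GRANTS))
```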

        Activity

        mjacobs Matthew Jacobs added a comment -

        Dimitris Tsirogiannis does our plan to remove columns from HMS mean even the "workaround" won't work? If so, I guess it's a clear decision to remove.

        tarasbob Taras Bobrovytsky added a comment -

        Alexander Behm, Matthew Jacobs, how should we handle the case where we have a Sentry policy file with a non-ALL permission on a Kudu table?

        tarasbob Taras Bobrovytsky added a comment -
        IMPALA-4000: Restricted Sentry authorization for Kudu Tables
        At this time, there is no comprehensive way of enforcing a Sentry
        authorization policy against tables stored in Kudu. The following
        behavior was implemented in this patch:
        - Only the ALL privilege level can be granted to Kudu tables.
          Finer-grained levels such as only SELECT or only INSERT are not
          supported.
        - Column level permissions on Kudu tables are not supported.
        - Only users with ALL privileges on SERVER may create external Kudu
          tables.
        
        Change-Id: I183f08ad8ce80deee011a6b90ad67b9cefc0452c
        Reviewed-on: http://gerrit.cloudera.org:8080/5047
        Reviewed-by: Taras Bobrovytsky <tbobrovytsky@cloudera.com>
        Tested-by: Internal Jenkins
        
        torres.marcelo Marcelo Torres de Albuquerque added a comment -

        There is no prevision for grains access on sentry to work?

        mjacobs Matthew Jacobs added a comment -

        Marcelo Torres de Albuquerque fine-grained access? Not on this commit, that topic is tracked by IMPALA-3840


          People

          • Assignee:
            tarasbob Taras Bobrovytsky
            Reporter:
            mjacobs Matthew Jacobs