IMPALA-5489

Improve Sentry authorization for Kudu tables

      Description

      In IMPALA-4000 we added basic authorization support for Kudu tables, but it had several limitations:

      • Only the ALL privilege level can be granted to Kudu tables.
        (Finer-grained levels such as only SELECT or only INSERT are not supported.)
      • Column level permissions on Kudu tables are not supported.
      • Only users with ALL privileges on SERVER may create external Kudu tables.

      It looks like we could make the following work:

      • Allow column-level permissions
      • Allow fine-grained privileges SELECT and INSERT for those statement types.

      However, DELETE/UPDATE/UPSERT would require ALL because Sentry doesn't have fine-grained privilege actions for those types yet (work is planned, though).

      So Impala can do this work, probably without much effort, but the question is whether or not it makes sense to implement this short-term solution in the context of the mid-to-longer term Kudu, Sentry, and Impala authorization plans. Kudu is currently figuring out what their authorization story will look like. Sentry is also poised for some large upcoming changes.

            People

            • Assignee:
              mjacobs Matthew Jacobs
              Reporter:
              mjacobs Matthew Jacobs