[IMPALA-5489] Improve Sentry authorization for Kudu tables - ASF JIRA

XML

Word

Printable

JSON

Details

Type: New Feature
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: Impala 2.8.0
Fix Version/s: Impala 2.10.0
Component/s: Frontend
Labels:
- authorization
- kudu
- security
- sentry

Target Version:

Impala 2.10.0
Epic Color:
ghx-label-9

Description

In ~~IMPALA-4000~~ we added basic authorization support for Kudu tables, but it had several limitations:

Only the ALL privilege level can be granted to Kudu tables.
(Finer-grained levels such as only SELECT or only INSERT are not supported.)
Column level permissions on Kudu tables are not supported.
Only users with ALL privileges on SERVER may create external Kudu tables.

It looks like we could make the following work:

Allow column-level permissions
Allow fine grained privileges SELECT and INSERT for those statement types.

However, DELETE/UPDATE/UPSERT would require ALL because Sentry doesn't have fine grained privilege actions for those types yet (work is planned though).

So Impala can do this work, probably without much effort, but the question is whether or not it makes sense to implement this short-term solution in the context of the mid-to-longer term Kudu, Sentry, and Impala authorization plans. Kudu is currently figuring out what their authorization story will look like. Sentry is also poised for some large upcoming changes.

Attachments

Activity

People

Assignee:: Matthew Jacobs

Reporter:: Matthew Jacobs

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 12/Jun/17 21:53

Updated:: 28/Sep/17 22:26

Resolved:: 26/Jul/17 13:23