In IMPALA-4000 we added basic authorization support for Kudu tables, but it had several limitations:
- Only the ALL privilege level can be granted to Kudu tables. (Finer-grained levels such as only SELECT or only INSERT are not supported.)
- Column level permissions on Kudu tables are not supported.
- Only users with ALL privileges on SERVER may create external Kudu tables.
It looks like we could make the following work:
- Allow column-level permissions
- Allow the fine-grained privileges SELECT and INSERT for those statement types.
However, DELETE/UPDATE/UPSERT would require ALL because Sentry doesn't have fine-grained privilege actions for those types yet (work is planned though).
So Impala can do this work, probably without much effort, but the question is whether or not it makes sense to implement this short-term solution in the context of the mid-to-longer term Kudu, Sentry, and Impala authorization plans. Kudu is currently figuring out what their authorization story will look like. Sentry is also poised for some large upcoming changes.