Uploaded image for project: 'IMPALA'
  1. IMPALA
  2. IMPALA-7334

Option to apply standard Sentry privileges to "default" database

    XMLWordPrintableJSON

Details

    • New Feature
    • Status: Open
    • Major
    • Resolution: Unresolved
    • Impala 2.9.0
    • None
    • Security
    • ghx-label-7

    Description

      In a Sentry-secured environment, the "default" database is a special exception to the database privilege model. The "default" database is always returned by "show databases", and "use default" always succeeds, regardless of what privileges the user has on "default." However, Hive has an option to disable this exception. When sentry.hive.restrict.defaultDB = true, users must have privileges on the "default" database to show it or use it, just as with other databases in Hive.

      Impala does not have such an option. This feature request is for an equivalent option in Impala, allowing the database privilege model to be applied uniformly to the "default" database.

      Although the security impact isn't enormous, some users do see the special behavior of the "default" database as a security hole, so it's worth implementing.

      Attachments

        Activity

          People

            Unassigned Unassigned
            bbreakstone Ben Breakstone
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated: