Uploaded image for project: 'Kudu'
  1. Kudu
  2. KUDU-2865

Relax the requirements to get an authorization token

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 1.10.0
    • None
    • authz
    • None

    Description

      Currently in order to do any DML with Kudu, a user must have any (i.e. "METADATA") privilege on a table so the user can get an authorization token. This is because authz token generation is piggy-backed on the GetTableSchema endpoint, which does all-or-nothing authorization for the table.

      This isn't a great user experience, e.g. if a user only has column-level privileges. Unless such a user also had a table-level privilege (e.g. insert privileges on the table), the user would be unable to scan the columns through direct Kudu APIs. We should consider perhaps modifying the GetTableSchema endpoint to return only the sub-schema and the privileges for which the user has column-level privileges or higher.

      This user experience would be closer to what is supported by Apache Impala.

      Attachments

        Activity

          People

            Unassigned Unassigned
            awong Andrew Wong
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated: