Details
- Improvement
- Status: Open
- Major
- Resolution: Unresolved
- 1.10.0
- None
- None
Description
Currently in order to do any DML with Kudu, a user must have any (i.e. "METADATA") privilege on a table so the user can get an authorization token. This is because authz token generation is piggy-backed on the GetTableSchema endpoint, which does all-or-nothing authorization for the table.
This isn't a great user experience, e.g. if a user only has column-level privileges. Unless such a user also had a table-level privilege (e.g. insert privileges on the table), the user would be unable to scan the columns through direct Kudu APIs. We should consider perhaps modifying the GetTableSchema endpoint to return only the sub-schema and the privileges for which the user has column-level privileges or higher.
This user experience would be closer to what is supported by Apache Impala.
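A minimal model of the two behaviours this issue contrasts, as an added example that is not Kudu's code: the all-or-nothing check described above next to the proposed sub-schema response. The type and function names are hypothetical, privileges are plain strings, and the sample schema is constructed.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <vector>

// Hypothetical model of one user's privileges on one table (not Kudu's types).
struct Privileges {
  std::set<std::string> table;                          // e.g. {"METADATA"} or {"INSERT"}
  std::map<std::string, std::set<std::string>> column;  // column name -> e.g. {"SELECT"}
};
struct SchemaResponse {
  std::vector<std::string> columns;  // columns the caller is allowed to see
  Privileges token_privileges;       // privileges the authz token would carry
};

// Current behaviour per the issue: no table-level privilege means no schema and no token.
bool GetSchemaAllOrNothing(const std::vector<std::string>& schema,
                           const Privileges& p, SchemaResponse* out) {
  *out = SchemaResponse();
  if (p.table.empty()) return false;  // a column-only user is rejected here
  out->columns = schema;
  out->token_privileges = p;
  return true;
}

// Proposed behaviour: return only the sub-schema covered by column-level privileges or higher.
bool GetSchemaFiltered(const std::vector<std::string>& schema,
                       const Privileges& p, SchemaResponse* out) {
  if (!p.table.empty()) return GetSchemaAllOrNothing(schema, p, out);
  *out = SchemaResponse();
  for (const auto& col : schema) {
    auto it = p.column.find(col);
    if (it == p.column.end() || it->second.empty()) continue;  // never expose this column
    out->columns.push_back(col);
    out->token_privileges.column[col] = it->second;  // grants on unknown columns are dropped
  }
  return !out->columns.empty();  // no privilege at all is still a denial
}

int main() {
  std::vector<std::string> schema = {"id", "name", "ssn"};  // constructed sample schema
  Privileges p;
  p.column["name"] = {"SELECT"};  // column-level privilege only
  SchemaResponse a, b;
  std::cout << GetSchemaAllOrNothing(schema, p, &a) << " "
            << GetSchemaFiltered(schema, p, &b) << " " << b.columns.size() << "\n";
  return 0;
}
```

In this model a user with no privilege of any kind is denied the same way in both variants, so the filtered response exposes no column names beyond those the user already holds a privilege on.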