You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@impala.apache.org by "Matthew Jacobs (JIRA)" <ji...@apache.org> on 2017/07/26 13:24:00 UTC

[jira] [Resolved] (IMPALA-5489) Improve Sentry authorization for Kudu tables

     [ https://issues.apache.org/jira/browse/IMPALA-5489?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matthew Jacobs resolved IMPALA-5489.
------------------------------------
       Resolution: Fixed
    Fix Version/s: Impala 2.10.0

1aa3a5c616ec058ab50e2185472beb9aff306b1e

> Improve Sentry authorization for Kudu tables
> --------------------------------------------
>
>                 Key: IMPALA-5489
>                 URL: https://issues.apache.org/jira/browse/IMPALA-5489
>             Project: IMPALA
>          Issue Type: New Feature
>          Components: Frontend
>    Affects Versions: Impala 2.8.0
>            Reporter: Matthew Jacobs
>            Assignee: Matthew Jacobs
>              Labels: authorization, kudu, security, sentry
>             Fix For: Impala 2.10.0
>
>
> In IMPALA-4000 we added basic authorization support for Kudu tables, but it had several limitations:
> * Only the ALL privilege level can be granted to Kudu tables.
>   (Finer-grained levels such as only SELECT or only INSERT are not supported.)
> * Column level permissions on Kudu tables are not supported.
> * Only users with ALL privileges on SERVER may create external Kudu tables.
> It looks like we could make the following work:
> * Allow column-level permissions
> * Allow fine grained privileges SELECT and INSERT for those statement types.
> However, DELETE/UPDATE/UPSERT would require ALL because Sentry doesn't have fine grained privilege actions for those types yet (work is planned though).
> So Impala can do this work, probably without much effort, but the question is whether or not it makes sense to implement this short-term solution in the context of the mid-to-longer term Kudu, Sentry, and Impala authorization plans. Kudu is currently figuring out what their authorization story will look like. Sentry is also poised for some large upcoming changes.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)