You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@kudu.apache.org by "Grant Henke (Jira)" <ji...@apache.org> on 2020/06/03 15:19:00 UTC

[jira] [Commented] (KUDU-2865) Relax the requirements to get an authorization token

    [ https://issues.apache.org/jira/browse/KUDU-2865?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17125046#comment-17125046 ] 

Grant Henke commented on KUDU-2865:
-----------------------------------

Has this changed at all as a result of the Ranger integration? 

> Relax the requirements to get an authorization token
> ----------------------------------------------------
>
>                 Key: KUDU-2865
>                 URL: https://issues.apache.org/jira/browse/KUDU-2865
>             Project: Kudu
>          Issue Type: Improvement
>          Components: authz
>    Affects Versions: 1.10.0
>            Reporter: Andrew Wong
>            Priority: Major
>
> Currently in order to do any DML with Kudu, a user must have any (i.e. "METADATA") privilege on a table so the user can get an authorization token. This is because authz token generation is piggy-backed on the GetTableSchema endpoint, which does all-or-nothing authorization for the table.
> This isn't a great user experience, e.g. if a user only has column-level privileges. Unless such a user _also_ had a table-level privilege (e.g. insert privileges on the table), the user would be unable to scan the columns through direct Kudu APIs. We should consider perhaps modifying the GetTableSchema endpoint to return only the sub-schema and the privileges for which the user has column-level privileges or higher.
> This user experience would be closer to what is supported by Apache Impala.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)