impala-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Matthew Jacobs (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (IMPALA-5489) Improve Sentry authorization for Kudu tables
Date Wed, 26 Jul 2017 13:24:00 GMT

     [ https://issues.apache.org/jira/browse/IMPALA-5489?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Matthew Jacobs resolved IMPALA-5489.
------------------------------------
       Resolution: Fixed
    Fix Version/s: Impala 2.10.0

1aa3a5c616ec058ab50e2185472beb9aff306b1e

> Improve Sentry authorization for Kudu tables
> --------------------------------------------
>
>                 Key: IMPALA-5489
>                 URL: https://issues.apache.org/jira/browse/IMPALA-5489
>             Project: IMPALA
>          Issue Type: New Feature
>          Components: Frontend
>    Affects Versions: Impala 2.8.0
>            Reporter: Matthew Jacobs
>            Assignee: Matthew Jacobs
>              Labels: authorization, kudu, security, sentry
>             Fix For: Impala 2.10.0
>
>
> In IMPALA-4000 we added basic authorization support for Kudu tables, but it had several
limitations:
> * Only the ALL privilege level can be granted to Kudu tables.
>   (Finer-grained levels such as only SELECT or only INSERT are not supported.)
> * Column level permissions on Kudu tables are not supported.
> * Only users with ALL privileges on SERVER may create external Kudu tables.
> It looks like we could make the following work:
> * Allow column-level permissions
> * Allow fine grained privileges SELECT and INSERT for those statement types.
> However, DELETE/UPDATE/UPSERT would require ALL because Sentry doesn't have fine grained
privilege actions for those types yet (work is planned though).
> So Impala can do this work, probably without much effort, but the question is whether
or not it makes sense to implement this short-term solution in the context of the mid-to-longer
term Kudu, Sentry, and Impala authorization plans. Kudu is currently figuring out what their
authorization story will look like. Sentry is also poised for some large upcoming changes.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Mime
View raw message