impala-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Matthew Jacobs (JIRA)" <>
Subject [jira] [Resolved] (IMPALA-5489) Improve Sentry authorization for Kudu tables
Date Wed, 26 Jul 2017 13:24:00 GMT


Matthew Jacobs resolved IMPALA-5489.
       Resolution: Fixed
    Fix Version/s: Impala 2.10.0


> Improve Sentry authorization for Kudu tables
> --------------------------------------------
>                 Key: IMPALA-5489
>                 URL:
>             Project: IMPALA
>          Issue Type: New Feature
>          Components: Frontend
>    Affects Versions: Impala 2.8.0
>            Reporter: Matthew Jacobs
>            Assignee: Matthew Jacobs
>              Labels: authorization, kudu, security, sentry
>             Fix For: Impala 2.10.0
> In IMPALA-4000 we added basic authorization support for Kudu tables, but it had several
> * Only the ALL privilege level can be granted to Kudu tables.
>   (Finer-grained levels such as only SELECT or only INSERT are not supported.)
> * Column level permissions on Kudu tables are not supported.
> * Only users with ALL privileges on SERVER may create external Kudu tables.
> It looks like we could make the following work:
> * Allow column-level permissions
> * Allow fine grained privileges SELECT and INSERT for those statement types.
> However, DELETE/UPDATE/UPSERT would require ALL because Sentry doesn't have fine grained
privilege actions for those types yet (work is planned though).
> So Impala can do this work, probably without much effort, but the question is whether
or not it makes sense to implement this short-term solution in the context of the mid-to-longer
term Kudu, Sentry, and Impala authorization plans. Kudu is currently figuring out what their
authorization story will look like. Sentry is also poised for some large upcoming changes.

This message was sent by Atlassian JIRA

View raw message