Andrew Wong created KUDU-2865:
---------------------------------
Summary: Relax the requirements to get an authorization token
Key: KUDU-2865
URL: https://issues.apache.org/jira/browse/KUDU-2865
Project: Kudu
Issue Type: Improvement
Components: authz
Affects Versions: 1.10.0
Reporter: Andrew Wong
Currently in order to do any DML with Kudu, a user must have any (i.e.
"METADATA") privilege on a table so the user can get an authorization token.
This is because authz token generation is piggy-backed on the GetTableSchema
endpoint, which does all-or-nothing authorization for the table.
This isn't a great user experience, e.g. if a user only has column-level
privileges. Unless such a user _also_ had a table-level privilege (e.g. insert
privileges on the table), the user would be unable to scan the columns through
direct Kudu APIs. We should consider perhaps modifying the GetTableSchema
endpoint to return only the sub-schema and the privileges for which the user
has column-level privileges or higher.
This user experience would be closer to what is supported by Apache Impala.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
