Andrew Wong has posted comments on this change. ( http://gerrit.cloudera.org:8080/15436 )
Change subject: [ranger] fix incorrect authz enforcement in Ranger authz provider ...................................................................... Patch Set 3: (1 comment) http://gerrit.cloudera.org:8080/#/c/15436/1/src/kudu/ranger/ranger_client.h File src/kudu/ranger/ranger_client.h: http://gerrit.cloudera.org:8080/#/c/15436/1/src/kudu/ranger/ranger_client.h@57 PS1, Line 57: enum Scope { > Yeah, in the Ranger context, this is what we want. Other Ranger integrated Isn't that a huge departure from users who are used to Sentry? Does that mean that policy migrations will have to expand all DATABASE into TABLE and COLUMN privileges? That seems extremely user unfriendly. Also if that's the case, I don't see how we can have a consistent policy with authz tokens. For instance, if I have SELECT ON TABLE, what columns should I be able to see? Doesn't the SELECT ON TABLE imply SELECT ON COLUMN for all of my columns? And if so, shouldn't SELECT ON DATABASE imply that too? -- To view, visit http://gerrit.cloudera.org:8080/15436 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: kudu Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I267aabc5f224ee7ceeffd6187785595dd6f16487 Gerrit-Change-Number: 15436 Gerrit-PatchSet: 3 Gerrit-Owner: Hao Hao <[email protected]> Gerrit-Reviewer: Adar Dembo <[email protected]> Gerrit-Reviewer: Andrew Wong <[email protected]> Gerrit-Reviewer: Attila Bukor <[email protected]> Gerrit-Reviewer: Hao Hao <[email protected]> Gerrit-Reviewer: Kudu Jenkins (120) Gerrit-Comment-Date: Sun, 15 Mar 2020 01:58:20 +0000 Gerrit-HasComments: Yes
