[jira] [Commented] (IMPALA-11098) regular user which want to create kudu table using impala need unnecessary access on ranger

Thu, 14 Apr 2022 01:26:06 -0700 


    [ 
https://issues.apache.org/jira/browse/IMPALA-11098?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17522155#comment-17522155
 ] 

Tamas Mate commented on IMPALA-11098:
-------------------------------------

[~duanjinnan], the snippet you linked referring to a Hive - Impala 
interoperability code part. I it is there because Hive does not support 
{{SERVER}} as a resource with privileges, therefore Impala works this around by 
giving {{ALL}} privileges to DB/TABLE/COLUMN. This should only happen when 
privileges are administered on a {{SERVER}} level.
 
It is possible to grant fine grained privileges with Impala/Hive:
https://blog.cloudera.com/fine-grained-authorization-with-apache-kudu-and-impala/
https://blog.cloudera.com/fine-grained-authorization-with-apache-kudu-and-apache-ranger/

Please let me know if this answers your question.

> regular user which want to create kudu table using impala need unnecessary 
> access on ranger
> -------------------------------------------------------------------------------------------
>
>                 Key: IMPALA-11098
>                 URL: https://issues.apache.org/jira/browse/IMPALA-11098
>             Project: IMPALA
>          Issue Type: Question
>          Components: Frontend
>    Affects Versions: Impala 3.4.0
>            Reporter: duanjinnan
>            Priority: Blocker
>         Attachments: Snipaste_2022-01-29_11-40-08.png
>
>
> With kerberos and ranger on for authentication and acl to impala, creating 
> kudu table using impala  by  a regular user will need "all access to all 
> resource sets" (quoted from comments from impala source code) on ranger for 
> this regular user. i think i have found the related implementation in impala 
> source code, as shown in the pic attached.
>  
> Since impala and hive share the same set of policies on ranger, this 
> implementation will need us to give a regular user all access to all reources 
> of hive, but the user just need to create a kudu table using impala.
>  
> my question is this:
> is the implemetation reasonable, do we need to improve it?
> or am i wrong with something?
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscr...@impala.apache.org
For additional commands, e-mail: issues-all-h...@impala.apache.org

Reply via email to