Andrew Wong created KUDU-3077:
---------------------------------
Summary: Have client scanners prune the default projection based
on the contents of their authz tokens
Key: KUDU-3077
URL: https://issues.apache.org/jira/browse/KUDU-3077
Project: Kudu
Issue Type: Improvement
Reporter: Andrew Wong
Today, if a scan is sent that contains a column that, per the sender's authz
token, the sender isn't authorized to see, the entire scan is rejected. This is
all well and good, but users may not be privy to what columns they are or
aren't allowed to scan. So, when the default projection is used (which scans
all columns), the scan is bound to be rejected if there are any privilege
restrictions.
It'd be significantly more user-friendly if clients opaquely pruned the default
projection of unauthorized columns so that (assuming the authz token is valid)
default scans always succeed with just the columns the user is authorized to
see.
Special care should be taken if the user has no column privileges though;
passing an empty projection is taken to return the count of rows (which
requires the same privileges as {{COUNT(*)}} which requires the same privileges
as {{SELECT(*)}}, i.e. {{SELECT ON TABLE}}) rather than an empty set of rows.
In such a case, clients should probably fail immediately, since there are no
table privileges and no column privileges in the authz token, so any scan would
be bound to fail.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
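The pruning rule proposed above, including the empty-projection edge case, as an added example that is not part of the issue or of Kudu's client code. It assumes a simplified, hypothetical model of the scan-related contents of an authz token (a table-wide scan privilege plus a set of scannable column names) and a `prune_projection` helper; real tokens are protobufs with more structure.

```python
"""Client-side pruning of the default projection from an authz token.

Added illustration, not Kudu code. TablePrivilege is a hypothetical
simplification of the per-table privileges a Kudu authz token carries.
"""
from dataclasses import dataclass


class UnauthorizedScanError(Exception):
    """Raised when no projection could possibly be authorized by the token."""


@dataclass(frozen=True)
class TablePrivilege:
    # Hypothetical model: SELECT ON TABLE (scan every column) and/or a set of
    # column-level scan privileges.
    scan_table: bool = False
    scan_columns: frozenset = frozenset()


def prune_projection(schema_columns, privilege, projection=None):
    """Return the columns the client should actually send in the scan.

    projection=None means the default projection (all columns): unauthorized
    columns are dropped so the scan succeeds with what the token allows.
    An explicit projection is returned unchanged, so the server still rejects
    it if it names an unauthorized column, exactly as today.
    """
    if projection is not None:
        return list(projection)
    if privilege.scan_table:
        return list(schema_columns)
    if not privilege.scan_columns:
        # An empty projection is interpreted as a row count, which needs
        # SELECT ON TABLE; the token has neither that nor any column privilege,
        # so fail fast instead of sending a scan that is bound to be rejected.
        raise UnauthorizedScanError(
            "authz token grants no table or column scan privileges")
    pruned = [c for c in schema_columns if c in privilege.scan_columns]
    if not pruned:
        # Column privileges exist but match nothing in this table's schema:
        # the result would again be an empty projection, so fail the same way.
        raise UnauthorizedScanError("no column of this table is authorized")
    return pruned
```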