[ https://issues.apache.org/jira/browse/KUDU-3077?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andrew Wong updated KUDU-3077:
------------------------------
    Component/s: security
                 client

> Have client scanners prune the default projection based on the contents of
> their authz tokens
> ---------------------------------------------------------------------------------------------
>
>                 Key: KUDU-3077
>                 URL: https://issues.apache.org/jira/browse/KUDU-3077
>             Project: Kudu
>          Issue Type: Improvement
>          Components: client, security
>            Reporter: Andrew Wong
>            Priority: Major
>
> Today, if a scan is sent that contains a column that, per the sender's authz
> token, the sender isn't authorized to see, the entire scan is rejected. This
> is all well and good, but users may not be privy to what columns they are or
> aren't allowed to scan. So, when the default projection is used (which scans
> all columns), the scan is bound to be rejected if there are any privilege
> restrictions.
> It'd be significantly more user-friendly if clients opaquely pruned the
> default projection of unauthorized columns so that (assuming the authz token
> is valid) default scans always succeed with just the columns the user is
> authorized to see.
> Special care should be taken for if the user has no column privileges though;
> passing an empty projection is taken to return the count of rows (which
> requires the same privileges as {{COUNT(*)}} which requires the same
> privileges as {{SELECT(*)}}, i.e. {{SELECT ON TABLE}}) rather than an empty
> set of rows. In such a case, clients should probably fail immediately, since
> there are no table privileges and no column privileges in the authz token so
> any scan would be bound to fail.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
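The pruning rule and the empty-projection edge case described in the issue, as an added sketch that is not part of the original message and is not Kudu client code. `TokenPrivileges`, `ServerAccepts` and `PruneDefaultProjection` are hypothetical names, and the token is modeled as a table-level scan flag plus a set of scannable column names.

```cpp
#include <iostream>
#include <set>
#include <string>
#include <vector>

// Hypothetical, simplified view of the privileges carried in an authz token.
struct TokenPrivileges {
  bool scan_table = false;              // SELECT ON TABLE
  std::set<std::string> scan_columns;   // columns with a per-column scan privilege
};

// Models the check the issue describes: one unauthorized column rejects the
// whole scan, and an empty projection is a row count needing table-level scan.
bool ServerAccepts(const std::vector<std::string>& projection,
                   const TokenPrivileges& privs) {
  if (privs.scan_table) return true;
  if (projection.empty()) return false;
  for (const auto& col : projection) {
    if (!privs.scan_columns.count(col)) return false;
  }
  return true;
}

// Builds the projection a default scan should send. Returns false when the
// token grants nothing, so the caller fails fast instead of sending an empty
// projection that the server would treat as a row count.
bool PruneDefaultProjection(const std::vector<std::string>& schema_columns,
                            const TokenPrivileges& privs,
                            std::vector<std::string>* projection) {
  projection->clear();
  for (const auto& col : schema_columns) {  // schema order; stale token entries ignored
    if (privs.scan_table || privs.scan_columns.count(col)) projection->push_back(col);
  }
  return !projection->empty();
}

int main() {
  // Constructed sample schema and token.
  std::vector<std::string> schema = {"id", "name", "ssn"};
  TokenPrivileges privs;
  privs.scan_columns.insert("id");
  privs.scan_columns.insert("name");
  std::vector<std::string> projection;
  bool ok = PruneDefaultProjection(schema, privs, &projection);
  std::cout << "unpruned accepted: " << ServerAccepts(schema, privs)
            << ", pruned accepted: " << (ok && ServerAccepts(projection, privs)) << "\n";
  return 0;
}
```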