[ https://issues.apache.org/jira/browse/KUDU-3077?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andrew Wong updated KUDU-3077:
------------------------------
Component/s: security
client
> Have client scanners prune the default projection based on the contents of
> their authz tokens
> ---------------------------------------------------------------------------------------------
>
> Key: KUDU-3077
> URL: https://issues.apache.org/jira/browse/KUDU-3077
> Project: Kudu
> Issue Type: Improvement
> Components: client, security
> Reporter: Andrew Wong
> Priority: Major
>
> Today, if a scan is sent that contains a column that, per the sender's authz
> token, the sender isn't authorized to see, the entire scan is rejected. This
> is all well and good, but users may not be privy to what columns they are or
> aren't allowed to scan. So, when the default projection is used (which scans
> all columns), the scan is bound to be rejected if there are any privilege
> restrictions.
> It'd be significantly more user-friendly if clients opaquely pruned the
> default projection of unauthorized columns so that (assuming the authz token
> is valid) default scans always succeed with just the columns the user is
> authorized to see.
> Special care should be taken if the user has no column privileges, though;
> passing an empty projection is taken to return the count of rows (which
> requires the same privileges as {{COUNT(*)}}, which requires the same
> privileges as {{SELECT(*)}}, i.e. {{SELECT ON TABLE}}) rather than an empty
> set of rows. In such a case, clients should probably fail immediately, since
> there are no table privileges and no column privileges in the authz token, so
> any scan would be bound to fail.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
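The following is an added Python model of the client-side behaviour proposed in the issue above (pruning the default projection to authorized columns, and failing fast when the token carries no table-level and no column-level scan privilege, since an empty projection would be interpreted as a row count). It is not code from the Kudu client or the project. The token shape, a table-wide scan privilege plus a map of column ID to column privilege, loosely follows the TablePrivilegePB that Kudu embeds in authz tokens, but all class and function names here are assumptions made for this example, and the sample schema and tokens are constructed.

```python
"""Client-side pruning of the default scan projection using an authz token.

Illustration only: not the Kudu client's code. Class and function names are
assumptions for this example; the token layout loosely follows TablePrivilegePB.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


class ScanNotAuthorized(Exception):
    """Raised when a scan is certain to be rejected by the tablet server."""


@dataclass(frozen=True)
class ColumnPrivilege:
    scan: bool = False


@dataclass
class TablePrivilege:
    table_id: str
    scan: bool = False  # SELECT ON TABLE: covers every column
    column_privileges: Dict[int, ColumnPrivilege] = field(default_factory=dict)

    def can_scan_column(self, column_id: int) -> bool:
        """Table-wide scan privilege or an explicit per-column grant."""
        return self.scan or self.column_privileges.get(
            column_id, ColumnPrivilege()).scan


Schema = List[Tuple[int, str]]  # (column id, column name)


def prune_default_projection(schema: Schema, token: TablePrivilege) -> List[str]:
    """Default projection (caller asked for all columns): keep only what the
    token authorizes. Fail immediately if that leaves nothing, because an empty
    projection means COUNT(*) and would need SELECT ON TABLE, so any scan
    built from this token is bound to be rejected."""
    allowed = [name for cid, name in schema if token.can_scan_column(cid)]
    if not allowed:
        raise ScanNotAuthorized(
            f"authz token for table {token.table_id} grants no scan privileges")
    return allowed


def check_explicit_projection(schema: Schema, token: TablePrivilege,
                              requested: List[str]) -> List[str]:
    """Model of today's rule for an explicit projection: one unauthorized column
    rejects the whole scan, and an empty projection (row count) needs the
    table-level scan privilege."""
    by_name = {name: cid for cid, name in schema}
    if not requested:
        if not token.scan:
            raise ScanNotAuthorized(
                "empty projection (row count) requires SELECT ON TABLE")
        return []
    for name in requested:
        if name not in by_name:
            raise KeyError(f"unknown column {name!r}")
        if not token.can_scan_column(by_name[name]):
            raise ScanNotAuthorized(f"not authorized to scan column {name!r}")
    return list(requested)


def build_projection(schema: Schema, token: TablePrivilege,
                     requested: Optional[List[str]] = None) -> List[str]:
    """What a client would compute before sending the scan RPC."""
    if requested is None:
        return prune_default_projection(schema, token)
    return check_explicit_projection(schema, token, requested)


def scan_would_succeed(schema: Schema, token: TablePrivilege,
                       requested: Optional[List[str]] = None) -> bool:
    """True if the projection can be sent without certain rejection."""
    try:
        build_projection(schema, token, requested)
        return True
    except ScanNotAuthorized:
        return False


# Constructed sample data: a four-column table and three tokens of varying scope.
SCHEMA: Schema = [(0, "id"), (1, "name"), (2, "ssn"), (3, "salary")]
TOKEN_TABLE = TablePrivilege("t1", scan=True)
TOKEN_COLS = TablePrivilege("t1", column_privileges={
    0: ColumnPrivilege(True), 1: ColumnPrivilege(True)})
TOKEN_NONE = TablePrivilege("t1")

if __name__ == "__main__":
    print(build_projection(SCHEMA, TOKEN_TABLE))  # every column
    print(build_projection(SCHEMA, TOKEN_COLS))   # pruned to id, name
    print(scan_would_succeed(SCHEMA, TOKEN_NONE))  # False: fail fast
```

The pruning is only a convenience on the client side; the tablet server still enforces the token, so a client that skips the prune simply gets the rejection the issue describes, and a token with no privileges at all is refused before any RPC is sent.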