[ https://issues.apache.org/jira/browse/KUDU-2865?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17125046#comment-17125046 ]
Grant Henke commented on KUDU-2865: ----------------------------------- Has this changed at all as a result of the Ranger integration? > Relax the requirements to get an authorization token > ---------------------------------------------------- > > Key: KUDU-2865 > URL: https://issues.apache.org/jira/browse/KUDU-2865 > Project: Kudu > Issue Type: Improvement > Components: authz > Affects Versions: 1.10.0 > Reporter: Andrew Wong > Priority: Major > > Currently in order to do any DML with Kudu, a user must have any (i.e. > "METADATA") privilege on a table so the user can get an authorization token. > This is because authz token generation is piggy-backed on the GetTableSchema > endpoint, which does all-or-nothing authorization for the table. > This isn't a great user experience, e.g. if a user only has column-level > privileges. Unless such a user _also_ had a table-level privilege (e.g. > insert privileges on the table), the user would be unable to scan the columns > through direct Kudu APIs. We should consider perhaps modifying the > GetTableSchema endpoint to return only the sub-schema and the privileges for > which the user has column-level privileges or higher. > This user experience would be closer to what is supported by Apache Impala. -- This message was sent by Atlassian Jira (v8.3.4#803005)