[ 
https://issues.apache.org/jira/browse/KUDU-2865?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17125046#comment-17125046
 ] 

Grant Henke commented on KUDU-2865:
-----------------------------------

Has this changed at all as a result of the Ranger integration? 

> Relax the requirements to get an authorization token
> ----------------------------------------------------
>
>                 Key: KUDU-2865
>                 URL: https://issues.apache.org/jira/browse/KUDU-2865
>             Project: Kudu
>          Issue Type: Improvement
>          Components: authz
>    Affects Versions: 1.10.0
>            Reporter: Andrew Wong
>            Priority: Major
>
> Currently in order to do any DML with Kudu, a user must have any (i.e. 
> "METADATA") privilege on a table so the user can get an authorization token. 
> This is because authz token generation is piggy-backed on the GetTableSchema 
> endpoint, which does all-or-nothing authorization for the table.
> This isn't a great user experience, e.g. if a user only has column-level 
> privileges. Unless such a user _also_ had a table-level privilege (e.g. 
> insert privileges on the table), the user would be unable to scan the columns 
> through direct Kudu APIs. We should consider perhaps modifying the 
> GetTableSchema endpoint to return only the sub-schema and the privileges for 
> which the user has column-level privileges or higher.
> This user experience would be closer to what is supported by Apache Impala.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
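
The all-or-nothing check described in the issue, next to the proposed sub-schema response, as an added sketch that is not part of the Jira thread and is not Kudu's code. The `Grants` type, the function names, the token layout and the three-column schema are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

SCHEMA = ["id", "name", "ssn"]  # constructed sample table schema

class NotAuthorized(Exception):
    pass

@dataclass
class Grants:  # hypothetical model of one user's privileges on one table
    table: set = field(default_factory=set)      # e.g. {"INSERT"}
    columns: dict = field(default_factory=dict)  # column name -> set of privileges

def _token(grants, visible):
    # The token carries only privileges the user holds, scoped to visible columns.
    cols = {c: sorted(grants.columns[c]) for c in visible if grants.columns.get(c)}
    return {"table": sorted(grants.table), "columns": cols}

def get_schema_all_or_nothing(grants):
    # Behaviour described in the issue: any table-level privilege, or nothing.
    if not grants.table:
        raise NotAuthorized("no table-level privilege")
    return {"schema": list(SCHEMA), "token": _token(grants, SCHEMA)}

def get_schema_relaxed(grants):
    # Proposed behaviour: return only the sub-schema the user is entitled to see.
    if grants.table:
        visible = list(SCHEMA)  # a table-level privilege covers every column
    else:
        visible = [c for c in SCHEMA if grants.columns.get(c)]
    if not visible:
        raise NotAuthorized("no privilege on the table or any column")
    return {"schema": visible, "token": _token(grants, visible)}

def is_denied(endpoint, grants):
    # True when the endpoint refuses to hand out a schema and token.
    try:
        endpoint(grants)
    except NotAuthorized:
        return True
    return False

column_only = Grants(columns={"id": {"SELECT"}, "name": {"SELECT"}})  # constructed
table_level = Grants(table={"INSERT"})                                # constructed
```

In this model the column-only user is refused by the first function and receives `id` and `name` from the second, while the name of the ungranted `ssn` column never leaves the server.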
