Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

Kudu-impala security

Labels:
avatar
author-rank Pavel_kostyukov
Explorer

Created ‎12-07-2020 02:41 AM

Hi, community!

I am exploring Kudu - Impala interaction and I can't find a good way to secure kudu table from impala.

 

Let's say, I have Kudu table "test" created from CLI. Then, I login into impala-shell with user "u1", which have an access to database "db1" and create table in this database like this:

CREATE EXTERNAL TABLE db1.test_kudu1 STORED AS kudu TBLPROPERTIES ('kudu.table_name' = 'test');

I logout from "u1" user and login as "u2" user which does not have access to database db1, but do have access to database "db2" and this user create table in the "db2" database same way "u1" created table db1.test_kudu1:

 

CREATE EXTERNAL TABLE db2.test_kudu2 STORED AS kudu TBLPROPERTIES ('kudu.table_name' = 'test');

 

Now, both users have access to kudu table "test", they both can modify this table, delete and insert data. Is there any way to avoid such insecurity with kudu tables?

 

It seems like if we gain access to kudu tables to impala service user, any impala user that have access to creation tables in any database can create table above kudu table and then modify it. Is it really true?

1,029 Views
0 Kudos
1 REPLY 1

avatar
author-rank Tim Armstrong author-rank
Guru

Created ‎12-07-2020 09:17 AM

These are good questions that come up frequently.

 

https://docs.cloudera.com/runtime/7.2.2/administering-kudu/topics/kudu-security-trusted-users.html discusses the issue. In summary, Hive/Impala tables (i.e. those with entries in the Hive Metastore) are authorized in the same way, regardless of whether backing storage is HDFS, S3, Kudu, HBase, etc - the SQL interface does the authorization to confirm that the end user has access to the table, columns, etc, then the service accesses the storage as the privileged user (Impala in this case).

 

In this model, if you create an external Kudu table in Impala and give permissions to a user to access the table via Impala, then they will have permissions to access the data in the underlying Kudu table.

The thing that closes the loophole here is that creating the external Kudu table requires very high privileges - ALL permission on SERVER - a regular user can't create an external Kudu table pointed at an arbitrary Kudu cluster or table.

1,007 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements