KUDU-3077

Have client scanners prune the default projection based on the contents of their authz tokens


Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Components: client, security

    Description

      Today, if a scan is sent that contains a column that, per the sender's authz token, the sender isn't authorized to see, the entire scan is rejected. This is all well and good, but users may not be privy to which columns they are or aren't allowed to scan. So, when the default projection is used (which scans all columns), the scan is bound to be rejected if there are any column-level privilege restrictions.

      It'd be significantly more user-friendly if clients transparently pruned the default projection of unauthorized columns, so that (assuming the authz token is valid) default scans always succeed and return just the columns the user is authorized to see.

      Special care should be taken if the user has no column privileges, though: passing an empty projection is taken to return the count of rows (which requires the same privileges as COUNT, which requires the same privileges as SELECT, i.e. SELECT ON TABLE) rather than an empty set of rows. In such a case, clients should probably fail immediately, since there are no table privileges and no column privileges in the authz token, so any scan would be bound to fail.
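      The behaviour described above, as an added illustration that is not part of this ticket or of Kudu's client code. It models the proposal with a simplified token (the `AuthzToken`, `prune_default_projection` and `server_authorizes` names and the table-scan/column-scan split are assumptions, not Kudu's real token layout): the default projection is pruned to the columns the token covers, an explicit projection is sent as-is for the server to reject or accept, and a token with neither table nor column privileges fails on the client before anything is sent, because the empty projection it would produce means "count rows" and needs the table-level privilege.

```python
"""Constructed model of client-side projection pruning against an authz token.
Not Kudu's code: the token is a simplification of the real one."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class ScanNotAuthorized(Exception):
    """Raised client-side when no projection could be authorized by this token."""


@dataclass
class AuthzToken:
    # Assumed simplified layout: a table-level scan privilege covers every
    # column; otherwise per-column scan privileges decide.
    table_scan: bool = False
    column_scan: Dict[str, bool] = field(default_factory=dict)

    def may_scan(self, column: str) -> bool:
        return self.table_scan or self.column_scan.get(column, False)


def prune_default_projection(schema: List[str], token: AuthzToken,
                             projection: Optional[List[str]] = None) -> List[str]:
    """Return the projection the client should send to the server.

    - An explicit projection is sent untouched: the user asked for exactly
      those columns, and the server rejects the scan if the token lacks any.
    - The default projection (None) is pruned to the columns the token allows.
    - If pruning leaves nothing and the token has no table privilege, the scan
      cannot succeed (an empty projection is a row count, which needs the
      table-level privilege), so fail immediately instead of sending it.
    """
    if projection is not None:
        return list(projection)
    allowed = [c for c in schema if token.may_scan(c)]
    if not allowed and not token.table_scan:
        raise ScanNotAuthorized("token carries no table or column privileges")
    return allowed


def server_authorizes(projection: List[str], token: AuthzToken) -> bool:
    """Mimic the server-side check: every projected column must be covered by
    the token; an empty projection is a row count and needs table privilege."""
    if not projection:
        return token.table_scan
    return all(token.may_scan(c) for c in projection)


# Constructed sample: a three-column table and a token covering two columns.
SCHEMA = ["id", "name", "ssn"]
COLUMN_TOKEN = AuthzToken(column_scan={"id": True, "name": True})

if __name__ == "__main__":
    pruned = prune_default_projection(SCHEMA, COLUMN_TOKEN)
    print("default scan sends:", pruned, "->", server_authorizes(pruned, COLUMN_TOKEN))
    print("unpruned default scan ->", server_authorizes(SCHEMA, COLUMN_TOKEN))
```

      Note that the pruning only changes what the client sends; the server's own check is unchanged, which is why an explicit projection naming an unauthorized column is still rejected exactly as today.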

      People

        Assignee: Unassigned
        Reporter: Andrew Wong (awong)