Ranger client caching
Ranger provides client side cache that use privileges and can periodically poll the privilege store for any changes. When a change is detected, the cache is automatically updated.
Update the ranger.plugin.kudu.policy.pollIntervalMs property specified in
ranger-kudu-security.xml to set how often the Ranger client cache refreshes the
privileges from the Ranger service.
Policy for Kudu masters
The following authorization policy is enforced by Kudu masters:
| Operation | Required Privilege |
|---|---|
CreateTable |
CREATE ON DATABASE |
CreateTable with a different owner specified than the requesting
user |
ALL ON DATABASE with the Sentry GRANT
OPTION. |
DeleteTable |
DROP ON TABLE |
AlterTable (with no rename) |
ALTER ON TABLE |
AlterTable (with rename) |
ALL ON TABLE <old-table> and CREATE ON DATABASE
<new-database> |
IsCreateTableDone |
METADATA ON TABLE |
IsAlterTableDone |
METADATA ON TABLE |
ListTables |
METADATA ON TABLE |
GetTableLocations |
METADATA ON TABLE |
GetTableSchema |
METADATA ON TABLE |
GetTabletLocations |
METADATA ON TABLE |
Policy for Kudu tablet servers
The following authorization policy is enforced by Kudu tablet servers:
| Operation | Required Privilege |
|---|---|
Scan |
|
Scan (no projected columns, equivalent to
COUNT(*)) |
|
Scan (with virtual columns) |
|
Scan (in ORDERED mode) |
<privileges required for a Scan> and SELECT ON
COLUMN for each primary key column |
Insert |
INSERT ON TABLE |
Update |
UPDATE ON TABLE |
Upsert |
INSERT ON TABLE and UPDATE ON TABLE |
Delete |
DELETE ON TABLE |
SplitKeyRange |
SELECT ON COLUMN for each primary key column and SELECT ON
COLUMNfor each projected column |
Checksum |
User must be configured in --superuser_acl |
ListTablets |
User must be configured in --superuser_acl |
