Ranger policies for Kudu
There are two Kudu related Ranger policies which are applied based on how you are accessing Kudu.
There are two resource-based services in Ranger that are used in relation to Kudu:
cm_kudu
and Hadoop SQL
.
The Kudu service and its connected clients, such as Spark, native C++, and Java clients, use
the cm_kudu
resource-based service.
The Hadoop SQL
resource-based service is used by Hive and Impala when Kudu is
accessed through them.
When Kudu is accessed by Impala, the Impala service performs actions as the
impala
user in Kudu. The impala
user is set as a trusted user
in Kudu, meaning that privilege checks are completely bypassed and the impala user is granted
full access. As a result, the cm_kudu
resource-based service is not applied,
only the Hadoop SQL
resource-based service is used to check for permission and
privileges.
As a result, when you are accessing Kudu through Hive or Impala, you must ensure that all
applicable permission and privileges are configured in the Hadoop SQL
resource-based service.