Kudu security limitations

Here are some limitations related to data encryption and authorization in Kudu.

  • Data encryption at rest is not directly built into Kudu. Encryption of Kudu data at rest can be achieved through the use of local block device encryption software such as dmcrypt.

  • Row-level authorization is not available.

  • Kudu uses an internal PKI system to issue X.509 certificates to servers in the cluster. As a result you cannot run Kudu with public IPs.

  • Server certificates generated by Kudu IPKI are incompatible with bouncycastle version 1.52 and earlier.

  • When you are creating a new Kudu service using the Ranger web UI, the Test Connection button is displayed. However, the TestConnection tab is not implemented in the Kudu Ranger plugin. As a result if you try to use it with Kudu it will fails, but that does not mean that the service is not working.