Ranger policies for Kudu

There are two Kudu related Ranger policies which are applied based on how you are accessing Kudu.

There are two resource-based services in Ranger that are used in relation to Kudu: cm_kudu and Hadoop SQL.

The Kudu service and its connected clients, such as Spark, native C++, and Java clients, use the cm_kudu resource-based service.

The Hadoop SQL resource-based service is used by Hive and Impala when Kudu is accessed through them.

When Kudu is accessed by Impala, the Impala service performs actions as the impala user in Kudu. The impala user is set as a trusted user in Kudu, meaning that privilege checks are completely bypassed and the impala user is granted full access. As a result, the cm_kudu resource-based service is not applied, only the Hadoop SQL resource-based service is used to check for permission and privileges.

As a result, when you are accessing Kudu through Hive or Impala, you must ensure that all applicable permission and privileges are configured in the Hadoop SQL resource-based service.