Restricting Global Table Catalog Metadata Refreshes

By default Arcadia bypasses Sentry’s Server level authorization invalidating table metadata (i.e. INVALIDATE METADATA), which allows privledged users to easily clear Arcadia’s Catalog metadata quickly by clicking the “Refresh” button at the top of the Data page when you click “Connection Explorer”:

12%20PM

In busier environments it is not best practice to allow a global metadata refresh as this can lead to queries slowing down for all of users and also exacerbate the metadata loading process that can occur while trying to match Analytical Views to running queries. To restrict this setting once again, you can add this flag to this setting to the Arcadia Analytics Engine Advanced Configuration Snippet (Safety Valve) for flagfile in Cloudera Manager, or in the Optional parameters for Arcadia Analytic Engine box in Ambari:

--restrict_invalidate_metadata=true

Cloudera Manager config:

Ambari config:

NOTE: Adding this setting will not hide the “Refresh” button. It will only stop bypassing Sentry authorization for users trying to run ‘INVALIDATE METADATA’ which is a Server level permission. In other words, if users have this Server level permission, they will still be able to run the command by clicking the “Refresh” button. However, if they only have table or database level privileges, then they can only click the “Refresh” button next to the tables in the Connection Explorer and have it work successfully. Clicking the “Refresh” button here is the equivalent of running something like this - INVALIDATE METADATA default.superstore_sales

1 Like