This is an automated email from the ASF dual-hosted git repository.

laiyingchun pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-pegasus.git


The following commit(s) were added to refs/heads/master by this push:
     new ce0af37c1 feat(Ranger): Use Apache Ranger for ACL when replica 
master-slave learn (#1445)
ce0af37c1 is described below

commit ce0af37c15c337e86099afee34bd7cca2623c121
Author: WHBANG <[email protected]>
AuthorDate: Thu Apr 20 10:46:01 2023 +0800

    feat(Ranger): Use Apache Ranger for ACL when replica master-slave learn 
(#1445)
    
    https://github.com/apache/incubator-pegasus/issues/1054
    
    This patch adds an ACL check to the learn action of the replica.
    
    1. specifically, regard learn as a write action, and use the Ranger
        policy to determine whether the master-slave can learn.
---
 src/replica/replica_stub.cpp | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/replica/replica_stub.cpp b/src/replica/replica_stub.cpp
index 3b3c35e4c..5fc7bf439 100644
--- a/src/replica/replica_stub.cpp
+++ b/src/replica/replica_stub.cpp
@@ -72,6 +72,7 @@
 #include "replica_disk_migrator.h"
 #include "replica_stub.h"
 #include "runtime/api_layer1.h"
+#include "runtime/ranger/access_type.h"
 #include "runtime/rpc/rpc_message.h"
 #include "runtime/rpc/serialization.h"
 #include "runtime/security/access_controller.h"
@@ -1310,14 +1311,19 @@ void replica_stub::on_group_check(group_check_rpc rpc)
 
 void replica_stub::on_learn(dsn::message_ex *msg)
 {
+    learn_response response;
     learn_request request;
     ::dsn::unmarshall(msg, request);
 
     replica_ptr rep = get_replica(request.pid);
     if (rep != nullptr) {
+        if (!rep->access_controller_allowed(msg, ranger::access_type::kWrite)) 
{
+            response.err = ERR_ACL_DENY;
+            reply(msg, response);
+            return;
+        }
         rep->on_learn(msg, request);
     } else {
-        learn_response response;
         response.err = ERR_OBJECT_NOT_FOUND;
         reply(msg, response);
     }
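Review bot: The `ranger::access_type::kWrite` argument in the new `access_controller_allowed` check carries no comment, so the reason learn is authorized as a write action is recorded only in the commit message. A line such as `// Learn is authorized as a write action; the Ranger policy decides whether this peer may learn.` above the `if` would keep that decision next to the code. The deny branch replies `ERR_ACL_DENY` with no log statement in this hunk, so unless `access_controller_allowed` logs internally (not visible here), a rejected learn leaves no trace for operators. One warning line naming `request.pid` and the sender, written with the logging macro this file already uses, would cover that. The closing brace of `on_learn` lies outside the hunk.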

