[
https://issues.apache.org/jira/browse/KUDU-2542?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Dan Burkert updated KUDU-2542:
------------------------------
Description:
As part of the Sentry integration, it will be necessary to flesh out the
[AuthzTokenPB|https://github.com/apache/kudu/blob/master/src/kudu/security/token.proto#L28]
structure with relevant fields:
# The ID of the table which the token applies to
# The username which the attached privileges belong to
# The privileges
Sentry has its own privilege format
[TSentryPrivilege|https://github.com/apache/sentry/blob/master/sentry-service/sentry-service-api/src/main/resources/sentry_policy_service.thrift#L47-L58],
but we'll probably want to convert this into our own internal Protobuf-based
format, for the following reasons:
# The tokens will be used in the tablet servers to authorize client actions.
Currently tablet servers don't use or link to Thrift libraries.
# The Sentry privilege structure references columns by name, whereas we will
need to reference columns by ID in order to be robust to columns being renamed.
# Having our own format will make it easier to drop in alternate authorization
providers in the future.
was:
As part of the Sentry integration, it will be necessary to flesh out the
[AuthzTokenPB|https://github.com/apache/kudu/blob/master/src/kudu/security/token.proto#L28]
structure with relevant fields:
# The ID of the table which the token applies to
# The username which the attached privileges belong to
# The privileges
Sentry has its own privilege format
[TSentryPrivilege|[https://github.com/apache/sentry/blob/master/sentry-service/sentry-service-api/src/main/resources/sentry_policy_service.thrift#L47-L58|https://github.com/apache/sentry/blob/master/sentry-service/sentry-service-api/src/main/resources/sentry_policy_service.thrift#L47-L58])]],
but we'll probably want to convert this into our own internal Protobuf-based
format, for the following reasons:
# The tokens will be used in the tablet servers to authorize client actions.
Currently tablet servers don't use or link to Thrift libraries.
# The Sentry privilege structure references columns by name, whereas we will
need to reference columns by ID in order to be robust to columns being renamed.
# Having our own format will make it easier to drop in alternate authorization
providers in the future.
> Fill-out AuthzToken definition
> ------------------------------
>
> Key: KUDU-2542
> URL: https://issues.apache.org/jira/browse/KUDU-2542
> Project: Kudu
> Issue Type: Sub-task
> Components: security
> Affects Versions: 1.8.0
> Reporter: Dan Burkert
> Priority: Major
>
> As part of the Sentry integration, it will be necessary to flesh out the
> [AuthzTokenPB|https://github.com/apache/kudu/blob/master/src/kudu/security/token.proto#L28]
> structure with relevant fields:
> # The ID of the table which the token applies to
> # The username which the attached privileges belong to
> # The privileges
> Sentry has its own privilege format
> [TSentryPrivilege|https://github.com/apache/sentry/blob/master/sentry-service/sentry-service-api/src/main/resources/sentry_policy_service.thrift#L47-L58],
> but we'll probably want to convert this into our own internal Protobuf-based
> format, for the following reasons:
> # The tokens will be used in the tablet servers to authorize client actions.
> Currently tablet servers don't use or link to Thrift libraries.
> # The Sentry privilege structure references columns by name, whereas we will
> need to reference columns by ID in order to be robust to columns being
> renamed.
> # Having our own format will make it easier to drop in alternate
> authorization providers in the future.
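
The second reason in the description (column IDs instead of names) can be shown with a small sketch. This is an added example, not code from Kudu or Sentry: every type, field and function name below is hypothetical, and the table, column and action strings are constructed sample values.

```cpp
#include <cstdint>
#include <map>
#include <set>
#include <string>
#include <vector>

// Hypothetical types for illustration; not Kudu's AuthzTokenPB or Sentry's TSentryPrivilege.
struct NamePrivilege { std::string table, column, action; };  // provider side, by name

struct AuthzToken {                                          // internal, ID-based form
  std::string table_id;                                      // table the token applies to
  std::string username;                                      // owner of the privileges
  std::set<std::string> table_actions;                       // table-wide actions
  std::map<int32_t, std::set<std::string>> column_actions;   // column ID -> actions
};

struct Schema {
  std::string table_id, table_name;
  std::map<std::string, int32_t> column_ids;                 // current name -> stable ID
};

// Resolve names to IDs once, when the token is issued. Privileges that name
// another table or an unknown column are dropped, so the result fails closed.
AuthzToken IssueToken(const Schema& s, const std::string& user,
                      const std::vector<NamePrivilege>& privs) {
  AuthzToken t{s.table_id, user, {}, {}};
  for (const auto& p : privs) {
    if (p.table != s.table_name) continue;
    if (p.column.empty()) { t.table_actions.insert(p.action); continue; }
    auto it = s.column_ids.find(p.column);
    if (it != s.column_ids.end()) t.column_actions[it->second].insert(p.action);
  }
  return t;
}

// Check as a tablet server would run it: only IDs, no names, no provider types.
bool Authorized(const AuthzToken& t, const std::string& table_id, int32_t col_id,
                const std::string& action) {
  if (t.table_id != table_id) return false;
  if (t.table_actions.count(action) > 0) return true;
  auto it = t.column_actions.find(col_id);
  return it != t.column_actions.end() && it->second.count(action) > 0;
}

// A token issued before a rename still authorizes the same column afterwards.
bool SurvivesRename() {
  Schema s{"t-1", "metrics", {{"host", 0}, {"value", 1}}};   // constructed sample schema
  AuthzToken t = IssueToken(s, "alice", {NamePrivilege{"metrics", "host", "SELECT"}});
  s.column_ids.erase("host");
  s.column_ids["hostname"] = 0;                              // rename: same ID, new name
  return Authorized(t, s.table_id, 0, "SELECT") && !Authorized(t, s.table_id, 1, "SELECT");
}
```
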