[ https://issues.apache.org/jira/browse/KUDU-2542?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dan Burkert updated KUDU-2542:
------------------------------
    Description:
As part of the Sentry integration, it will be necessary to flesh out the [AuthzTokenPB|https://github.com/apache/kudu/blob/master/src/kudu/security/token.proto#L28] structure with relevant fields:
# The ID of the table which the token applies to
# The username which the attached privileges belong to
# The privileges

Sentry has its own privilege format [TSentryPrivilege|[https://github.com/apache/sentry/blob/master/sentry-service/sentry-service-api/src/main/resources/sentry_policy_service.thrift#L47-L58]|https://github.com/apache/sentry/blob/master/sentry-service/sentry-service-api/src/main/resources/sentry_policy_service.thrift#L47-L58], but we'll probably want to convert this into our own internal Protobuf-based format, for the following reasons:
# The tokens will be used in the tablet servers to authorize client actions. Currently tablet servers don't use or link to Thrift libraries.
# The Sentry privilege structure references columns by name, whereas we will need to reference columns by ID in order to be robust to columns being renamed.
# Having our own format will make it easier to drop in alternate authorization providers in the future.

  was:
As part of the Sentry integration, it will be necessary to flesh out the [AuthzTokenPB|https://github.com/apache/kudu/blob/master/src/kudu/security/token.proto#L28] structure with relevant fields:
# The ID of the table which the token applies to
# The username which the attached privileges belong to
# The privileges

Sentry has its own privilege format [TSentryPrivilege|[https://github.com/apache/sentry/blob/master/sentry-service/sentry-service-api/src/main/resources/sentry_policy_service.thrift#L47-L58|https://github.com/apache/sentry/blob/master/sentry-service/sentry-service-api/src/main/resources/sentry_policy_service.thrift#L47-L58])]], but we'll probably want to convert this into our own internal Protobuf-based format, for the following reasons:
# The tokens will be used in the tablet servers to authorize client actions. Currently tablet servers don't use or link to Thrift libraries.
# The Sentry privilege structure references columns by name, whereas we will need to reference columns by ID in order to be robust to columns being renamed.
# Having our own format will make it easier to drop in alternate authorization providers in the future.

> Fill-out AuthzToken definition
> ------------------------------
>
>                 Key: KUDU-2542
>                 URL: https://issues.apache.org/jira/browse/KUDU-2542
>             Project: Kudu
>          Issue Type: Sub-task
>          Components: security
>    Affects Versions: 1.8.0
>            Reporter: Dan Burkert
>            Priority: Major
>
> As part of the Sentry integration, it will be necessary to flesh out the
> [AuthzTokenPB|https://github.com/apache/kudu/blob/master/src/kudu/security/token.proto#L28]
> structure with relevant fields:
> # The ID of the table which the token applies to
> # The username which the attached privileges belong to
> # The privileges
>
> Sentry has its own privilege format
> [TSentryPrivilege|[https://github.com/apache/sentry/blob/master/sentry-service/sentry-service-api/src/main/resources/sentry_policy_service.thrift#L47-L58]|https://github.com/apache/sentry/blob/master/sentry-service/sentry-service-api/src/main/resources/sentry_policy_service.thrift#L47-L58],
> but we'll probably want to convert this into our own internal Protobuf-based
> format, for the following reasons:
> # The tokens will be used in the tablet servers to authorize client actions.
> Currently tablet servers don't use or link to Thrift libraries.
> # The Sentry privilege structure references columns by name, whereas we will
> need to reference columns by ID in order to be robust to columns being
> renamed.
> # Having our own format will make it easier to drop in alternate
> authorization providers in the future.
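
The second reason in the description above (reference columns by ID so a rename does not break privileges), as an added example that is not part of the original issue and is not Kudu's or Sentry's code: a name-based privilege is resolved to column IDs when the token is issued, and the tablet-server-side check uses only the table ID, username and column IDs. All type, field and function names here are hypothetical, and the schema and privileges are constructed sample data.

```cpp
#include <cstdint>
#include <map>
#include <set>
#include <string>
#include <vector>

// All types and names here are hypothetical, not Kudu's or Sentry's definitions.
struct NamePrivilege { std::string column; std::string action; };  // provider side

struct AuthzToken {  // internal form carried to the tablet server
  std::string table_id;
  std::string username;
  std::map<int32_t, std::set<std::string>> column_actions;  // keyed by column ID
};

// Table schema as column ID -> current column name; IDs survive renames.
using Schema = std::map<int32_t, std::string>;

// Issuer side: resolve names to IDs against the schema at issue time.
// A privilege whose column name does not resolve is dropped (fail closed).
AuthzToken IssueToken(const std::string& table_id, const std::string& user,
                      const Schema& schema,
                      const std::vector<NamePrivilege>& privs) {
  AuthzToken token{table_id, user, {}};
  for (const auto& p : privs) {
    for (const auto& col : schema) {
      if (col.second == p.column) token.column_actions[col.first].insert(p.action);
    }
  }
  return token;
}

// Tablet-server side: decide using only table ID, username and column ID.
bool Authorize(const AuthzToken& token, const std::string& table_id,
               const std::string& user, int32_t column_id,
               const std::string& action) {
  if (token.table_id != table_id || token.username != user) return false;
  auto it = token.column_actions.find(column_id);
  return it != token.column_actions.end() && it->second.count(action) > 0;
}

// Constructed scenario: column 10 is renamed after the token was issued.
bool AllowedAfterRename() {
  Schema schema = {{10, "id"}, {11, "ssn"}};
  std::vector<NamePrivilege> privs = {NamePrivilege{"id", "SELECT"}};
  AuthzToken t = IssueToken("table-1", "alice", schema, privs);
  schema[10] = "user_id";  // rename: the name changes, the column ID does not
  return Authorize(t, "table-1", "alice", 10, "SELECT") &&   // still granted
         !Authorize(t, "table-1", "alice", 11, "SELECT");    // never granted
}
```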