[
https://issues.apache.org/jira/browse/KUDU-2870?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16867967#comment-16867967
]
Andrew Wong commented on KUDU-2870:
-----------------------------------
This is an artifact of the fact that the ksck checksum scan doesn't use a
KuduClient to send its checksum requests. Instead, it uses a proxy directly.
There are a few things we could do to work around this:
# Rather than doing fine-grained authz checking for Checksum, require
coarse-grained super-user privileges via the --super-user-acl flag. While
somewhat complicating the mental model for authorization, this seems relatively
straight-forward to implement. Given Checksum doesn't seem to be exposed as a
part of any client's public API, this seem's like the easiest path forward.
# Refactor the ksck checksummer to collect tokens from any OpenTable calls it
makes before checksumming, and then passing in the appropriate authz tokens
along with the requests. Extra plumbing would be required to handle retriable
token-related errors (e.g. authz token expired).
# Refactor the ksck checksummer to use a real client instead of a proxy, so it
can leverage the client's handling of token-related errors. This seems like a
larger piece to chew than #2, but seems more correct.
# Introduce the concept of a --trusted-user-acl to the tablet servers to
forego all fine-grained privilege checking, and perhaps add the
--super-user-acl to the --trusted-user-acl. In this way, tooling would be able
to do anything without relying on authz tokens. This may be desirable in
reasoning about the internals of authorization, since it standardizes semantics
for trusted-user-acls more than it is today (i.e. today, being a part of the
--trusted-user-acl means the Master will return to the user with an authz token
containing all privileges).
For now, I will implement #1 given it seems easy to implement and we can think
about the others moving forward.
> Checksum scan fails with "Not authorized" error when authz enabled
> ------------------------------------------------------------------
>
> Key: KUDU-2870
> URL: https://issues.apache.org/jira/browse/KUDU-2870
> Project: Kudu
> Issue Type: Bug
> Components: authz
> Affects Versions: 1.10.0
> Reporter: Mike Percy
> Assignee: Andrew Wong
> Priority: Critical
>
> While testing a Kudu 1.10.0 RC build with authorization enabled, I tried a
> checksum scan and it failed:
> {code:java}
> [mpercy@mpercy-c63s-0619-1 ~]$ kudu cluster ksck
> mpercy-c63s-0619-1.vpc.cloudera.com
> -tables=default.loadgen_auto_b527de07b2d842f3a3c82c5f85eb2854 -checksum_scan
> -sections=CHECKSUM_RESULTS
> Checksum finished in 0s: 0/8 replicas remaining (0B from disk, 0 rows summed)
> Checksum Summary
> -----------------------
> default.loadgen_auto_b527de07b2d842f3a3c82c5f85eb2854
> -----------------------
> T 09d0df0ca48c41bf94c6a3a03533b811 P 7d31913f6bbf4355a974c76e4f82c72a
> (mpercy-c63s-0619-4.vpc.cloudera.com:7050): Error: Remote error: Not
> authorized: no authorization token presented
> T 16cafc1e2e814b5fb988b22554ac306b P 11edb01b3b184a2da8586fa5cffda90c
> (mpercy-c63s-0619-3.vpc.cloudera.com:7050): Error: Remote error: Not
> authorized: no authorization token presented
> T 37d40c90b0614b5d9515d1458e31657c P de47be31840f4b349f970cf759097cec
> (mpercy-c63s-0619-2.vpc.cloudera.com:7050): Error: Remote error: Not
> authorized: no authorization token presented
> T 5da264a95d31474ea4b0b2e464a5b261 P de47be31840f4b349f970cf759097cec
> (mpercy-c63s-0619-2.vpc.cloudera.com:7050): Error: Remote error: Not
> authorized: no authorization token presented
> T 6acad06c945942b5af696f7f59b4d2ea P 7d31913f6bbf4355a974c76e4f82c72a
> (mpercy-c63s-0619-4.vpc.cloudera.com:7050): Error: Remote error: Not
> authorized: no authorization token presented
> T 949f20e82db1467fa9f968853c901f11 P 11edb01b3b184a2da8586fa5cffda90c
> (mpercy-c63s-0619-3.vpc.cloudera.com:7050): Error: Remote error: Not
> authorized: no authorization token presented
> T 9eda0d8c267c44efb9d76cf8fb911f93 P 921f4e7e28274a9189c978162d604f2e
> (mpercy-c63s-0619-5.vpc.cloudera.com:7050): Error: Remote error: Not
> authorized: no authorization token presented
> T a1ec4565447c4628baa6a1c5f9765c7a P 11edb01b3b184a2da8586fa5cffda90c
> (mpercy-c63s-0619-3.vpc.cloudera.com:7050): Error: Remote error: Not
> authorized: no authorization token presented
> ==================
> Warnings:
> ==================
> Some masters have unsafe, experimental, or hidden flags set
> Some tablet servers have unsafe, experimental, or hidden flags set
> ==================
> Errors:
> ==================
> Aborted: checksum scan error: 8 errors were detected
> FAILED
> Runtime error: ksck discovered errors{code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
