[kudu-CR] rpc: add basic service and method-level authorization

Mon, 31 Oct 2016 19:29:45 -0700 

Hello Dan Burkert, Alexey Serbin,

I'd like you to do a code review.  Please visit

    http://gerrit.cloudera.org:8080/4897

to review the following change.

Change subject: rpc: add basic service and method-level authorization
......................................................................

rpc: add basic service and method-level authorization

This adds some basic authorization support to the RPC system. The goal
here is to implement service-level and method-level coarse grained
authorization. This can be used for use cases like:

- check that only tablet servers can register or heartbeat to the master
- check that only users in an administrative group can call 'SetFlag'
- check that only other tablet servers can call UpdateConsensus

This facility is quite simple and is not meant to extend to entity-level
authorization checks ("can user X access table Y"). Those checks are
necessarily more complex since they involve inspecting the request, the
target object, etc, and will be implemented in a more ad-hoc manner in
the relevant RPCs.

This patch follows something similar to the "option 3" approach outlined
in a mailing list post[1], except does compile-time binding and checking
that the specified authorization methods are properly defined.

[1] 
https://lists.apache.org/thread.html/e31bacbe39a099bc538057ccbe7f96f00a9711dfbbbefaa1c99c97f3@%3Cdev.kudu.apache.org%3E
Change-Id: Ia9206f5f89391d8bccfa30952d2b252900ab6566
---
M docs/design-docs/rpc.md
M src/kudu/rpc/protoc-gen-krpc.cc
M src/kudu/rpc/rpc-test-base.h
M src/kudu/rpc/rpc_header.proto
M src/kudu/rpc/rpc_stub-test.cc
M src/kudu/rpc/rtest.proto
M src/kudu/rpc/service_if.cc
M src/kudu/rpc/service_if.h
8 files changed, 197 insertions(+), 8 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/97/4897/1
-- 
To view, visit http://gerrit.cloudera.org:8080/4897
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ia9206f5f89391d8bccfa30952d2b252900ab6566
Gerrit-PatchSet: 1
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Todd Lipcon <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Dan Burkert <[email protected]>

Reply via email to