[kudu-CR] KUDU-2542: add initial authorization token impl

Wed, 24 Oct 2018 16:58:47 -0700 

Hello Tidy Bot, Alexey Serbin, Dan Burkert, Kudu Jenkins, Hao Hao,

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/11750

to look at the new patch set (#2).

Change subject: KUDU-2542: add initial authorization token impl
......................................................................

KUDU-2542: add initial authorization token impl

This patch adds adds an authorization token that echoes the
authentication token implementation. These tokens contain privileges
that will be used authorize specific tablet server requests.

By in large, tablet server requests are scoped to a single table, and as
such, so are authz tokens. In cases where this is not true (e.g.
ListTablets), a reasonable assumption is that the call is being made via
tooling, and coarse-grained access control should be used instead of
fine-grained. If this ends up being less the case in the future, we can
always amend the authz token to support multiple tables.

The tokens leverage the same token signer as the authentication tokens,
though with the token validity interval configured via the new flag
--authz_token_validity_seconds.

Change-Id: Id28747ec38675abdf50dce1e7c176d29213e370f
---
M src/kudu/integration-tests/authn_token_expire-itest.cc
M src/kudu/integration-tests/security-unknown-tsk-itest.cc
M src/kudu/integration-tests/token_signer-itest.cc
M src/kudu/master/master.cc
M src/kudu/rpc/negotiation-test.cc
M src/kudu/security/token-test.cc
M src/kudu/security/token.proto
M src/kudu/security/token_signer.cc
M src/kudu/security/token_signer.h
9 files changed, 385 insertions(+), 76 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/50/11750/2
--
To view, visit http://gerrit.cloudera.org:8080/11750
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Id28747ec38675abdf50dce1e7c176d29213e370f
Gerrit-Change-Number: 11750
Gerrit-PatchSet: 2
Gerrit-Owner: Andrew Wong <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Andrew Wong <[email protected]>
Gerrit-Reviewer: Dan Burkert <[email protected]>
Gerrit-Reviewer: Hao Hao <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)

Reply via email to