Hao Hao has uploaded this change for review: http://gerrit.cloudera.org:8080/12058


Change subject: [sentry] Integrate AuthzProvider into CatalogManager
......................................................................

[sentry] Integrate AuthzProvider into CatalogManager

This commit enables master RPC authorization enforcement by connecting
the CatalogManager to the Sentry service via the SentryAuthzProvider.
When the Sentry integration is enabled (by setting the
--sentry_service_rpc_addresses flag), DDLs such as table creation,
alteration, and deletion are validated to see if the connected user has
the permission to perform such operations. Note that the coarse-grained
access control is still applied to these endpoints. A --trusted_user_acl
flag is introduced to allow the trusted user, e.g. 'impala', to skip the
authorization enforcement. More authorization endpoints, e.g. ListTables
RPC, will be addressed in a follow-up patch.

Testing: This commit adds a new integration test (master_sentry-itest)
which tests that the integration works as expected with create/alter/drop
table operations. More coverage on DDL stress tests with Sentry
integration enabled will be in a follow-up patch.

Change-Id: I7377193abec7b8ed33d7c9455bcc9ef44da94941
---
M src/kudu/client/client-test.cc
M src/kudu/common/table_util-test.cc
M src/kudu/integration-tests/consistency-itest.cc
M src/kudu/integration-tests/create-table-stress-test.cc
A src/kudu/integration-tests/hms_itest-base.h
M src/kudu/integration-tests/master_hms-itest.cc
M src/kudu/integration-tests/master_sentry-itest.cc
M src/kudu/integration-tests/registration-test.cc
M src/kudu/master/CMakeLists.txt
A src/kudu/master/authz_provider.cc
M src/kudu/master/authz_provider.h
M src/kudu/master/catalog_manager.cc
M src/kudu/master/catalog_manager.h
M src/kudu/master/default_authz_provider.h
M src/kudu/master/master-test-util.h
M src/kudu/master/master.proto
M src/kudu/master/master_service.cc
A src/kudu/master/sentry_authz_provider-test-base.h
M src/kudu/master/sentry_authz_provider-test.cc
M src/kudu/master/sentry_authz_provider.cc
M src/kudu/master/sentry_authz_provider.h
M src/kudu/sentry/mini_sentry.cc
M src/kudu/sentry/sentry_policy_service.thrift
23 files changed, 1,030 insertions(+), 451 deletions(-)



  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/58/12058/1
--
To view, visit http://gerrit.cloudera.org:8080/12058

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I7377193abec7b8ed33d7c9455bcc9ef44da94941
Gerrit-Change-Number: 12058
Gerrit-PatchSet: 1
Gerrit-Owner: Hao Hao <hao....@cloudera.com>