[kudu-CR] [sentry] Integrate AuthzProvider into CatalogManager

Hao Hao (Code Review) Sun, 09 Dec 2018 18:19:51 -0800

Hello Tidy Bot, Dan Burkert, Kudu Jenkins, Andrew Wong,

I'd like you to reexamine a change. Please visit


    http://gerrit.cloudera.org:8080/11797

to look at the new patch set (#3).

Change subject: [sentry] Integrate AuthzProvider into CatalogManager
......................................................................

[sentry] Integrate AuthzProvider into CatalogManager

This commit enables master RPC authorization enforcement by connecting
the CatalogManager to the Sentry service via the SentryAuthzProvider.
When the Sentry integration is enabled (by setting the
--sentry_service_rpc_addresses flag), DDLs as table creation, alteration,
deletion are validated to see if the connected user has the permission
to perform such operations. Note that the coarse-grained access control
is still applied to these endpoints. A --trusted_user_acl flag is
introduced to allow the trusted user, e.g. 'impala', to skip the
authorization enforcement. More authorization endpoints, e.g ListTables
RPC, will be addressed in a follow up patch.

Testing: This commit adds a new integration test (master_sentry-itest)
which tests that the integration works as expected with create/alter/drop
table operations. More coverage on DDL stress tests with Sentry
integration enabled will be in a follow up patch.

Change-Id: Iab4aa027ae6eb4520db48ce348db552c9feec2a8
---
M src/kudu/client/client-test.cc
M src/kudu/common/table_util-test.cc
M src/kudu/integration-tests/consistency-itest.cc
M src/kudu/integration-tests/create-table-stress-test.cc
A src/kudu/integration-tests/hms_itest-base.h
M src/kudu/integration-tests/master_hms-itest.cc
M src/kudu/integration-tests/master_sentry-itest.cc
M src/kudu/integration-tests/registration-test.cc
M src/kudu/master/CMakeLists.txt
A src/kudu/master/authz_provider.cc
M src/kudu/master/authz_provider.h
M src/kudu/master/catalog_manager.cc
M src/kudu/master/catalog_manager.h
M src/kudu/master/default_authz_provider.h
M src/kudu/master/master-test-util.h
M src/kudu/master/master.proto
M src/kudu/master/master_service.cc
A src/kudu/master/sentry_authz_provider-test-base.h
M src/kudu/master/sentry_authz_provider-test.cc
M src/kudu/master/sentry_authz_provider.cc
M src/kudu/master/sentry_authz_provider.h
M src/kudu/sentry/mini_sentry.cc
M src/kudu/sentry/sentry_policy_service.thrift
23 files changed, 1,030 insertions(+), 451 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/97/11797/3
--
To view, visit http://gerrit.cloudera.org:8080/11797
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Iab4aa027ae6eb4520db48ce348db552c9feec2a8
Gerrit-Change-Number: 11797
Gerrit-PatchSet: 3
Gerrit-Owner: Hao Hao <[email protected]>
Gerrit-Reviewer: Andrew Wong <[email protected]>
Gerrit-Reviewer: Dan Burkert <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)

[kudu-CR] [sentry] Integrate AuthzProvider into CatalogManager

Reply via email to