Hello Tidy Bot, Alexey Serbin, Dan Burkert, Kudu Jenkins, Hao Hao,

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/11751

to look at the new patch set (#6).

Change subject: KUDU-2543: pass around default authz tokens
......................................................................

KUDU-2543: pass around default authz tokens

Adds authz token generation to the master's GetTableSchema endpoint,
with which clients can authorize themselves for specific tables. A
client will cache these tokens and use them appropriately for RPCs that
need them (e.g. Writes and Scans), reacquiring them when receiving word
that they are expired.

This adds a minimal amount of privilege-checking (i.e. no privileges? no
can do) and introduces basic token verification (tokens should be well
formed, not expired, etc.) for authz tokens. I reused the authn
verification negotiation logic, but put it in the tablet server layer.

This is tested in the following ways:
- unit tests for the new client-side cache for authz tokens
- parameterized the token expiration test for authn and authz tokens to
  have varying token expirations, testing when authn tokens expire but
  not authz tokens, and vice versa
- added a test to ensure that requests with various invalid authz tokens
  (malformed, missing, wrong user) will be retried with a new token from
  the master, and that requests with no permissions don't
- added a test to ensure that the client retries attempts to get an
  authz token when the master is unavailable for various reasons
- added a test to ensure that clients retry when they get an unknown TSK
- added a test to ensure that clients are still compatible with old
  servers

Change-Id: I99555e0ab2d09d4abcbc12b1100658a9a17590f4
---
M src/kudu/client/CMakeLists.txt
A src/kudu/client/authz_token_cache.cc
A src/kudu/client/authz_token_cache.h
M src/kudu/client/batcher.cc
M src/kudu/client/client-internal.cc
M src/kudu/client/client-internal.h
M src/kudu/client/client-test.cc
M src/kudu/client/client.h
M src/kudu/client/scanner-internal.cc
M src/kudu/client/scanner-internal.h
M src/kudu/integration-tests/CMakeLists.txt
M src/kudu/integration-tests/authn_token_expire-itest.cc
A src/kudu/integration-tests/authz_token-itest.cc
M src/kudu/master/catalog_manager.h
M src/kudu/master/master.proto
M src/kudu/master/master_service.cc
M src/kudu/rpc/CMakeLists.txt
M src/kudu/rpc/retriable_rpc.h
M src/kudu/rpc/rpc.cc
M src/kudu/rpc/rpc.h
M src/kudu/rpc/rpc_header.proto
A src/kudu/rpc/rpc_verification_util.cc
A src/kudu/rpc/rpc_verification_util.h
M src/kudu/rpc/server_negotiation.cc
M src/kudu/security/token_verifier.cc
M src/kudu/tserver/tablet_service.cc
M src/kudu/tserver/tserver.proto
M src/kudu/tserver/tserver_service.proto
28 files changed, 1,491 insertions(+), 95 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/51/11751/6
--
To view, visit http://gerrit.cloudera.org:8080/11751

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I99555e0ab2d09d4abcbc12b1100658a9a17590f4
Gerrit-Change-Number: 11751
Gerrit-PatchSet: 6
Gerrit-Owner: Andrew Wong <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Andrew Wong <[email protected]>
Gerrit-Reviewer: Dan Burkert <[email protected]>
Gerrit-Reviewer: Hao Hao <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
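
The retry behaviour the commit message describes, as an added example that is not code from the Kudu patch: a client caches one authz token per table, reacquires it from the master when the server reports it invalid or expired, and does not retry when the token is valid but carries no privilege. All type and function names, the 10-tick token lifetime and the sample ACL are assumptions, and token signing is left out.

```cpp
// Added illustration: every name below is hypothetical, not Kudu's API.
#include <map>
#include <string>

struct Token { std::string user, table; long expires_at; bool can_write; };
enum class Verdict { kOk, kInvalidToken, kNotAuthorized };

// Tablet-server side: basic token verification, then a minimal privilege check.
Verdict Verify(const Token* t, const std::string& user,
               const std::string& table, long now) {
  if (t == nullptr || t->user != user || t->table != table ||
      t->expires_at <= now) {
    return Verdict::kInvalidToken;  // missing, wrong user or table, or expired
  }
  return t->can_write ? Verdict::kOk : Verdict::kNotAuthorized;
}

// Master side: issues a short-lived token scoped to one user and one table.
struct Master {
  int issued = 0;
  std::map<std::string, bool> write_acl;  // constructed sample ACL: table -> may write
  Token Issue(const std::string& user, const std::string& table, long now) {
    ++issued;
    return Token{user, table, now + 10, write_acl[table]};
  }
};

// Client side: per-table token cache with a single reacquire-and-retry.
struct Client {
  std::string user;
  Master* master;
  std::map<std::string, Token> cache;

  Verdict Write(const std::string& table, long now) {
    for (int attempt = 0; attempt < 2; ++attempt) {
      auto it = cache.find(table);
      const Token* tok = (it == cache.end()) ? nullptr : &it->second;
      Verdict v = Verify(tok, user, table, now);
      if (v != Verdict::kInvalidToken) return v;  // kNotAuthorized is final
      cache[table] = master->Issue(user, table, now);  // fresh token, retry
    }
    return Verdict::kInvalidToken;
  }
};
```

Counting `Master::issued` across calls shows which failures cost a round trip to the master: invalid or expired tokens do, a cached valid token and a permission denial do not.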
