Andrew Wong has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/11751 )
Change subject: KUDU-2543 pt 1: basic checks for authz tokens
......................................................................

KUDU-2543 pt 1: basic checks for authz tokens

In preparation for passing around authorization tokens, the tservers are now fitted with minimal token-verifying logic that protects the write and the various scan-like endpoints (i.e. scans, checksum scans, and split-key requests), optionally enforcing that the client has provided a valid authz token.

I put the negotiation authn token verification logic into its own function for reuse in the tserver layer.

It's worth noting that scan-like requests that have a concept of a "new" request vs a "continue" request (i.e. scans, checksum scans) will only need verification on "new" requests. "Continue" requests are handled in that a scanner cannot be hijacked by a user who didn't create it.

A test is added to test various scenarios at the tserver level.

Change-Id: I99555e0ab2d09d4abcbc12b1100658a9a17590f4
Reviewed-on: http://gerrit.cloudera.org:8080/11751
Tested-by: Andrew Wong <[email protected]>
Reviewed-by: Adar Dembo <[email protected]>
Reviewed-by: Hao Hao <[email protected]>
Reviewed-by: Alexey Serbin <[email protected]>
---
M src/kudu/rpc/CMakeLists.txt
M src/kudu/rpc/rpc_header.proto
A src/kudu/rpc/rpc_verification_util.cc
A src/kudu/rpc/rpc_verification_util.h
M src/kudu/rpc/server_negotiation.cc
M src/kudu/security/token_verifier.cc
M src/kudu/tserver/CMakeLists.txt
M src/kudu/tserver/tablet_server-test-base.h
A src/kudu/tserver/tablet_server_authorization-test.cc
M src/kudu/tserver/tablet_service.cc
M src/kudu/tserver/tserver.proto
M src/kudu/tserver/tserver_service.proto
12 files changed, 600 insertions(+), 37 deletions(-)

Approvals:
  Andrew Wong: Verified
  Adar Dembo: Looks good to me, but someone else must approve
  Hao Hao: Looks good to me, approved
  Alexey Serbin: Looks good to me, approved

--
To view, visit http://gerrit.cloudera.org:8080/11751
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: I99555e0ab2d09d4abcbc12b1100658a9a17590f4
Gerrit-Change-Number: 11751
Gerrit-PatchSet: 13
Gerrit-Owner: Andrew Wong <[email protected]>
Gerrit-Reviewer: Adar Dembo <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Andrew Wong <[email protected]>
Gerrit-Reviewer: Hao Hao <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
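
The "new" vs "continue" split described in the commit message above, as an added sketch that is not taken from the Kudu source: the token is checked only when a scanner is created, and later calls are bound to the user who created it. Every type and function name is hypothetical, and the token fields and checks (signature flag, expiry, user and table match) are assumptions made for illustration.

```cpp
// Added illustration, not Kudu source. Every name below is hypothetical.
#include <cstdint>
#include <map>
#include <string>

enum class Result { kOk, kNotAuthorized, kScannerNotFound };

// Assumed token shape; signature_ok stands in for real signature verification.
struct AuthzToken {
  std::string username, table_id;
  int64_t expires_at;
  bool signature_ok;
};

struct ScanRequest {
  std::string remote_user;  // identity authenticated on the connection
  std::string scanner_id;   // non-empty => "continue", empty => "new"
  std::string table_id;     // used by "new" requests only
  bool has_token;
  AuthzToken token;
};

class ScanService {
 public:
  ScanService(bool enforce_authz, int64_t now) : enforce_(enforce_authz), now_(now) {}

  Result Scan(const ScanRequest& req, std::string* scanner_id) {
    if (!req.scanner_id.empty()) {
      // "Continue": no token check, but only the creator may use the scanner.
      auto it = owners_.find(req.scanner_id);
      if (it == owners_.end()) return Result::kScannerNotFound;
      if (it->second != req.remote_user) return Result::kNotAuthorized;
      *scanner_id = it->first;
      return Result::kOk;
    }
    // "New": the token is verified before any scanner state is created.
    if (enforce_ && !TokenOk(req)) return Result::kNotAuthorized;
    *scanner_id = "scanner-" + std::to_string(next_id_++);
    owners_[*scanner_id] = req.remote_user;
    return Result::kOk;
  }

 private:
  bool TokenOk(const ScanRequest& req) const {
    return req.has_token && req.token.signature_ok && req.token.expires_at > now_ &&
           req.token.username == req.remote_user && req.token.table_id == req.table_id;
  }
  bool enforce_;
  int64_t now_;
  int next_id_ = 0;
  std::map<std::string, std::string> owners_;  // scanner id -> creating user
};
```
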
