[kudu-CR] [sentry] add privilege scope validation to SentryAuthzProvider

Fri, 15 Feb 2019 12:06:30 -0800 

Hao Hao has uploaded this change for review. ( 
http://gerrit.cloudera.org:8080/12500


Change subject: [sentry] add privilege scope validation to SentryAuthzProvider
......................................................................

[sentry] add privilege scope validation to SentryAuthzProvider

Currently, SentryAuthzProvider performs authorization based on the
following rules:

a privilege implies another when,
 1. the authorizable from the former implies the authorizable from the
    latter,
 2. the action from the former implies the action from the latter,
 3. and grant option from the former implies the grant option from the
    latter.

We rely on Sentry API list_sentry_privileges_by_user_and_itsgroups to
enforce rule (1). This works fine when validating authorizables with
lower privilege scope on the hierarchy, but not for authorizables with
higher scope.

For example, user Alice is granted with 'ALTER ON TABLE default.a'. She
tries to alter table 'default.a' (this requires 'ALTER ON TABLE' privilege),
During authorization, list_sentry_privileges_by_user_and_itsgroups will
return any privileges that matches:

'server == server1 && (db == default || db == NULL) && (table == a || table == 
NULL)'.

This can correctly filter the applied authorizables. But when Alice tries
to create table 'default.b' (this requires 'CREATE ON DATABASE' privilege),
the sentry API will return anything that matches:

'server == server1 && (db == default || db == NULL)',

which means the table level privilege will also be returned.

This patch adds privilge scope validation to SentryAuthzProvider to
ensure only authorizable with a higher privilege scope on the hierarchy
can imply authorizables with a lower scope on the hierarchy.

Change-Id: I89437a04a4fa18e501d21c3abf5d66a2d22ce58a
---
M src/kudu/master/sentry_authz_provider-test.cc
M src/kudu/master/sentry_authz_provider.cc
M src/kudu/master/sentry_authz_provider.h
M src/kudu/sentry/CMakeLists.txt
M src/kudu/sentry/sentry-test-base.h
M src/kudu/sentry/sentry_action.h
M src/kudu/sentry/sentry_client-test.cc
A src/kudu/sentry/sentry_privilege_scope-test.cc
A src/kudu/sentry/sentry_privilege_scope.cc
A src/kudu/sentry/sentry_privilege_scope.h
10 files changed, 510 insertions(+), 101 deletions(-)



  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/00/12500/1
--
To view, visit http://gerrit.cloudera.org:8080/12500
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I89437a04a4fa18e501d21c3abf5d66a2d22ce58a
Gerrit-Change-Number: 12500
Gerrit-PatchSet: 1
Gerrit-Owner: Hao Hao <[email protected]>

Reply via email to