Hello Alexey Serbin, Kudu Jenkins, Andrew Wong, Adar Dembo,

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/12500

to look at the new patch set (#3).

Change subject: [sentry] add privilege scope validation to SentryAuthzProvider
......................................................................

[sentry] add privilege scope validation to SentryAuthzProvider

Currently, SentryAuthzProvider performs authorization based on the
following rules,

a privilege implies another when:
 1. the authorizable from the former implies the authorizable from the
    latter, and
 2. the action from the former implies the action from the latter, and
 3. grant option from the former implies the grant option from the latter.

We relied on Sentry API list_sentry_privileges_by_user_and_itsgroups to
enforce rule (1), which can result in privilege escalation (see the
comment in SentryAuthzProvider::Authorize()).

This patch adds privilege scope validation to SentryAuthzProvider to
ensure only authorizables with a higher privilege scope on the hierarchy
can imply authorizables with a lower scope on the hierarchy.

Theoretically speaking, an alternative is to add privilege scope filtering
in Sentry server. However, list_sentry_privileges_by_user_and_itsgroups
API also needs to work with the default Sentry client policy validation
(org.apache.sentry.policy.common.CommonPrivilege), which supports wildcard
privilege matching (e.g. authorizable 'server=server1->db=*' can imply
authorizable 'server=server1'). In such a case, privilege scope filtering
is not appropriate. On the other hand, wildcard privilege matching is
dropped in SentryAuthzProvider (see the comment in
SentryAuthzProvider::Authorize()).

Change-Id: I89437a04a4fa18e501d21c3abf5d66a2d22ce58a
---
M src/kudu/master/sentry_authz_provider-test.cc
M src/kudu/master/sentry_authz_provider.cc
M src/kudu/master/sentry_authz_provider.h
M src/kudu/sentry/CMakeLists.txt
M src/kudu/sentry/sentry-test-base.h
M src/kudu/sentry/sentry_action.h
M src/kudu/sentry/sentry_client-test.cc
M src/kudu/sentry/sentry_client.h
A src/kudu/sentry/sentry_privilege_scope-test.cc
A src/kudu/sentry/sentry_privilege_scope.cc
A src/kudu/sentry/sentry_privilege_scope.h
11 files changed, 506 insertions(+), 108 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/00/12500/3
--
To view, visit http://gerrit.cloudera.org:8080/12500
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I89437a04a4fa18e501d21c3abf5d66a2d22ce58a
Gerrit-Change-Number: 12500
Gerrit-PatchSet: 3
Gerrit-Owner: Hao Hao <[email protected]>
Gerrit-Reviewer: Adar Dembo <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Andrew Wong <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
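
The check described in the commit message above, as an added sketch that is not code from the Kudu patch: rules (2) and (3) evaluated alone over whatever privileges the server returned, next to the same check with scope validation. The Scope enum, the struct, the function names, the simplified "ALL" action rule and the sample privilege are assumptions made for illustration.

```cpp
#include <string>
#include <vector>

// Assumed Sentry-style hierarchy, widest scope first (hypothetical enum).
enum Scope { SERVER = 0, DATABASE = 1, TABLE = 2, COLUMN = 3 };

struct Privilege {
  Scope scope;         // scope of the authorizable the privilege was granted on
  std::string action;  // e.g. "ALL", "CREATE"
  bool grant_option;
};

// Rule (2), simplified for this sketch: "ALL" implies every action.
bool ActionImplies(const std::string& granted, const std::string& requested) {
  return granted == "ALL" || granted == requested;
}

// Rules (2) and (3) only; rule (1) is left to whatever the server returned.
bool ImpliesNoScopeCheck(const Privilege& p, const std::string& action,
                         bool need_grant) {
  return ActionImplies(p.action, action) && (p.grant_option || !need_grant);
}

// Scope validation: a privilege applies only if it was granted at a scope no
// lower than the requested one (equal scope is allowed, an assumption here).
bool ImpliesWithScopeCheck(const Privilege& p, Scope requested,
                           const std::string& action, bool need_grant) {
  return p.scope <= requested && ImpliesNoScopeCheck(p, action, need_grant);
}

bool Authorize(const std::vector<Privilege>& returned, Scope requested,
               const std::string& action, bool need_grant, bool validate_scope) {
  for (const auto& p : returned) {
    bool ok = validate_scope
                  ? ImpliesWithScopeCheck(p, requested, action, need_grant)
                  : ImpliesNoScopeCheck(p, action, need_grant);
    if (ok) return true;
  }
  return false;
}

// Constructed sample: a database-scope grant such as 'server=server1->db=*',
// returned by a wildcard-aware listing when 'server=server1' was asked about.
std::vector<Privilege> SampleReturned() { return {{DATABASE, "ALL", false}}; }

int main() {
  // With validation, the database-scope grant must not authorize server scope.
  return Authorize(SampleReturned(), SERVER, "CREATE", false, true) ? 1 : 0;
}
```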
