Hao Hao has posted comments on this change. ( http://gerrit.cloudera.org:8080/12500 )
Change subject: [sentry] add privilege scope validation to SentryAuthzProvider ...................................................................... Patch Set 3: (3 comments) http://gerrit.cloudera.org:8080/#/c/12500/3//COMMIT_MSG Commit Message: http://gerrit.cloudera.org:8080/#/c/12500/3//COMMIT_MSG@18 PS3, Line 18: We relied on Sentry API list_sentry_privileges_by_user_and_itsgroups to : enforce rule (1), which can result in privilege escalation (see the : comment in SentryAuthzProvider::Authorize()). > I think it's worth describing the bug in the commit message a bit, and then Sounds good, I will add back the bug description based on your suggestion. The only thing that I want to point out is it is not "any authorizable of an equal or lower place in the input authorizable hierarchy". Instead it actually returns each scope/place in the authorizable hierarchy (including higher scope). http://gerrit.cloudera.org:8080/#/c/12500/3/src/kudu/master/sentry_authz_provider.cc File src/kudu/master/sentry_authz_provider.cc: http://gerrit.cloudera.org:8080/#/c/12500/3/src/kudu/master/sentry_authz_provider.cc@277 PS3, Line 277: wildcard privilege matching > We still have wildcard checking for actions though, right? Maybe specify "a Right, will update. http://gerrit.cloudera.org:8080/#/c/12500/3/src/kudu/sentry/sentry_privilege_scope.h File src/kudu/sentry/sentry_privilege_scope.h: http://gerrit.cloudera.org:8080/#/c/12500/3/src/kudu/sentry/sentry_privilege_scope.h@28 PS3, Line 28: // A carbon copy of Sentry privilege scope, which indicates the : // hierarchy of authorizables (server → database → table → column). : // : // A privilege scope can imply another following rules defined in : // Implies(). > Would probably help to explain what the scope is scoping? I.e. a given priv Yeah, I think AuthorizableScope probably is more precise. I will update. -- To view, visit http://gerrit.cloudera.org:8080/12500 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: kudu Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I89437a04a4fa18e501d21c3abf5d66a2d22ce58a Gerrit-Change-Number: 12500 Gerrit-PatchSet: 3 Gerrit-Owner: Hao Hao <[email protected]> Gerrit-Reviewer: Adar Dembo <[email protected]> Gerrit-Reviewer: Alexey Serbin <[email protected]> Gerrit-Reviewer: Andrew Wong <[email protected]> Gerrit-Reviewer: Hao Hao <[email protected]> Gerrit-Reviewer: Kudu Jenkins (120) Gerrit-Comment-Date: Fri, 22 Feb 2019 20:08:25 +0000 Gerrit-HasComments: Yes
