Hao Hao has submitted this change and it was merged. (
http://gerrit.cloudera.org:8080/12500 )
Change subject: [sentry] add privilege scope validation to SentryAuthzProvider
......................................................................
[sentry] add privilege scope validation to SentryAuthzProvider
Currently, SentryAuthzProvider::Authorize() performs authorization based
on the rules that a privilege implies another when:
1. the authorizable from the former implies the authorizable from the
latter, and
2. the action from the former implies the action from the latter, and
3. grant option from the former implies the grant option from the latter.
We fetch from Sentry the privileges for the given user that might imply
the given authorizable and action (via
list_sentry_privileges_by_user_and_itsgroups
Sentry API). We then proceed to check the implication rules on the
returned actions. However, we rely on the API to enforce the implication
rules of the returned authorizables. This ignored the fact that the API
returns all privileges granted to the user that match the authorizable
of each scope in the input authorizable hierarchy (not just the implied
authorizables).
So when Alice tries to create table 'default.b' (this requires 'CREATE
ON DATABASE'), the Sentry API will return anything that matches:
server == "server1" && (db == "default" || db == NULL)
which may include 'ALL ON default.a'. Previously we would only take into
consideration the fact that 'ALL' is returned, and proceed to incorrectly
permit the create operation.
This patch adds privilege scope validation to SentryAuthzProvider to
ensure only authorizable with a higher scope on the hierarchy can imply
authorizables with a lower scope on the hierarchy.
Theoretically speaking, an alternative is to add authorizable scope
filtering in Sentry server. However, such an API is inherently a Kudu-only
API, which by necessity would filter out authorizable wildcard matching
(that Sentry's default client policy validation supports). Moreover,
client-side filtering can also help enabling more aggressive caching.
Change-Id: I89437a04a4fa18e501d21c3abf5d66a2d22ce58a
Reviewed-on: http://gerrit.cloudera.org:8080/12500
Tested-by: Kudu Jenkins
Reviewed-by: Adar Dembo <[email protected]>
Reviewed-by: Andrew Wong <[email protected]>
Reviewed-by: Alexey Serbin <[email protected]>
---
M src/kudu/master/sentry_authz_provider-test.cc
M src/kudu/master/sentry_authz_provider.cc
M src/kudu/master/sentry_authz_provider.h
M src/kudu/sentry/CMakeLists.txt
M src/kudu/sentry/sentry-test-base.h
M src/kudu/sentry/sentry_action.cc
M src/kudu/sentry/sentry_action.h
A src/kudu/sentry/sentry_authorizable_scope-test.cc
A src/kudu/sentry/sentry_authorizable_scope.cc
A src/kudu/sentry/sentry_authorizable_scope.h
M src/kudu/sentry/sentry_client-test.cc
M src/kudu/sentry/sentry_client.h
12 files changed, 653 insertions(+), 157 deletions(-)
Approvals:
Kudu Jenkins: Verified
Adar Dembo: Looks good to me, but someone else must approve
Andrew Wong: Looks good to me, approved
Alexey Serbin: Looks good to me, approved
--
To view, visit http://gerrit.cloudera.org:8080/12500
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: I89437a04a4fa18e501d21c3abf5d66a2d22ce58a
Gerrit-Change-Number: 12500
Gerrit-PatchSet: 9
Gerrit-Owner: Hao Hao <[email protected]>
Gerrit-Reviewer: Adar Dembo <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Andrew Wong <[email protected]>
Gerrit-Reviewer: Hao Hao <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
