[kudu-CR] authz: verify tokens on scans

Fri, 15 Mar 2019 19:49:00 -0700 

Hello Tidy Bot, Dan Burkert, Kudu Jenkins, Adar Dembo, Hao Hao,

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/11753

to look at the new patch set (#4).

Change subject: authz: verify tokens on scans
......................................................................

authz: verify tokens on scans

Adds privilege checking to enforce the following authorization
requirements are met when scan-like requests are received by tablet
servers:

Scans or checksum scans require:
  if no projected columns:
    SCAN ON TABLE || foreach (column): SCAN ON COLUMN
  else:
    if uses pk:
      foreach(primary key column): SCAN ON COLUMN
    foreach(projected column): SCAN ON COLUMN
    foreach(predicated column): SCAN ON COLUMN

Split-key requests require:
  if uses pk:
    foreach(primary key column): SCAN ON COLUMN
  foreach(requested column): SCAN ON COLUMN

Notes:
  Empty projections
  - Kudu uses this to implement counting rows, which is semantically
    equivalent to counting rows with a projection on all columns.
  Primary keys
  - Scans in ORDERED mode (i.e. fault-tolerant scans) pass around
    primary keys to keep track of scan progress.
  - Scans that include a start or stop primary key wil use the bounds as
    a range predicate on the primary key columns. Split-key requests use
    similar fields.

All of the listed requests are also permitted if SCAN ON TABLE (i.e.
full scan privileges) are given.

Change-Id: I7a5d81cf215a5d936f8853feba05778038764905
---
M src/kudu/common/schema.h
M src/kudu/integration-tests/authz_token-itest.cc
M src/kudu/tserver/tablet_server_authorization-test.cc
M src/kudu/tserver/tablet_service.cc
4 files changed, 823 insertions(+), 51 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/53/11753/4
--
To view, visit http://gerrit.cloudera.org:8080/11753
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I7a5d81cf215a5d936f8853feba05778038764905
Gerrit-Change-Number: 11753
Gerrit-PatchSet: 4
Gerrit-Owner: Andrew Wong <[email protected]>
Gerrit-Reviewer: Adar Dembo <[email protected]>
Gerrit-Reviewer: Andrew Wong <[email protected]>
Gerrit-Reviewer: Dan Burkert <[email protected]>
Gerrit-Reviewer: Hao Hao <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)

Reply via email to