Hao Hao has posted comments on this change. ( http://gerrit.cloudera.org:8080/11753 )
Change subject: authz: verify tokens on scans ...................................................................... Patch Set 8: (9 comments) http://gerrit.cloudera.org:8080/#/c/11753/8/src/kudu/tserver/tablet_server_authorization-test.cc File src/kudu/tserver/tablet_server_authorization-test.cc: http://gerrit.cloudera.org:8080/#/c/11753/8/src/kudu/tserver/tablet_server_authorization-test.cc@443 PS8, Line 443: ScanPrivilegeAuthzTest Are you planning to have another patch for integration tests? http://gerrit.cloudera.org:8080/#/c/11753/8/src/kudu/tserver/tablet_server_authorization-test.cc@444 PS8, Line 444: bool Add a comment that the boolean is to indicate whether to use primary key? http://gerrit.cloudera.org:8080/#/c/11753/8/src/kudu/tserver/tablet_service.cc File src/kudu/tserver/tablet_service.cc: http://gerrit.cloudera.org:8080/#/c/11753/8/src/kudu/tserver/tablet_service.cc@426 PS8, Line 426: col_idx == Schema::kColumnNotFound We may want to log such case for debugging? Same below. http://gerrit.cloudera.org:8080/#/c/11753/8/src/kudu/tserver/tablet_service.cc@1521 PS8, Line 1521: context->RespondRpcFailure(rpc::ErrorStatusPB::FATAL_UNAUTHORIZED, May want to log a warning about is not authorized on what for debugging purpose? http://gerrit.cloudera.org:8080/#/c/11753/8/src/kudu/tserver/tablet_service.cc@1657 PS8, Line 1657: context nit: extra space. http://gerrit.cloudera.org:8080/#/c/11753/8/src/kudu/tserver/tablet_service.cc@1662 PS8, Line 1662: authorization token is for the wrong table ID Just for clarification, when do you think this could happen? http://gerrit.cloudera.org:8080/#/c/11753/8/src/kudu/tserver/tablet_service.cc@1686 PS8, Line 1686: schema.find_column I am not sure why here is guaranteed that kColumnNotFound is not returned? http://gerrit.cloudera.org:8080/#/c/11753/8/src/kudu/tserver/tablet_service.cc@1831 PS8, Line 1831: c nit: extra space. http://gerrit.cloudera.org:8080/#/c/11753/8/src/kudu/tserver/tablet_service.cc@1848 PS8, Line 1848: const auto& schema = replica->tablet_metadata()->schema(); : unordered_set<ColumnId> required_column_privileges; : bool is_authorized = true; : if (!GetRequiredColumnPrivilegesForNewScan(new_req, schema, &required_column_privileges)) { : is_authorized = false; : } : for (const auto& required_col_id : required_column_privileges) { : if (!ContainsKey(authorized_column_ids, required_col_id)) { : is_authorized = false; : break; : } : } : if (!is_authorized) { : context->RespondRpcFailure(rpc::ErrorStatusPB::FATAL_UNAUTHORIZED, : Status::NotAuthorized("not authorized to checksum")); : return; : } This looks like exact the same as L1530 to L1545. Maybe wrap this into a separate function? -- To view, visit http://gerrit.cloudera.org:8080/11753 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: kudu Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I7a5d81cf215a5d936f8853feba05778038764905 Gerrit-Change-Number: 11753 Gerrit-PatchSet: 8 Gerrit-Owner: Andrew Wong <[email protected]> Gerrit-Reviewer: Adar Dembo <[email protected]> Gerrit-Reviewer: Andrew Wong <[email protected]> Gerrit-Reviewer: Dan Burkert <[email protected]> Gerrit-Reviewer: Hao Hao <[email protected]> Gerrit-Reviewer: Kudu Jenkins (120) Gerrit-Reviewer: Tidy Bot (241) Gerrit-Comment-Date: Tue, 19 Mar 2019 21:55:48 +0000 Gerrit-HasComments: Yes
