Hello Tidy Bot, Dan Burkert, Kudu Jenkins, Adar Dembo, Hao Hao,
I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/11753
to look at the new patch set (#15).
Change subject: authz: verify tokens on scans
......................................................................
authz: verify tokens on scans
Adds privilege checking to enforce the following authorization
requirements are met when scan-like requests are received by tablet
servers:
Scans or checksum scans require:
  if no projected columns || projected columns has virtual column:
    foreach (column): SCAN ON COLUMN
  else:
    if uses pk:
      foreach(primary key column): SCAN ON COLUMN
    foreach(projected column): SCAN ON COLUMN
    foreach(predicated column): SCAN ON COLUMN

Split-key requests require:
  if uses pk:
    foreach(primary key column): SCAN ON COLUMN
  foreach(requested column): SCAN ON COLUMN
Notes:
Empty projections
- Kudu uses this to implement counting rows, which is semantically
equivalent to counting rows with a projection on all columns.
Primary keys
- Scans in ORDERED mode (i.e. fault-tolerant scans) pass around
primary keys to keep track of scan progress.
- Scans that include a start or stop primary key will use the bounds
as a range predicate on the primary key columns. Split-key requests
use similar fields.
Virtual columns
- Diff scans are implemented by having users supply a column in the
projection that doesn't exist in the tablet schema. As an example,
in a table where the column "deleted" does not exist, a diff scan
looks like:
    projection: ("col0", type:string), ("deleted", type:is_deleted)
whereas a projection with a column that doesn't exist might look
like the following (note the only difference is in the type):
    projection: ("col0", type:string), ("deleted", type:string)
- In the latter case, in order to prevent leaking the existence (or
lack thereof, in this case) of the column "deleted", we send back
an authorization error instead of a "not found" error.
- In the former case, we actually want the request to proceed. Even
though the column doesn't exist, we don't expect it to because it
has a virtual type. Therein lies room for a vulnerability -- if a
malicious user were to replace the types in the request with a
virtual column type, there wouldn't be a good way to distinguish
between these two cases.
- To reconcile this, we apply the most conservative policy we can and
require that virtual columns require privileges on all columns.
All of the listed requests are also permitted if SCAN ON TABLE (i.e.
full scan privileges) are given.
Change-Id: I7a5d81cf215a5d936f8853feba05778038764905
---
M src/kudu/common/schema.h
M src/kudu/tserver/CMakeLists.txt
M src/kudu/tserver/tablet_server_authorization-test.cc
M src/kudu/tserver/tablet_service.cc
4 files changed, 1,047 insertions(+), 57 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/53/11753/15
--
To view, visit http://gerrit.cloudera.org:8080/11753
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I7a5d81cf215a5d936f8853feba05778038764905
Gerrit-Change-Number: 11753
Gerrit-PatchSet: 15
Gerrit-Owner: Andrew Wong <[email protected]>
Gerrit-Reviewer: Adar Dembo <[email protected]>
Gerrit-Reviewer: Andrew Wong <[email protected]>
Gerrit-Reviewer: Dan Burkert <[email protected]>
Gerrit-Reviewer: Hao Hao <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
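The column-privilege policy spelled out in the commit message above (scans, split-key requests, the empty-projection rule and the conservative handling of virtual columns), written out as an added C++ example. This is not code from the Kudu change itself; the struct and function names (Schema, Privileges, ScanRequest, AuthorizeScan, AuthorizeSplitKeys, ExampleSchema) and the three-column sample schema are constructed for illustration.

```cpp
#include <set>
#include <string>
#include <vector>
// Added example, not Kudu's code: the scan authorization policy from the
// commit message as pure functions. All names here are hypothetical.
struct Schema {
  std::vector<std::string> columns;      // every column in the tablet schema
  std::vector<std::string> pk_columns;   // the primary key columns
};

struct Privileges {
  bool scan_on_table = false;            // SCAN ON TABLE: full scan privilege
  std::set<std::string> scan_on_columns; // SCAN ON COLUMN grants, by name
};

struct ScanRequest {
  std::vector<std::string> projected;    // empty means "count rows"
  std::vector<std::string> predicated;   // columns referenced by predicates
  bool has_virtual_column = false;       // e.g. a column of type is_deleted
  bool uses_pk = false;                  // ORDERED scan, or start/stop pk bounds
};

static bool HasAll(const Privileges& p, const std::vector<std::string>& cols) {
  for (const auto& c : cols) {
    if (!p.scan_on_columns.count(c)) return false;
  }
  return true;
}

// Scans and checksum scans.
bool AuthorizeScan(const Schema& s, const ScanRequest& r, const Privileges& p) {
  if (p.scan_on_table) return true;
  // Empty projection (row count) or any virtual column: the conservative
  // policy, SCAN ON COLUMN for every column in the schema.
  if (r.projected.empty() || r.has_virtual_column) return HasAll(p, s.columns);
  if (r.uses_pk && !HasAll(p, s.pk_columns)) return false;
  // A projected name absent from the schema can carry no grant, so the caller
  // sees an authorization failure rather than a "not found" error.
  return HasAll(p, r.projected) && HasAll(p, r.predicated);
}

// Split-key requests: pk columns (if used) plus every requested column.
bool AuthorizeSplitKeys(const Schema& s, const std::vector<std::string>& req,
                        bool uses_pk, const Privileges& p) {
  if (p.scan_on_table) return true;
  if (uses_pk && !HasAll(p, s.pk_columns)) return false;
  return HasAll(p, req);
}
// Constructed sample schema: three columns, "key" is the only pk column.
Schema ExampleSchema() { return Schema{{"key", "col0", "col1"}, {"key"}}; }
```

The diff-scan case (a projected column missing from the schema but carrying a virtual type) is what forces the all-columns rule: without it, a request that merely relabels a nonexistent column as virtual could not be told apart from a genuine diff scan.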