Hao Hao has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/11797 )

Change subject: [sentry] Integrate AuthzProvider into CatalogManager
......................................................................

[sentry] Integrate AuthzProvider into CatalogManager

This commit enables master RPC authorization enforcement by connecting the CatalogManager to the Sentry service via the SentryAuthzProvider. When the Sentry integration is enabled (by setting the --sentry_service_rpc_addresses flag), DDLs such as table creation, alteration, deletion are validated to see if the connected user has the permission to perform such operations. Note that the coarse-grained access control is still applied to these endpoints.

A --trusted_user_acl flag is introduced to allow the trusted user, e.g. 'impala', to skip the authorization enforcement.

Testing: This commit adds a new integration test (master_sentry-itest) which tests that the integration works as expected with all exposed table operations. More coverage on DDL stress tests with Sentry integration enabled will be in a follow up patch.

Change-Id: Iab4aa027ae6eb4520db48ce348db552c9feec2a8
Reviewed-on: http://gerrit.cloudera.org:8080/11797
Tested-by: Hao Hao <[email protected]>
Reviewed-by: Andrew Wong <[email protected]>
---
M src/kudu/client/client-test.cc
M src/kudu/common/table_util-test.cc
M src/kudu/integration-tests/CMakeLists.txt
M src/kudu/integration-tests/alter_table-test.cc
M src/kudu/integration-tests/cluster_itest_util.cc
M src/kudu/integration-tests/cluster_itest_util.h
M src/kudu/integration-tests/consistency-itest.cc
M src/kudu/integration-tests/create-table-stress-test.cc
M src/kudu/integration-tests/delete_table-itest.cc
M src/kudu/integration-tests/flex_partitioning-itest.cc
A src/kudu/integration-tests/hms_itest-base.cc
A src/kudu/integration-tests/hms_itest-base.h
M src/kudu/integration-tests/master_hms-itest.cc
M src/kudu/integration-tests/master_sentry-itest.cc
M src/kudu/integration-tests/raft_config_change-itest.cc
M src/kudu/integration-tests/raft_consensus_nonvoter-itest.cc
M src/kudu/integration-tests/registration-test.cc
M src/kudu/integration-tests/tablet_copy-itest.cc
M src/kudu/integration-tests/tombstoned_voting-itest.cc
M src/kudu/master/CMakeLists.txt
A src/kudu/master/authz_provider.cc
M src/kudu/master/authz_provider.h
M src/kudu/master/catalog_manager.cc
M src/kudu/master/catalog_manager.h
M src/kudu/master/master-test-util.h
M src/kudu/master/master.proto
M src/kudu/master/master_service.cc
A src/kudu/master/sentry_authz_provider-test-base.h
M src/kudu/master/sentry_authz_provider-test.cc
M src/kudu/master/sentry_authz_provider.cc
M src/kudu/master/sentry_authz_provider.h
M src/kudu/sentry/mini_sentry.cc
M src/kudu/tools/rebalancer_tool-test.cc
33 files changed, 1,549 insertions(+), 481 deletions(-)

Approvals:
  Hao Hao: Verified
  Andrew Wong: Looks good to me, approved

--
To view, visit http://gerrit.cloudera.org:8080/11797
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: Iab4aa027ae6eb4520db48ce348db552c9feec2a8
Gerrit-Change-Number: 11797
Gerrit-PatchSet: 17
Gerrit-Owner: Hao Hao <[email protected]>
Gerrit-Reviewer: Adar Dembo <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Andrew Wong <[email protected]>
Gerrit-Reviewer: Dan Burkert <[email protected]>
Gerrit-Reviewer: Hao Hao <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
