[kudu-CR] authz: verify tokens on writes

Wed, 27 Mar 2019 15:29:20 -0700 

Hello Tidy Bot, Alexey Serbin, Dan Burkert, Kudu Jenkins, Adar Dembo, Hao Hao,

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/11754

to look at the new patch set (#8).

Change subject: authz: verify tokens on writes
......................................................................

authz: verify tokens on writes

Adds tserver-side privilege checking for write requests. Unlike the case
for scans, the privileges required for a given write request can only be
determined after the request is decoded, which currently happens in the
prepare phase of a write transaction. As such, this patch pushes
authorization into the prepare phase, right after decoding the
operations.

I also considered a couple of other approaches:
- Frontloading the decoding and doing the authorization at the front of
  the Write endpoint. This would need to take into consideration the
  taking of the schema lock when decoding, which currently happens on
  the prepare thread, which seems tricky.
- Decoding just the operation types up front and performing
  authorization at the front of the Write endpoinat. I decided that the
  extra plumbing required to avoid doing two passes over the write
  request wouldn't be worth the added complexity.

Change-Id: Iefa2215d528a64f525e04bec111b25f8bc17c086
---
M src/kudu/common/row_operations.h
M src/kudu/tablet/transactions/write_transaction.cc
M src/kudu/tablet/transactions/write_transaction.h
M src/kudu/tserver/tablet_server_authorization-test.cc
M src/kudu/tserver/tablet_service.cc
5 files changed, 474 insertions(+), 116 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/54/11754/8
--
To view, visit http://gerrit.cloudera.org:8080/11754
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Iefa2215d528a64f525e04bec111b25f8bc17c086
Gerrit-Change-Number: 11754
Gerrit-PatchSet: 8
Gerrit-Owner: Andrew Wong <[email protected]>
Gerrit-Reviewer: Adar Dembo <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Andrew Wong <[email protected]>
Gerrit-Reviewer: Dan Burkert <[email protected]>
Gerrit-Reviewer: Hao Hao <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)

Reply via email to