Andrew Wong has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/11754 )
Change subject: authz: verify tokens on writes ...................................................................... authz: verify tokens on writes Adds tserver-side privilege checking for write requests. Unlike the case for scans, the privileges required for a given write request can only be determined after the request is decoded, which currently happens in the prepare phase of a write transaction. As such, this patch pushes authorization into the prepare phase, right after decoding the operations. I also considered a couple of other approaches: - Frontloading the decoding and doing the authorization at the front of the Write endpoint. This would need to take into consideration the taking of the schema lock when decoding, which currently happens on the prepare thread, which seems tricky. - Decoding just the operation types up front and performing authorization at the front of the Write endpoint. I decided that the extra plumbing required to avoid doing two passes over the write request wouldn't be worth the added complexity. Change-Id: Iefa2215d528a64f525e04bec111b25f8bc17c086 Reviewed-on: http://gerrit.cloudera.org:8080/11754 Tested-by: Kudu Jenkins Reviewed-by: Hao Hao <[email protected]> --- M src/kudu/common/row_operations.h M src/kudu/tablet/transactions/write_transaction.cc M src/kudu/tablet/transactions/write_transaction.h M src/kudu/tserver/tablet_server_authorization-test.cc M src/kudu/tserver/tablet_service.cc 5 files changed, 474 insertions(+), 116 deletions(-) Approvals: Kudu Jenkins: Verified Hao Hao: Looks good to me, approved -- To view, visit http://gerrit.cloudera.org:8080/11754 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: kudu Gerrit-Branch: master Gerrit-MessageType: merged Gerrit-Change-Id: Iefa2215d528a64f525e04bec111b25f8bc17c086 Gerrit-Change-Number: 11754 Gerrit-PatchSet: 11 Gerrit-Owner: Andrew Wong <[email protected]> Gerrit-Reviewer: Adar Dembo <[email protected]> Gerrit-Reviewer: Alexey Serbin <[email protected]> Gerrit-Reviewer: Andrew Wong <[email protected]> Gerrit-Reviewer: Dan Burkert <[email protected]> Gerrit-Reviewer: Hao Hao <[email protected]> Gerrit-Reviewer: Kudu Jenkins (120) Gerrit-Reviewer: Tidy Bot (241)
