Alexey Serbin has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/12919 )

Change subject: sentry: sanitize and parse privileges from Sentry
......................................................................

sentry: sanitize and parse privileges from Sentry

Currently, we pass around the Thrift privileges received from Sentry,
which can be both expensive memory-wise and cumbersome to use. This
patch:
- sanitizes the responses from Sentry, only keeping those that are
  well-formed and potentially Kudu-related,
- stores them in a more ergonomic form, e.g. keeping around enums rather
  than strings for SentryActions, etc. This form may be updated in the
  future to facilitate privilege evaluation -- for now, my goal is just
  to make it easier to work with Sentry privileges,
- encapsulates the above in an abstracted version of a Sentry response
  that corresponds to the hierarchy tree for a given table, with the
  hope that it will make changing the in-memory format more painless,
- switches the SentryAuthorizableScope and SentryAction enum classes to
  enums, to avoid having to use the extra enum class typename
  everywhere (e.g. now SentryAuthorizableScope::SERVER instead of
  SentryAuthorizableScope::Scope::SERVER will suffice),
- tests that the sanitization does what it purports to do,
- tests authorizing "create tables" with OWNER privileges, due to an
  issue caught in review.

Change-Id: Ib6de6814f99abfbee4f030298b74f21f4e7c729b
Reviewed-on: http://gerrit.cloudera.org:8080/12919
Tested-by: Kudu Jenkins
Reviewed-by: Hao Hao <hao....@cloudera.com>
Reviewed-by: Alexey Serbin <aser...@cloudera.com>
---
M src/kudu/gutil/map-util.h
M src/kudu/master/sentry_authz_provider-test.cc
M src/kudu/master/sentry_authz_provider.cc
M src/kudu/master/sentry_authz_provider.h
M src/kudu/sentry/sentry_action.h
M src/kudu/sentry/sentry_authorizable_scope.h
6 files changed, 724 insertions(+), 94 deletions(-)

Approvals:
  Kudu Jenkins: Verified
  Hao Hao: Looks good to me, but someone else must approve
  Alexey Serbin: Looks good to me, approved

--
To view, visit http://gerrit.cloudera.org:8080/12919

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: Ib6de6814f99abfbee4f030298b74f21f4e7c729b
Gerrit-Change-Number: 12919
Gerrit-PatchSet: 11
Gerrit-Owner: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <aser...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Hao Hao <hao....@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
