Attila Bukor has posted comments on this change. ( http://gerrit.cloudera.org:8080/16071 )
Change subject: KUDU-3090 Add delegate admin privilege ...................................................................... Patch Set 4: (4 comments) http://gerrit.cloudera.org:8080/#/c/16071/3/java/kudu-subprocess/src/main/java/org/apache/kudu/subprocess/ranger/authorization/RangerKuduAuthorizer.java File java/kudu-subprocess/src/main/java/org/apache/kudu/subprocess/ranger/authorization/RangerKuduAuthorizer.java: http://gerrit.cloudera.org:8080/#/c/16071/3/java/kudu-subprocess/src/main/java/org/apache/kudu/subprocess/ranger/authorization/RangerKuduAuthorizer.java@165 PS3, Line 165: = requ > Another reason to use a boolean, it seems we should be auditing this as the It will still be two separate requests (_ADMIN and ALL). On the other hand I think it makes sense for Ranger to audit the actual permission checks and once we have an audit feature/integration, audit the actual operations there. http://gerrit.cloudera.org:8080/#/c/16071/3/src/kudu/master/catalog_manager.cc File src/kudu/master/catalog_manager.cc: http://gerrit.cloudera.org:8080/#/c/16071/3/src/kudu/master/catalog_manager.cc@1827 PS3, Line 1827: auto authz_func = [&] (const string& username, const string& table_name) { > warning: parameter 'owner' is unused [misc-unused-parameters] Done http://gerrit.cloudera.org:8080/#/c/16071/3/src/kudu/master/ranger_authz_provider.cc File src/kudu/master/ranger_authz_provider.cc: http://gerrit.cloudera.org:8080/#/c/16071/3/src/kudu/master/ranger_authz_provider.cc@95 PS3, Line 95: bool admin = user != owner; > Can we plug the owner in here and require ALL and the delegate admin option Done http://gerrit.cloudera.org:8080/#/c/16071/3/src/kudu/ranger/ranger.proto File src/kudu/ranger/ranger.proto: http://gerrit.cloudera.org:8080/#/c/16071/3/src/kudu/ranger/ranger.proto@51 PS3, Line 51: } > I would much rather have this be decoupled from ActionPB entirely, e.g. thr Done -- To view, visit http://gerrit.cloudera.org:8080/16071 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: kudu Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: If8ba018dac568a1ab74cf2d5657221579636ac1c Gerrit-Change-Number: 16071 Gerrit-PatchSet: 4 Gerrit-Owner: Attila Bukor <[email protected]> Gerrit-Reviewer: Andrew Wong <[email protected]> Gerrit-Reviewer: Attila Bukor <[email protected]> Gerrit-Reviewer: Grant Henke <[email protected]> Gerrit-Reviewer: Kudu Jenkins (120) Gerrit-Reviewer: Tidy Bot (241) Gerrit-Comment-Date: Thu, 25 Jun 2020 15:15:24 +0000 Gerrit-HasComments: Yes
