[kudu-CR](branch-1.15.x) KUDU-2612 allow system user to read list of table replicas
Bankim Bhavsar has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/17532 )

Change subject: KUDU-2612 allow system user to read list of table replicas

KUDU-2612 allow system user to read list of table replicas

It turned out that txn system client wasn't able to send BEGIN_COMMIT to participating tablets if fine-grained authz is enabled. Its request to get the list of tablets for a table was rejected: the system user isn't granted the METADATA privilege on any of user tables, of course.

This patch addresses that deficiency, bypassing the fine-grained authz for the MasterService::GetTabletLocations() RPC if the caller is a service- or super-user.

In addition, tests are added to make sure the multi-row transaction API works as expected even in the presence of fine-grained authorization.

Change-Id: I26f06af17e5ee85522e2ef867d41cf0f3ddbe5d5
Reviewed-on: http://gerrit.cloudera.org:8080/17529
Tested-by: Alexey Serbin
Reviewed-by: Andrew Wong
(cherry picked from commit 4e724988fb9dc6eeb8cd4b91f46760a03cfa5fde)
Reviewed-on: http://gerrit.cloudera.org:8080/17532
Reviewed-by: Grant Henke
Reviewed-by: Bankim Bhavsar
---
M src/kudu/integration-tests/ts_authz-itest.cc
M src/kudu/master/catalog_manager.cc
2 files changed, 273 insertions(+), 10 deletions(-)

Approvals:
  Grant Henke: Looks good to me, approved
  Andrew Wong: Looks good to me, approved
  Alexey Serbin: Verified
  Bankim Bhavsar: Looks good to me, approved

--
To view, visit http://gerrit.cloudera.org:8080/17532
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: branch-1.15.x
Gerrit-MessageType: merged
Gerrit-Change-Id: I26f06af17e5ee85522e2ef867d41cf0f3ddbe5d5
Gerrit-Change-Number: 17532
Gerrit-PatchSet: 2
Gerrit-Owner: Alexey Serbin
Gerrit-Reviewer: Alexey Serbin
Gerrit-Reviewer: Andrew Wong
Gerrit-Reviewer: Bankim Bhavsar
Gerrit-Reviewer: Grant Henke
Gerrit-Reviewer: Kudu Jenkins (120)
[kudu-CR](branch-1.15.x) KUDU-2612 allow system user to read list of table replicas
Bankim Bhavsar has posted comments on this change. ( http://gerrit.cloudera.org:8080/17532 )

Change subject: KUDU-2612 allow system user to read list of table replicas

Patch Set 1: Code-Review+2

Gerrit-MessageType: comment
Gerrit-PatchSet: 1
Gerrit-Comment-Date: Wed, 02 Jun 2021 18:58:12 +
[kudu-CR](branch-1.15.x) KUDU-2612 allow system user to read list of table replicas
Alexey Serbin has posted comments on this change. ( http://gerrit.cloudera.org:8080/17532 )

Change subject: KUDU-2612 allow system user to read list of table replicas

Patch Set 1:

> > Patch Set 1: Verified-1
> >
> > Build Failed
> >
> > http://jenkins.kudu.apache.org/job/kudu-gerrit/23962/ : FAILURE
>
> Alexey, can you comment on the Java security test failures?

Sure: that's a well known flake in org.apache.kudu.client.TestSecurity.testExternallyProvidedSubjectRefreshedExternally, with no relation to this patch:

http://dist-test.cloudera.org:8080/test_drilldown?test_name=org.apache.kudu.client.TestSecurity.testExternallyProvidedSubjectRefreshedExternallyorg.apache.kudu.client.TestSecurity.testExternallyProvidedSubjectRefreshedExternally

Gerrit-MessageType: comment
Gerrit-PatchSet: 1
Gerrit-Comment-Date: Wed, 02 Jun 2021 18:55:05 +
[kudu-CR](branch-1.15.x) KUDU-2612 allow system user to read list of table replicas
Alexey Serbin has removed a vote on this change.

Change subject: KUDU-2612 allow system user to read list of table replicas

Removed Verified-1 by Kudu Jenkins (120)

Gerrit-MessageType: deleteVote
Gerrit-PatchSet: 1
[kudu-CR](branch-1.15.x) KUDU-2612 allow system user to read list of table replicas
Alexey Serbin has posted comments on this change. ( http://gerrit.cloudera.org:8080/17532 )

Change subject: KUDU-2612 allow system user to read list of table replicas

Patch Set 1: Verified+1

Unrelated test failure in org.apache.kudu.client.TestSecurity.testExternallyProvidedSubjectRefreshedExternally

That's a well known flake, failing 1/20 in TSAN builds:

http://dist-test.cloudera.org:8080/test_drilldown?test_name=org.apache.kudu.client.TestSecurity.testExternallyProvidedSubjectRefreshedExternally

Gerrit-MessageType: comment
Gerrit-PatchSet: 1
Gerrit-Comment-Date: Wed, 02 Jun 2021 18:53:47 +
[kudu-CR](branch-1.15.x) KUDU-2612 allow system user to read list of table replicas
Bankim Bhavsar has posted comments on this change. ( http://gerrit.cloudera.org:8080/17532 )

Change subject: KUDU-2612 allow system user to read list of table replicas

Patch Set 1:

> Patch Set 1: Verified-1
>
> Build Failed
>
> http://jenkins.kudu.apache.org/job/kudu-gerrit/23962/ : FAILURE

Alexey, can you comment on the Java security test failures?

Gerrit-MessageType: comment
Gerrit-PatchSet: 1
Gerrit-Comment-Date: Wed, 02 Jun 2021 18:46:43 +
[kudu-CR](branch-1.15.x) KUDU-2612 allow system user to read list of table replicas
Andrew Wong has posted comments on this change. ( http://gerrit.cloudera.org:8080/17532 )

Change subject: KUDU-2612 allow system user to read list of table replicas

Patch Set 1: Code-Review+2

Gerrit-MessageType: comment
Gerrit-PatchSet: 1
Gerrit-Comment-Date: Wed, 02 Jun 2021 17:48:05 +
[kudu-CR](branch-1.15.x) KUDU-2612 allow system user to read list of table replicas
Grant Henke has posted comments on this change. ( http://gerrit.cloudera.org:8080/17532 )

Change subject: KUDU-2612 allow system user to read list of table replicas

Patch Set 1: Code-Review+2

Gerrit-MessageType: comment
Gerrit-PatchSet: 1
Gerrit-Comment-Date: Wed, 02 Jun 2021 17:47:27 +
[kudu-CR](branch-1.15.x) KUDU-2612 allow system user to read list of table replicas
Alexey Serbin has uploaded this change for review. ( http://gerrit.cloudera.org:8080/17532 )

Change subject: KUDU-2612 allow system user to read list of table replicas

KUDU-2612 allow system user to read list of table replicas

It turned out that txn system client wasn't able to send BEGIN_COMMIT to participating tablets if fine-grained authz is enabled. Its request to get the list of tablets for a table was rejected: the system user isn't granted the METADATA privilege on any of user tables, of course.

This patch addresses that deficiency, bypassing the fine-grained authz for the MasterService::GetTabletLocations() RPC if the caller is a service- or super-user.

In addition, tests are added to make sure the multi-row transaction API works as expected even in the presence of fine-grained authorization.

Change-Id: I26f06af17e5ee85522e2ef867d41cf0f3ddbe5d5
Reviewed-on: http://gerrit.cloudera.org:8080/17529
Tested-by: Alexey Serbin
Reviewed-by: Andrew Wong
(cherry picked from commit 4e724988fb9dc6eeb8cd4b91f46760a03cfa5fde)
---
M src/kudu/integration-tests/ts_authz-itest.cc
M src/kudu/master/catalog_manager.cc
2 files changed, 273 insertions(+), 10 deletions(-)

git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/32/17532/1

Gerrit-MessageType: newchange
Gerrit-PatchSet: 1