[kudu-CR] [master] introduce SentryPrivilegesFetcher
Alexey Serbin has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/12833 ) Change subject: [master] introduce SentryPrivilegesFetcher .. [master] introduce SentryPrivilegesFetcher This patch incorporates a TTL-based cache into the data paths of SentryAuthzProvider by introducing a new entity responsible for fetching and caching the information received from Sentry authz authority: SentryPrivilegesFetcher. A cache's entry contains sanitized and transformed information received as TListSentryPrivilegesResponse from Sentry. Set the newly introduced `--sentry_authz_cache_capacity_mb` command-line flag to 0 to disable caching of authz privilege information returned from Sentry. Change-Id: Idaefacd50736f1f152dae34e76778e17b2e84cbe Reviewed-on: http://gerrit.cloudera.org:8080/12833 Reviewed-by: Hao Hao Reviewed-by: Andrew Wong Tested-by: Kudu Jenkins --- M src/kudu/integration-tests/master_sentry-itest.cc M src/kudu/master/CMakeLists.txt M src/kudu/master/default_authz_provider.h M src/kudu/master/sentry_authz_provider-test.cc M src/kudu/master/sentry_authz_provider.cc M src/kudu/master/sentry_authz_provider.h A src/kudu/master/sentry_privileges_cache_metrics.cc A src/kudu/master/sentry_privileges_cache_metrics.h A src/kudu/master/sentry_privileges_fetcher.cc A src/kudu/master/sentry_privileges_fetcher.h M src/kudu/sentry/sentry_authorizable_scope.cc M src/kudu/sentry/sentry_authorizable_scope.h 12 files changed, 1,232 insertions(+), 642 deletions(-) Approvals: Hao Hao: Looks good to me, approved Andrew Wong: Looks good to me, approved Kudu Jenkins: Verified -- To view, visit http://gerrit.cloudera.org:8080/12833 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: kudu Gerrit-Branch: master Gerrit-MessageType: merged Gerrit-Change-Id: Idaefacd50736f1f152dae34e76778e17b2e84cbe Gerrit-Change-Number: 12833 Gerrit-PatchSet: 14 Gerrit-Owner: Alexey Serbin Gerrit-Reviewer: Adar Dembo Gerrit-Reviewer: Alexey Serbin Gerrit-Reviewer: Andrew Wong Gerrit-Reviewer: Hao Hao Gerrit-Reviewer: Kudu Jenkins (120) Gerrit-Reviewer: Tidy Bot (241)
[kudu-CR] [master] introduce SentryPrivilegesFetcher
Andrew Wong has posted comments on this change. ( http://gerrit.cloudera.org:8080/12833 ) Change subject: [master] introduce SentryPrivilegesFetcher .. Patch Set 13: Code-Review+2 (1 comment) http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider.cc File src/kudu/master/sentry_authz_provider.cc: http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider.cc@78 PS9, Line 78: s = privileges_branch.privileges(); > > But I think this is confusing because this means that "privilege" would r :) Indeed, SGTM -- To view, visit http://gerrit.cloudera.org:8080/12833 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: kudu Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: Idaefacd50736f1f152dae34e76778e17b2e84cbe Gerrit-Change-Number: 12833 Gerrit-PatchSet: 13 Gerrit-Owner: Alexey Serbin Gerrit-Reviewer: Adar Dembo Gerrit-Reviewer: Alexey Serbin Gerrit-Reviewer: Andrew Wong Gerrit-Reviewer: Hao Hao Gerrit-Reviewer: Kudu Jenkins (120) Gerrit-Reviewer: Tidy Bot (241) Gerrit-Comment-Date: Wed, 10 Apr 2019 22:45:26 + Gerrit-HasComments: Yes
[kudu-CR] [master] introduce SentryPrivilegesFetcher
Hao Hao has posted comments on this change. ( http://gerrit.cloudera.org:8080/12833 ) Change subject: [master] introduce SentryPrivilegesFetcher .. Patch Set 13: Code-Review+2 -- To view, visit http://gerrit.cloudera.org:8080/12833 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: kudu Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: Idaefacd50736f1f152dae34e76778e17b2e84cbe Gerrit-Change-Number: 12833 Gerrit-PatchSet: 13 Gerrit-Owner: Alexey Serbin Gerrit-Reviewer: Adar Dembo Gerrit-Reviewer: Alexey Serbin Gerrit-Reviewer: Andrew Wong Gerrit-Reviewer: Hao Hao Gerrit-Reviewer: Kudu Jenkins (120) Gerrit-Reviewer: Tidy Bot (241) Gerrit-Comment-Date: Wed, 10 Apr 2019 22:32:54 + Gerrit-HasComments: No
[kudu-CR] [master] introduce SentryPrivilegesFetcher
Hello Tidy Bot, Kudu Jenkins, Andrew Wong, Adar Dembo, Hao Hao, I'd like you to reexamine a change. Please visit http://gerrit.cloudera.org:8080/12833 to look at the new patch set (#13). Change subject: [master] introduce SentryPrivilegesFetcher .. [master] introduce SentryPrivilegesFetcher This patch incorporates a TTL-based cache into the data paths of SentryAuthzProvider by introducing a new entity responsible for fetching and caching the information received from Sentry authz authority: SentryPrivilegesFetcher. A cache's entry contains sanitized and transformed information received as TListSentryPrivilegesResponse from Sentry. Set the newly introduced `--sentry_authz_cache_capacity_mb` command-line flag to 0 to disable caching of authz privilege information returned from Sentry. Change-Id: Idaefacd50736f1f152dae34e76778e17b2e84cbe --- M src/kudu/integration-tests/master_sentry-itest.cc M src/kudu/master/CMakeLists.txt M src/kudu/master/default_authz_provider.h M src/kudu/master/sentry_authz_provider-test.cc M src/kudu/master/sentry_authz_provider.cc M src/kudu/master/sentry_authz_provider.h A src/kudu/master/sentry_privileges_cache_metrics.cc A src/kudu/master/sentry_privileges_cache_metrics.h A src/kudu/master/sentry_privileges_fetcher.cc A src/kudu/master/sentry_privileges_fetcher.h M src/kudu/sentry/sentry_authorizable_scope.cc M src/kudu/sentry/sentry_authorizable_scope.h 12 files changed, 1,232 insertions(+), 642 deletions(-) git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/33/12833/13 -- To view, visit http://gerrit.cloudera.org:8080/12833 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: kudu Gerrit-Branch: master Gerrit-MessageType: newpatchset Gerrit-Change-Id: Idaefacd50736f1f152dae34e76778e17b2e84cbe Gerrit-Change-Number: 12833 Gerrit-PatchSet: 13 Gerrit-Owner: Alexey Serbin Gerrit-Reviewer: Adar Dembo Gerrit-Reviewer: Alexey Serbin Gerrit-Reviewer: Andrew Wong Gerrit-Reviewer: Hao Hao Gerrit-Reviewer: Kudu Jenkins (120) Gerrit-Reviewer: Tidy Bot (241)
[kudu-CR] [master] introduce SentryPrivilegesFetcher
Alexey Serbin has posted comments on this change. ( http://gerrit.cloudera.org:8080/12833 ) Change subject: [master] introduce SentryPrivilegesFetcher .. Patch Set 13: (10 comments) > Patch Set 12: Code-Review+1 > > (6 comments) http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider-test.cc File src/kudu/master/sentry_authz_provider-test.cc: http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider-test.cc@182 PS9, Line 182: rivileges_cach > Ah, missed the fact that it'd be recursive naming. Yep, the function look-up rules in C++ turned to be non-intuitive in this particular case. I initially wrote that without namespace specifiers and got that compiler error. http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider-test.cc@426 PS9, Line 426: for (const auto& action : SelectRandomSubset( : kAllActions, 0, )) { : > Sorry for the conflicts. Thanks for being accommodating. np, thanks for putting up a path to address that feedback. It seems I kept this patch around for too long, so I should have expected something like that anyways :) http://gerrit.cloudera.org:8080/#/c/12833/12/src/kudu/master/sentry_authz_provider-test.cc File src/kudu/master/sentry_authz_provider-test.cc: http://gerrit.cloudera.org:8080/#/c/12833/12/src/kudu/master/sentry_authz_provider-test.cc@697 PS12, Line 697: caching > nit: Cache? Done http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider.cc File src/kudu/master/sentry_authz_provider.cc: http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider.cc@78 PS9, Line 78: s = privileges_branch.privileges(); > But I think this is confusing because this means that "privilege" would refer > to both the struct itself and a member internal to the struct. And so a clear > way to distinguish these two "privileges" is to call the member "privilege" > "action" instead. Continuing this bike-shedding venue, I could propose to rename AuthorizablePrivileges into AuthorizableAccessInfo or AuthorizableAccessRules. However, I think we need this patch to land eventually, so I hope renaming this into 'allowed_action' will be a reasonable solution :) http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider.cc@182 PS9, Line 182: > SGTM Great, thanks for being open for this alternative naming approach. http://gerrit.cloudera.org:8080/#/c/12833/12/src/kudu/master/sentry_authz_provider.cc File src/kudu/master/sentry_authz_provider.cc: http://gerrit.cloudera.org:8080/#/c/12833/12/src/kudu/master/sentry_authz_provider.cc@50 PS12, Line 50: // action ('required_action') in the specified scope ('required_scope') > nit: missing ' Done http://gerrit.cloudera.org:8080/#/c/12833/12/src/kudu/master/sentry_privileges_fetcher.h File src/kudu/master/sentry_privileges_fetcher.h: http://gerrit.cloudera.org:8080/#/c/12833/12/src/kudu/master/sentry_privileges_fetcher.h@194 PS12, Line 194: Send > nit: Sends. Done http://gerrit.cloudera.org:8080/#/c/12833/12/src/kudu/master/sentry_privileges_fetcher.h@201 PS12, Line 201: Reset > nit: Resets Done http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_privileges_fetcher.h File src/kudu/master/sentry_privileges_fetcher.h: http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_privileges_fetcher.h@100 PS9, Line 100: std::string table_name; > Thanks for doing that Alexey. np :) probably we will come up with something better in next revisions while iterating on the signatures of methods used as interface between SentryAuthzProvider and SentryAuthzFetcher. http://gerrit.cloudera.org:8080/#/c/12833/12/src/kudu/master/sentry_privileges_fetcher.cc File src/kudu/master/sentry_privileges_fetcher.cc: http://gerrit.cloudera.org:8080/#/c/12833/12/src/kudu/master/sentry_privileges_fetcher.cc@219 PS12, Line 219: i > Nit: got two spaces here. Done -- To view, visit http://gerrit.cloudera.org:8080/12833 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: kudu Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: Idaefacd50736f1f152dae34e76778e17b2e84cbe Gerrit-Change-Number: 12833 Gerrit-PatchSet: 13 Gerrit-Owner: Alexey Serbin Gerrit-Reviewer: Adar Dembo Gerrit-Reviewer: Alexey Serbin Gerrit-Reviewer: Andrew Wong Gerrit-Reviewer: Hao Hao Gerrit-Reviewer: Kudu Jenkins (120) Gerrit-Reviewer: Tidy Bot (241) Gerrit-Comment-Date: Wed, 10 Apr 2019 22:20:31 + Gerrit-HasComments: Yes
[kudu-CR] [master] introduce SentryPrivilegesFetcher
Andrew Wong has posted comments on this change. ( http://gerrit.cloudera.org:8080/12833 ) Change subject: [master] introduce SentryPrivilegesFetcher .. Patch Set 12: Code-Review+1 (6 comments) http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider-test.cc File src/kudu/master/sentry_authz_provider-test.cc: http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider-test.cc@182 PS9, Line 182: rivileges_cach > Nope, that's left for a purpose: if dropping that here and below, compilati Ah, missed the fact that it'd be recursive naming. http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider-test.cc@426 PS9, Line 426: for (const auto& action : SelectRandomSubset( : kAllActions, 0, )) { : > All right, it seem it's already taken care of (that bring many conflicts in Sorry for the conflicts. Thanks for being accommodating. http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider.cc File src/kudu/master/sentry_authz_provider.cc: http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider.cc@78 PS9, Line 78: s = privileges_branch.privileges(); > Yeah, just another bikeshade-able point of this changelist :) It seems I s I think I understand where you're coming from and I agree that there is no contention that privileges are units that can be granted from a Sentry POV. That said, I think if we don't make the conscious decision to clarify different terms, it might be confusing. In Sentry, you can have "a privilege on a scope" (per those docs), but what this really means is "a privilege to perform an action at a given scope". I don't think those docs do a great job making this distinction because an end-user of Sentry doesn't really need to make that distinction -- the "privilege" _is_ the action, and you can grant a privilege on a scope. When it comes down to these code structs, we want our struct to encapsulate (in terms from the docs) a privilege that has been granted on a scope. A simple way to do this would to have a GrantedPrivilege be a struct. But I think this is confusing because this means that "privilege" would refer to both the struct itself and a member internal to the struct. And so a clear way to distinguish these two "privileges" is to call the member "privilege" "action" instead, so a Privilege is a struct. This corresponds roughly to what's in TSentryPrivilege in sentry/sentry_policy_service.thrift. In that way, we care about keeping track of the Privileges (ie. the structs), and a user can be granted many of these Privileges. And so when I think of "granting a privilege", I think of "granting a struct", and by extension, a "granted action" in the context of these Privileges, is the actions on which the privilege has been granted. But if you're caught up on the "granted" aspect of it, I'd also be fine calling this "actions". http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider.cc@182 PS9, Line 182: > I moved this away from SentryPrivilegesBranch since I didn't want to bring SGTM http://gerrit.cloudera.org:8080/#/c/12833/12/src/kudu/master/sentry_authz_provider.cc File src/kudu/master/sentry_authz_provider.cc: http://gerrit.cloudera.org:8080/#/c/12833/12/src/kudu/master/sentry_authz_provider.cc@50 PS12, Line 50: // action ('required_action) in the specified scope ('required_scope') nit: missing ' http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_privileges_fetcher.h File src/kudu/master/sentry_privileges_fetcher.h: http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_privileges_fetcher.h@100 PS9, Line 100: std::string table_name; > Yep, the newly added SentryPrivilegesBranch::Init() method addresses that. Thanks for doing that Alexey. -- To view, visit http://gerrit.cloudera.org:8080/12833 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: kudu Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: Idaefacd50736f1f152dae34e76778e17b2e84cbe Gerrit-Change-Number: 12833 Gerrit-PatchSet: 12 Gerrit-Owner: Alexey Serbin Gerrit-Reviewer: Adar Dembo Gerrit-Reviewer: Alexey Serbin Gerrit-Reviewer: Andrew Wong Gerrit-Reviewer: Hao Hao Gerrit-Reviewer: Kudu Jenkins (120) Gerrit-Reviewer: Tidy Bot (241) Gerrit-Comment-Date: Wed, 10 Apr 2019 18:04:51 + Gerrit-HasComments: Yes
[kudu-CR] [master] introduce SentryPrivilegesFetcher
Adar Dembo has posted comments on this change. ( http://gerrit.cloudera.org:8080/12833 ) Change subject: [master] introduce SentryPrivilegesFetcher .. Patch Set 12: Code-Review+1 (1 comment) http://gerrit.cloudera.org:8080/#/c/12833/12/src/kudu/master/sentry_privileges_fetcher.cc File src/kudu/master/sentry_privileges_fetcher.cc: http://gerrit.cloudera.org:8080/#/c/12833/12/src/kudu/master/sentry_privileges_fetcher.cc@219 PS12, Line 219: Nit: got two spaces here. -- To view, visit http://gerrit.cloudera.org:8080/12833 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: kudu Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: Idaefacd50736f1f152dae34e76778e17b2e84cbe Gerrit-Change-Number: 12833 Gerrit-PatchSet: 12 Gerrit-Owner: Alexey Serbin Gerrit-Reviewer: Adar Dembo Gerrit-Reviewer: Alexey Serbin Gerrit-Reviewer: Andrew Wong Gerrit-Reviewer: Hao Hao Gerrit-Reviewer: Kudu Jenkins (120) Gerrit-Reviewer: Tidy Bot (241) Gerrit-Comment-Date: Wed, 10 Apr 2019 16:49:01 + Gerrit-HasComments: Yes
[kudu-CR] [master] introduce SentryPrivilegesFetcher
Alexey Serbin has posted comments on this change. ( http://gerrit.cloudera.org:8080/12833 ) Change subject: [master] introduce SentryPrivilegesFetcher .. Patch Set 11: (31 comments) http://gerrit.cloudera.org:8080/#/c/12833/11//COMMIT_MSG Commit Message: http://gerrit.cloudera.org:8080/#/c/12833/11//COMMIT_MSG@7 PS11, Line 7: WIP > This is no longer a WIP? Done http://gerrit.cloudera.org:8080/#/c/12833/11//COMMIT_MSG@10 PS11, Line 10: raw responses : received from Sentry > We actually store sanitized response from Sentry (SentryPrivilegesBranch), Done http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider-test.cc File src/kudu/master/sentry_authz_provider-test.cc: http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider-test.cc@157 PS9, Line 157: public: > Omit this? Done. http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider-test.cc@182 PS9, Line 182: y() { > Drop, here and below Nope, that's left for a purpose: if dropping that here and below, compilation fails (at least on macOS): /Users/aserbin/Projects/kudu/src/kudu/master/sentry_authz_provider-test.cc:215:19: error: too many arguments to function call, expected 0, have 2; did you mean '::kudu::master::DropRole'? RETURN_NOT_OK(DropRole(sentry_client_.get(), kRoleName)); ^~~~ ::kudu::master::DropRole http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider-test.cc@426 PS9, Line 426: SentryPrivilegesBranch privileges_info; : ASSERT_OK(sentry_authz_provider_->fetcher_.GetSentryPrivileges( : > I agree with limiting the test matrix, OTOH if we're limiting it, we might All right, it seem it's already taken care of (that bring many conflicts into this patch, BTW): https://github.com/apache/kudu/commit/16dc218b5a26fa18dee9e36e09e86c9c38f0d55c Also, since this test doesn't depend much on the caching/non-caching behavior of SentryPrivilegesFetcher, I'm leaving it in 'caching enabled' mode. http://gerrit.cloudera.org:8080/#/c/12833/11/src/kudu/master/sentry_authz_provider.h File src/kudu/master/sentry_authz_provider.h: http://gerrit.cloudera.org:8080/#/c/12833/11/src/kudu/master/sentry_authz_provider.h@98 PS11, Line 98: GetSentryPrivileges > nit: it looks like the comment is removed? This method is moved SentryAuthzProvider's interface, yes. http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider.h File src/kudu/master/sentry_authz_provider.h: http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider.h@57 PS9, Line 57: privielge > privilege Done http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider.h@98 PS9, Line 98: Status GetSentryPrivileges(sentry::SentryAuthorizableScope::Scope scope, > doc Done http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider.cc File src/kudu/master/sentry_authz_provider.cc: http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider.cc@78 PS9, Line 78: bleScope(privilege.scope).Implies(scope)) { > I strongly feel that we should keep granted_action. Even if an action, with Yeah, just another bikeshade-able point of this changelist :) It seems I started it a few revisions ago with a request to change naming of one field in SentryPrivilegesBranch and now it continues on. After some consideration I realized that I'm not sure what 'granted action' means. How do you grant an action? I think that semantically 'action' in English is not something that can be granted. Also, I don't know of any notion of 'granting an action', and I could not find any notion of 'granted action' in user-facing Sentry's documentation at https://www.cloudera.com/documentation/enterprise/latest/topics/cm_sg_sentry_service.html What would 'granted action' mean in your terms? Maybe, there is some documentation on Sentry that clarifies on 'granting an action', but I could not find it. http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider.cc@182 PS9, Line 182: RETURN_NOT_OK(fetcher_.GetS > This reads weirdly ("if" and "do" never follow in an English sentence) and I moved this away from SentryPrivilegesBranch since I didn't want to bring too much of the implication logic into the Fetcher. It seems code conventions often contradict the rules of composition of sentences in English. In current Kudu codebase you can see names of functions like IsXxx, and that's the prevaling rules of naming such methods/functions. That's why I decided to name this function using the same pattern. I think it's better to have more or less uniform naming rules in the codebase. What do you think? http://gerrit.cloudera.org:8080/#/c/12833/11/src/kudu/master/sentry_authz_provider.cc File
[kudu-CR] [master] introduce SentryPrivilegesFetcher
Hello Tidy Bot, Kudu Jenkins, Andrew Wong, Adar Dembo, Hao Hao, I'd like you to reexamine a change. Please visit http://gerrit.cloudera.org:8080/12833 to look at the new patch set (#12). Change subject: [master] introduce SentryPrivilegesFetcher .. [master] introduce SentryPrivilegesFetcher This patch incorporates a TTL-based cache into the data paths of SentryAuthzProvider by introducing new entity responsible for fetching and caching the information received from Sentry authz authority. The cache's entry contains sanitized and transformed information received as TListSentryPrivilegesResponse from Sentry. Set the newly introduced `--sentry_authz_cache_capacity_mb` command-line flag to 0 to disable caching of authz privilege information returned from Sentry. Change-Id: Idaefacd50736f1f152dae34e76778e17b2e84cbe --- M src/kudu/integration-tests/master_sentry-itest.cc M src/kudu/master/CMakeLists.txt M src/kudu/master/default_authz_provider.h M src/kudu/master/sentry_authz_provider-test.cc M src/kudu/master/sentry_authz_provider.cc M src/kudu/master/sentry_authz_provider.h A src/kudu/master/sentry_privileges_cache_metrics.cc A src/kudu/master/sentry_privileges_cache_metrics.h A src/kudu/master/sentry_privileges_fetcher.cc A src/kudu/master/sentry_privileges_fetcher.h M src/kudu/sentry/sentry_authorizable_scope.cc M src/kudu/sentry/sentry_authorizable_scope.h 12 files changed, 1,224 insertions(+), 632 deletions(-) git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/33/12833/12 -- To view, visit http://gerrit.cloudera.org:8080/12833 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: kudu Gerrit-Branch: master Gerrit-MessageType: newpatchset Gerrit-Change-Id: Idaefacd50736f1f152dae34e76778e17b2e84cbe Gerrit-Change-Number: 12833 Gerrit-PatchSet: 12 Gerrit-Owner: Alexey Serbin Gerrit-Reviewer: Adar Dembo Gerrit-Reviewer: Alexey Serbin Gerrit-Reviewer: Andrew Wong Gerrit-Reviewer: Hao Hao Gerrit-Reviewer: Kudu Jenkins (120) Gerrit-Reviewer: Tidy Bot (241)