[kudu-CR] WIP: authorize all RPCs against coarse-grained ACLs

Wed, 22 Feb 2017 02:23:57 -0800 

Hello Dan Burkert, Alexey Serbin, Kudu Jenkins,

I'd like you to reexamine a change.  Please visit

    http://gerrit.cloudera.org:8080/5998

to look at the new patch set (#3).

Change subject: WIP: authorize all RPCs against coarse-grained ACLs
......................................................................

WIP: authorize all RPCs against coarse-grained ACLs

This adds two new flags: 'superuser_acl' and 'client_acl'.
Cluster-admin operations (eg things like SetFlags) are authorized
against superuser_acl, and read/write/DDL type operations are authorized
against client_acl.

Internal-facing RPCs are authorized against the service user, which is
assumed to be a matching principal across all of the hosts.

WIP: needs testing, docs, etc.

Change-Id: Id24a6429273aff355e70e127086a26b7e4a03cd8
---
M java/kudu-client/src/test/java/org/apache/kudu/client/MiniKuduCluster.java
M src/kudu/consensus/consensus.proto
M src/kudu/integration-tests/external_mini_cluster.cc
M src/kudu/master/master.cc
M src/kudu/master/master.proto
M src/kudu/master/master_service.cc
M src/kudu/master/master_service.h
M src/kudu/rpc/rpc_context.cc
M src/kudu/rpc/rpc_context.h
M src/kudu/security/CMakeLists.txt
A src/kudu/security/kerberos_util.cc
A src/kudu/security/kerberos_util.h
A src/kudu/security/simple_acl.cc
A src/kudu/security/simple_acl.h
M src/kudu/server/generic_service.cc
M src/kudu/server/generic_service.h
M src/kudu/server/server_base.cc
M src/kudu/server/server_base.h
M src/kudu/server/server_base.proto
M src/kudu/tserver/tablet_copy.proto
M src/kudu/tserver/tablet_copy_service.cc
M src/kudu/tserver/tablet_copy_service.h
M src/kudu/tserver/tablet_server.cc
M src/kudu/tserver/tablet_service.cc
M src/kudu/tserver/tablet_service.h
M src/kudu/tserver/tserver_admin.proto
M src/kudu/tserver/tserver_service.proto
27 files changed, 504 insertions(+), 53 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/98/5998/3
-- 
To view, visit http://gerrit.cloudera.org:8080/5998
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Id24a6429273aff355e70e127086a26b7e4a03cd8
Gerrit-PatchSet: 3
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Todd Lipcon <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Dan Burkert <[email protected]>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Tidy Bot

Reply via email to