[kudu-CR] security: authorize all RPCs against coarse-grained ACLs

Wed, 22 Feb 2017 22:02:40 -0800 

Hello Kudu Jenkins,

I'd like you to reexamine a change.  Please visit

    http://gerrit.cloudera.org:8080/5998

to look at the new patch set (#6).

Change subject: security: authorize all RPCs against coarse-grained ACLs
......................................................................

security: authorize all RPCs against coarse-grained ACLs

This adds two new flags: 'superuser_acl' and 'client_acl'.
Cluster-admin operations (eg things like SetFlags) are authorized
against superuser_acl, and read/write/DDL type operations are authorized
against client_acl.

Internal-facing RPCs are authorized against the service user, which is
assumed to be a matching principal across all of the hosts.

Most of the "service" RPCs are also allowed to be accessed by
superusers, so that operator tools can take advantage of them. The one
exception is TSHeartbeat, which is locked down to _only_ the service
user, since it's the endpoint that exports signed IPKI certs.

A new unit test smoke tests the various authorization levels using a
combination of the real client and hand-crafted RPCs.

Change-Id: Id24a6429273aff355e70e127086a26b7e4a03cd8
---
M java/kudu-client/src/test/java/org/apache/kudu/client/MiniKuduCluster.java
M src/kudu/consensus/consensus.proto
M src/kudu/integration-tests/CMakeLists.txt
M src/kudu/integration-tests/external_mini_cluster-test.cc
M src/kudu/integration-tests/external_mini_cluster.cc
A src/kudu/integration-tests/security-itest.cc
M src/kudu/master/master.cc
M src/kudu/master/master.proto
M src/kudu/master/master_service.cc
M src/kudu/master/master_service.h
M src/kudu/rpc/messenger.h
M src/kudu/rpc/rpc_context.cc
M src/kudu/rpc/rpc_context.h
M src/kudu/security/CMakeLists.txt
M src/kudu/security/init.cc
M src/kudu/security/init.h
A src/kudu/security/kerberos_util.cc
A src/kudu/security/kerberos_util.h
A src/kudu/security/simple_acl.cc
A src/kudu/security/simple_acl.h
M src/kudu/server/generic_service.cc
M src/kudu/server/generic_service.h
M src/kudu/server/server_base.cc
M src/kudu/server/server_base.h
M src/kudu/server/server_base.proto
M src/kudu/tserver/tablet_copy.proto
M src/kudu/tserver/tablet_copy_service.cc
M src/kudu/tserver/tablet_copy_service.h
M src/kudu/tserver/tablet_server.cc
M src/kudu/tserver/tablet_service.cc
M src/kudu/tserver/tablet_service.h
M src/kudu/tserver/tserver_admin.proto
M src/kudu/tserver/tserver_service.proto
33 files changed, 725 insertions(+), 66 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/98/5998/6
-- 
To view, visit http://gerrit.cloudera.org:8080/5998
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Id24a6429273aff355e70e127086a26b7e4a03cd8
Gerrit-PatchSet: 6
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Todd Lipcon <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Dan Burkert <[email protected]>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Tidy Bot

Reply via email to