[kudu-CR] [sentry] Integrate AuthzProvider into CatalogManager

Hao Hao (Code Review) Tue, 19 Mar 2019 12:09:42 -0700

Hello Tidy Bot, Alexey Serbin, Dan Burkert, Kudu Jenkins, Andrew Wong, Adar 
Dembo,


I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/11797

to look at the new patch set (#12).

Change subject: [sentry] Integrate AuthzProvider into CatalogManager
......................................................................

[sentry] Integrate AuthzProvider into CatalogManager

This commit enables master RPC authorization enforcement by connecting
the CatalogManager to the Sentry service via the SentryAuthzProvider.
When the Sentry integration is enabled (by setting the
--sentry_service_rpc_addresses flag), DDLs such as table creation,
alteration, deletion are validated to see if the connected user has
the permission to perform such operations. Note that the coarse-grained
access control is still applied to these endpoints. A --trusted_user_acl
flag is introduced to allow the trusted user, e.g. 'impala', to skip the
authorization enforcement.

Testing: This commit adds a new integration test (master_sentry-itest)
which tests that the integration works as expected with all exposed
table operations. More coverage on DDL stress tests with Sentry
integration enabled will be in a follow up patch.

Change-Id: Iab4aa027ae6eb4520db48ce348db552c9feec2a8
---
M src/kudu/client/client-test.cc
M src/kudu/common/table_util-test.cc
M src/kudu/integration-tests/CMakeLists.txt
M src/kudu/integration-tests/alter_table-test.cc
M src/kudu/integration-tests/cluster_itest_util.cc
M src/kudu/integration-tests/cluster_itest_util.h
M src/kudu/integration-tests/consistency-itest.cc
M src/kudu/integration-tests/create-table-stress-test.cc
M src/kudu/integration-tests/delete_table-itest.cc
M src/kudu/integration-tests/flex_partitioning-itest.cc
A src/kudu/integration-tests/hms_itest-base.cc
A src/kudu/integration-tests/hms_itest-base.h
M src/kudu/integration-tests/master_hms-itest.cc
M src/kudu/integration-tests/master_sentry-itest.cc
M src/kudu/integration-tests/raft_config_change-itest.cc
M src/kudu/integration-tests/raft_consensus_nonvoter-itest.cc
M src/kudu/integration-tests/registration-test.cc
M src/kudu/integration-tests/tablet_copy-itest.cc
M src/kudu/integration-tests/tombstoned_voting-itest.cc
M src/kudu/master/CMakeLists.txt
A src/kudu/master/authz_provider.cc
M src/kudu/master/authz_provider.h
M src/kudu/master/catalog_manager.cc
M src/kudu/master/catalog_manager.h
M src/kudu/master/master-test-util.h
M src/kudu/master/master.proto
M src/kudu/master/master_service.cc
A src/kudu/master/sentry_authz_provider-test-base.h
M src/kudu/master/sentry_authz_provider-test.cc
M src/kudu/master/sentry_authz_provider.cc
M src/kudu/master/sentry_authz_provider.h
M src/kudu/sentry/mini_sentry.cc
M src/kudu/tools/rebalancer_tool-test.cc
33 files changed, 1,528 insertions(+), 486 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/97/11797/12
--
To view, visit http://gerrit.cloudera.org:8080/11797
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Iab4aa027ae6eb4520db48ce348db552c9feec2a8
Gerrit-Change-Number: 11797
Gerrit-PatchSet: 12
Gerrit-Owner: Hao Hao <hao....@cloudera.com>
Gerrit-Reviewer: Adar Dembo <a...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <aser...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <danburk...@apache.org>
Gerrit-Reviewer: Hao Hao <hao....@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)

[kudu-CR] [sentry] Integrate AuthzProvider into CatalogManager

Reply via email to