Alexey Serbin has posted comments on this change. ( http://gerrit.cloudera.org:8080/13681 )

Change subject: KUDU-2870: use coarse-grained authz for Checksum
......................................................................


Patch Set 2:

(2 comments)

http://gerrit.cloudera.org:8080/#/c/13681/2/src/kudu/tserver/tablet_service.cc
File src/kudu/tserver/tablet_service.cc:

http://gerrit.cloudera.org:8080/#/c/13681/2/src/kudu/tserver/tablet_service.cc@887
PS2, Line 887: bool TabletServiceImpl::AuthorizeChecksum(const google::protobuf::Message* req,
             :                                           google::protobuf::Message* resp,
             :                                           rpc::RpcContext* context) {
             :   if (FLAGS_tserver_enforce_access_control) {
             :     return server_->Authorize(context, ServerBase::SUPER_USER);
             :   }
             :   return AuthorizeClient(req, resp, context);
             : }
This looks a bit strange to me.  Basically, it says that in case of 
fine-grained authz we suddenly require two things: 1) caller to be a super-user 
2) caller to have authz token if --checksum_require_authz_token=true

While in non-authz case, it can be called by a regular user without any other 
prerequisites.

Maybe, make it always require the SUPER_USER verification?  Or move SUPER_USER 
verification as an alternative to VerifyAuthzTokenOrRespond() unless 
--checksum_require_authz_token is set?


http://gerrit.cloudera.org:8080/#/c/13681/2/src/kudu/tserver/tserver_service.proto
File src/kudu/tserver/tserver_service.proto:

http://gerrit.cloudera.org:8080/#/c/13681/2/src/kudu/tserver/tserver_service.proto@54
PS2, Line 54: it retrieves and renews
            :   // authorization tokens
I'm not sure I understand what this means.  You mean the tserver that handles 
the call should retrieve and renew authz tokens?



--
To view, visit http://gerrit.cloudera.org:8080/13681

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I9da21f41702da747a081ab037d75865748d981a8
Gerrit-Change-Number: 13681
Gerrit-PatchSet: 2
Gerrit-Owner: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <aser...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Grant Henke <granthe...@apache.org>
Gerrit-Reviewer: Hao Hao <hao....@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Mike Percy <mpe...@apache.org>
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Wed, 19 Jun 2019 23:15:03 +0000
Gerrit-HasComments: Yes
