Alexey Serbin has posted comments on this change. ( http://gerrit.cloudera.org:8080/13681 )

Change subject: KUDU-2870: use coarse-grained authz for Checksum
......................................................................

Patch Set 2:

(2 comments)

http://gerrit.cloudera.org:8080/#/c/13681/2/src/kudu/tserver/tablet_service.cc
File src/kudu/tserver/tablet_service.cc:

http://gerrit.cloudera.org:8080/#/c/13681/2/src/kudu/tserver/tablet_service.cc@887
PS2, Line 887: bool TabletServiceImpl::AuthorizeChecksum(const google::protobuf::Message* req,
             :                                           google::protobuf::Message* resp,
             :                                           rpc::RpcContext* context) {
             :   if (FLAGS_tserver_enforce_access_control) {
             :     return server_->Authorize(context, ServerBase::SUPER_USER);
             :   }
             :   return AuthorizeClient(req, resp, context);
             : }
This looks a bit strange to me. Basically, it says that in case of fine-grained authz we suddenly require two things:
1) caller to be a super-user
2) caller to have authz token if --checksum_require_authz_token=true

While in non-authz case, it can be called by a regular user without any other prerequisites.

Maybe, make it always require the SUPER_USER verification? Or move SUPER_USER verification as an alternative to VerifyAuthzTokenOrRespond() unless --checksum_require_authz_token is set?

http://gerrit.cloudera.org:8080/#/c/13681/2/src/kudu/tserver/tserver_service.proto
File src/kudu/tserver/tserver_service.proto:

http://gerrit.cloudera.org:8080/#/c/13681/2/src/kudu/tserver/tserver_service.proto@54
PS2, Line 54: it retrieves and renews
            :   // authorization tokens
I'm not sure I understand what this means. You mean the tserver that handles the call should retrieve and renew authz tokens?

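Review bot: the `if (FLAGS_tserver_enforce_access_control)` branch at line 887 of tablet_service.cc makes the role required for Checksum depend on a runtime flag, and nothing in AuthorizeChecksum documents why. With the flag set the caller must pass `server_->Authorize(context, ServerBase::SUPER_USER)`; with it unset the call is delegated to `AuthorizeClient(req, resp, context)`, so the two configurations accept different sets of callers for the same RPC. Either apply one check in both modes or add a comment above the function stating which callers are expected in each mode, and cover both flag values in a test so the difference is deliberate rather than incidental.
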
-- 
To view, visit http://gerrit.cloudera.org:8080/13681
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I9da21f41702da747a081ab037d75865748d981a8
Gerrit-Change-Number: 13681
Gerrit-PatchSet: 2
Gerrit-Owner: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <aser...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Grant Henke <granthe...@apache.org>
Gerrit-Reviewer: Hao Hao <hao....@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Mike Percy <mpe...@apache.org>
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Wed, 19 Jun 2019 23:15:03 +0000
Gerrit-HasComments: Yes