[kudu-CR] KUDU-2870: use coarse-grained authz for Checksum

Wed, 19 Jun 2019 16:33:48 -0700 

Hello Tidy Bot, Mike Percy, Alexey Serbin, Kudu Jenkins, Grant Henke, Hao Hao,

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/13681

to look at the new patch set (#4).

Change subject: KUDU-2870: use coarse-grained authz for Checksum
......................................................................

KUDU-2870: use coarse-grained authz for Checksum

There were a number of proposed solutions in the ticket; this implements
the simple one to enforces that a user be a super-user to run Checksum.

Rather than removing fine-grained privilege checking and testing on the
Checksum endpoint altogether, I've gated the checking behind a new
hidden flag FLAGS_checksum_require_authz_tokens for now. These may be
restored when one of the fuller solutions mentioned in the ticket is
implemented.

Testing:
- A test is added to run the tool against a tserver that enforces
  fine-grained access control.
- A new test is added to test the super-user permissions for the
  Checksum endpoint.
- The existing tserver tests that check authorization for Checksums are
  updated to set FLAGS_checksum_require_authz_tokens to maintain test
  coverage.

Change-Id: I9da21f41702da747a081ab037d75865748d981a8
---
M src/kudu/integration-tests/security-itest.cc
M src/kudu/tools/kudu-tool-test.cc
M src/kudu/tserver/tablet_server_authorization-test.cc
M src/kudu/tserver/tablet_service.cc
M src/kudu/tserver/tablet_service.h
M src/kudu/tserver/tserver_service.proto
6 files changed, 131 insertions(+), 13 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/81/13681/4
--
To view, visit http://gerrit.cloudera.org:8080/13681
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I9da21f41702da747a081ab037d75865748d981a8
Gerrit-Change-Number: 13681
Gerrit-PatchSet: 4
Gerrit-Owner: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <aser...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Grant Henke <granthe...@apache.org>
Gerrit-Reviewer: Hao Hao <hao....@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Mike Percy <mpe...@apache.org>
Gerrit-Reviewer: Tidy Bot (241)

Reply via email to