[kudu-CR] [sentry] add mini Sentry to the external mini cluster

2018-12-09 Thread Hao Hao (Code Review) 
Hao Hao has posted comments on this change. ( 
http://gerrit.cloudera.org:8080/11956 )

Change subject: [sentry] add mini Sentry to the external mini cluster
..


Patch Set 3:

(11 comments)

http://gerrit.cloudera.org:8080/#/c/11956/3/src/kudu/integration-tests/CMakeLists.txt
File src/kudu/integration-tests/CMakeLists.txt:

http://gerrit.cloudera.org:8080/#/c/11956/3/src/kudu/integration-tests/CMakeLists.txt@91
PS3, Line 91: ADD_KUDU_TEST(master_sentry-itest RUN_SERIAL true PROCESSORS 4)
> How did you arrive at the PROCESSORS value? And why use RUN_SERIAL here?
I think this is similar to the test in master_hms-itest, so I used its config 
as a reference.


http://gerrit.cloudera.org:8080/#/c/11956/3/src/kudu/integration-tests/master_sentry-itest.cc
File src/kudu/integration-tests/master_sentry-itest.cc:

http://gerrit.cloudera.org:8080/#/c/11956/3/src/kudu/integration-tests/master_sentry-itest.cc@55
PS3, Line 55:   const ExternalMiniCluster::BindMode bind_mode;
> Looks like you're not using this param in SetUp(). Nor do I think you need
Done


http://gerrit.cloudera.org:8080/#/c/11956/3/src/kudu/integration-tests/master_sentry-itest.cc@71
PS3, Line 71: opts.enable_sentry = true;
> What happens if enable_sentry=true but enable_kerberos=false? The MiniSentr
Yes. In the follow up patch I removed the situation when enable_kerberos=false 
since it doesn't make much sense for Sentry integration test.


http://gerrit.cloudera.org:8080/#/c/11956/3/src/kudu/integration-tests/master_sentry-itest.cc@74
PS3, Line 74: opts.num_masters = 1;
: opts.num_tablet_servers = 1;
> These are the defaults; you can omit this.
Done


http://gerrit.cloudera.org:8080/#/c/11956/3/src/kudu/integration-tests/master_sentry-itest.cc@93
PS3, Line 93: TestFoo
> Rename to something more useful.
I revised this test to have a meaningful test in 
https://gerrit.cloudera.org/#/c/11797/3/src/kudu/integration-tests/master_sentry-itest.cc


http://gerrit.cloudera.org:8080/#/c/11956/3/src/kudu/integration-tests/master_sentry-itest.cc@111
PS3, Line 111: exist
> Nit: exists
Done


http://gerrit.cloudera.org:8080/#/c/11956/3/src/kudu/integration-tests/master_sentry-itest.cc@116
PS3, Line 116:   const auto& params = GetParam();
> Only used in one place below, so just inline GetParam().
Done


http://gerrit.cloudera.org:8080/#/c/11956/3/src/kudu/mini-cluster/mini_cluster.cc
File src/kudu/mini-cluster/mini_cluster.cc:

http://gerrit.cloudera.org:8080/#/c/11956/3/src/kudu/mini-cluster/mini_cluster.cc@52
PS3, Line 52: int idx;
:   switch (type) {
: case MASTER:
:   idx = kServersMaxNum - index;
:   break;
: case TSERVER:
:   idx = index + 1;
:   break;
: case EXTERNAL_SERVER:
:   idx = kServersMaxNum / 3 + index;
:   break;
> Not really your fault, but could you add a comment here walking through wha
Done


http://gerrit.cloudera.org:8080/#/c/11956/3/src/kudu/util/test_util.cc
File src/kudu/util/test_util.cc:

http://gerrit.cloudera.org:8080/#/c/11956/3/src/kudu/util/test_util.cc@a421
PS3, Line 421:
 :
> This structure of the pairs is lost in the new comment. Mind keeping it aro
Done


http://gerrit.cloudera.org:8080/#/c/11956/3/src/kudu/util/test_util.cc@402
PS3, Line 402: // The '-Ffn' flag gets lsof to output something like:
 :   //   p5801
 :   //   f548
 :   //   n127.0.0.1:43954->127.0.0.1:43617
 :   //   f549
 :   //   n*:8038
> Hrm, I think I'm missing something. The command didn't change, right? Why d
The output format didn't change, but the way we parse the output is only good 
for wildcard binding (n*).


http://gerrit.cloudera.org:8080/#/c/11956/3/src/kudu/util/test_util.cc@425
PS3, Line 425: Status s = Subprocess::Call(cmd, "", _out).AndThen([&] 
() {
 :   StripTrailingNewline(_out);
 :   vector lines = strings::Split(lsof_out, "\n");
 :   for (int index = 2; index < lines.size(); index += 2) {
 : StringPiece cur_line(lines[index]);
 : if (HasPrefixString(cur_line.ToString(), addr_pattern) &&
 : !cur_line.contains("->")) {
 :   if 
(!safe_strto32(lines[index].substr(addr_pattern.size()), )) {
 : return Status::RuntimeError("unexpected lsof 
output", lsof_out);
 :   }
 :
 :   return Status::OK();
 : }
 :   }
 :
 :   return Status::RuntimeError("unexpected lsof output", 
lsof_out);
 : });
> nit: merge these `if`s into one conditional block? Also mind adding a comme
The explanation is added in the previous

[kudu-CR] [sentry] add mini Sentry to the external mini cluster

2018-12-09 Thread Hao Hao (Code Review) 
Hello Tidy Bot, Kudu Jenkins, Andrew Wong, Adar Dembo,

I'd like you to reexamine a change. Please visit

http://gerrit.cloudera.org:8080/11956

to look at the new patch set (#8).

Change subject: [sentry] add mini Sentry to the external mini cluster
..

[sentry] add mini Sentry to the external mini cluster

This commit enables external mini cluster to be able to start with both
mini sentry and mini hms. A major challenge is the circular dependency
between the HMS and Sentry in terms of configuring each with the other's
address, including port which is currently discovered by polling lsof.
To work around it, one approach would be to:

  1. Start the Sentry service. Find out which port it's on. At this
 stage, the Sentry service has no knowledge of any HMS service.
  2. Start the HMS, configured to talk to Sentry's port. Find out which
 port it's on.
  3. Restart the Sentry service on the same port, reconfigured to talk
 to the HMS's port.

However, there could be a race condition where another program binds to
the same port during the restart in step 3. One option is to use
SO_REUSEPORT socket option, which permits multiple sockets to be bound
to an identical socket address. Although both Sentry and HMS are written
in Java, only JDK9 (and above) supports this socket option[1]. Methods
such as Java reflection can be used to invoke private methods to set up
this option, but they are hacky.

This patch extends the UNIQUE_LOOPBACK usage in mini cluster, so that
external servers such as Sentry can pick up a unique bind address,
knowing that in doing so there'll never be any danger of a port
collision.

[1]: 
https://docs.oracle.com/javase/9/docs/api/java/net/StandardSocketOptions.html#SO_REUSEPORT

Change-Id: I7f02e6085bd239570d10ec629f48856d37ed6e59
---
M src/kudu/hms/mini_hms.cc
M src/kudu/hms/mini_hms.h
M src/kudu/integration-tests/CMakeLists.txt
A src/kudu/integration-tests/master_sentry-itest.cc
M src/kudu/mini-cluster/CMakeLists.txt
M src/kudu/mini-cluster/external_mini_cluster.cc
M src/kudu/mini-cluster/external_mini_cluster.h
M src/kudu/mini-cluster/mini_cluster.cc
M src/kudu/mini-cluster/mini_cluster.h
M src/kudu/security/test/mini_kdc.cc
M src/kudu/sentry/mini_sentry.cc
M src/kudu/sentry/mini_sentry.h
M src/kudu/sentry/sentry-test-base.h
M src/kudu/tools/tool.proto
M src/kudu/util/test_util.cc
M src/kudu/util/test_util.h
16 files changed, 517 insertions(+), 69 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/56/11956/8
--
To view, visit http://gerrit.cloudera.org:8080/11956
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I7f02e6085bd239570d10ec629f48856d37ed6e59
Gerrit-Change-Number: 11956
Gerrit-PatchSet: 8
Gerrit-Owner: Hao Hao 
Gerrit-Reviewer: Adar Dembo 
Gerrit-Reviewer: Andrew Wong 
Gerrit-Reviewer: Hao Hao 
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)

[kudu-CR] [sentry] add mini Sentry to the external mini cluster

2018-12-09 Thread Hao Hao (Code Review) 
Hao Hao has posted comments on this change. ( 
http://gerrit.cloudera.org:8080/11956 )

Change subject: [sentry] add mini Sentry to the external mini cluster
..


Patch Set 7:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/11956/2/src/kudu/security/test/mini_kdc.cc
File src/kudu/security/test/mini_kdc.cc:

http://gerrit.cloudera.org:8080/#/c/11956/2/src/kudu/security/test/mini_kdc.cc@157
PS2, Line 157: kdc_
> Doc with inline comment.
Done



--
To view, visit http://gerrit.cloudera.org:8080/11956
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I7f02e6085bd239570d10ec629f48856d37ed6e59
Gerrit-Change-Number: 11956
Gerrit-PatchSet: 7
Gerrit-Owner: Hao Hao 
Gerrit-Reviewer: Adar Dembo 
Gerrit-Reviewer: Andrew Wong 
Gerrit-Reviewer: Hao Hao 
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Mon, 10 Dec 2018 02:16:27 +
Gerrit-HasComments: Yes

[kudu-CR] [sentry] Integrate AuthzProvider into CatalogManager

2018-12-09 Thread Hao Hao (Code Review) 
Hao Hao has posted comments on this change. ( 
http://gerrit.cloudera.org:8080/11797 )

Change subject: [sentry] Integrate AuthzProvider into CatalogManager
..


Patch Set 2:

(31 comments)

http://gerrit.cloudera.org:8080/#/c/11797/2/src/kudu/integration-tests/hms_itest-base.h
File src/kudu/integration-tests/hms_itest-base.h:

http://gerrit.cloudera.org:8080/#/c/11797/2/src/kudu/integration-tests/hms_itest-base.h@56
PS2, Line 56: using client::KuduTableAlterer;
> warning: using decl 'KuduTableAlterer' is unused [misc-unused-using-decls]
Done


http://gerrit.cloudera.org:8080/#/c/11797/2/src/kudu/integration-tests/hms_itest-base.h@59
PS2, Line 59: using cluster::ExternalMiniClusterOptions;
> warning: using decl 'ExternalMiniClusterOptions' is unused [misc-unused-usi
Done


http://gerrit.cloudera.org:8080/#/c/11797/2/src/kudu/integration-tests/hms_itest-base.h@63
PS2, Line 63: using std::vector;
> warning: using decl 'vector' is unused [misc-unused-using-decls]
Done


http://gerrit.cloudera.org:8080/#/c/11797/2/src/kudu/integration-tests/master_hms-itest.cc
File src/kudu/integration-tests/master_hms-itest.cc:

http://gerrit.cloudera.org:8080/#/c/11797/2/src/kudu/integration-tests/master_hms-itest.cc@49
PS2, Line 49: using client::KuduTableCreator;
> warning: using decl 'KuduTableCreator' is unused [misc-unused-using-decls]
Done


http://gerrit.cloudera.org:8080/#/c/11797/2/src/kudu/integration-tests/master_sentry-itest.cc
File src/kudu/integration-tests/master_sentry-itest.cc:

http://gerrit.cloudera.org:8080/#/c/11797/2/src/kudu/integration-tests/master_sentry-itest.cc@49
PS2, Line 49: using sentry::TAlterSentryRoleAddGroupsRequest;
> warning: using decl 'TAlterSentryRoleAddGroupsRequest' is unused [misc-unus
Done


http://gerrit.cloudera.org:8080/#/c/11797/2/src/kudu/integration-tests/master_sentry-itest.cc@50
PS2, Line 50: using sentry::TAlterSentryRoleAddGroupsResponse;
> warning: using decl 'TAlterSentryRoleAddGroupsResponse' is unused [misc-unu
Done


http://gerrit.cloudera.org:8080/#/c/11797/2/src/kudu/integration-tests/master_sentry-itest.cc@51
PS2, Line 51: using sentry::TAlterSentryRoleGrantPrivilegeRequest;
> warning: using decl 'TAlterSentryRoleGrantPrivilegeRequest' is unused [misc
Done


http://gerrit.cloudera.org:8080/#/c/11797/2/src/kudu/integration-tests/master_sentry-itest.cc@52
PS2, Line 52: using sentry::TAlterSentryRoleGrantPrivilegeResponse;
> warning: using decl 'TAlterSentryRoleGrantPrivilegeResponse' is unused [mis
Done


http://gerrit.cloudera.org:8080/#/c/11797/2/src/kudu/integration-tests/master_sentry-itest.cc@53
PS2, Line 53: using sentry::TCreateSentryRoleRequest;
> warning: using decl 'TCreateSentryRoleRequest' is unused [misc-unused-using
Done


http://gerrit.cloudera.org:8080/#/c/11797/2/src/kudu/integration-tests/master_sentry-itest.cc@55
PS2, Line 55: using sentry::TSentryGroup;
> warning: using decl 'TSentryGroup' is unused [misc-unused-using-decls]
Done


http://gerrit.cloudera.org:8080/#/c/11797/2/src/kudu/integration-tests/master_sentry-itest.cc@61
PS2, Line 61: using client::KuduTable;
> warning: using decl 'KuduTable' is unused [misc-unused-using-decls]
Done


http://gerrit.cloudera.org:8080/#/c/11797/2/src/kudu/integration-tests/master_sentry-itest.cc@63
PS2, Line 63: using client::KuduTableCreator;
> warning: using decl 'KuduTableCreator' is unused [misc-unused-using-decls]
Done


http://gerrit.cloudera.org:8080/#/c/11797/2/src/kudu/integration-tests/master_sentry-itest.cc@68
PS2, Line 68: using std::set;
> warning: using decl 'set' is unused [misc-unused-using-decls]
Done


http://gerrit.cloudera.org:8080/#/c/11797/2/src/kudu/master/authz_provider.cc
File src/kudu/master/authz_provider.cc:

http://gerrit.cloudera.org:8080/#/c/11797/2/src/kudu/master/authz_provider.cc@33
PS2, Line 33: "Comma-separated list of trusted users who may access the 
cluster "/master_sentry-itest.cc
> error: use of undeclared identifier 'master_sentry' [clang-diagnostic-error
Done


http://gerrit.cloudera.org:8080/#/c/11797/2/src/kudu/master/authz_provider.cc@33
PS2, Line 33: "Comma-separated list of trusted users who may access the 
cluster "/master_sentry-itest.cc
> error: use of undeclared identifier 'itest' [clang-diagnostic-error]
Done


http://gerrit.cloudera.org:8080/#/c/11797/2/src/kudu/master/authz_provider.cc@34
PS2, Line 34: "without being authorized.");
> error: expected ')' [clang-diagnostic-error]
Done


http://gerrit.cloudera.org:8080/#/c/11797/1/src/kudu/master/catalog_manager.cc
File src/kudu/master/catalog_manager.cc:

http://gerrit.cloudera.org:8080/#/c/11797/1/src/kudu/master/catalog_manager.cc@101
PS1, Line 101: #include "kudu/master/default_authz_provider.h"
> missing authz_provider.h?
Done


http://gerrit.cloudera.org:8080/#/c/11797/1/src/kudu/master/catalog_manager.cc@257
PS1, Line 257: DECLARE_bool(raft_prepare_replacement_before_eviction);
> spitballing: in order to keep as much of

[kudu-CR] [sentry] Integrate AuthzProvider into CatalogManager

2018-12-09 Thread Hao Hao (Code Review) 
Hello Tidy Bot, Dan Burkert, Kudu Jenkins, Andrew Wong,

I'd like you to reexamine a change. Please visit

http://gerrit.cloudera.org:8080/11797

to look at the new patch set (#3).

Change subject: [sentry] Integrate AuthzProvider into CatalogManager
..

[sentry] Integrate AuthzProvider into CatalogManager

This commit enables master RPC authorization enforcement by connecting
the CatalogManager to the Sentry service via the SentryAuthzProvider.
When the Sentry integration is enabled (by setting the
--sentry_service_rpc_addresses flag), DDLs as table creation, alteration,
deletion are validated to see if the connected user has the permission
to perform such operations. Note that the coarse-grained access control
is still applied to these endpoints. A --trusted_user_acl flag is
introduced to allow the trusted user, e.g. 'impala', to skip the
authorization enforcement. More authorization endpoints, e.g ListTables
RPC, will be addressed in a follow up patch.

Testing: This commit adds a new integration test (master_sentry-itest)
which tests that the integration works as expected with create/alter/drop
table operations. More coverage on DDL stress tests with Sentry
integration enabled will be in a follow up patch.

Change-Id: Iab4aa027ae6eb4520db48ce348db552c9feec2a8
---
M src/kudu/client/client-test.cc
M src/kudu/common/table_util-test.cc
M src/kudu/integration-tests/consistency-itest.cc
M src/kudu/integration-tests/create-table-stress-test.cc
A src/kudu/integration-tests/hms_itest-base.h
M src/kudu/integration-tests/master_hms-itest.cc
M src/kudu/integration-tests/master_sentry-itest.cc
M src/kudu/integration-tests/registration-test.cc
M src/kudu/master/CMakeLists.txt
A src/kudu/master/authz_provider.cc
M src/kudu/master/authz_provider.h
M src/kudu/master/catalog_manager.cc
M src/kudu/master/catalog_manager.h
M src/kudu/master/default_authz_provider.h
M src/kudu/master/master-test-util.h
M src/kudu/master/master.proto
M src/kudu/master/master_service.cc
A src/kudu/master/sentry_authz_provider-test-base.h
M src/kudu/master/sentry_authz_provider-test.cc
M src/kudu/master/sentry_authz_provider.cc
M src/kudu/master/sentry_authz_provider.h
M src/kudu/sentry/mini_sentry.cc
M src/kudu/sentry/sentry_policy_service.thrift
23 files changed, 1,030 insertions(+), 451 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/97/11797/3
--
To view, visit http://gerrit.cloudera.org:8080/11797
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Iab4aa027ae6eb4520db48ce348db552c9feec2a8
Gerrit-Change-Number: 11797
Gerrit-PatchSet: 3
Gerrit-Owner: Hao Hao 
Gerrit-Reviewer: Andrew Wong 
Gerrit-Reviewer: Dan Burkert 
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)

[kudu-CR] [sentry] add mini Sentry to the external mini cluster

2018-12-09 Thread Hao Hao (Code Review) 
Hao Hao has posted comments on this change. ( 
http://gerrit.cloudera.org:8080/11956 )

Change subject: [sentry] add mini Sentry to the external mini cluster
..


Patch Set 7:

(42 comments)

http://gerrit.cloudera.org:8080/#/c/11956/2//COMMIT_MSG
Commit Message:

http://gerrit.cloudera.org:8080/#/c/11956/2//COMMIT_MSG@13
PS2, Line 13: one appro
> nit: this reads a bit like this is what's implemented. Mind changing it to
Done


http://gerrit.cloudera.org:8080/#/c/11956/2//COMMIT_MSG@15
PS2, Line 15:   1. Start the Sentry service. Find out which port it's on. At 
this
> Good explanation, but I'd make two small tweaks to improve readability:
Done


http://gerrit.cloudera.org:8080/#/c/11956/2//COMMIT_MSG@21
PS2, Line 21:
> Nit: where
Done


http://gerrit.cloudera.org:8080/#/c/11956/2//COMMIT_MSG@22
PS2, Line 22: ver, there could be
> Nit: "same port during the restart in step 3."
Done


http://gerrit.cloudera.org:8080/#/c/11956/2//COMMIT_MSG@24
PS2, Line 24: SO_REUSEPORT socket option, which permits multiple sockets to be 
bound
: to an identical socket address
> Nit: I'd rewrite as "Although both Sentry and HMS are written in Java, only
Done


http://gerrit.cloudera.org:8080/#/c/11956/2//COMMIT_MSG@26
PS2, Line 26: [1]. Meth
> Nit: "they are hacky"
Done


http://gerrit.cloudera.org:8080/#/c/11956/2//COMMIT_MSG@33
PS2, Line 33: collision.
> Wrong link here; didn't you mean the SO_REUSEPORT anchor?
Done


http://gerrit.cloudera.org:8080/#/c/11956/2/src/kudu/hms/mini_hms.h
File src/kudu/hms/mini_hms.h:

http://gerrit.cloudera.org:8080/#/c/11956/2/src/kudu/hms/mini_hms.h@54
PS2, Line 54: d EnableSentry(const HostPort& sentry_address,
> nit: doc what 'sentry_service_principal' is? What happens when it's boost::
Done


http://gerrit.cloudera.org:8080/#/c/11956/2/src/kudu/hms/mini_hms.cc
File src/kudu/hms/mini_hms.cc:

http://gerrit.cloudera.org:8080/#/c/11956/2/src/kudu/hms/mini_hms.cc@81
PS2, Line 81: ess_ = sentry_address.ToSt
> nit: maybe add the sentry address?
Done


http://gerrit.cloudera.org:8080/#/c/11956/2/src/kudu/hms/mini_hms.cc@84
PS2, Line 84:
> If you're going to go through the trouble to wrap sentry_service_principal
Sorry for the confusion. I found it is more straightforward to always pass the 
service_principal and use keytab_file as an indicator of if Kerberos is 
enabled, the same as all other places are doing.


http://gerrit.cloudera.org:8080/#/c/11956/2/src/kudu/hms/mini_hms.cc@164
PS2, Line 164: if (!wait.ok()) {
> nit: Can you add a comment about why `none` is appropriate here?
Done


http://gerrit.cloudera.org:8080/#/c/11956/2/src/kudu/hms/mini_hms.cc@164
PS2, Line 164:   if (!wait.ok()) {
> Should use /*foo=*/ inline comments to help explain what 'none' means.
Done


http://gerrit.cloudera.org:8080/#/c/11956/2/src/kudu/hms/mini_hms.cc@306
PS2, Line 306:
 :   string sentry_properties;
 :   if (IsAuthorizationEnabled()) {
 :
> Shouldn't this also be conditioned on IsAuthorizationEnabled? Otherwise the
Done


http://gerrit.cloudera.org:8080/#/c/11956/2/src/kudu/hms/mini_hms.cc@318
PS2, Line 318: authorization validation.
 : //
> I'm not sure I understand this. What is a "read result" in this context?
I am not super clear on this config as well, I cannot find any formal 
documentations on this. By reading the code, it only adds filtering for 
SHOWDATABASES and SHOWTABLES. I will make it more clear based on my 
understanding.


http://gerrit.cloudera.org:8080/#/c/11956/2/src/kudu/hms/mini_hms.cc@322
PS2, Line 322: which synchronizes the notification logs with the Sentry
 : // service. So that Sentry service is
> Just making sure I understand this, this is configured to ensure the HMS wi
Yeah.

For 'What is considered an authorization metadata operation?', do you mean what 
kinds of operation are considered to consult for authorization metadata?  
Similar to what we do in Kudu, mostly are DDL and DML operations. A complete 
list can be found here: 
https://www.cloudera.com/documentation/enterprise/latest/topics/sentry_privileges_hive_impala.html.


http://gerrit.cloudera.org:8080/#/c/11956/2/src/kudu/hms/mini_hms.cc@327
PS2, Line 327:
 :   hive.sentr
> Just making sure I understand this, this is synchronizing authz metadata en
This is to sync events in the HMS with Sentry service, so that Sentry knows 
about the tables has been renamed, or the location of the table has changed. 
And it updates these changes accordingly in Sentry. Update the comment to 
explain in more detail.


http://gerrit.cloudera.org:8080/#/c/11956/2/src/kudu/hms/mini_hms.cc@328
PS2, Line 328: ve.sentr
> nit: missing space
Done


http://gerrit.cloudera.org:8080/#/c/11956/2/src/kudu/hms/mini_hms.cc@328
PS2, Line 328:   hive.sentry.conf.url
> Nit: indentation
Done


http://gerrit.cloudera.org:8080/#/c/11956/2/src/kudu/hms/mini_hms.cc@355
PS2, Line 355:

[kudu-CR] [sentry] Integrate AuthzProvider into CatalogManager

2018-12-09 Thread Hao Hao (Code Review) 
Hao Hao has abandoned this change. ( http://gerrit.cloudera.org:8080/12058 )

Change subject: [sentry] Integrate AuthzProvider into CatalogManager
..


Abandoned
--
To view, visit http://gerrit.cloudera.org:8080/12058
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: abandon
Gerrit-Change-Id: I7377193abec7b8ed33d7c9455bcc9ef44da94941
Gerrit-Change-Number: 12058
Gerrit-PatchSet: 1
Gerrit-Owner: Hao Hao 
Gerrit-Reviewer: Kudu Jenkins (120)

[kudu-CR] [sentry] Integrate AuthzProvider into CatalogManager

2018-12-09 Thread Hao Hao (Code Review) 
Hao Hao has uploaded this change for review. ( 
http://gerrit.cloudera.org:8080/12058


Change subject: [sentry] Integrate AuthzProvider into CatalogManager
..

[sentry] Integrate AuthzProvider into CatalogManager

This commit enables master RPC authorization enforcement by connecting
the CatalogManager to the Sentry service via the SentryAuthzProvider.
When the Sentry integration is enabled (by setting the
--sentry_service_rpc_addresses flag), DDLs as table creation, alteration,
deletion are validated to see if the connected user has the permission
to perform such operations. Note that the coarse-grained access control
is still applied to these endpoints. A --trusted_user_acl flag is
introduced to allow the trusted user, e.g. 'impala', to skip the
authorization enforcement. More authorization endpoints, e.g ListTables
RPC, will be addressed in a follow up patch.

Testing: This commit adds a new integration test (master_sentry-itest)
which tests that the integration works as expected with create/alter/drop
table operations. More coverage on DDL stress tests with Sentry
integration enabled will be in a follow up patch.

Change-Id: I7377193abec7b8ed33d7c9455bcc9ef44da94941
---
M src/kudu/client/client-test.cc
M src/kudu/common/table_util-test.cc
M src/kudu/integration-tests/consistency-itest.cc
M src/kudu/integration-tests/create-table-stress-test.cc
A src/kudu/integration-tests/hms_itest-base.h
M src/kudu/integration-tests/master_hms-itest.cc
M src/kudu/integration-tests/master_sentry-itest.cc
M src/kudu/integration-tests/registration-test.cc
M src/kudu/master/CMakeLists.txt
A src/kudu/master/authz_provider.cc
M src/kudu/master/authz_provider.h
M src/kudu/master/catalog_manager.cc
M src/kudu/master/catalog_manager.h
M src/kudu/master/default_authz_provider.h
M src/kudu/master/master-test-util.h
M src/kudu/master/master.proto
M src/kudu/master/master_service.cc
A src/kudu/master/sentry_authz_provider-test-base.h
M src/kudu/master/sentry_authz_provider-test.cc
M src/kudu/master/sentry_authz_provider.cc
M src/kudu/master/sentry_authz_provider.h
M src/kudu/sentry/mini_sentry.cc
M src/kudu/sentry/sentry_policy_service.thrift
23 files changed, 1,030 insertions(+), 451 deletions(-)



  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/58/12058/1
--
To view, visit http://gerrit.cloudera.org:8080/12058
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I7377193abec7b8ed33d7c9455bcc9ef44da94941
Gerrit-Change-Number: 12058
Gerrit-PatchSet: 1
Gerrit-Owner: Hao Hao

[kudu-CR] [sentry] add mini Sentry to the external mini cluster

2018-12-09 Thread Hao Hao (Code Review) 
Hello Tidy Bot, Kudu Jenkins, Andrew Wong, Adar Dembo,

I'd like you to reexamine a change. Please visit

http://gerrit.cloudera.org:8080/11956

to look at the new patch set (#7).

Change subject: [sentry] add mini Sentry to the external mini cluster
..

[sentry] add mini Sentry to the external mini cluster

This commit enables external mini cluster to be able to start with both
mini sentry and mini hms. A major challenge is the circular dependency
between the HMS and Sentry in terms of configuring each with the other's
address, including port which is currently discovered by polling lsof.
To work around it, one approach would be to:

  1. Start the Sentry service. Find out which port it's on. At this
 stage, the Sentry service has no knowledge of any HMS service.
  2. Start the HMS, configured to talk to Sentry's port. Find out which
 port it's on.
  3. Restart the Sentry service on the same port, reconfigured to talk
 to the HMS's port.

However, there could be a race condition where another program binds to
the same port during the restart in step 3. One option is to use
SO_REUSEPORT socket option, which permits multiple sockets to be bound
to an identical socket address. Although both Sentry and HMS are written
in Java, only JDK9 (and above) supports this socket option[1]. Methods
such as Java reflection can be used to invoke private methods to set up
this option, but they are hacky.

This patch extends the UNIQUE_LOOPBACK usage in mini cluster, so that
external servers such as Sentry can pick up a unique bind address,
knowing that in doing so there'll never be any danger of a port
collision.

[1]: 
https://docs.oracle.com/javase/9/docs/api/java/net/StandardSocketOptions.html#SO_REUSEPORT

Change-Id: I7f02e6085bd239570d10ec629f48856d37ed6e59
---
M src/kudu/hms/mini_hms.cc
M src/kudu/hms/mini_hms.h
M src/kudu/integration-tests/CMakeLists.txt
A src/kudu/integration-tests/master_sentry-itest.cc
M src/kudu/mini-cluster/CMakeLists.txt
M src/kudu/mini-cluster/external_mini_cluster.cc
M src/kudu/mini-cluster/external_mini_cluster.h
M src/kudu/mini-cluster/mini_cluster.cc
M src/kudu/mini-cluster/mini_cluster.h
M src/kudu/security/test/mini_kdc.cc
M src/kudu/sentry/mini_sentry.cc
M src/kudu/sentry/mini_sentry.h
M src/kudu/sentry/sentry-test-base.h
M src/kudu/tools/tool.proto
M src/kudu/util/test_util.cc
M src/kudu/util/test_util.h
16 files changed, 537 insertions(+), 69 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/56/11956/7
--
To view, visit http://gerrit.cloudera.org:8080/11956
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I7f02e6085bd239570d10ec629f48856d37ed6e59
Gerrit-Change-Number: 11956
Gerrit-PatchSet: 7
Gerrit-Owner: Hao Hao 
Gerrit-Reviewer: Adar Dembo 
Gerrit-Reviewer: Andrew Wong 
Gerrit-Reviewer: Hao Hao 
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)

[kudu-CR](branch-1.7.x) kudu support ttl

2018-12-09 Thread YangSong (Code Review) 
YangSong has removed Kudu Jenkins from this change.  ( 
http://gerrit.cloudera.org:8080/12057 )

Change subject: kudu support ttl
..


Removed reviewer Kudu Jenkins.
--
To view, visit http://gerrit.cloudera.org:8080/12057
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: branch-1.7.x
Gerrit-MessageType: deleteReviewer
Gerrit-Change-Id: I6503ca90ebca66d154e7084e0c93e94c9b0d9c0c
Gerrit-Change-Number: 12057
Gerrit-PatchSet: 1
Gerrit-Owner: YangSong

[kudu-CR](branch-1.7.x) kudu support ttl

2018-12-09 Thread YangSong (Code Review) 
YangSong has uploaded this change for review. ( 
http://gerrit.cloudera.org:8080/12057


Change subject: kudu support ttl
..

kudu support ttl

Change-Id: I6503ca90ebca66d154e7084e0c93e94c9b0d9c0c
---
M src/kudu/common/generic_iterators.cc
M src/kudu/common/generic_iterators.h
M src/kudu/common/row_operations.cc
M src/kudu/common/row_operations.h
M src/kudu/common/scan_spec.h
M src/kudu/common/schema.cc
M src/kudu/common/schema.h
M src/kudu/common/types.h
M src/kudu/master/catalog_manager.cc
M src/kudu/master/catalog_manager.h
M src/kudu/master/master.proto
M src/kudu/master/master_path_handlers.cc
M src/kudu/tablet/cfile_set.h
M src/kudu/tablet/compaction-test.cc
M src/kudu/tablet/compaction.cc
M src/kudu/tablet/compaction.h
M src/kudu/tablet/delta_applier.cc
M src/kudu/tablet/delta_applier.h
M src/kudu/tablet/delta_compaction.cc
M src/kudu/tablet/delta_compaction.h
M src/kudu/tablet/delta_iterator_merger.cc
M src/kudu/tablet/delta_iterator_merger.h
M src/kudu/tablet/delta_store.h
M src/kudu/tablet/delta_tracker.cc
M src/kudu/tablet/delta_tracker.h
M src/kudu/tablet/deltafile.cc
M src/kudu/tablet/deltafile.h
M src/kudu/tablet/deltamemstore.cc
M src/kudu/tablet/deltamemstore.h
M src/kudu/tablet/diskrowset-test.cc
M src/kudu/tablet/diskrowset.cc
M src/kudu/tablet/diskrowset.h
M src/kudu/tablet/memrowset.cc
M src/kudu/tablet/memrowset.h
M src/kudu/tablet/metadata.proto
M src/kudu/tablet/mock-rowsets.h
M src/kudu/tablet/rowset.cc
M src/kudu/tablet/rowset.h
M src/kudu/tablet/tablet.cc
M src/kudu/tablet/tablet.h
M src/kudu/tablet/tablet_metadata.cc
M src/kudu/tablet/tablet_metadata.h
M src/kudu/tablet/transactions/alter_schema_transaction.h
M src/kudu/tools/tool_action_table.cc
M src/kudu/tools/tool_action_tablet.cc
M src/kudu/tserver/scanners.h
M src/kudu/tserver/tablet_service.cc
M src/kudu/tserver/tserver.proto
M src/kudu/tserver/tserver_admin.proto
49 files changed, 768 insertions(+), 114 deletions(-)



  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/57/12057/1
--
To view, visit http://gerrit.cloudera.org:8080/12057
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: branch-1.7.x
Gerrit-MessageType: newchange
Gerrit-Change-Id: I6503ca90ebca66d154e7084e0c93e94c9b0d9c0c
Gerrit-Change-Number: 12057
Gerrit-PatchSet: 1
Gerrit-Owner: YangSong