[kudu-CR] authz: verify tokens on scans

["Andrew Wong (Code Review)" <ge...@cloudera.org>]

Hello Dan Burkert, Kudu Jenkins, Hao Hao, 

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/11753

to look at the new patch set (#2).

Change subject: authz: verify tokens on scans
......................................................................

authz: verify tokens on scans

Adds privilege checking to enforce the following authorization
requirements are met when scan-like requests are received by tablet
servers:

Scans or checksum scans require:
  if no projected columns:
    SCAN ON TABLE || foreach (column): SCAN ON COLUMN
  else:
    if uses pk:
      foreach(primary key column): SCAN ON COLUMN
    foreach(projected column): SCAN ON COLUMN
    foreach(predicated column): SCAN ON COLUMN

Split-key requests require:
  if uses pk:
    foreach(primary key column): SCAN ON COLUMN
  foreach(requested column): SCAN ON COLUMN

All of the listed requests are also permitted if SCAN ON TABLE (i.e.
full scan privileges) are given.

Change-Id: I7a5d81cf215a5d936f8853feba05778038764905
---
M src/kudu/common/schema.h
M src/kudu/integration-tests/authz_token-itest.cc
M src/kudu/tserver/tablet_service.cc
3 files changed, 757 insertions(+), 49 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/53/11753/2
-- 
To view, visit http://gerrit.cloudera.org:8080/11753
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I7a5d81cf215a5d936f8853feba05778038764905
Gerrit-Change-Number: 11753
Gerrit-PatchSet: 2
Gerrit-Owner: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)