You are viewing a plain text version of this content. The canonical link for it is here.

Posted to reviews@kudu.apache.org by "Andrew Wong (Code Review)" <ge...@cloudera.org> on 2018/12/23 09:50:37 UTC

[kudu-CR] KUDU-2543 pt 1: basic checks for authz tokens

Hello Tidy Bot, Alexey Serbin, Kudu Jenkins, Hao Hao, 

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/11751

to look at the new patch set (#7).

Change subject: KUDU-2543 pt 1: basic checks for authz tokens
......................................................................

KUDU-2543 pt 1: basic checks for authz tokens

In preparation for passing around authorization tokens, the tservers are
now fitted with minimal token-verifying logic that protects the write
and the various scan-like endpoints (i.e. scans, checksum scans, and
split-key requests), optionally enforcing that the client has provided a
valid authz token. I put the negotiation authn token verification logic
into its own function for reuse in the tserver layer.

It's worth noting that scan-like requests that have a concept of a "new"
request vs a "continue" request (i.e. scans, checksum scans) will only
need verification on "new" requests. "Continue" requests are handled in
that a scanner cannot be hijacked by a user who didn't create it.

A test is added to test various scenarios at the tserver level.

Change-Id: I99555e0ab2d09d4abcbc12b1100658a9a17590f4
---
M src/kudu/rpc/CMakeLists.txt
M src/kudu/rpc/rpc_header.proto
A src/kudu/rpc/rpc_verification_util.cc
A src/kudu/rpc/rpc_verification_util.h
M src/kudu/rpc/server_negotiation.cc
M src/kudu/security/token_verifier.cc
M src/kudu/tserver/CMakeLists.txt
M src/kudu/tserver/tablet_service.cc
M src/kudu/tserver/tserver.proto
A src/kudu/tserver/tserver_authorization-test.cc
M src/kudu/tserver/tserver_service.proto
11 files changed, 557 insertions(+), 34 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/51/11751/7
-- 
To view, visit http://gerrit.cloudera.org:8080/11751
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I99555e0ab2d09d4abcbc12b1100658a9a17590f4
Gerrit-Change-Number: 11751
Gerrit-PatchSet: 7
Gerrit-Owner: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)