Posted to dev@pegasus.apache.org by "acelyc111 (via GitHub)" <gi...@apache.org> on 2023/04/19 09:08:19 UTC

[GitHub] [incubator-pegasus] acelyc111 commented on a diff in pull request #1452: feat(Ranger): Use Apache Ranger for ACL when replica performs nfs copy

acelyc111 commented on code in PR #1452:
URL: https://github.com/apache/incubator-pegasus/pull/1452#discussion_r1171043593


##########
src/replica/replica_stub.h:
##########
@@ -270,6 +274,38 @@ class replica_stub : public serverlet<replica_stub>, public ref_counter
 
     fs_manager *get_fs_manager() { return &_fs_manager; }
 
+    template <typename TReqType, typename TRespType>
+    bool check_status_and_authz_with_reply(const TReqType &request,
+                                           ::dsn::rpc_replier<TRespType> &reply)
+    {
+        if (!_access_controller->is_enable_ranger_acl()) {
+            return true;
+        }
+        const auto &pid = request.pid;
+        replica_ptr rep = get_replica(pid);
+
+        if (!rep) {
+            TRespType resp;
+            resp.error = ERR_OBJECT_NOT_FOUND;
+            reply(resp);
+            return false;
+        }
+        dsn::message_ex *msg = reply.response_message();
+        if (!rep->access_controller_allowed(msg, ranger::access_type::kWrite)) {
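
Review bot: the early `return true` when `is_enable_ranger_acl()` is false sits above the `get_replica(pid)` lookup, so with Ranger disabled a request for a missing replica passes this helper without ever getting `ERR_OBJECT_NOT_FOUND`, and the "check_status" half of the name only holds when Ranger is on. Either move the replica lookup above the ACL switch, or rename the helper so callers do not rely on it for the existence check. Separately, the authorization call is handed `reply.response_message()` rather than the request message; a short comment explaining why the access check can be evaluated against that message would make this easier to audit.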

Review Comment:
   According to the function name, we can't infer whether it is used for write or read RPCs, so it's not enough to judge only whether write is allowed.


