You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@pegasus.apache.org by GitBox <gi...@apache.org> on 2022/08/15 09:24:11 UTC

[GitHub] [incubator-pegasus] acelyc111 commented on issue #1054: Feature: Integrate with Apache Ranger

acelyc111 commented on issue #1054:
URL: https://github.com/apache/incubator-pegasus/issues/1054#issuecomment-1214810552

   The current ACL is described in https://github.com/apache/incubator-pegasus/issues/170 and [Pegasus 安全认证](https://mp.weixin.qq.com/s?__biz=MzkzNzAzNDgyNg==&mid=2247483801&idx=1&sn=0516fcdfb3667b85d03eb5a40293e6de&chksm=c294d4bcf5e35daa67a4eb3317749c7a643e09a54c5c886be407a1105d96c6607c416cb4310c&token=1577740624&lang=en_US#rd)
   
   It can be summarized as following:
   
   
   operation \ user | super user | table owner | other users
   -- | -- | -- | --
   query cluster basic info | √ | √ | √
   table read and write | √ | √ | ×
   cluster control | √ | × | ×
   
   The extended ACL is based on the former design and detailed as following:
    
   
   
   operation \ details | ACL symbol | rpc code | resource example | --
   -- | -- | -- | -- | --
   Global level | -- | -- | -- |  
   query cluster,server | metadata | cluster:<br>RPC_CM_LIST_NODES<br>RPC_CM_CLUSTER_INFO<br>RPC_CM_LIST_APPS(can query all tables)<br>server:<br>RPC_QUERY_DISK_INFO |   | 
   control cluster,server,multi tables | control | cluster+server:<br>RPC_HTTP_SERVICE(http request,has no principal currently)<br>set LB level:<br>RPC_CM_CONTROL_META<br>recover meta server though replica servers:<br>RPC_CM_START_RECOVERY<br>on replica server: migrate replica between disks:<br>RPC_REPLICA_DISK_MIGRATE<br>on replica server:<br>add new disks:<br>RPC_ADD_NEW_DISK<br>on replica server:<br>detect hot key:<br>RPC_DETECT_HOTKEY<br>cluster+server: remote command(include many operations):<br>RPC_CLI_CLI_CALL<br>(multi-tables)backup policy's add,modify(maybe removed later):<br>RPC_CM_ADD_BACKUP_POLICY<br>RPC_CM_MODIFY_BACKUP_POLICY | -- | --
   Database级别权限* | -- | -- | -- | --
   查看集群/server | list | 集群:RPC_CM_LIST_APPS(只能查询到有权限的db下的表) | -- | --
   创建表格 | create | RPC_CM_CREATE_APP | db1 | 可创建db1_*开头的表格
   删除/召回 表格 | drop | RPC_CM_DROP_APPRPC_CM_RECALL_APP | -- | --
   管理表格-查看 | metadata | (多表)备份policy的查询(后续会删除,也有可替代方法,设计上直接禁用):RPC_CM_QUERY_BACKUP_POLICY(单表)表级backup的查询:RPC_CM_QUERY_BACKUP_STATUS(单表)从backup恢复表的查询:RPC_CM_QUERY_RESTORE_STATUS(单表)热备份的查询:RPC_CM_QUERY_DUPLICATION(单表)partition split的查询:RPC_CM_QUERY_PARTITION_SPLIT(单表)bulk load的查询:RPC_CM_QUERY_BULK_LOAD_STATUS(单表)manual compact的查询:RPC_CM_QUERY_MANUAL_COMPACT_STATUS(单表)表副本数的查询:RPC_CM_GET_MAX_REPLICA_COUNT | -- | --
   管理表格-控制 | control | (单表)backup的开始:RPC_CM_START_BACKUP_APP(单表)从backup恢复表的控制:RPC_CM_START_RESTORE(单表)做一个分片的迁移:RPC_CM_PROPOSE_BALANCER(单表)热备份的添加、修改:RPC_CM_ADD_DUPLICATIONRPC_CM_MODIFY_DUPLICATION(单表)更新表的env:RPC_CM_UPDATE_APP_ENV(单表)表的DDD诊断(故障恢复):RPC_CM_DDD_DIAGNOSE(单表)partition split的开始、控制:RPC_CM_START_PARTITION_SPLITRPC_CM_CONTROL_PARTITION_SPLIT(单表)bulk load的开始、控制、清理:RPC_CM_START_BULK_LOADRPC_CM_CONTROL_BULK_LOADRPC_CM_CLEAR_BULK_LOAD(单表)manual compact的开始:RPC_CM_START_MANUAL_COMPACT(单表)表副本数的修改:RPC_CM_SET_MAX_REPLICA_COUNT | -- | --
   Database/Table级别权限 | -- | -- | -- | --
   表读 | read | meta server:路由信息:RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEXlist:RPC_CM_LIST_APPS(只能查询到有权限的表)replica server:server级:replica_stub::on_client_readreplica级:replica::on_client_read | db1/table1 | 可读db1_table1这张表
   表写 | write | replica server:server级:replica_stub::on_client_writereplica级:replica::on_client_write | db1/* | 可写db1_*的表格
   server 内部的(不做控制) | N/A | RPC_CM_CONFIG_SYNCRPC_CM_UPDATE_PARTITION_CONFIGURATIONRPC_CM_REPORT_RESTORE_STATUSRPC_CM_DUPLICATION_SYNCRPC_CM_REGISTER_CHILD_REPLICARPC_CM_NOTIFY_STOP_SPLITRPC_CM_QUERY_CHILD_STATERPC_NEGOTIATIONRPC_CALL_RAW_MESSAGERPC_CALL_RAW_SESSION_DISCONNECTRPC_NFS_GET_FILE_SIZERPC_NFS_COPYRPC_FD_FAILURE_DETECTOR_PINGRPC_CALL_RAW_MESSAGERPC_CALL_RAW_SESSION_DISCONNECTRPC_CONFIG_PROPOSALRPC_GROUP_CHECKRPC_QUERY_PN_DECREE(?)RPC_QUERY_REPLICA_INFORPC_QUERY_LAST_CHECKPOINT_INFORPC_PREPARERPC_GROUP_CHECKRPC_QUERY_APP_INFORPC_LEARNRPC_LEARN_COMPLETION_NOTIFYRPC_LEARN_ADD_LEARNERRPC_REMOVE_REPLICARPC_COLD_BACKUPRPC_CLEAR_COLD_BACKUPRPC_SPLIT_NOTIFY_CATCH_UPRPC_SPLIT_UPDATE_CHILD_PARTITION_COUNTRPC_BULK_LOADRPC_GROUP_BULK_LOAD | -- | --
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@pegasus.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@pegasus.apache.org
For additional commands, e-mail: dev-help@pegasus.apache.org