You are viewing a plain text version of this content. The canonical link for it is here.
Posted to reviews@kudu.apache.org by "Attila Bukor (Code Review)" <ge...@cloudera.org> on 2020/02/11 21:16:54 UTC
[kudu-CR] [WIP] Ranger client
Attila Bukor has uploaded this change for review. ( http://gerrit.cloudera.org:8080/15206
Change subject: [WIP] Ranger client
......................................................................
[WIP] Ranger client
Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
---
M CMakeLists.txt
A src/kudu/ranger/CMakeLists.txt
A src/kudu/ranger/ranger.proto
A src/kudu/ranger/ranger_action.cc
A src/kudu/ranger/ranger_action.h
A src/kudu/ranger/ranger_client-test.cc
A src/kudu/ranger/ranger_client.cc
A src/kudu/ranger/ranger_client.h
M src/kudu/subprocess/client.h
M src/kudu/subprocess/server.h
10 files changed, 721 insertions(+), 12 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/06/15206/1
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 1
Gerrit-Owner: Attila Bukor <ab...@apache.org>
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Adar Dembo (Code Review)" <ge...@cloudera.org>.
Adar Dembo has posted comments on this change. ( http://gerrit.cloudera.org:8080/15206 )
Change subject: KUDU-2972 Add Ranger client
......................................................................
Patch Set 12:
(1 comment)
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_action.h
File src/kudu/ranger/ranger_action.h:
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_action.h@29
PS12, Line 29: INSERT,
: UPDATE,
: DELETE,
: ALTER,
: CREATE,
: DROP,
Drawing from CRUD for a minute, I'm curious why we chose to separate offer "create", "update", and "delete" actions for DDL and DML operations. Why not use the same set of actions for both, but require broader scoping for DDL (i.e. ON DATABASE vs. ON TABLE)?
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 12
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Wed, 26 Feb 2020 21:33:01 +0000
Gerrit-HasComments: Yes
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Attila Bukor (Code Review)" <ge...@cloudera.org>.
Attila Bukor has posted comments on this change. ( http://gerrit.cloudera.org:8080/15206 )
Change subject: KUDU-2972 Add Ranger client
......................................................................
Patch Set 9:
(9 comments)
http://gerrit.cloudera.org:8080/#/c/15206/8/src/kudu/ranger/ranger_client-test.cc
File src/kudu/ranger/ranger_client-test.cc:
http://gerrit.cloudera.org:8080/#/c/15206/8/src/kudu/ranger/ranger_client-test.cc@161
PS8, Line 161: ASSERT_EQ(2, columns.size());
> Use ContainsKey() from gutil/map-util.h
Can't, it only works on collections that have a find method. Unfortunately vector doesn't have a find method, we need to pass the vectors begin & and pointers to std::find(). Changed it on the unordered_set above though.
http://gerrit.cloudera.org:8080/#/c/15206/8/src/kudu/ranger/ranger_client.h
File src/kudu/ranger/ranger_client.h:
http://gerrit.cloudera.org:8080/#/c/15206/8/src/kudu/ranger/ranger_client.h@46
PS8, Line 46: virtual Status Start() WARN_UNUSED_RESULT;
:
> Should also mention that this returns an error if the table name doesn't co
changed the behavior to not return errors in that case
http://gerrit.cloudera.org:8080/#/c/15206/8/src/kudu/ranger/ranger_client.h@70
PS8, Line 70: Status SendRequest(RangerRequestListPB* req, RangerResponseL
> Could you add a TODO to make this a unique_ptr or a member variable when we
Done
http://gerrit.cloudera.org:8080/#/c/15206/8/src/kudu/ranger/ranger_client.cc
File src/kudu/ranger/ranger_client.cc:
http://gerrit.cloudera.org:8080/#/c/15206/8/src/kudu/ranger/ranger_client.cc@48
PS8, Line 48:
> warning: pass by value and use std::move [modernize-pass-by-value]
Done
http://gerrit.cloudera.org:8080/#/c/15206/8/src/kudu/ranger/ranger_client.cc@112
PS8, Line 112: string db;
> warning: loop variable is copied but only used as const reference; consider
Done
http://gerrit.cloudera.org:8080/#/c/15206/8/src/kudu/ranger/ranger_client.cc@153
PS8, Line 153: return Status::InvalidArgument("Empty set of tables");
> Should use const auto& here
Done
http://gerrit.cloudera.org:8080/#/c/15206/8/src/kudu/ranger/ranger_client.cc@154
PS8, Line 154:
> nit: prefer emplace_back() instead of push_back(), here and elsewhere.
Done
http://gerrit.cloudera.org:8080/#/c/15206/8/src/kudu/ranger/ranger_client.cc@158
PS8, Line 158: req_list.set_user(user_name);
> This means that if there are any tables at all that don't conform to the Ra
good point, maybe it's better to just skip authorizing them, rewrote it.
http://gerrit.cloudera.org:8080/#/c/15206/8/src/kudu/ranger/ranger_client.cc@171
PS8, Line 171:
> We should probably validate that responses_size() == orig_table_names.size(
good idea, do you have a preference which one it should be?
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 9
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Tue, 25 Feb 2020 17:44:40 +0000
Gerrit-HasComments: Yes
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Attila Bukor (Code Review)" <ge...@cloudera.org>.
Attila Bukor has posted comments on this change. ( http://gerrit.cloudera.org:8080/15206 )
Change subject: KUDU-2972 Add Ranger client
......................................................................
Patch Set 13:
(18 comments)
http://gerrit.cloudera.org:8080/#/c/15206/12//COMMIT_MSG
Commit Message:
PS12:
> Could you comment in the commit message regarding the change to ParseRanger
Done
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_action.h
File src/kudu/ranger/ranger_action.h:
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_action.h@27
PS12, Line 27:
> Add a doc here?
Done
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_action.h@29
PS12, Line 29:
:
:
:
:
:
> Maybe I forgot that for Kudu's Ranger policy, there is no such entity scopi
Done
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_client-test.cc
File src/kudu/ranger/ranger_client-test.cc:
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_client-test.cc@55
PS12, Line 55: column_name == rhs.column_name;
> This seems like it could be stack allocated.
Partially done, but I think I'm missing something. How would I inject the mock subprocess server to the real client if it's stack allocated in RangerClient?
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_client-test.cc@124
PS12, Line 124: auto packed_resp = new Any();
: packed_resp->PackFrom(resp_list);
: resp->set_allocated_response(packed_resp);
:
: r
> Rewrite as AddResponse(table == "default.foobar");
Done
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_client.h
File src/kudu/ranger/ranger_client.h:
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_client.h@38
PS12, Line 38: //
> Why do these functions need to be virtual? Is it for future mocking? If so,
Done
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_client.h@41
PS12, Line 41:
> You can drop the kudu prefix and I think get by with one of the following:
Done
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_client.h@54
PS12, Line 54:
> perform an
Done
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_client.h@56
PS12, Line 56: perform an action on, it
> Why bother? Won't the NotAuthorized alone signal to the caller that the use
Done
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_client.cc
File src/kudu/ranger/ranger_client.cc:
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_client.cc@54
PS12, Line 54: return server_->Init();
> Doesn't seem all that interesting; maybe omit it? Or downgrade to VLOG?
Done
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_client.cc@67
PS12, Line 67:
> We should handle the return value in some way.
added a DCHECK, do you think that's enough?
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_client.cc@75
PS12, Line 75: Slice tbl;
:
: // ParseRangerTableIdentifier
> Let's move this down to where we actually need it (i.e. L86).
Done
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_client.cc@82
PS12, Line 82: if (PREDICT_FALSE(!s.ok())) {
: return Status::OK();
: }
> At the very least this warrants a comment: why should we ignore a bad statu
Done
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_client.cc@94
PS12, Line 94: req->set_table(tbl.ToString());
> Use DCHECK_EQ.
Done
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_client.cc@136
PS12, Line 136: req->set_column(col);
> To adhere to the common calling convention used in Kudu, let's restructure
Done
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_client.cc@170
PS12, Line 170:
> Nit: why this empty line?
Done
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/subprocess/server.h
File src/kudu/subprocess/server.h:
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/subprocess/server.h@187
PS12, Line 187: //
> I'd supplement this doc with a quick note about why the public methods are
Done
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/subprocess/server.cc
File src/kudu/subprocess/server.cc:
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/subprocess/server.cc@141
PS12, Line 141: if (!closing_.CountDown()) {
> This isn't super robust because it assumes a particular ordering in Init();
Done
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 13
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Mon, 02 Mar 2020 18:31:59 +0000
Gerrit-HasComments: Yes
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Attila Bukor (Code Review)" <ge...@cloudera.org>.
Attila Bukor has posted comments on this change. ( http://gerrit.cloudera.org:8080/15206 )
Change subject: KUDU-2972 Add Ranger client
......................................................................
Patch Set 17:
(19 comments)
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger.proto
File src/kudu/ranger/ranger.proto:
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger.proto@27
PS16, Line 27: // The action type mapping is similar to the one in Sentry which was implemented
: // before Ranger and the same privileges have to be enforced with both
: // authorization providers.
: //
: // For more information on fine grained authz check docs/security.adoc
: //
: // SELECT - select row
> Agreed re: the usefulness of linking to existing docs, though we shouldn't
Done
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_client-test.cc
File src/kudu/ranger/ranger_client-test.cc:
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_client-test.cc@55
PS12, Line 55: struct AuthorizedAction {
> Hmm, that may not work, but at least you could convert the shared ownership
hm SubprocessServer has an atomic member (next_id_) so it's not copy/move constructible. Do you think it's worth adding a move constructor to it so we can use a unique_ptr here? Or can you think of a better approach?
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client-test.cc
File src/kudu/ranger/ranger_client-test.cc:
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client-test.cc@68
PS16, Line 68: }
> Again, define a hasher rather than overloading std::hash.
Done
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client-test.cc@112
PS16, Line 112:
> Could just as easily RETURN_NOT_OK.
RETURN_NOT_OK only works for methods that return a Status, this returns a boolean. I can return a runtime error or something, but this should always work, unless an incorrect protobuf message is returned which doesn't seem too likely and would indicate a serious error.
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client-test.cc@128
PS16, Line 128:
: void SetUp() override {
: server_->next_response_ = &next_response_;
> Could maybe do resp->mutable_response()->PackFrom(resp_list)?
Done
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client.h
File src/kudu/ranger/ranger_client.h:
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client.h@38
PS16, Line 38: eturn
> nit: Creates?
Done
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client.h@47
PS16, Line 47:
> nit: indent.
Done
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client.h@54
PS16, Line 54: d::strin
> Same here.
Done
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client.h@59
PS16, Line 59:
> It's not a vector.
Done
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client.h@60
PS16, Line 60:
> nit: is authorized to access if OK status is returned.
Done
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client.h@62
PS16, Line 62:
:
> Same here.
Done
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client.h@69
PS16, Line 69:
> nit: should it be named to AuthorizeActions given its functionality?
Done
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client.h@70
PS16, Line 70: std::unordered_set<std::string>* column_names)
: WARN_UNUSED_RESULT;
> And here.
Done
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client.h@82
PS16, Line 82: // Sends request to the subprocess and parses the response.
: Status SendRequest(RangerRequestListPB* req, RangerResponseListPB* resp) WARN_UNUSED_RESULT;
:
: std::shared_ptr<kudu::subprocess::SubprocessServer> server_;
: };
:
: } // namespace ranger
: }
> This is a no-no in the Google Style Guide: https://google.github.io/stylegu
Done
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client.cc
File src/kudu/ranger/ranger_client.cc:
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client.cc@55
PS16, Line 55: atus RangerClient::Star
> Add a TODO here if you are going to have a follow up patch to actually call
this will only call init, ranger authz provider sets up the server, do you think that's a good approach? if it is, I don't think it's necessary to add a todo here.
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client.cc@67
PS16, Line 67: RETURN_NOT_OK(server_->Execute(&sreq,
> Maybe use DCHECK instead?
that was the original approach, but it got optimized out and it segfaulted in release mode. As this needs to run anyway, I think between storing the result in a variable and DCHECK on that and simply CHECK I think it's better to CHECK, but let me know if you disagree.
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client.cc@79
PS16, Line 79:
: auto s = ParseRangerTableIdentifier(table_name, &db, &tbl);
: if (PREDICT_FALSE(!s.ok())) {
> I tend to agree. Like with Sentry (though that was due to HMS integration),
Even with Sentry only conflicting tables had to be renamed. Tables with names that are invalid in Sentry are unmodified. OTOH those tables are denied in Sentry too so I'm changing it to deny non-Ranger tables and log a warning.
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client.cc@156
PS16, Line 156: return Status::OK();
> BTW, the Sentry provider doesn't provide any detail besides "unauthorized a
Done
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/subprocess/server.cc
File src/kudu/subprocess/server.cc:
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/subprocess/server.cc@155
PS16, Line 155: if (write_thread_) {
> Nit: it's C++, so you can simplify to:
Done
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 17
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Tue, 03 Mar 2020 13:18:16 +0000
Gerrit-HasComments: Yes
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Attila Bukor (Code Review)" <ge...@cloudera.org>.
Hello Tidy Bot, Kudu Jenkins, Andrew Wong, Hao Hao,
I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/15206
to look at the new patch set (#8).
Change subject: KUDU-2972 Add Ranger client
......................................................................
KUDU-2972 Add Ranger client
Adds a Ranger client that communicates with the Java subprocess that
wraps the Ranger plugin. It can be used by an authorization provider to
translate between Kudu and Ranger.
Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
---
M src/kudu/common/table_util-test.cc
M src/kudu/common/table_util.cc
M src/kudu/common/table_util.h
M src/kudu/ranger/CMakeLists.txt
A src/kudu/ranger/ranger_action.cc
A src/kudu/ranger/ranger_action.h
A src/kudu/ranger/ranger_client-test.cc
A src/kudu/ranger/ranger_client.cc
A src/kudu/ranger/ranger_client.h
M src/kudu/subprocess/server.cc
M src/kudu/subprocess/server.h
M src/kudu/util/subprocess.cc
M src/kudu/util/subprocess.h
13 files changed, 639 insertions(+), 52 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/06/15206/8
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 8
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Attila Bukor (Code Review)" <ge...@cloudera.org>.
Hello Tidy Bot, Kudu Jenkins, Andrew Wong, Adar Dembo, Hao Hao,
I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/15206
to look at the new patch set (#21).
Change subject: KUDU-2972 Add Ranger client
......................................................................
KUDU-2972 Add Ranger client
Adds a Ranger client that communicates with the Java subprocess that
wraps the Ranger plugin. It can be used by an authorization provider to
translate between Kudu and Ranger.
Removes default_database out parameter from ParseRangerTableIdentifier
in table_util as we decided to take a slightly different path and this
information is not needed anymore.
Current test coverage consists of only unit tests with a mock subprocess
server. Real integration tests will be added in a follow-up patch once a
working MiniRanger is added to facilitate this testing.
Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
---
M src/kudu/common/table_util-test.cc
M src/kudu/common/table_util.cc
M src/kudu/common/table_util.h
M src/kudu/ranger/CMakeLists.txt
M src/kudu/ranger/ranger.proto
A src/kudu/ranger/ranger_client-test.cc
A src/kudu/ranger/ranger_client.cc
A src/kudu/ranger/ranger_client.h
M src/kudu/subprocess/server.cc
M src/kudu/subprocess/server.h
M src/kudu/subprocess/subprocess_proxy.h
M src/kudu/util/subprocess.cc
M src/kudu/util/subprocess.h
13 files changed, 843 insertions(+), 60 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/06/15206/21
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 21
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Hao Hao (Code Review)" <ge...@cloudera.org>.
Hao Hao has posted comments on this change. ( http://gerrit.cloudera.org:8080/15206 )
Change subject: KUDU-2972 Add Ranger client
......................................................................
Patch Set 16:
Also it seems there is a IWYU failure for anger_client-test.cc.
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 16
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Mon, 02 Mar 2020 23:46:30 +0000
Gerrit-HasComments: No
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Attila Bukor (Code Review)" <ge...@cloudera.org>.
Hello Tidy Bot, Kudu Jenkins, Andrew Wong, Adar Dembo, Hao Hao,
I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/15206
to look at the new patch set (#24).
Change subject: KUDU-2972 Add Ranger client
......................................................................
KUDU-2972 Add Ranger client
Adds a Ranger client that communicates with the Java subprocess that
wraps the Ranger plugin. It can be used by an authorization provider to
translate between Kudu and Ranger.
Removes default_database out parameter from ParseRangerTableIdentifier
in table_util as we decided to take a slightly different path and this
information is not needed anymore.
Current test coverage consists of only unit tests with a mock subprocess
server. Real integration tests will be added in a follow-up patch once a
working MiniRanger is added to facilitate this testing.
Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
---
M src/kudu/common/table_util-test.cc
M src/kudu/common/table_util.cc
M src/kudu/common/table_util.h
M src/kudu/ranger/CMakeLists.txt
M src/kudu/ranger/ranger.proto
A src/kudu/ranger/ranger_client-test.cc
A src/kudu/ranger/ranger_client.cc
A src/kudu/ranger/ranger_client.h
M src/kudu/subprocess/server.cc
M src/kudu/subprocess/server.h
M src/kudu/subprocess/subprocess_proxy.h
M src/kudu/util/subprocess.cc
M src/kudu/util/subprocess.h
13 files changed, 831 insertions(+), 60 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/06/15206/24
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 24
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Attila Bukor (Code Review)" <ge...@cloudera.org>.
Hello Tidy Bot, Kudu Jenkins, Andrew Wong, Adar Dembo, Hao Hao,
I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/15206
to look at the new patch set (#17).
Change subject: KUDU-2972 Add Ranger client
......................................................................
KUDU-2972 Add Ranger client
Adds a Ranger client that communicates with the Java subprocess that
wraps the Ranger plugin. It can be used by an authorization provider to
translate between Kudu and Ranger.
Removes default_database out parameter from ParseRangerTableIdentifier
in table_util as we decided to take a slightly different path and this
information is not needed anymore.
Current test coverage consists of only unit tests with a mock subprocess
server. Real integration tests will be added in a follow-up patch once a
working MiniRanger is added to facilitate this testing.
Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
---
M src/kudu/common/table_util-test.cc
M src/kudu/common/table_util.cc
M src/kudu/common/table_util.h
M src/kudu/ranger/CMakeLists.txt
M src/kudu/ranger/ranger.proto
A src/kudu/ranger/ranger_client-test.cc
A src/kudu/ranger/ranger_client.cc
A src/kudu/ranger/ranger_client.h
M src/kudu/subprocess/server.cc
M src/kudu/subprocess/server.h
M src/kudu/util/subprocess.cc
M src/kudu/util/subprocess.h
12 files changed, 751 insertions(+), 55 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/06/15206/17
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 17
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Hao Hao (Code Review)" <ge...@cloudera.org>.
Hao Hao has posted comments on this change. ( http://gerrit.cloudera.org:8080/15206 )
Change subject: KUDU-2972 Add Ranger client
......................................................................
Patch Set 19: Code-Review+1
(5 comments)
Overall looks good to me, thanks a lot for working on the patch Attila!
http://gerrit.cloudera.org:8080/#/c/15206/19/src/kudu/ranger/ranger.proto
File src/kudu/ranger/ranger.proto:
http://gerrit.cloudera.org:8080/#/c/15206/19/src/kudu/ranger/ranger.proto@33
PS19, Line 33: // SELECT - select rows in a table
: // INSERT - insert to a table
: // UPDATE - update existing rows in a table
: // DELETE - delete rows in a table
: // ALTER - alter schema
: // CREATE - creating a table
: // DROP - drop a table
nit: I think this can be removed now, and it is not quite accurate.
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client.cc
File src/kudu/ranger/ranger_client.cc:
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client.cc@55
PS16, Line 55: atus RangerClient::Star
> this will only call init, ranger authz provider sets up the server, do you
A little surprised to see it is set in ranger authz provider as Ranger client should be able to successfully connect to Ranger subprocess on its own. However it is fine for now as mini Ranger is not in place.
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client.cc@67
PS16, Line 67: RETURN_NOT_OK(server_->Execute(&sreq,
> that was the original approach, but it got optimized out and it segfaulted
Ack, LGTM.
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client.cc@79
PS16, Line 79:
: auto s = ParseRangerTableIdentifier(table_name, &db, &tbl);
: if (PREDICT_FALSE(!s.ok())) {
> Even with Sentry only conflicting tables had to be renamed. Tables with nam
Ack
http://gerrit.cloudera.org:8080/#/c/15206/19/src/kudu/ranger/ranger_client.cc
File src/kudu/ranger/ranger_client.cc:
http://gerrit.cloudera.org:8080/#/c/15206/19/src/kudu/ranger/ranger_client.cc@82
PS19, Line 82: Denying action on table with invalid name
Maybe also advise the user to update the table name via table rename tool?
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 19
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Tue, 03 Mar 2020 19:15:43 +0000
Gerrit-HasComments: Yes
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Andrew Wong (Code Review)" <ge...@cloudera.org>.
Andrew Wong has posted comments on this change. ( http://gerrit.cloudera.org:8080/15206 )
Change subject: KUDU-2972 Add Ranger client
......................................................................
Patch Set 20:
(7 comments)
http://gerrit.cloudera.org:8080/#/c/15206/20/src/kudu/ranger/ranger_client.h
File src/kudu/ranger/ranger_client.h:
http://gerrit.cloudera.org:8080/#/c/15206/20/src/kudu/ranger/ranger_client.h@46
PS20, Line 46:
: // Authorizes an action on the table. Returns OK if 'user_name' is authorized
: // to perform 'action' on 'table_name', NotAuthorized otherwise.
: Status AuthorizeAction(const std::string& user_name, const ActionPB& action,
: const std::string& table_name) WARN_UNUSED_RESULT;
Is this needed if we have AuthorizeActions()?
http://gerrit.cloudera.org:8080/#/c/15206/20/src/kudu/ranger/ranger_client.h@69
PS20, Line 69: a table-level action
nit: "multiple table-level actions"
http://gerrit.cloudera.org:8080/#/c/15206/20/src/kudu/ranger/ranger_client.h@74
PS20, Line 74: std::unordered_set<ActionPB, ActionHash>* actions,
nit: per the GSG, output parameters should be last.
http://gerrit.cloudera.org:8080/#/c/15206/20/src/kudu/ranger/ranger_client.cc
File src/kudu/ranger/ranger_client.cc:
http://gerrit.cloudera.org:8080/#/c/15206/20/src/kudu/ranger/ranger_client.cc@73
PS20, Line 73:
: Status RangerClient::SendRequest(RangerRequestListPB* req, RangerResponseListPB* resp) {
: SubprocessRequestPB sreq;
: SubprocessResponsePB sresp;
:
: auto packed_req = new Any();
: packed_req->PackFrom(*req);
: sreq.set_allocated_request(packed_req);
: RETURN_NOT_OK(server_->Execute(&sreq, &sresp));
:
: CHECK(sresp.response().UnpackTo(resp));
:
: return Status::OK();
: }
Depending on the order of what lands, may want to rebase on this and typedef some RangerSubprocess:
https://gerrit.cloudera.org/c/15344/
Though we can always address that later too.
http://gerrit.cloudera.org:8080/#/c/15206/20/src/kudu/ranger/ranger_client.cc@112
PS20, Line 112: CHECK_EQ(resp_list.responses_size(), 1);
nit: flip the order of the arguments so the error message is more correct (expected value first). Same elsewhere.
http://gerrit.cloudera.org:8080/#/c/15206/20/src/kudu/ranger/ranger_client.cc@276
PS20, Line 276: string RangerClient::GetJavaClasspath() {
: Env* env = Env::Default();
: string exe;
: CHECK_OK(env->GetExecutablePath(&exe));
: const string bin_dir = DirName(exe);
: return Substitute("$0/kudu-ranger.jar:$1", bin_dir, FLAGS_ranger_config_path);
: }
Will the JARs always be located in the binary directory? I was under the impression that many deployments have their own separate directory for JARs (e.g. Kudu backup JARs in CDH are located in a JARs directory). If that's the case, would it make sense to have the JAR path be configurable?
http://gerrit.cloudera.org:8080/#/c/15206/20/src/kudu/subprocess/server.cc
File src/kudu/subprocess/server.cc:
http://gerrit.cloudera.org:8080/#/c/15206/20/src/kudu/subprocess/server.cc@147
PS20, Line 147: if (process_->IsStarted()) {
: WARN_NOT_OK(process_->KillAndWait(SIGTERM), "failed to stop subprocess");
: }
: inbound_response_queue_.Shutdown();
: outbound_call_queue_.Shutdown();
:
: // We should be able to clean up our threads; they'll see that we're closing,
: // the pipe has been closed, or the queues have been shut down.
: if (write_thread_) {
: write_thread_->Join();
: }
: if (read_thread_) {
: read_thread_->Join();
: }
: if (deadline_checker_) {
: deadline_checker_->Join();
: }
nit: could you mention in a comment that these are all expected to always be there, except for in the mock?
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 20
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Tue, 03 Mar 2020 23:00:27 +0000
Gerrit-HasComments: Yes
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Attila Bukor (Code Review)" <ge...@cloudera.org>.
Hello Tidy Bot, Kudu Jenkins, Andrew Wong, Adar Dembo, Hao Hao,
I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/15206
to look at the new patch set (#16).
Change subject: KUDU-2972 Add Ranger client
......................................................................
KUDU-2972 Add Ranger client
Adds a Ranger client that communicates with the Java subprocess that
wraps the Ranger plugin. It can be used by an authorization provider to
translate between Kudu and Ranger.
Removes default_database out parameter from ParseRangerTableIdentifier
in table_util as we decided to take a slightly different path and this
information is not needed anymore.
Current test coverage consists of only unit tests with a mock subprocess
server. Real integration tests will be added in a follow-up patch once a
working MiniRanger is added to facilitate this testing.
Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
---
M src/kudu/common/table_util-test.cc
M src/kudu/common/table_util.cc
M src/kudu/common/table_util.h
M src/kudu/ranger/CMakeLists.txt
M src/kudu/ranger/ranger.proto
A src/kudu/ranger/ranger_client-test.cc
A src/kudu/ranger/ranger_client.cc
A src/kudu/ranger/ranger_client.h
M src/kudu/subprocess/server.cc
M src/kudu/subprocess/server.h
M src/kudu/util/subprocess.cc
M src/kudu/util/subprocess.h
12 files changed, 790 insertions(+), 55 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/06/15206/16
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 16
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Attila Bukor (Code Review)" <ge...@cloudera.org>.
Hello Tidy Bot, Kudu Jenkins, Andrew Wong, Adar Dembo, Hao Hao,
I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/15206
to look at the new patch set (#13).
Change subject: KUDU-2972 Add Ranger client
......................................................................
KUDU-2972 Add Ranger client
Adds a Ranger client that communicates with the Java subprocess that
wraps the Ranger plugin. It can be used by an authorization provider to
translate between Kudu and Ranger.
Removes default_database out parameter from ParseRangerTableIdentifier
in table_util as we decided to take a slightly different path and this
information is not needed anymore.
Current test coverage consists of only unit tests with a mock subprocess
server. Real integration tests will be added in a follow-up patch once a
working MiniRanger is added to facilitate this testing.
Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
---
M src/kudu/common/table_util-test.cc
M src/kudu/common/table_util.cc
M src/kudu/common/table_util.h
M src/kudu/ranger/CMakeLists.txt
M src/kudu/ranger/ranger.proto
A src/kudu/ranger/ranger_client-test.cc
A src/kudu/ranger/ranger_client.cc
A src/kudu/ranger/ranger_client.h
M src/kudu/subprocess/server.cc
M src/kudu/subprocess/server.h
M src/kudu/util/subprocess.cc
M src/kudu/util/subprocess.h
12 files changed, 791 insertions(+), 55 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/06/15206/13
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 13
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Attila Bukor (Code Review)" <ge...@cloudera.org>.
Attila Bukor has posted comments on this change. ( http://gerrit.cloudera.org:8080/15206 )
Change subject: KUDU-2972 Add Ranger client
......................................................................
Patch Set 10:
(12 comments)
http://gerrit.cloudera.org:8080/#/c/15206/10/src/kudu/common/table_util.h
File src/kudu/common/table_util.h:
http://gerrit.cloudera.org:8080/#/c/15206/10/src/kudu/common/table_util.h@46
PS10, Line 46: Status
> nit: can you comment on when the returned Status will not be ok?
Done
http://gerrit.cloudera.org:8080/#/c/15206/10/src/kudu/ranger/ranger_action.h
File src/kudu/ranger/ranger_action.h:
http://gerrit.cloudera.org:8080/#/c/15206/10/src/kudu/ranger/ranger_action.h@39
PS10, Line 39: ActionPB ActionToActionPB(const Action& action);
> nit: Can you add comments for the methods in this class.
Done
http://gerrit.cloudera.org:8080/#/c/15206/10/src/kudu/ranger/ranger_action.cc
File src/kudu/ranger/ranger_action.cc:
http://gerrit.cloudera.org:8080/#/c/15206/10/src/kudu/ranger/ranger_action.cc@46
PS10, Line 46: return ActionPB::METADATA;
> LOG(FATAL) for unknown action? Similar to https://github.com/apache/kudu/bl
Done
http://gerrit.cloudera.org:8080/#/c/15206/10/src/kudu/ranger/ranger_action.cc@70
PS10, Line 70: }
> Same here.
Done
http://gerrit.cloudera.org:8080/#/c/15206/10/src/kudu/ranger/ranger_client.h
File src/kudu/ranger/ranger_client.h:
http://gerrit.cloudera.org:8080/#/c/15206/10/src/kudu/ranger/ranger_client.h@45
PS10, Line 45: and client
> nit: remove?
Done
http://gerrit.cloudera.org:8080/#/c/15206/10/src/kudu/ranger/ranger_client.cc
File src/kudu/ranger/ranger_client.cc:
http://gerrit.cloudera.org:8080/#/c/15206/10/src/kudu/ranger/ranger_client.cc@54
PS10, Line 54: return server_->Init();
> Add a logging?
Done
http://gerrit.cloudera.org:8080/#/c/15206/10/src/kudu/ranger/ranger_client.cc@93
PS10, Line 93: if (resp_list.responses()
> DCHECK the response size?
Done
http://gerrit.cloudera.org:8080/#/c/15206/10/src/kudu/ranger/ranger_client.cc@97
PS10, Line 97: Substitute("User %s is not authorized to "
: "perform %s on %s",
> Should we add a debug logging if the user is not authorized?
not sure if it's worth spamming the logs with it, a future audit log might be a better place for it. What do you think?
http://gerrit.cloudera.org:8080/#/c/15206/10/src/kudu/ranger/ranger_client.cc@134
PS10, Line 134: req_list
> Should we check the req_list size is the same as resp_list?
Done
http://gerrit.cloudera.org:8080/#/c/15206/10/src/kudu/ranger/ranger_client.cc@162
PS10, Line 162: non_ranger_tables
> nit: maybe name it to invalid_ranger_tables?
Done
http://gerrit.cloudera.org:8080/#/c/15206/10/src/kudu/ranger/ranger_client.cc@178
PS10, Line 178: non_ranger_tables.emplace_back(table);
> Add a log here for invalid ranger tables?
if we choose the approach I explained below I don't think it's necessary, maybe vlog?
http://gerrit.cloudera.org:8080/#/c/15206/10/src/kudu/ranger/ranger_client.cc@193
PS10, Line 193: for (auto i = 0; i < non_ranger_tables.size(); ++i) {
: table_names->emplace(non_ranger_tables[i]);
: }
> why we place the invalid ranger table back to table_names? Shouldn't we den
as they can't be managed by Ranger anyway I thought it would be better to retain existing functionality which is allow everything for authenticated users.
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 10
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Wed, 26 Feb 2020 11:51:07 +0000
Gerrit-HasComments: Yes
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Attila Bukor (Code Review)" <ge...@cloudera.org>.
Hello Tidy Bot, Kudu Jenkins, Andrew Wong, Hao Hao,
I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/15206
to look at the new patch set (#9).
Change subject: KUDU-2972 Add Ranger client
......................................................................
KUDU-2972 Add Ranger client
Adds a Ranger client that communicates with the Java subprocess that
wraps the Ranger plugin. It can be used by an authorization provider to
translate between Kudu and Ranger.
Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
---
M src/kudu/common/table_util-test.cc
M src/kudu/common/table_util.cc
M src/kudu/common/table_util.h
M src/kudu/ranger/CMakeLists.txt
A src/kudu/ranger/ranger_action.cc
A src/kudu/ranger/ranger_action.h
A src/kudu/ranger/ranger_client-test.cc
A src/kudu/ranger/ranger_client.cc
A src/kudu/ranger/ranger_client.h
M src/kudu/subprocess/server.cc
M src/kudu/subprocess/server.h
M src/kudu/util/subprocess.cc
M src/kudu/util/subprocess.h
13 files changed, 662 insertions(+), 52 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/06/15206/9
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 9
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
[kudu-CR] [WIP] Ranger client
Posted by "Attila Bukor (Code Review)" <ge...@cloudera.org>.
Hello Tidy Bot, Kudu Jenkins, Hao Hao,
I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/15206
to look at the new patch set (#4).
Change subject: [WIP] Ranger client
......................................................................
[WIP] Ranger client
Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
---
M CMakeLists.txt
A src/kudu/ranger/CMakeLists.txt
A src/kudu/ranger/ranger.proto
A src/kudu/ranger/ranger_action.cc
A src/kudu/ranger/ranger_action.h
A src/kudu/ranger/ranger_client-test.cc
A src/kudu/ranger/ranger_client.cc
A src/kudu/ranger/ranger_client.h
M src/kudu/subprocess/server.cc
M src/kudu/subprocess/server.h
M src/kudu/util/subprocess.cc
M src/kudu/util/subprocess.h
12 files changed, 718 insertions(+), 4 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/06/15206/4
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 4
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Andrew Wong (Code Review)" <ge...@cloudera.org>.
Andrew Wong has posted comments on this change. ( http://gerrit.cloudera.org:8080/15206 )
Change subject: KUDU-2972 Add Ranger client
......................................................................
Patch Set 8:
(8 comments)
http://gerrit.cloudera.org:8080/#/c/15206/8/src/kudu/ranger/ranger_client-test.cc
File src/kudu/ranger/ranger_client-test.cc:
http://gerrit.cloudera.org:8080/#/c/15206/8/src/kudu/ranger/ranger_client-test.cc@161
PS8, Line 161: ASSERT_TRUE(find(columns.begin(), columns.end(), "col1") != columns.end());
Use ContainsKey() from gutil/map-util.h
Same elsewhere.
http://gerrit.cloudera.org:8080/#/c/15206/8/src/kudu/ranger/ranger_client.h
File src/kudu/ranger/ranger_client.h:
http://gerrit.cloudera.org:8080/#/c/15206/8/src/kudu/ranger/ranger_client.h@46
PS8, Line 46: // Authorizes an action on the table. Returns OK if 'user_name' is authorized
: // to perform 'action' on 'table_name', NotAuthorized otherwise.
Should also mention that this returns an error if the table name doesn't conform to Ranger's naming requirements; same with the other methods. Probably worth adding test cases for this too.
http://gerrit.cloudera.org:8080/#/c/15206/8/src/kudu/ranger/ranger_client.h@70
PS8, Line 70: std::shared_ptr<kudu::subprocess::SubprocessServer> server_;
Could you add a TODO to make this a unique_ptr or a member variable when we no longer rely on the MockSubprocess test?
http://gerrit.cloudera.org:8080/#/c/15206/8/src/kudu/ranger/ranger_client.cc
File src/kudu/ranger/ranger_client.cc:
http://gerrit.cloudera.org:8080/#/c/15206/8/src/kudu/ranger/ranger_client.cc@141
PS8, Line 141: Status RangerClient::AuthorizeAction(const string& user_name,
I'm fine doing this in another patch, but for these bulk requests, we ought to consider splitting up the Ranger requests across multiple messages in case they're larger than the expected max subprocess request size. Maybe add a TODO?
http://gerrit.cloudera.org:8080/#/c/15206/8/src/kudu/ranger/ranger_client.cc@153
PS8, Line 153: for (auto table : *table_names) {
> warning: loop variable is copied but only used as const reference; consider
Should use const auto& here
http://gerrit.cloudera.org:8080/#/c/15206/8/src/kudu/ranger/ranger_client.cc@154
PS8, Line 154: push_back
nit: prefer emplace_back() instead of push_back(), here and elsewhere.
http://gerrit.cloudera.org:8080/#/c/15206/8/src/kudu/ranger/ranger_client.cc@158
PS8, Line 158: RETURN_NOT_OK(ParseRangerTableIdentifier(table, &db, &tbl));
This means that if there are any tables at all that don't conform to the Ranger requirements, we won't be able to list tables at all, right? Is that expected/desired vs just not authorizing non-conformant tables? If it is, could you update the comments in header to indicate that's the case?
http://gerrit.cloudera.org:8080/#/c/15206/8/src/kudu/ranger/ranger_client.cc@171
PS8, Line 171: for (auto i = 0; i < orig_table_names.size(); i++) {
We should probably validate that responses_size() == orig_table_names.size(). Maybe CHECK/DCHECK/IllegalState() or somesuch?
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 8
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Mon, 24 Feb 2020 03:34:17 +0000
Gerrit-HasComments: Yes
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Attila Bukor (Code Review)" <ge...@cloudera.org>.
Hello Tidy Bot, Kudu Jenkins, Andrew Wong, Adar Dembo, Hao Hao,
I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/15206
to look at the new patch set (#15).
Change subject: KUDU-2972 Add Ranger client
......................................................................
KUDU-2972 Add Ranger client
Adds a Ranger client that communicates with the Java subprocess that
wraps the Ranger plugin. It can be used by an authorization provider to
translate between Kudu and Ranger.
Removes default_database out parameter from ParseRangerTableIdentifier
in table_util as we decided to take a slightly different path and this
information is not needed anymore.
Current test coverage consists of only unit tests with a mock subprocess
server. Real integration tests will be added in a follow-up patch once a
working MiniRanger is added to facilitate this testing.
Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
---
M src/kudu/common/table_util-test.cc
M src/kudu/common/table_util.cc
M src/kudu/common/table_util.h
M src/kudu/ranger/CMakeLists.txt
M src/kudu/ranger/ranger.proto
A src/kudu/ranger/ranger_client-test.cc
A src/kudu/ranger/ranger_client.cc
A src/kudu/ranger/ranger_client.h
M src/kudu/subprocess/server.cc
M src/kudu/subprocess/server.h
M src/kudu/util/subprocess.cc
M src/kudu/util/subprocess.h
12 files changed, 791 insertions(+), 55 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/06/15206/15
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 15
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
[kudu-CR] [WIP] Ranger client
Posted by "Hao Hao (Code Review)" <ge...@cloudera.org>.
Hao Hao has posted comments on this change. ( http://gerrit.cloudera.org:8080/15206 )
Change subject: [WIP] Ranger client
......................................................................
Patch Set 3:
(3 comments)
Only looked at the protobuf definition and ranger client as it is a wip.
http://gerrit.cloudera.org:8080/#/c/15206/3/src/kudu/ranger/ranger.proto
File src/kudu/ranger/ranger.proto:
http://gerrit.cloudera.org:8080/#/c/15206/3/src/kudu/ranger/ranger.proto@24
PS3, Line 24: SCAN
To match with Ranger server side definition, we should use SELECT instead of SCAN here.
http://gerrit.cloudera.org:8080/#/c/15206/3/src/kudu/ranger/ranger_action.cc
File src/kudu/ranger/ranger_action.cc:
http://gerrit.cloudera.org:8080/#/c/15206/3/src/kudu/ranger/ranger_action.cc@45
PS3, Line 45: case Action::METADATA:
: return ActionPB::METADATA;
Throw exception for unknown actions?
http://gerrit.cloudera.org:8080/#/c/15206/3/src/kudu/ranger/ranger_client.h
File src/kudu/ranger/ranger_client.h:
http://gerrit.cloudera.org:8080/#/c/15206/3/src/kudu/ranger/ranger_client.h@44
PS3, Line 44: // Authorizes listing tables. If there is at least one table that user is
: // authorized to access metadata of, it returns OK and sets 'table_names' to
: // the tables the user is authorized to list. Otherwise it returns
: // NotAuthorized and it doesn't modify 'table_names'.
: Status AuthorizeList(const std::string& user_name,
: std::unordered_set<std::string>* table_names) WARN_UNUSED_RESULT;
:
: // Authorizes an action on the table. Returns OK if 'user_name' is authorized
: // to perform 'action' on 'table_name', NotAuthorized otherwise.
: Status AuthorizeAction(const std::string& user_name, const Action& action,
: const std::string& table_name) WARN_UNUSED_RESULT;
:
: // Authorizes a scan on a table. Returns OK if 'user_name' is authorized to
: // scan the whole table or at least one of the specified columns,
: // NotAuthorized otherwise. If the user isn't authorized to scan the whole
: // table, 'column_names' is changed to contain only the columns the user is
: // authorized to scan.
: Status AuthorizeScan(const std::string& user_name, const std::string& table_name,
: std::unordered_set<std::string>* column_names) WARN_UNUSED_RESULT;
These three methods kind of overlap with each other, they are all for authorizing some action upon some resources(either table level or column level) for a user. Maybe define a structure that hold all possible information for a request(e.g action, db name, table name, column name), and just use one method which takes a list of such structure (e.g RangerRequest) and returns a list of boolean which match the order of the request. In this case, the protobuf definition for Ranger can be simpler and information like default_database won't need to be present in the wire.
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 3
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Thu, 13 Feb 2020 06:07:58 +0000
Gerrit-HasComments: Yes
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Andrew Wong (Code Review)" <ge...@cloudera.org>.
Andrew Wong has posted comments on this change. ( http://gerrit.cloudera.org:8080/15206 )
Change subject: KUDU-2972 Add Ranger client
......................................................................
Patch Set 23:
(5 comments)
http://gerrit.cloudera.org:8080/#/c/15206/23/src/kudu/ranger/ranger_client.cc
File src/kudu/ranger/ranger_client.cc:
http://gerrit.cloudera.org:8080/#/c/15206/23/src/kudu/ranger/ranger_client.cc@118
PS23, Line 118: string db;
: Slice tbl;
:
: auto s = ParseRangerTableIdentifier(table_name, &db, &tbl);
: if (PREDICT_FALSE(!s.ok())) {
: LOG(WARNING) << Substitute(kDenyNonRangerTableTemplate, table_name);
: return Status::NotAuthorized(kUnauthorizedAction);
: }
:
: RangerRequestListPB req_list;
: RangerResponseListPB resp_list;
: req_list.set_user(user_name);
:
: RangerRequestPB* req = req_list.add_requests();
:
: req->set_action(action);
: req->set_database(db);
: req->set_table(tbl.ToString());
:
: RETURN_NOT_OK(subprocess_.Execute(req_list, &resp_list));
:
: CHECK_EQ(1, resp_list.responses_size());
: if (resp_list.responses().begin()->allowed()) {
: return Status::OK();
: }
:
: LOG(WARNING) << Substitute("User $0 is not authorized to perform $1 on $2",
: user_name, ActionPB_Name(action), table_name);
: return Status::NotAuthorized(kUnauthorizedAction);
nit: Could this be:
return AuthorizeActions(user_name, table_name, { action });
or
return AuthorizeActionMultipleTables(user_name, action, { table_name });
? It'd reduce code complexity to reduce the number of implementations of roughly the same thing, assuming there isn't a huge perf cost.
http://gerrit.cloudera.org:8080/#/c/15206/23/src/kudu/ranger/ranger_client.cc@234
PS23, Line 234: bool any_allowed = false;
: for (auto i = 0; i < orig_table_names.size(); i++) {
: if (resp_list.responses(i).allowed()) {
: if (!any_allowed) {
: any_allowed = true;
: table_names->clear();
: }
: table_names->emplace(orig_table_names[i]);
: }
: }
:
: if (!any_allowed) {
: LOG(WARNING) << Substitute("User $0 is not authorized to perform $1 on $2 tables",
: user_name, ActionPB_Name(action), table_names->size());
: return Status::NotAuthorized(kUnauthorizedAction);
: }
nit: may be simpler as
unordered_set<string> allowed_tables;
for (int i = 0; i < orig_table_names.size(); i++) {
if (resp_list.responses(i).allowed()) {
EmplaceOrDie(&allowed_tables, std::move(orig_table_names[i]));
}
}
if (allowed_tables.empty()) {
// return error
}
*table_names = std::move(allowed_tables);
Same elsewhere.
http://gerrit.cloudera.org:8080/#/c/15206/23/src/kudu/ranger/ranger_client.cc@295
PS23, Line 295: LOG(WARNING) << Substitute("User $0 is not authorized to perform $1 actions on table $2",
nit: consider using JoinMapped() to output the actions instead of just the count?
http://gerrit.cloudera.org:8080/#/c/15206/23/src/kudu/ranger/ranger_client.cc@308
PS23, Line 308: !FLAGS_ranger_jar_path.empty() ?
: FLAGS_ranger_jar_path :
: bin_dir + "/kudu-subprocess.jar";
nit: it'd be cleaner to read this without the negative. Also consider using JoinPathSegments? E.g.
string jar_path = FLAGS_ranger_jar_path.empty() ? JoinPathSegments(bin_dir, "kudu-subprocess.jar") : FLAGS_ranger_jar_path;
http://gerrit.cloudera.org:8080/#/c/15206/23/src/kudu/subprocess/subprocess_proxy.h
File src/kudu/subprocess/subprocess_proxy.h:
http://gerrit.cloudera.org:8080/#/c/15206/23/src/kudu/subprocess/subprocess_proxy.h@83
PS23, Line 83: void ReplaceServerForTests(SubprocessServer* server) {
: server_ = std::unique_ptr<SubprocessServer>(server);
nit: It'd probably be less error-prone to pass a unique_ptr<> and std::move() here. That way callers aren't able to misuse the with raw pointers.
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 23
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Wed, 04 Mar 2020 22:12:57 +0000
Gerrit-HasComments: Yes
[kudu-CR] [WIP] Ranger client
Posted by "Attila Bukor (Code Review)" <ge...@cloudera.org>.
Attila Bukor has posted comments on this change. ( http://gerrit.cloudera.org:8080/15206 )
Change subject: [WIP] Ranger client
......................................................................
Patch Set 4:
(3 comments)
http://gerrit.cloudera.org:8080/#/c/15206/3/src/kudu/ranger/ranger.proto
File src/kudu/ranger/ranger.proto:
http://gerrit.cloudera.org:8080/#/c/15206/3/src/kudu/ranger/ranger.proto@24
PS3, Line 24: SELE
> To match with Ranger server side definition, we should use SELECT instead o
Done
http://gerrit.cloudera.org:8080/#/c/15206/3/src/kudu/ranger/ranger_action.cc
File src/kudu/ranger/ranger_action.cc:
http://gerrit.cloudera.org:8080/#/c/15206/3/src/kudu/ranger/ranger_action.cc@45
PS3, Line 45: case Action::METADATA:
: return ActionPB::METADATA;
> Throw exception for unknown actions?
According to Google C++ style guide[1] we're not using exceptions. I could make it return a Status instead and return the action in an output parameter. I'm not sure it's worth it when using scoped enums though. What do you think?
[1] https://google.github.io/styleguide/cppguide.html#Exceptions
http://gerrit.cloudera.org:8080/#/c/15206/3/src/kudu/ranger/ranger_client.h
File src/kudu/ranger/ranger_client.h:
http://gerrit.cloudera.org:8080/#/c/15206/3/src/kudu/ranger/ranger_client.h@44
PS3, Line 44: // Authorizes listing tables. If there is at least one table that user is
: // authorized to access metadata of, it returns OK and sets 'table_names' to
: // the tables the user is authorized to list. Otherwise it returns
: // NotAuthorized and it doesn't modify 'table_names'.
: Status AuthorizeList(const std::string& user_name,
: std::unordered_set<std::string>* table_names) WARN_UNUSED_RESULT;
:
: // Authorizes an action on the table. Returns OK if 'user_name' is authorized
: // to perform 'action' on 'table_name', NotAuthorized otherwise.
: Status AuthorizeAction(const std::string& user_name, const Action& action,
: const std::string& table_name) WARN_UNUSED_RESULT;
:
: // Authorizes a scan on a table. Returns OK if 'user_name' is authorized to
: // scan the whole table or at least one of the specified columns,
: // NotAuthorized otherwise. If the user isn't authorized to scan the whole
: // table, 'column_names' is changed to contain only the columns the user is
: // authorized to scan.
: Status AuthorizeScan(const std::string& user_name, const std::string& table_name,
: std::unordered_set<std::string>* column_names) WARN_UNUSED_RESULT;
> These three methods kind of overlap with each other, they are all for autho
They overlap somewhat, but I think it's worth keeping it separate for simpler usage in its client (ranger_authz_provider). As for returning a list of booleans, we would need to convert the unordered_set to an ordered structure (e.g. vector) as the authz_provider API uses unordered_set. I think it would be wasteful to convert the unordered set to vector and back, especially as the communication between the ranger client and the subprocess is on the pipe and we don't need to save bandwidth on the wire.
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 4
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Thu, 13 Feb 2020 14:36:21 +0000
Gerrit-HasComments: Yes
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Andrew Wong (Code Review)" <ge...@cloudera.org>.
Andrew Wong has removed a vote on this change.
Change subject: KUDU-2972 Add Ranger client
......................................................................
Removed Verified-1 by Kudu Jenkins (120)
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: deleteVote
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 27
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Attila Bukor (Code Review)" <ge...@cloudera.org>.
Hello Tidy Bot, Kudu Jenkins, Andrew Wong, Adar Dembo, Hao Hao,
I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/15206
to look at the new patch set (#18).
Change subject: KUDU-2972 Add Ranger client
......................................................................
KUDU-2972 Add Ranger client
Adds a Ranger client that communicates with the Java subprocess that
wraps the Ranger plugin. It can be used by an authorization provider to
translate between Kudu and Ranger.
Removes default_database out parameter from ParseRangerTableIdentifier
in table_util as we decided to take a slightly different path and this
information is not needed anymore.
Current test coverage consists of only unit tests with a mock subprocess
server. Real integration tests will be added in a follow-up patch once a
working MiniRanger is added to facilitate this testing.
Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
---
M src/kudu/common/table_util-test.cc
M src/kudu/common/table_util.cc
M src/kudu/common/table_util.h
M src/kudu/ranger/CMakeLists.txt
M src/kudu/ranger/ranger.proto
A src/kudu/ranger/ranger_client-test.cc
A src/kudu/ranger/ranger_client.cc
A src/kudu/ranger/ranger_client.h
M src/kudu/subprocess/server.cc
M src/kudu/subprocess/server.h
M src/kudu/util/subprocess.cc
M src/kudu/util/subprocess.h
12 files changed, 751 insertions(+), 55 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/06/15206/18
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 18
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Hao Hao (Code Review)" <ge...@cloudera.org>.
Hao Hao has posted comments on this change. ( http://gerrit.cloudera.org:8080/15206 )
Change subject: KUDU-2972 Add Ranger client
......................................................................
Patch Set 26: Code-Review+2
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 26
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Thu, 05 Mar 2020 02:54:49 +0000
Gerrit-HasComments: No
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Andrew Wong (Code Review)" <ge...@cloudera.org>.
Andrew Wong has posted comments on this change. ( http://gerrit.cloudera.org:8080/15206 )
Change subject: KUDU-2972 Add Ranger client
......................................................................
Patch Set 26: Verified+1
Test failure seems unrelated.
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 26
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Thu, 05 Mar 2020 02:08:10 +0000
Gerrit-HasComments: No
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Adar Dembo (Code Review)" <ge...@cloudera.org>.
Adar Dembo has posted comments on this change. ( http://gerrit.cloudera.org:8080/15206 )
Change subject: KUDU-2972 Add Ranger client
......................................................................
Patch Set 20:
(2 comments)
http://gerrit.cloudera.org:8080/#/c/15206/20/src/kudu/ranger/ranger.proto
File src/kudu/ranger/ranger.proto:
http://gerrit.cloudera.org:8080/#/c/15206/20/src/kudu/ranger/ranger.proto@31
PS20, Line 31: check
check out?
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client-test.cc
File src/kudu/ranger/ranger_client-test.cc:
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client-test.cc@112
PS16, Line 112: }
> RETURN_NOT_OK only works for methods that return a Status, this returns a b
Oh oops, thought it returned a Status. This is fine for a test.
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 20
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Wed, 04 Mar 2020 05:28:28 +0000
Gerrit-HasComments: Yes
[kudu-CR] [WIP] Ranger client
Posted by "Attila Bukor (Code Review)" <ge...@cloudera.org>.
Hello Tidy Bot, Kudu Jenkins, Hao Hao,
I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/15206
to look at the new patch set (#3).
Change subject: [WIP] Ranger client
......................................................................
[WIP] Ranger client
Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
---
M CMakeLists.txt
A src/kudu/ranger/CMakeLists.txt
A src/kudu/ranger/ranger.proto
A src/kudu/ranger/ranger_action.cc
A src/kudu/ranger/ranger_action.h
A src/kudu/ranger/ranger_client-test.cc
A src/kudu/ranger/ranger_client.cc
A src/kudu/ranger/ranger_client.h
M src/kudu/subprocess/server.cc
M src/kudu/subprocess/server.h
M src/kudu/util/subprocess.cc
M src/kudu/util/subprocess.h
12 files changed, 720 insertions(+), 4 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/06/15206/3
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 3
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
[kudu-CR] [WIP] Ranger client
Posted by "Attila Bukor (Code Review)" <ge...@cloudera.org>.
Hello Tidy Bot, Kudu Jenkins, Andrew Wong, Hao Hao,
I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/15206
to look at the new patch set (#6).
Change subject: [WIP] Ranger client
......................................................................
[WIP] Ranger client
Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
---
M src/kudu/common/table_util-test.cc
M src/kudu/common/table_util.cc
M src/kudu/common/table_util.h
M src/kudu/ranger/CMakeLists.txt
A src/kudu/ranger/ranger_action.cc
A src/kudu/ranger/ranger_action.h
A src/kudu/ranger/ranger_client-test.cc
A src/kudu/ranger/ranger_client.cc
A src/kudu/ranger/ranger_client.h
M src/kudu/subprocess/server.cc
M src/kudu/subprocess/server.h
M src/kudu/util/subprocess.cc
M src/kudu/util/subprocess.h
13 files changed, 657 insertions(+), 52 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/06/15206/6
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 6
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Attila Bukor (Code Review)" <ge...@cloudera.org>.
Hello Tidy Bot, Kudu Jenkins, Andrew Wong, Hao Hao,
I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/15206
to look at the new patch set (#10).
Change subject: KUDU-2972 Add Ranger client
......................................................................
KUDU-2972 Add Ranger client
Adds a Ranger client that communicates with the Java subprocess that
wraps the Ranger plugin. It can be used by an authorization provider to
translate between Kudu and Ranger.
Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
---
M src/kudu/common/table_util-test.cc
M src/kudu/common/table_util.cc
M src/kudu/common/table_util.h
M src/kudu/ranger/CMakeLists.txt
A src/kudu/ranger/ranger_action.cc
A src/kudu/ranger/ranger_action.h
A src/kudu/ranger/ranger_client-test.cc
A src/kudu/ranger/ranger_client.cc
A src/kudu/ranger/ranger_client.h
M src/kudu/subprocess/server.cc
M src/kudu/subprocess/server.h
M src/kudu/util/subprocess.cc
M src/kudu/util/subprocess.h
13 files changed, 663 insertions(+), 52 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/06/15206/10
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 10
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Attila Bukor (Code Review)" <ge...@cloudera.org>.
Hello Tidy Bot, Kudu Jenkins, Andrew Wong, Hao Hao,
I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/15206
to look at the new patch set (#7).
Change subject: KUDU-2972 Add Ranger client
......................................................................
KUDU-2972 Add Ranger client
Adds a Ranger client that communicates with the Java subprocess that
wraps the Ranger plugin. It can be used by an authorization provider to
translate between Kudu and Ranger.
Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
---
M src/kudu/common/table_util-test.cc
M src/kudu/common/table_util.cc
M src/kudu/common/table_util.h
M src/kudu/ranger/CMakeLists.txt
A src/kudu/ranger/ranger_action.cc
A src/kudu/ranger/ranger_action.h
A src/kudu/ranger/ranger_client-test.cc
A src/kudu/ranger/ranger_client.cc
A src/kudu/ranger/ranger_client.h
M src/kudu/subprocess/server.cc
M src/kudu/subprocess/server.h
M src/kudu/util/subprocess.cc
M src/kudu/util/subprocess.h
13 files changed, 657 insertions(+), 52 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/06/15206/7
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 7
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Hao Hao (Code Review)" <ge...@cloudera.org>.
Hao Hao has posted comments on this change. ( http://gerrit.cloudera.org:8080/15206 )
Change subject: KUDU-2972 Add Ranger client
......................................................................
Patch Set 10:
(12 comments)
The failure test is probably due to the recent change I had in https://gerrit.cloudera.org/c/15074/10/java/kudu-subprocess-echo/build.gradle#24. I will look into it.
http://gerrit.cloudera.org:8080/#/c/15206/10/src/kudu/common/table_util.h
File src/kudu/common/table_util.h:
http://gerrit.cloudera.org:8080/#/c/15206/10/src/kudu/common/table_util.h@46
PS10, Line 46: Status
nit: can you comment on when the returned Status will not be ok?
http://gerrit.cloudera.org:8080/#/c/15206/10/src/kudu/ranger/ranger_action.h
File src/kudu/ranger/ranger_action.h:
http://gerrit.cloudera.org:8080/#/c/15206/10/src/kudu/ranger/ranger_action.h@39
PS10, Line 39: ActionPB ActionToActionPB(const Action& action);
nit: Can you add comments for the methods in this class.
http://gerrit.cloudera.org:8080/#/c/15206/10/src/kudu/ranger/ranger_action.cc
File src/kudu/ranger/ranger_action.cc:
http://gerrit.cloudera.org:8080/#/c/15206/10/src/kudu/ranger/ranger_action.cc@46
PS10, Line 46: return ActionPB::METADATA;
LOG(FATAL) for unknown action? Similar to https://github.com/apache/kudu/blob/master/src/kudu/sentry/sentry_action.cc#L50
http://gerrit.cloudera.org:8080/#/c/15206/10/src/kudu/ranger/ranger_action.cc@70
PS10, Line 70: }
Same here.
http://gerrit.cloudera.org:8080/#/c/15206/10/src/kudu/ranger/ranger_client.h
File src/kudu/ranger/ranger_client.h:
http://gerrit.cloudera.org:8080/#/c/15206/10/src/kudu/ranger/ranger_client.h@45
PS10, Line 45: and client
nit: remove?
http://gerrit.cloudera.org:8080/#/c/15206/10/src/kudu/ranger/ranger_client.cc
File src/kudu/ranger/ranger_client.cc:
http://gerrit.cloudera.org:8080/#/c/15206/10/src/kudu/ranger/ranger_client.cc@54
PS10, Line 54: return server_->Init();
Add a logging?
http://gerrit.cloudera.org:8080/#/c/15206/10/src/kudu/ranger/ranger_client.cc@93
PS10, Line 93: if (resp_list.responses()
DCHECK the response size?
http://gerrit.cloudera.org:8080/#/c/15206/10/src/kudu/ranger/ranger_client.cc@97
PS10, Line 97: Substitute("User %s is not authorized to "
: "perform %s on %s",
Should we add a debug logging if the user is not authorized?
http://gerrit.cloudera.org:8080/#/c/15206/10/src/kudu/ranger/ranger_client.cc@134
PS10, Line 134: req_list
Should we check the req_list size is the same as resp_list?
http://gerrit.cloudera.org:8080/#/c/15206/10/src/kudu/ranger/ranger_client.cc@162
PS10, Line 162: non_ranger_tables
nit: maybe name it to invalid_ranger_tables?
http://gerrit.cloudera.org:8080/#/c/15206/10/src/kudu/ranger/ranger_client.cc@178
PS10, Line 178: non_ranger_tables.emplace_back(table);
Add a log here for invalid ranger tables?
http://gerrit.cloudera.org:8080/#/c/15206/10/src/kudu/ranger/ranger_client.cc@193
PS10, Line 193: for (auto i = 0; i < non_ranger_tables.size(); ++i) {
: table_names->emplace(non_ranger_tables[i]);
: }
why we place the invalid ranger table back to table_names? Shouldn't we deny invalid tables by default?
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 10
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Tue, 25 Feb 2020 23:31:43 +0000
Gerrit-HasComments: Yes
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Attila Bukor (Code Review)" <ge...@cloudera.org>.
Hello Tidy Bot, Kudu Jenkins, Andrew Wong, Hao Hao,
I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/15206
to look at the new patch set (#12).
Change subject: KUDU-2972 Add Ranger client
......................................................................
KUDU-2972 Add Ranger client
Adds a Ranger client that communicates with the Java subprocess that
wraps the Ranger plugin. It can be used by an authorization provider to
translate between Kudu and Ranger.
Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
---
M src/kudu/common/table_util-test.cc
M src/kudu/common/table_util.cc
M src/kudu/common/table_util.h
M src/kudu/ranger/CMakeLists.txt
A src/kudu/ranger/ranger_action.cc
A src/kudu/ranger/ranger_action.h
A src/kudu/ranger/ranger_client-test.cc
A src/kudu/ranger/ranger_client.cc
A src/kudu/ranger/ranger_client.h
M src/kudu/subprocess/server.cc
M src/kudu/subprocess/server.h
M src/kudu/util/subprocess.cc
M src/kudu/util/subprocess.h
13 files changed, 679 insertions(+), 52 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/06/15206/12
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 12
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Attila Bukor (Code Review)" <ge...@cloudera.org>.
Hello Tidy Bot, Kudu Jenkins, Andrew Wong, Adar Dembo, Hao Hao,
I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/15206
to look at the new patch set (#20).
Change subject: KUDU-2972 Add Ranger client
......................................................................
KUDU-2972 Add Ranger client
Adds a Ranger client that communicates with the Java subprocess that
wraps the Ranger plugin. It can be used by an authorization provider to
translate between Kudu and Ranger.
Removes default_database out parameter from ParseRangerTableIdentifier
in table_util as we decided to take a slightly different path and this
information is not needed anymore.
Current test coverage consists of only unit tests with a mock subprocess
server. Real integration tests will be added in a follow-up patch once a
working MiniRanger is added to facilitate this testing.
Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
---
M src/kudu/common/table_util-test.cc
M src/kudu/common/table_util.cc
M src/kudu/common/table_util.h
M src/kudu/ranger/CMakeLists.txt
M src/kudu/ranger/ranger.proto
A src/kudu/ranger/ranger_client-test.cc
A src/kudu/ranger/ranger_client.cc
A src/kudu/ranger/ranger_client.h
M src/kudu/subprocess/server.cc
M src/kudu/subprocess/server.h
M src/kudu/util/subprocess.cc
M src/kudu/util/subprocess.h
12 files changed, 763 insertions(+), 55 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/06/15206/20
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 20
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
[kudu-CR] [WIP] Ranger client
Posted by "Attila Bukor (Code Review)" <ge...@cloudera.org>.
Hello Tidy Bot, Kudu Jenkins, Hao Hao,
I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/15206
to look at the new patch set (#2).
Change subject: [WIP] Ranger client
......................................................................
[WIP] Ranger client
Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
---
M CMakeLists.txt
A src/kudu/ranger/CMakeLists.txt
A src/kudu/ranger/ranger.proto
A src/kudu/ranger/ranger_action.cc
A src/kudu/ranger/ranger_action.h
A src/kudu/ranger/ranger_client-test.cc
A src/kudu/ranger/ranger_client.cc
A src/kudu/ranger/ranger_client.h
M src/kudu/subprocess/client.h
M src/kudu/subprocess/server.h
10 files changed, 746 insertions(+), 12 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/06/15206/2
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 2
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Attila Bukor (Code Review)" <ge...@cloudera.org>.
Attila Bukor has posted comments on this change. ( http://gerrit.cloudera.org:8080/15206 )
Change subject: KUDU-2972 Add Ranger client
......................................................................
Patch Set 15:
(6 comments)
http://gerrit.cloudera.org:8080/#/c/15206/13/src/kudu/ranger/ranger_client-test.cc
File src/kudu/ranger/ranger_client-test.cc:
http://gerrit.cloudera.org:8080/#/c/15206/13/src/kudu/ranger/ranger_client-test.cc@65
PS13, Line 65:
> warning: the parameter 'action' is copied for each invocation but only used
Done
http://gerrit.cloudera.org:8080/#/c/15206/13/src/kudu/ranger/ranger_client-test.cc@88
PS13, Line 88: using std::make_shared;
> warning: using decl 'vector' is unused [misc-unused-using-decls]
Done
http://gerrit.cloudera.org:8080/#/c/15206/13/src/kudu/ranger/ranger_client-test.cc@145
PS13, Line 145: }
> warning: parameter 'user_name' is passed by value and only copied once; con
Done
http://gerrit.cloudera.org:8080/#/c/15206/13/src/kudu/ranger/ranger_client-test.cc@147
PS13, Line 147: void Allow(string user_name, ActionPB action, string database_name,
> warning: parameter 'database_name' is passed by value and only copied once;
Done
http://gerrit.cloudera.org:8080/#/c/15206/13/src/kudu/ranger/ranger_client-test.cc@148
PS13, Line 148: string table_name, string column_name = "") {
> warning: parameter 'table_name' is passed by value and only copied once; co
Done
http://gerrit.cloudera.org:8080/#/c/15206/13/src/kudu/ranger/ranger_client-test.cc@149
PS13, Line 149: AuthorizedAction authorized_action;
> warning: parameter 'column_name' is passed by value and only copied once; c
Done
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 15
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Mon, 02 Mar 2020 21:31:43 +0000
Gerrit-HasComments: Yes
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Attila Bukor (Code Review)" <ge...@cloudera.org>.
Hello Tidy Bot, Kudu Jenkins, Andrew Wong, Adar Dembo, Hao Hao,
I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/15206
to look at the new patch set (#22).
Change subject: KUDU-2972 Add Ranger client
......................................................................
KUDU-2972 Add Ranger client
Adds a Ranger client that communicates with the Java subprocess that
wraps the Ranger plugin. It can be used by an authorization provider to
translate between Kudu and Ranger.
Removes default_database out parameter from ParseRangerTableIdentifier
in table_util as we decided to take a slightly different path and this
information is not needed anymore.
Current test coverage consists of only unit tests with a mock subprocess
server. Real integration tests will be added in a follow-up patch once a
working MiniRanger is added to facilitate this testing.
Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
---
M src/kudu/common/table_util-test.cc
M src/kudu/common/table_util.cc
M src/kudu/common/table_util.h
M src/kudu/ranger/CMakeLists.txt
M src/kudu/ranger/ranger.proto
A src/kudu/ranger/ranger_client-test.cc
A src/kudu/ranger/ranger_client.cc
A src/kudu/ranger/ranger_client.h
M src/kudu/subprocess/server.cc
M src/kudu/subprocess/server.h
M src/kudu/subprocess/subprocess_proxy.h
M src/kudu/util/subprocess.cc
M src/kudu/util/subprocess.h
13 files changed, 845 insertions(+), 60 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/06/15206/22
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 22
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
[kudu-CR] [WIP] Ranger client
Posted by "Attila Bukor (Code Review)" <ge...@cloudera.org>.
Attila Bukor has posted comments on this change. ( http://gerrit.cloudera.org:8080/15206 )
Change subject: [WIP] Ranger client
......................................................................
Patch Set 6:
(7 comments)
http://gerrit.cloudera.org:8080/#/c/15206/5/src/kudu/ranger/ranger.proto
File src/kudu/ranger/ranger.proto:
PS5:
> Seems like this conflicts with https://gerrit.cloudera.org/c/15074/4/src/ku
We agreed on the proto format offline, I rebased this patch on top of https://gerrit.cloudera.org/c/15074/4/src/kudu/ranger/ranger.proto
http://gerrit.cloudera.org:8080/#/c/15206/5/src/kudu/ranger/ranger_client.h
File src/kudu/ranger/ranger_client.h:
http://gerrit.cloudera.org:8080/#/c/15206/5/src/kudu/ranger/ranger_client.h@65
PS5, Line 65: std::shared_ptr<kudu::subprocess::SubprocessServer> server_;
: };
:
: } // namespace ranger
: } // namespace kudu
> nit: add docs.
Done
http://gerrit.cloudera.org:8080/#/c/15206/5/src/kudu/ranger/ranger_client.h@71
PS5, Line 71:
> Is shared_ptr needed here? Did you consider using unique_ptr and having the
I use a mock server in the unit tests so I need to use it outside the class. Do you have a better way to do it in this case?
http://gerrit.cloudera.org:8080/#/c/15206/3/src/kudu/ranger/ranger_client.h
File src/kudu/ranger/ranger_client.h:
http://gerrit.cloudera.org:8080/#/c/15206/3/src/kudu/ranger/ranger_client.h@44
PS3, Line 44: const std::string& table_name) WARN_UNUSED_RESULT;
:
: // Authorizes action on multiple tables. If there is at least one table that
: // user is authorized to performa action on, it returns OK and sets
: // 'table_names' to the tables the user is authorized to access. Otherwise it
: // returns NotAuthorized and clears 'table_names'.
: Status AuthorizeAction(const std::string& user_name, const Action& action,
: std::unordered_set<std::string>* table_names) WARN_UNUSED_RESULT;
:
: // Authorizes an action on multiple columns of a single table. Returns OK if
: // 'user_name' is authorized to perform the action on at least one column,
: // NotAuthorized otherwise. Sets the column_names vector to the full list of
: // tables the user is authorized to access.
: Status AuthorizeAction(const std::string& user_name, const Action& action,
: const std::string& table_name, std::vector<std::string>* column_names)
: WARN_UNUSED_RESULT;
:
: private:
: // Sends request to the subprocess and parses the response.
> FWIW I agree with Hao. I was kind of surprised to see so much business logi
We discussed it offline, I'm using Hao's proto now. On the other hand the Ranger Client still has some business logic and the Ranger authz provider is the one that is lighter. Let me know what you think about the current rev.
http://gerrit.cloudera.org:8080/#/c/15206/5/src/kudu/ranger/ranger_client.cc
File src/kudu/ranger/ranger_client.cc:
http://gerrit.cloudera.org:8080/#/c/15206/5/src/kudu/ranger/ranger_client.cc@60
PS5, Line 60:
: auto packed_req = new Any();
:
> We probably don't need to plumb this all the way down here. Maybe just leav
Done
http://gerrit.cloudera.org:8080/#/c/15206/5/src/kudu/subprocess/server.h
File src/kudu/subprocess/server.h:
http://gerrit.cloudera.org:8080/#/c/15206/5/src/kudu/subprocess/server.h@86
PS5, Line 86: virtual ~SubprocessServer();
:
: // Initialize the server, starting the subprocess and worker threads.
: virtual Status Init() WARN_UNUSED_RESULT;
:
: // Synchronously send a request to the subprocess and populate 'resp' with
: // contents returned from the subprocess, or return an error if anything
: // failed or timed out along the way.
: virtual Status Execute(SubprocessRequestPB* req, SubprocessResponsePB* resp) WARN_UNUSED_RESULT;
> Why these changes?
Need to override them in the mock class I use in the unit tests.
http://gerrit.cloudera.org:8080/#/c/15206/5/src/kudu/subprocess/server.cc
File src/kudu/subprocess/server.cc:
http://gerrit.cloudera.org:8080/#/c/15206/5/src/kudu/subprocess/server.cc@134
PS5, Line 134: || !process_->IsStarted()) {
> When do we shut down before calling Init()?
Shutdown is called in the destructor so it will be called even if we fail to Init. I also don't call init in my mock class that I use in the unit tests.
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 6
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Mon, 17 Feb 2020 07:32:37 +0000
Gerrit-HasComments: Yes
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Attila Bukor (Code Review)" <ge...@cloudera.org>.
Attila Bukor has posted comments on this change. ( http://gerrit.cloudera.org:8080/15206 )
Change subject: KUDU-2972 Add Ranger client
......................................................................
Patch Set 24:
(5 comments)
http://gerrit.cloudera.org:8080/#/c/15206/23/src/kudu/ranger/ranger_client.cc
File src/kudu/ranger/ranger_client.cc:
http://gerrit.cloudera.org:8080/#/c/15206/23/src/kudu/ranger/ranger_client.cc@118
PS23, Line 118: TODO(abukor): refactor to avoid code duplication
: Status RangerClient::AuthorizeAction(const string& user_name,
: const ActionPB& action,
: const string& table_name) {
: string db;
: Slice tbl;
:
: auto s = ParseRangerTableIdentifier(table_name, &db, &tbl);
: if (PREDICT_FALSE(!s.ok())) {
: LOG(WARNING) << Substitute(kDenyNonRangerTableTemplate, table_name);
: return Status::NotAuthorized(kUnauthorizedAction);
: }
:
: RangerRequestListPB req_list;
: RangerResponseListPB resp_list;
: req_list.set_user(user_name);
:
: RangerRequestPB* req = req_list.add_requests();
:
: req->set_action(action);
: req->set_database(db);
: req->set_table(tbl.ToString());
:
: RETURN_NOT_OK(subprocess_.Execute(req_list, &resp_list));
:
: CHECK_EQ(1, resp_list.responses_size());
: if (resp_list.responses().begin()->allowed()) {
: return Status::OK();
: }
> nit: Could this be:
as discussed offline it seems there's a significant (~20%) perf impact between these methods, so for now I'm just adding a todo to refactor it to avoid code duplication
[ RUN ] RangerClientTest.BenchmarkAuthorizeAction
[ OK ] RangerClientTest.BenchmarkAuthorizeAction (8202 ms)
[ RUN ] RangerClientTest.BenchmarkAuthorizeActions
[ OK ] RangerClientTest.BenchmarkAuthorizeActions (9774 ms)
TEST_F(RangerClientTest, BenchmarkAuthorizeAction) {
Allow("jdoe", ActionPB::SELECT, "default", "foobar");
for (int i = 0; i < 1000000; ++i) {
ASSERT_OK(client_.AuthorizeAction("jdoe", ActionPB::SELECT, "default.foobar"));
}
}
TEST_F(RangerClientTest, BenchmarkAuthorizeActions) {
Allow("jdoe", ActionPB::SELECT, "default", "foobar");
for (int i = 0; i < 1000000; ++i) {
unordered_set<ActionPB, ActionHash> actions({ActionPB::SELECT});
ASSERT_OK(client_.AuthorizeActions("jdoe", "default.foobar", &actions));
}
}
http://gerrit.cloudera.org:8080/#/c/15206/23/src/kudu/ranger/ranger_client.cc@234
PS23, Line 234: DCHECK_EQ(orig_table_names.size(), resp_list.responses_size());
:
: unordered_set<string> allowed_tables;
: for (auto i = 0; i < orig_table_names.size(); ++i) {
: if (resp_list.responses(i).allowed()) {
: EmplaceOrDie(&allowed_tables, move(orig_table_names[i]));
: }
: }
:
: if (allowed_tables.empty()) {
: LOG(WARNING) << Substitute("User $0 is not authorized to perform $1 on $2 tables",
: user_name, ActionPB_Name(action), table_names->size());
: return Status::NotAuthorized(kUnauthorizedAction);
: }
:
: *
> nit: may be simpler as
Done
http://gerrit.cloudera.org:8080/#/c/15206/23/src/kudu/ranger/ranger_client.cc@295
PS23, Line 295:
> nit: consider using JoinMapped() to output the actions instead of just the
Done
http://gerrit.cloudera.org:8080/#/c/15206/23/src/kudu/ranger/ranger_client.cc@308
PS23, Line 308: _path;
:
: return Substitute("$0:$1", jar_path
> nit: it'd be cleaner to read this without the negative. Also consider using
Done
http://gerrit.cloudera.org:8080/#/c/15206/23/src/kudu/subprocess/subprocess_proxy.h
File src/kudu/subprocess/subprocess_proxy.h:
http://gerrit.cloudera.org:8080/#/c/15206/23/src/kudu/subprocess/subprocess_proxy.h@83
PS23, Line 83: void ReplaceServerForTests(std::unique_ptr<SubprocessServer> server) {
: server_ = std::move(server);
> nit: It'd probably be less error-prone to pass a unique_ptr<> and std::move
Done
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 24
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Wed, 04 Mar 2020 23:42:05 +0000
Gerrit-HasComments: Yes
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Andrew Wong (Code Review)" <ge...@cloudera.org>.
Andrew Wong has removed a vote on this change.
Change subject: KUDU-2972 Add Ranger client
......................................................................
Removed Verified-1 by Kudu Jenkins (120)
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: deleteVote
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 26
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Andrew Wong (Code Review)" <ge...@cloudera.org>.
Andrew Wong has posted comments on this change. ( http://gerrit.cloudera.org:8080/15206 )
Change subject: KUDU-2972 Add Ranger client
......................................................................
Patch Set 26: Code-Review+2
(1 comment)
LGTM, but will leave open in case Adar or Hao have further feedback.
http://gerrit.cloudera.org:8080/#/c/15206/23/src/kudu/ranger/ranger_client.cc
File src/kudu/ranger/ranger_client.cc:
http://gerrit.cloudera.org:8080/#/c/15206/23/src/kudu/ranger/ranger_client.cc@118
PS23, Line 118: TODO(abukor): refactor to avoid code duplication
: Status RangerClient::AuthorizeAction(const string& user_name,
: const ActionPB& action,
: const string& table_name) {
: string db;
: Slice tbl;
:
: auto s = ParseRangerTableIdentifier(table_name, &db, &tbl);
: if (PREDICT_FALSE(!s.ok())) {
: LOG(WARNING) << Substitute(kDenyNonRangerTableTemplate, table_name);
: return Status::NotAuthorized(kUnauthorizedAction);
: }
:
: RangerRequestListPB req_list;
: RangerResponseListPB resp_list;
: req_list.set_user(user_name);
:
: RangerRequestPB* req = req_list.add_requests();
:
: req->set_action(action);
: req->set_database(db);
: req->set_table(tbl.ToString());
:
: RETURN_NOT_OK(subprocess_.Execute(req_list, &resp_list));
:
: CHECK_EQ(1, resp_list.responses_size());
: if (resp_list.responses().begin()->allowed()) {
: return Status::OK();
: }
> as discussed offline it seems there's a significant (~20%) perf impact betw
Curious how we'd fare if we used a FixedBitSet<ActionPB, ActionPB_ARRAYSIZE> instead of std::unordered_set here, though as we discussed, I'm glad to merge this without these improvements.
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 26
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Thu, 05 Mar 2020 02:28:10 +0000
Gerrit-HasComments: Yes
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Attila Bukor (Code Review)" <ge...@cloudera.org>.
Hello Tidy Bot, Kudu Jenkins, Andrew Wong, Adar Dembo, Hao Hao,
I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/15206
to look at the new patch set (#25).
Change subject: KUDU-2972 Add Ranger client
......................................................................
KUDU-2972 Add Ranger client
Adds a Ranger client that communicates with the Java subprocess that
wraps the Ranger plugin. It can be used by an authorization provider to
translate between Kudu and Ranger.
Removes default_database out parameter from ParseRangerTableIdentifier
in table_util as we decided to take a slightly different path and this
information is not needed anymore.
Current test coverage consists of only unit tests with a mock subprocess
server. Real integration tests will be added in a follow-up patch once a
working MiniRanger is added to facilitate this testing.
Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
---
M src/kudu/common/table_util-test.cc
M src/kudu/common/table_util.cc
M src/kudu/common/table_util.h
M src/kudu/ranger/CMakeLists.txt
M src/kudu/ranger/ranger.proto
A src/kudu/ranger/ranger_client-test.cc
A src/kudu/ranger/ranger_client.cc
A src/kudu/ranger/ranger_client.h
M src/kudu/subprocess/server.cc
M src/kudu/subprocess/server.h
M src/kudu/subprocess/subprocess_proxy.h
M src/kudu/util/subprocess.cc
M src/kudu/util/subprocess.h
13 files changed, 832 insertions(+), 60 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/06/15206/25
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 25
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Adar Dembo (Code Review)" <ge...@cloudera.org>.
Adar Dembo has posted comments on this change. ( http://gerrit.cloudera.org:8080/15206 )
Change subject: KUDU-2972 Add Ranger client
......................................................................
Patch Set 12:
(17 comments)
http://gerrit.cloudera.org:8080/#/c/15206/12//COMMIT_MSG
Commit Message:
PS12:
Could you comment in the commit message regarding the change to ParseRangerTableIdentifier?
You can also talk about the level of test coverage in this patch vs. what's to come.
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_action.h
File src/kudu/ranger/ranger_action.h:
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_action.h@27
PS12, Line 27: enum class Action {
Add a doc here?
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_client-test.cc
File src/kudu/ranger/ranger_client-test.cc:
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_client-test.cc@55
PS12, Line 55: shared_ptr<RangerResponseListPB> next_response_;
This seems like it could be stack allocated.
You could also make it a field of RangerClientTest and pass a pointer to it into the mocked subprocess server. That way AddResponse needn't access the server in order to add a response, allowing you to make the server wholly owned by the RangerClient (and then adopting one of Andrew's suggestions regarding unique_ptr or stack allocation).
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_client-test.cc@124
PS12, Line 124: if (table == "default.foobar") {
: AddResponse(true);
: } else {
: AddResponse(false);
: }
Rewrite as AddResponse(table == "default.foobar");
Below too.
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_client.h
File src/kudu/ranger/ranger_client.h:
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_client.h@38
PS12, Line 38: class RangerClient {
Why do these functions need to be virtual? Is it for future mocking? If so, could you doc that?
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_client.h@41
PS12, Line 41: kudu
You can drop the kudu prefix and I think get by with one of the following:
::subprocess::SubprocessServer
::SubprocessServer
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_client.h@54
PS12, Line 54: performa
perform an
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_client.h@56
PS12, Line 56: and clears 'table_names'.
Why bother? Won't the NotAuthorized alone signal to the caller that the user has no access to any of the tables?
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_client.cc
File src/kudu/ranger/ranger_client.cc:
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_client.cc@54
PS12, Line 54: LOG(INFO) << "Initializing Ranger subprocess server";
Doesn't seem all that interesting; maybe omit it? Or downgrade to VLOG?
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_client.cc@67
PS12, Line 67: sresp.response().UnpackTo(resp);
We should handle the return value in some way.
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_client.cc@75
PS12, Line 75: RangerRequestListPB req_list;
: RangerResponseListPB resp_list;
: req_list.set_user(user_name);
Let's move this down to where we actually need it (i.e. L86).
Same below.
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_client.cc@82
PS12, Line 82: if (PREDICT_FALSE(!s.ok())) {
: return Status::OK();
: }
At the very least this warrants a comment: why should we ignore a bad status here and return "you are authorized"?
Same below.
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_client.cc@94
PS12, Line 94: DCHECK(resp_list.responses_size() == 1);
Use DCHECK_EQ.
Same below.
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_client.cc@136
PS12, Line 136: column_names->clear();
To adhere to the common calling convention used in Kudu, let's restructure the function so that we don't modify any user input in the event of a bad Status.
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_client.cc@170
PS12, Line 170:
Nit: why this empty line?
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/subprocess/server.h
File src/kudu/subprocess/server.h:
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/subprocess/server.h@187
PS12, Line 187: class SubprocessServer {
I'd supplement this doc with a quick note about why the public methods are virtual (i.e. so that you can more easily mock the server).
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/subprocess/server.cc
File src/kudu/subprocess/server.cc:
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/subprocess/server.cc@141
PS12, Line 141: if (!closing_.CountDown() || !process_->IsStarted()) {
This isn't super robust because it assumes a particular ordering in Init(); if that order changes, suddenly we will have forgotten to clean something up.
Instead, I'd suggest adding conditions to the individual cleanup operations in Shutdown. If the process was started, call KillAndWait. If a thread exists, join on it. And so on.
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 12
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Wed, 26 Feb 2020 21:24:39 +0000
Gerrit-HasComments: Yes
[kudu-CR] [WIP] Ranger client
Posted by "Hao Hao (Code Review)" <ge...@cloudera.org>.
Hao Hao has posted comments on this change. ( http://gerrit.cloudera.org:8080/15206 )
Change subject: [WIP] Ranger client
......................................................................
Patch Set 5:
(2 comments)
http://gerrit.cloudera.org:8080/#/c/15206/3/src/kudu/ranger/ranger_action.cc
File src/kudu/ranger/ranger_action.cc:
http://gerrit.cloudera.org:8080/#/c/15206/3/src/kudu/ranger/ranger_action.cc@45
PS3, Line 45: case Action::METADATA:
: return ActionPB::METADATA;
> According to Google C++ style guide[1] we're not using exceptions. I could
Ah, sorry that I wasn't clear, I meant to log a fatal error for unknown actions similar to what we do in sentry_action. https://github.com/apache/kudu/blob/master/src/kudu/sentry/sentry_action.cc#L50
http://gerrit.cloudera.org:8080/#/c/15206/3/src/kudu/ranger/ranger_client.h
File src/kudu/ranger/ranger_client.h:
http://gerrit.cloudera.org:8080/#/c/15206/3/src/kudu/ranger/ranger_client.h@44
PS3, Line 44: // Authorizes listing tables. If there is at least one table that user is
: // authorized to access metadata of, it returns OK and sets 'table_names' to
: // the tables the user is authorized to list. Otherwise it returns
: // NotAuthorized and it doesn't modify 'table_names'.
: Status AuthorizeList(const std::string& user_name,
: std::unordered_set<std::string>* table_names) WARN_UNUSED_RESULT;
:
: // Authorizes an action on the table. Returns OK if 'user_name' is authorized
: // to perform 'action' on 'table_name', NotAuthorized otherwise.
: Status AuthorizeAction(const std::string& user_name, const Action& action,
: const std::string& table_name) WARN_UNUSED_RESULT;
:
: // Authorizes a scan on a table. Returns OK if 'user_name' is authorized to
: // scan the whole table or at least one of the specified columns,
: // NotAuthorized otherwise. If the user isn't authorized to scan the whole
: // table, 'column_names' is changed to contain only the columns the user is
: // authorized to scan.
: Status AuthorizeScan(const std::string& user_name, const std::string& table_name,
: std::unordered_set<std::string>* column_names) WARN_UNUSED_RESULT;
What is the reasoning to have duplicate code here and just to keep ranger_authz_provider simpler? You can check sentry_authz_provider and sentry_privilege_fetcher, which I think is the opposite, that sentry_privilege_fetcher only has one 'generic' method for fetching privileges and methods in sentry_authz_provider implement necessary logic to use it. Again, this should also simplify the ranger protobuf definition to make it more clean and easier to use as (https://gerrit.cloudera.org/c/15074/4/src/kudu/ranger/ranger.proto).
> I think it would be wasteful to convert the unordered set to vector and back, especially as the communication between the ranger client and the subprocess is on the pipe and we don't need to save bandwidth on the wire.
You don't need to covert the unordered set to vector and back, I am suggesting to create a structure to hold all authz request related info and you can create a list of it. All you need is to have a mapping between the requests and the resources (tables or columns).
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 5
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Thu, 13 Feb 2020 18:03:15 +0000
Gerrit-HasComments: Yes
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Adar Dembo (Code Review)" <ge...@cloudera.org>.
Adar Dembo has posted comments on this change. ( http://gerrit.cloudera.org:8080/15206 )
Change subject: KUDU-2972 Add Ranger client
......................................................................
Patch Set 16:
(11 comments)
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger.proto
File src/kudu/ranger/ranger.proto:
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger.proto@27
PS16, Line 27: // SELECT - select rows in a table
: // INSERT - insert to a table
: // UPDATE - update existing rows in a table
: // DELETE - delete rows in a table
: // ALTER - alter schema
: // CREATE - creating a table
: // DROP - drop a table
> It's not your fault, as this is introduced in the plugin patch. But if you
Agreed re: the usefulness of linking to existing docs, though we shouldn't link to vendor-specific documentation. Is there an Apache Kudu page we could use?
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_client-test.cc
File src/kudu/ranger/ranger_client-test.cc:
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_client-test.cc@55
PS12, Line 55: return user_name == rhs.user_name &&
> Partially done, but I think I'm missing something. How would I inject the m
Hmm, that may not work, but at least you could convert the shared ownership into exclusive ownership.
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client-test.cc
File src/kudu/ranger/ranger_client-test.cc:
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client-test.cc@68
PS16, Line 68: struct hash<kudu::ranger::AuthorizedAction> {
Again, define a hasher rather than overloading std::hash.
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client-test.cc@112
PS16, Line 112: CHECK(req->request().UnpackTo(&req_list));
Could just as easily RETURN_NOT_OK.
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client-test.cc@128
PS16, Line 128: auto packed_resp = new Any();
: packed_resp->PackFrom(resp_list);
: resp->set_allocated_response(packed_resp);
Could maybe do resp->mutable_response()->PackFrom(resp_list)?
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client.h
File src/kudu/ranger/ranger_client.h:
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client.h@59
PS16, Line 59: vector
It's not a vector.
Given how similar this is to AuthorizeAction, perhaps restyle the doc to resemble it, so the differences are more stark?
I'd also rename all of these to clarify their use; there are subtle differences between each AuthorizeAction overload and there's no real reason for them to be overloads.
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client.h@82
PS16, Line 82:
: namespace std {
: template<>
: struct hash<kudu::ranger::ActionPB> {
: int operator()(const kudu::ranger::ActionPB action) const {
: return action;
: }
: };
This is a no-no in the Google Style Guide: https://google.github.io/styleguide/cppguide.html#std_hash
Instead, just define your own hasher and use it in the various ActionPB unordered_sets.
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_client.cc
File src/kudu/ranger/ranger_client.cc:
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_client.cc@67
PS12, Line 67: CHECK(sresp.response().UnpackTo(resp));
> added a DCHECK, do you think that's enough?
Curious what would be the problem with RETURN_NOT_OK, given we're OK doing that on L65?
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client.cc
File src/kudu/ranger/ranger_client.cc:
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client.cc@79
PS16, Line 79: As these tables cannot be
: // whitelisted in Ranger we should allow access to them to avoid making tables
: // inaccessible with Ranger integration enabled
> I think we should disallow the access to such tables to follow the deny by
I tend to agree. Like with Sentry (though that was due to HMS integration), aren't we assuming that in order to set up Ranger integration, one must run CLI tools to massage existing tables into shape?
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client.cc@156
PS16, Line 156: return Status::NotAuthorized(Substitute("User $0 is not authorized to "
BTW, the Sentry provider doesn't provide any detail besides "unauthorized action" on purpose:
// Log a warning if the action is not authorized for debugging purpose, and
// only return a generic error to users to avoid a side channel leak, e.g.
// whether table A exists.
LOG(WARNING) << Substitute("Action <$0> on table <$1> with authorizable scope "
"<$2> is not permitted for user <$3>",
sentry::ActionToString(action),
table_ident,
sentry::ScopeToString(scope),
user);
return Status::NotAuthorized("unauthorized action");
I presume we'd want to follow the same policy here.
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/subprocess/server.cc
File src/kudu/subprocess/server.cc:
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/subprocess/server.cc@155
PS16, Line 155: if (write_thread_ != nullptr) {
Nit: it's C++, so you can simplify to:
if (write_thread_) {
...
}
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 16
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Tue, 03 Mar 2020 07:11:38 +0000
Gerrit-HasComments: Yes
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Adar Dembo (Code Review)" <ge...@cloudera.org>.
Adar Dembo has posted comments on this change. ( http://gerrit.cloudera.org:8080/15206 )
Change subject: KUDU-2972 Add Ranger client
......................................................................
Patch Set 12:
(1 comment)
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_action.h
File src/kudu/ranger/ranger_action.h:
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_action.h@29
PS12, Line 29: INSERT,
: UPDATE,
: DELETE,
: ALTER,
: CREATE,
: DROP,
> Drawing from CRUD for a minute, I'm curious why we chose to separate offer
Maybe I forgot that for Kudu's Ranger policy, there is no such entity scoping? I guess it'd be good to document the privilege model somewhere in the Kudu codebase and link to it here.
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 12
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Wed, 26 Feb 2020 21:36:23 +0000
Gerrit-HasComments: Yes
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Attila Bukor (Code Review)" <ge...@cloudera.org>.
Hello Tidy Bot, Kudu Jenkins, Andrew Wong, Adar Dembo, Hao Hao,
I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/15206
to look at the new patch set (#14).
Change subject: KUDU-2972 Add Ranger client
......................................................................
KUDU-2972 Add Ranger client
Adds a Ranger client that communicates with the Java subprocess that
wraps the Ranger plugin. It can be used by an authorization provider to
translate between Kudu and Ranger.
Removes default_database out parameter from ParseRangerTableIdentifier
in table_util as we decided to take a slightly different path and this
information is not needed anymore.
Current test coverage consists of only unit tests with a mock subprocess
server. Real integration tests will be added in a follow-up patch once a
working MiniRanger is added to facilitate this testing.
Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
---
M src/kudu/common/table_util-test.cc
M src/kudu/common/table_util.cc
M src/kudu/common/table_util.h
M src/kudu/ranger/CMakeLists.txt
M src/kudu/ranger/ranger.proto
A src/kudu/ranger/ranger_client-test.cc
A src/kudu/ranger/ranger_client.cc
A src/kudu/ranger/ranger_client.h
M src/kudu/subprocess/server.cc
M src/kudu/subprocess/server.h
M src/kudu/util/subprocess.cc
M src/kudu/util/subprocess.h
12 files changed, 787 insertions(+), 55 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/06/15206/14
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 14
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Adar Dembo (Code Review)" <ge...@cloudera.org>.
Adar Dembo has posted comments on this change. ( http://gerrit.cloudera.org:8080/15206 )
Change subject: KUDU-2972 Add Ranger client
......................................................................
Patch Set 26: Code-Review+1
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 26
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Thu, 05 Mar 2020 02:35:28 +0000
Gerrit-HasComments: No
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Andrew Wong (Code Review)" <ge...@cloudera.org>.
Andrew Wong has posted comments on this change. ( http://gerrit.cloudera.org:8080/15206 )
Change subject: KUDU-2972 Add Ranger client
......................................................................
Patch Set 27: Verified+1
The dist-test failure appears to be KUDU-2432.
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 27
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Thu, 05 Mar 2020 03:34:14 +0000
Gerrit-HasComments: No
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Attila Bukor (Code Review)" <ge...@cloudera.org>.
Attila Bukor has posted comments on this change. ( http://gerrit.cloudera.org:8080/15206 )
Change subject: KUDU-2972 Add Ranger client
......................................................................
Patch Set 20:
(4 comments)
http://gerrit.cloudera.org:8080/#/c/15206/19/src/kudu/ranger/ranger.proto
File src/kudu/ranger/ranger.proto:
http://gerrit.cloudera.org:8080/#/c/15206/19/src/kudu/ranger/ranger.proto@33
PS19, Line 33: SELECT = 0;
: INSERT = 1;
: UPDATE = 2;
: DELETE = 3;
: ALTER = 4;
: CREATE = 5;
: DROP = 6;
> nit: I think this can be removed now, and it is not quite accurate.
Done
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_client-test.cc
File src/kudu/ranger/ranger_client-test.cc:
http://gerrit.cloudera.org:8080/#/c/15206/12/src/kudu/ranger/ranger_client-test.cc@55
PS12, Line 55: string database_name;
> hm SubprocessServer has an atomic member (next_id_) so it's not copy/move c
never mind, refactored the test code a bit, no need to either copy/move construct the SubprocessServer now when using unique_ptr.
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client.cc
File src/kudu/ranger/ranger_client.cc:
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client.cc@55
PS16, Line 55: ing std::string;
> A little surprised to see it is set in ranger authz provider as Ranger clie
hm makes sense, updated.
http://gerrit.cloudera.org:8080/#/c/15206/19/src/kudu/ranger/ranger_client.cc
File src/kudu/ranger/ranger_client.cc:
http://gerrit.cloudera.org:8080/#/c/15206/19/src/kudu/ranger/ranger_client.cc@82
PS19, Line 82:
> Maybe also advise the user to update the table name via table rename tool?
Done
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 20
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Tue, 03 Mar 2020 20:38:15 +0000
Gerrit-HasComments: Yes
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Hao Hao (Code Review)" <ge...@cloudera.org>.
Hao Hao has posted comments on this change. ( http://gerrit.cloudera.org:8080/15206 )
Change subject: KUDU-2972 Add Ranger client
......................................................................
Patch Set 27: Code-Review+2
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 27
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Thu, 05 Mar 2020 02:55:33 +0000
Gerrit-HasComments: No
[kudu-CR] [WIP] Ranger client
Posted by "Attila Bukor (Code Review)" <ge...@cloudera.org>.
Hello Tidy Bot, Kudu Jenkins, Hao Hao,
I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/15206
to look at the new patch set (#5).
Change subject: [WIP] Ranger client
......................................................................
[WIP] Ranger client
Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
---
M CMakeLists.txt
A src/kudu/ranger/CMakeLists.txt
A src/kudu/ranger/ranger.proto
A src/kudu/ranger/ranger_action.cc
A src/kudu/ranger/ranger_action.h
A src/kudu/ranger/ranger_client-test.cc
A src/kudu/ranger/ranger_client.cc
A src/kudu/ranger/ranger_client.h
M src/kudu/subprocess/server.cc
M src/kudu/subprocess/server.h
M src/kudu/util/subprocess.cc
M src/kudu/util/subprocess.h
12 files changed, 717 insertions(+), 4 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/06/15206/5
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 5
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Attila Bukor (Code Review)" <ge...@cloudera.org>.
Hello Tidy Bot, Kudu Jenkins, Andrew Wong, Hao Hao,
I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/15206
to look at the new patch set (#11).
Change subject: KUDU-2972 Add Ranger client
......................................................................
KUDU-2972 Add Ranger client
Adds a Ranger client that communicates with the Java subprocess that
wraps the Ranger plugin. It can be used by an authorization provider to
translate between Kudu and Ranger.
Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
---
M src/kudu/common/table_util-test.cc
M src/kudu/common/table_util.cc
M src/kudu/common/table_util.h
M src/kudu/ranger/CMakeLists.txt
A src/kudu/ranger/ranger_action.cc
A src/kudu/ranger/ranger_action.h
A src/kudu/ranger/ranger_client-test.cc
A src/kudu/ranger/ranger_client.cc
A src/kudu/ranger/ranger_client.h
M src/kudu/subprocess/server.cc
M src/kudu/subprocess/server.h
M src/kudu/util/subprocess.cc
M src/kudu/util/subprocess.h
13 files changed, 679 insertions(+), 52 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/06/15206/11
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 11
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Attila Bukor (Code Review)" <ge...@cloudera.org>.
Hello Tidy Bot, Kudu Jenkins, Andrew Wong, Adar Dembo, Hao Hao,
I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/15206
to look at the new patch set (#23).
Change subject: KUDU-2972 Add Ranger client
......................................................................
KUDU-2972 Add Ranger client
Adds a Ranger client that communicates with the Java subprocess that
wraps the Ranger plugin. It can be used by an authorization provider to
translate between Kudu and Ranger.
Removes default_database out parameter from ParseRangerTableIdentifier
in table_util as we decided to take a slightly different path and this
information is not needed anymore.
Current test coverage consists of only unit tests with a mock subprocess
server. Real integration tests will be added in a follow-up patch once a
working MiniRanger is added to facilitate this testing.
Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
---
M src/kudu/common/table_util-test.cc
M src/kudu/common/table_util.cc
M src/kudu/common/table_util.h
M src/kudu/ranger/CMakeLists.txt
M src/kudu/ranger/ranger.proto
A src/kudu/ranger/ranger_client-test.cc
A src/kudu/ranger/ranger_client.cc
A src/kudu/ranger/ranger_client.h
M src/kudu/subprocess/server.cc
M src/kudu/subprocess/server.h
M src/kudu/subprocess/subprocess_proxy.h
M src/kudu/util/subprocess.cc
M src/kudu/util/subprocess.h
13 files changed, 833 insertions(+), 60 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/06/15206/23
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 23
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Andrew Wong (Code Review)" <ge...@cloudera.org>.
Andrew Wong has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/15206 )
Change subject: KUDU-2972 Add Ranger client
......................................................................
KUDU-2972 Add Ranger client
Adds a Ranger client that communicates with the Java subprocess that
wraps the Ranger plugin. It can be used by an authorization provider to
translate between Kudu and Ranger.
Removes default_database out parameter from ParseRangerTableIdentifier
in table_util as we decided to take a slightly different path and this
information is not needed anymore.
Current test coverage consists of only unit tests with a mock subprocess
server. Real integration tests will be added in a follow-up patch once a
working MiniRanger is added to facilitate this testing.
Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Reviewed-on: http://gerrit.cloudera.org:8080/15206
Reviewed-by: Hao Hao <ha...@cloudera.com>
Tested-by: Andrew Wong <aw...@cloudera.com>
---
M src/kudu/common/table_util-test.cc
M src/kudu/common/table_util.cc
M src/kudu/common/table_util.h
M src/kudu/ranger/CMakeLists.txt
M src/kudu/ranger/ranger.proto
A src/kudu/ranger/ranger_client-test.cc
A src/kudu/ranger/ranger_client.cc
A src/kudu/ranger/ranger_client.h
M src/kudu/subprocess/server.cc
M src/kudu/subprocess/server.h
M src/kudu/subprocess/subprocess_proxy.h
M src/kudu/util/subprocess.cc
M src/kudu/util/subprocess.h
13 files changed, 832 insertions(+), 60 deletions(-)
Approvals:
Hao Hao: Looks good to me, approved
Andrew Wong: Verified
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 28
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
[kudu-CR] [WIP] Ranger client
Posted by "Andrew Wong (Code Review)" <ge...@cloudera.org>.
Andrew Wong has posted comments on this change. ( http://gerrit.cloudera.org:8080/15206 )
Change subject: [WIP] Ranger client
......................................................................
Patch Set 5:
(7 comments)
http://gerrit.cloudera.org:8080/#/c/15206/5/src/kudu/ranger/ranger.proto
File src/kudu/ranger/ranger.proto:
PS5:
Seems like this conflicts with https://gerrit.cloudera.org/c/15074/4/src/kudu/ranger/ranger.proto, which makes me think we should have a separate patch that introduces the contents of ranger.proto that these two patches can then rebase onto once the interface is agreed upon.
http://gerrit.cloudera.org:8080/#/c/15206/5/src/kudu/ranger/ranger_client.h
File src/kudu/ranger/ranger_client.h:
http://gerrit.cloudera.org:8080/#/c/15206/5/src/kudu/ranger/ranger_client.h@65
PS5, Line 65: Status SendRequest(AuthzRequestPB* req, AuthzResponsePB* resp) WARN_UNUSED_RESULT;
:
: static Status AddTable(AuthzRequestPB* req, const std::string& table_name) WARN_UNUSED_RESULT;
:
: static void AddTable(std::unordered_set<std::string>* table_names, const TablePB& table);
nit: add docs.
http://gerrit.cloudera.org:8080/#/c/15206/5/src/kudu/ranger/ranger_client.h@71
PS5, Line 71: std::shared_ptr<kudu::subprocess::SubprocessServer> server_;
Is shared_ptr needed here? Did you consider using unique_ptr and having the RangerClient wholly own the subprocess? Or better yet have this be a stack-allocated member? We don't expect anything else to use it, right?
http://gerrit.cloudera.org:8080/#/c/15206/3/src/kudu/ranger/ranger_client.h
File src/kudu/ranger/ranger_client.h:
http://gerrit.cloudera.org:8080/#/c/15206/3/src/kudu/ranger/ranger_client.h@44
PS3, Line 44: // Authorizes listing tables. If there is at least one table that user is
: // authorized to access metadata of, it returns OK and sets 'table_names' to
: // the tables the user is authorized to list. Otherwise it returns
: // NotAuthorized and it doesn't modify 'table_names'.
: Status AuthorizeList(const std::string& user_name,
: std::unordered_set<std::string>* table_names) WARN_UNUSED_RESULT;
:
: // Authorizes an action on the table. Returns OK if 'user_name' is authorized
: // to perform 'action' on 'table_name', NotAuthorized otherwise.
: Status AuthorizeAction(const std::string& user_name, const Action& action,
: const std::string& table_name) WARN_UNUSED_RESULT;
:
: // Authorizes a scan on a table. Returns OK if 'user_name' is authorized to
: // scan the whole table or at least one of the specified columns,
: // NotAuthorized otherwise. If the user isn't authorized to scan the whole
: // table, 'column_names' is changed to contain only the columns the user is
: // authorized to scan.
: Status AuthorizeScan(const std::string& user_name, const std::string& table_name,
: std::unordered_set<std::string>* column_names) WARN_UNUSED_RESULT;
> What is the reasoning to have duplicate code here and just to keep ranger_a
FWIW I agree with Hao. I was kind of surprised to see so much business logic in what I expected to be a very simple, generic wrapper for the Java Ranger client.
OTOH, should probably form some consensus on the desired interface we want in the Java Ranger client here https://gerrit.cloudera.org/c/15074/
http://gerrit.cloudera.org:8080/#/c/15206/5/src/kudu/ranger/ranger_client.cc
File src/kudu/ranger/ranger_client.cc:
http://gerrit.cloudera.org:8080/#/c/15206/5/src/kudu/ranger/ranger_client.cc@60
PS5, Line 60: bool RangerClient::IsEnabled() {
: return !FLAGS_ranger_policy_server.empty();
: }
We probably don't need to plumb this all the way down here. Maybe just leave IsEnabled() to be implemented by the RangerAuthzProvider, and have the RangerAuthzProvider pass the Ranger policy server address to the RangerClient's constructor? It doesn't make much sense to construct a RangerClient at all if this is false.
http://gerrit.cloudera.org:8080/#/c/15206/5/src/kudu/subprocess/server.h
File src/kudu/subprocess/server.h:
http://gerrit.cloudera.org:8080/#/c/15206/5/src/kudu/subprocess/server.h@86
PS5, Line 86: virtual ~SubprocessServer();
:
: // Initialize the server, starting the subprocess and worker threads.
: virtual Status Init() WARN_UNUSED_RESULT;
:
: // Synchronously send a request to the subprocess and populate 'resp' with
: // contents returned from the subprocess, or return an error if anything
: // failed or timed out along the way.
: virtual Status Execute(SubprocessRequestPB* req, SubprocessResponsePB* resp) WARN_UNUSED_RESULT;
Why these changes?
http://gerrit.cloudera.org:8080/#/c/15206/5/src/kudu/subprocess/server.cc
File src/kudu/subprocess/server.cc:
http://gerrit.cloudera.org:8080/#/c/15206/5/src/kudu/subprocess/server.cc@134
PS5, Line 134: || !process_->IsStarted()) {
When do we shut down before calling Init()?
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 5
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Mon, 17 Feb 2020 03:52:42 +0000
Gerrit-HasComments: Yes
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Attila Bukor (Code Review)" <ge...@cloudera.org>.
Hello Tidy Bot, Kudu Jenkins, Andrew Wong, Adar Dembo, Hao Hao,
I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/15206
to look at the new patch set (#19).
Change subject: KUDU-2972 Add Ranger client
......................................................................
KUDU-2972 Add Ranger client
Adds a Ranger client that communicates with the Java subprocess that
wraps the Ranger plugin. It can be used by an authorization provider to
translate between Kudu and Ranger.
Removes default_database out parameter from ParseRangerTableIdentifier
in table_util as we decided to take a slightly different path and this
information is not needed anymore.
Current test coverage consists of only unit tests with a mock subprocess
server. Real integration tests will be added in a follow-up patch once a
working MiniRanger is added to facilitate this testing.
Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
---
M src/kudu/common/table_util-test.cc
M src/kudu/common/table_util.cc
M src/kudu/common/table_util.h
M src/kudu/ranger/CMakeLists.txt
M src/kudu/ranger/ranger.proto
A src/kudu/ranger/ranger_client-test.cc
A src/kudu/ranger/ranger_client.cc
A src/kudu/ranger/ranger_client.h
M src/kudu/subprocess/server.cc
M src/kudu/subprocess/server.h
M src/kudu/util/subprocess.cc
M src/kudu/util/subprocess.h
12 files changed, 751 insertions(+), 55 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/06/15206/19
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 19
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Adar Dembo (Code Review)" <ge...@cloudera.org>.
Adar Dembo has posted comments on this change. ( http://gerrit.cloudera.org:8080/15206 )
Change subject: KUDU-2972 Add Ranger client
......................................................................
Patch Set 22:
(1 comment)
http://gerrit.cloudera.org:8080/#/c/15206/22/src/kudu/ranger/ranger_client-test.cc
File src/kudu/ranger/ranger_client-test.cc:
http://gerrit.cloudera.org:8080/#/c/15206/22/src/kudu/ranger/ranger_client-test.cc@20
PS22, Line 20: #include <stddef.h>
Should use cstddef instead.
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 22
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Wed, 04 Mar 2020 17:10:23 +0000
Gerrit-HasComments: Yes
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Hao Hao (Code Review)" <ge...@cloudera.org>.
Hao Hao has posted comments on this change. ( http://gerrit.cloudera.org:8080/15206 )
Change subject: KUDU-2972 Add Ranger client
......................................................................
Patch Set 16:
(13 comments)
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger.proto
File src/kudu/ranger/ranger.proto:
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger.proto@27
PS16, Line 27: // SELECT - select rows in a table
: // INSERT - insert to a table
: // UPDATE - update existing rows in a table
: // DELETE - delete rows in a table
: // ALTER - alter schema
: // CREATE - creating a table
: // DROP - drop a table
It's not your fault, as this is introduced in the plugin patch. But if you are adding more detail information about possible privileges for the action type. Maybe refer https://docs.cloudera.com/documentation/enterprise/latest/topics/kudu_security.html for better accuracy? e.g. Select on Table/Column, Create on Database.
And probably also mention we try to map the action types to the existing one in Sentry as the same privileges will be enforced between different authorization providers(e.g. Ranger, Sentry).
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client.h
File src/kudu/ranger/ranger_client.h:
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client.h@38
PS16, Line 38: Create
nit: Creates?
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client.h@47
PS16, Line 47: const std::string& table_name
nit: indent.
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client.h@54
PS16, Line 54: std::uno
Same here.
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client.h@60
PS16, Line 60: .
nit: is authorized to access if OK status is returned.
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client.h@62
PS16, Line 62: const std::string& table_name,
: std:
Same here.
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client.h@69
PS16, Line 69: AuthorizeAction
nit: should it be named to AuthorizeActions given its functionality?
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client.h@70
PS16, Line 70: std::unordered_set<ActionPB>* actions,
: const s
And here.
http://gerrit.cloudera.org:8080/#/c/15206/10/src/kudu/ranger/ranger_client.cc
File src/kudu/ranger/ranger_client.cc:
http://gerrit.cloudera.org:8080/#/c/15206/10/src/kudu/ranger/ranger_client.cc@97
PS10, Line 97: q_list, &resp_list));
:
> not sure if it's worth spamming the logs with it, a future audit log might
We have a warning log for debug purpose for Sentry if the access is not granted. But it is in the SentryAuthorizerProvider level https://github.com/apache/kudu/blob/master/src/kudu/master/sentry_authz_provider.cc#L357. But as Ranger has a audit log that can be enabled, I am Ok with not having log here.
http://gerrit.cloudera.org:8080/#/c/15206/10/src/kudu/ranger/ranger_client.cc@193
PS10, Line 193: req->set_database(db);
: req->set_table(tbl.ToString());
:
> as they can't be managed by Ranger anyway I thought it would be better to r
Left my thoughts on your latest patch.
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client.cc
File src/kudu/ranger/ranger_client.cc:
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client.cc@55
PS16, Line 55: return server_->Init();
Add a TODO here if you are going to have a follow up patch to actually call into Ranger subprocess?
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client.cc@67
PS16, Line 67: CHECK(sresp.response().UnpackTo(resp))
Maybe use DCHECK instead?
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client.cc@79
PS16, Line 79: As these tables cannot be
: // whitelisted in Ranger we should allow access to them to avoid making tables
: // inaccessible with Ranger integration enabled
I think we should disallow the access to such tables to follow the deny by default security principle. And ask the users to correct the table name with the rename tool. But open to hear what others think.
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 16
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Mon, 02 Mar 2020 23:45:58 +0000
Gerrit-HasComments: Yes
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Attila Bukor (Code Review)" <ge...@cloudera.org>.
Attila Bukor has posted comments on this change. ( http://gerrit.cloudera.org:8080/15206 )
Change subject: KUDU-2972 Add Ranger client
......................................................................
Patch Set 23:
(1 comment)
http://gerrit.cloudera.org:8080/#/c/15206/22/src/kudu/ranger/ranger_client-test.cc
File src/kudu/ranger/ranger_client-test.cc:
http://gerrit.cloudera.org:8080/#/c/15206/22/src/kudu/ranger/ranger_client-test.cc@20
PS22, Line 20: #include <cstddef>
> Should use cstddef instead.
Done
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 23
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Wed, 04 Mar 2020 20:39:15 +0000
Gerrit-HasComments: Yes
[kudu-CR] KUDU-2972 Add Ranger client
Posted by "Attila Bukor (Code Review)" <ge...@cloudera.org>.
Attila Bukor has posted comments on this change. ( http://gerrit.cloudera.org:8080/15206 )
Change subject: KUDU-2972 Add Ranger client
......................................................................
Patch Set 21:
(9 comments)
http://gerrit.cloudera.org:8080/#/c/15206/20/src/kudu/ranger/ranger.proto
File src/kudu/ranger/ranger.proto:
http://gerrit.cloudera.org:8080/#/c/15206/20/src/kudu/ranger/ranger.proto@31
PS20, Line 31: check
> check out?
Done
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client-test.cc
File src/kudu/ranger/ranger_client-test.cc:
http://gerrit.cloudera.org:8080/#/c/15206/16/src/kudu/ranger/ranger_client-test.cc@112
PS16, Line 112: action.column_name = req.has_column() ? req.column() : "";
> Oh oops, thought it returned a Status. This is fine for a test.
Done
http://gerrit.cloudera.org:8080/#/c/15206/20/src/kudu/ranger/ranger_client.h
File src/kudu/ranger/ranger_client.h:
http://gerrit.cloudera.org:8080/#/c/15206/20/src/kudu/ranger/ranger_client.h@46
PS20, Line 46: };
:
: typedef subprocess::SubprocessProxy<RangerRequestListPB, RangerResponseListPB,
: RangerSubprocessMetrics> RangerSubprocess;
:
> Is this needed if we have AuthorizeActions()?
Not necessarily needed but it's simpler to use than AuthorizeActions() and the code is less complex too so I'd rather leave it in.
http://gerrit.cloudera.org:8080/#/c/15206/20/src/kudu/ranger/ranger_client.h@69
PS20, Line 69:
> nit: "multiple table-level actions"
Done
http://gerrit.cloudera.org:8080/#/c/15206/20/src/kudu/ranger/ranger_client.h@74
PS20, Line 74: // columns the user is authorized to access and returns OK, NotAuthorized
> nit: per the GSG, output parameters should be last.
Done
http://gerrit.cloudera.org:8080/#/c/15206/20/src/kudu/ranger/ranger_client.cc
File src/kudu/ranger/ranger_client.cc:
http://gerrit.cloudera.org:8080/#/c/15206/20/src/kudu/ranger/ranger_client.cc@73
PS20, Line 73: kudu::MetricUnit::kMilliseconds,
: "Duration of time in ms spent in the Ranger subprocess' outbound response queue",
: kudu::MetricLevel::kInfo,
: 60000LU, 1);
: METRIC_DEFINE_histogram(server, ranger_subprocess_execution_time_ms,
: "Ranger subprocess execution time (ms)",
: kudu::MetricUnit::kMilliseconds,
: "Duration of time in ms spent executing the Ranger subprocess request, excluding "
: "time spent spent in the subprocess queues",
: kudu::MetricLevel::kInfo,
: 60000LU, 1);
:
: namespace kudu {
: n
> Depending on the order of what lands, may want to rebase on this and typede
rebased it, using yours now. Had to change the proxy up a bit (heap allocated server so it can be mocked and a ForTests method to replace it)
http://gerrit.cloudera.org:8080/#/c/15206/20/src/kudu/ranger/ranger_client.cc@112
PS20, Line 112: HISTINIT(execution_time_ms, ranger_subpr
> nit: flip the order of the arguments so the error message is more correct (
Done
http://gerrit.cloudera.org:8080/#/c/15206/20/src/kudu/ranger/ranger_client.cc@276
PS20, Line 276:
: RangerRequestListPB req_list;
: RangerResponseListPB resp_list;
: req_list.set_user(user_name);
:
: for (const auto& action : *actions) {
:
> Will the JARs always be located in the binary directory? I was under the im
Done
http://gerrit.cloudera.org:8080/#/c/15206/20/src/kudu/subprocess/server.cc
File src/kudu/subprocess/server.cc:
http://gerrit.cloudera.org:8080/#/c/15206/20/src/kudu/subprocess/server.cc@147
PS20, Line 147: //
: // Normally the process_ should be started before we reach Shutdown() and the
: // threads below should be running too, except in mock servers because we
: // don't init there. Shutdown() is still called in this case from the
: // destructor though so these checks are necessary.
: if (process_->IsStarted()) {
: WARN_NOT_OK(process_->KillAndWait(SIGTERM), "failed to stop subprocess");
: }
: inbound_response_queue_.Shutdown();
: outbound_call_queue_.Shutdown();
:
: // We should be able to clean up our threads; they'll see that we're closing,
: // the pipe has been closed, or the queues have been shut down.
: if (write_thread_) {
: write_thread_->Join();
: }
: i
> nit: could you mention in a comment that these are all expected to always b
Done
--
To view, visit http://gerrit.cloudera.org:8080/15206
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ie2e1ec19ed3aeb4d82ad38fe1fb655f57021c1a4
Gerrit-Change-Number: 15206
Gerrit-PatchSet: 21
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Wed, 04 Mar 2020 11:16:53 +0000
Gerrit-HasComments: Yes