feat(Ranger): Use Apache Ranger for ACL when replica master-slave lea…

…rn (#1445) #1054 This patch add ACL to the learn action of replica. 1. specifically, regard learn as a write action, and use the Ranger policy to determine whether the master-slave can learn.
apache · Apr 20, 2023 · ce0af37 · ce0af37
1 parent b4937fa
commit ce0af37
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/src/replica/replica_stub.cpp b/src/replica/replica_stub.cpp
@@ -72,6 +72,7 @@
 #include "replica_disk_migrator.h"
 #include "replica_stub.h"
 #include "runtime/api_layer1.h"
+#include "runtime/ranger/access_type.h"
 #include "runtime/rpc/rpc_message.h"
 #include "runtime/rpc/serialization.h"
 #include "runtime/security/access_controller.h"
@@ -1310,14 +1311,19 @@ void replica_stub::on_group_check(group_check_rpc rpc)
 
 void replica_stub::on_learn(dsn::message_ex *msg)
 {
+    learn_response response;
     learn_request request;
     ::dsn::unmarshall(msg, request);
 
     replica_ptr rep = get_replica(request.pid);
     if (rep != nullptr) {
+        if (!rep->access_controller_allowed(msg, ranger::access_type::kWrite)) {
+            response.err = ERR_ACL_DENY;
+            reply(msg, response);
+            return;
+        }
         rep->on_learn(msg, request);
     } else {
-        learn_response response;
         response.err = ERR_OBJECT_NOT_FOUND;
         reply(msg, response);
     }