Description
We introduced the OPA Authoriser a while ago and marked it as experimental.
We have not received any bug reports yet.
This ticket is the stabilisation issue where we can discuss what's needed to consider the authoriser stable.
See this issue for things that have not yet been covered: #2
Proposed scope and order of changes (based on #2)
Step 1: Basic structure (XS)
- implement missing calls relevant to OPA
- add unit tests for all calls
- review all logging statements to reduce noise
- check ADMIN on each namespace
- read permissions required for checkAnd* methods to prevent probing
Step 2: Extended permission coverage (S)
- permissions to be distinct between KeyValue and ColumnFamily
- check permissions on each mutation
- look at granting permissions on the level of cell families, not just tables
- review action granularity (e.g. write vs. delete)
Step 3: Integration test coverage (S/M)
- investigate ways of tracking changes made to upstream interfaces
- ensure consistency between empty implementation of interface methods (just for logging) and fallback to default impls
- ensure that all functionality is covered by integration tests
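An added illustration of the checkAnd* item in Step 1, not part of the original issue and not the project's own policy: a Rego policy in which conditional writes require READ as well as WRITE, because whether the check succeeds tells the caller something about the stored value. The package name, input fields, operation names and grants are assumptions made for this example.

```rego
# Added example. All names below are hypothetical, not the authoriser's real schema.
package authz_example

import rego.v1

default allow := false

# Permissions each operation must hold. A checkAnd* call compares a stored
# value before writing, so its outcome is a read of that value: it needs READ
# in addition to WRITE, otherwise a write-only principal can probe cell contents.
required := {
	"get": {"READ"},
	"put": {"WRITE"},
	"delete": {"WRITE"},
	"checkAndPut": {"READ", "WRITE"},
	"checkAndDelete": {"READ", "WRITE"},
	"checkAndMutate": {"READ", "WRITE"},
}

# Constructed sample grants: user -> table -> permissions.
grants := {
	"alice": {"ns1:orders": {"READ", "WRITE"}},
	"ingest": {"ns1:orders": {"WRITE"}},
}

# Permissions the caller holds on the requested table (empty set if none).
granted := object.get(grants, [input.user, input.table], set())

# Allow only known operations whose full permission set is granted.
# Unknown operations leave required[...] undefined, so the default deny applies.
allow if {
	needed := required[input.operation]
	count(needed - granted) == 0
}

# Expected decisions for constructed inputs:
#   {"user": "ingest", "table": "ns1:orders", "operation": "put"}         -> allow
#   {"user": "ingest", "table": "ns1:orders", "operation": "checkAndPut"} -> deny
#   {"user": "alice",  "table": "ns1:orders", "operation": "checkAndPut"} -> allow
```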
Status
Development: In Progress