changelog and docs

Author: sbernauer

CHANGELOG.md

@@ -6,7 +6,9 @@ All notable changes to this project will be documented in this file.
 
 ### Changed
 
-- Bump okio to 1.17.6 to get rid of CVE-2023-3635 ([#46])
+- BREAKING: Only send a subset of the fields sufficient for most use-cases to OPA for performance reasons.
+  The old behavior of sending all fields can be restored by setting `hadoop.security.authorization.opa.extended-requests` to `true` ([#XX]).
+- Bump `okio` to 1.17.6 and to 3.9.1 afterwards  to get rid of CVE-2023-3635 ([#46], [#XX]).
 
 [#46]: https://github.com/stackabletech/hdfs-utils/pull/46
 

README.md

@@ -26,6 +26,8 @@ The Stackable HDFS already takes care of this, you don't need to do anything in
 
 - Set `dfs.namenode.inode.attributes.provider.class` in `hdfs-site.xml` to `tech.stackable.hadoop.StackableAuthorizer`
 - Set `hadoop.security.authorization.opa.policy.url` in `core-site.xml` to the HTTP endpoint of your OPA rego rule, e.g. `http://opa.default.svc.cluster.local:8081/v1/data/hdfs/allow`
+- The property `hadoop.security.authorization.opa.extended-requests` (defaults to `false`), which controls if all fields should be send to OPA.
+  Sending all fields degrades the performance, but allows for more advanced authorization.
 
 ### API
 

src/main/java/tech/stackable/hadoop/OpaReducedAllowQuery.java

@@ -11,8 +11,8 @@ public OpaReducedAllowQuery(OpaReducedAllowQueryInput input) {
   }
 
   /**
-   * Similar to {@link OpaAllowQuery.OpaAllowQueryInput}, but  this class only contains a subset of   * fields that
-   * should be sufficient for most use-cases, but offer a much better performance.
+   * Similar to {@link OpaAllowQuery.OpaAllowQueryInput}, but this class only contains a subset of
+   * fields that should be sufficient for most use-cases, but offer a much better performance.
    * See <a href="https://github.com/stackabletech/hdfs-utils/issues/48">this issue</a> for details.
    */
   public static class OpaReducedAllowQueryInput {