[ https://issues.apache.org/jira/browse/SENTRY-565?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15008172#comment-15008172 ]

Colin Ma commented on SENTRY-565:
---------------------------------

Thanks [~lili] for your comments. I agree that this feature needs more 
discussion to find a suitable solution for Sentry.

The client will be responsible for synchronizing the cache, so I think outdated 
privilege data can't be avoided.
If we do incremental privilege updates for the cache, the synchronization time 
can be less, but if we synchronize all privileges every time, the 
synchronization time should be more. I prefer doing the incremental privilege 
update, even if it means more code changes.

For the cache structure, I think <group, set<privileges>> is suitable for the 
interface in Sentry.

As for retiring cached items, I think it's not needed; machines are currently 
much more powerful and have a lot of memory. The memory used for Sentry's cache 
will be a very small part. On the other hand, if retirement is used, it's hard 
to tell when to get the retired privileges back, and it makes this more complex.

[~sravya], [~lskuff], what do you think about this problem?

> Improvement the performance when Sentry filter the entity
> ---------------------------------------------------------
>
>                 Key: SENTRY-565
>                 URL: https://issues.apache.org/jira/browse/SENTRY-565
>             Project: Sentry
>          Issue Type: Improvement
>            Reporter: Colin Ma
>            Assignee: Colin Ma
>         Attachments: SENTRY-565.001.patch, SENTRY-565.002.patch, 
> SENTRY-565.003.patch, SENTRY-565.004.patch, SENTRY-565.005.patch
>
>
> Currently, when getting metadata from Hive, e.g. "show tables" or "show 
> databases", Sentry will filter the result and output the authorized entities. 
> There will be many RPC calls when filtering the result. The related code is 
> in HiveAuthzBinding, for example, in filterShowTables:
> {code}
> ......
> for (String tableName : queryResult) {
>   ......
>   hiveAuthzBinding.authorize(operation, tableMetaDataPrivilege, subject,
>             inputHierarchy, outputHierarchy, providedPrivileges);
>   ......
> }
> ......
> {code}
> hiveAuthzBinding.authorize will get the privileges from the Sentry service; 
> if there are many tables in Hive, the filtering process will take a long 
> time. Considering that Sentry also needs to filter columns, HiveAuthzBinding 
> should be improved to reduce the number of RPC calls when filtering.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
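
The comment above proposes a client-side `<group, set<privileges>>` cache that is synchronized incrementally and accepts some staleness. The following sketch is an added example, not code from the SENTRY-565 patches or from Sentry: the class, the `Delta` record, the sequence counter and the simplified `db.table` privilege strings are all assumptions made for illustration (Java 16+ for records).

```java
import java.util.*;
// Added illustration: every name here is hypothetical, none is Sentry's API.
public class GroupPrivilegeCache {
    // One incremental change: grant (add = true) or revoke for a group.
    record Delta(long seq, String group, String privilege, boolean add) {}
    private final Map<String, Set<String>> cache = new HashMap<>(); // <group, set<privileges>>
    private long lastSeq = 0; // assumed server-side change counter

    // Full sync: replace the cache with a complete snapshot.
    void fullSync(Map<String, Set<String>> snapshot, long seq) {
        cache.clear();
        snapshot.forEach((g, p) -> cache.put(g, new HashSet<>(p)));
        lastSeq = seq;
    }

    // Incremental sync: returns false on a sequence gap so the caller falls back to fullSync.
    boolean applyIncremental(List<Delta> deltas) {
        for (Delta d : deltas) {
            if (d.seq() != lastSeq + 1) return false; // missed update, e.g. a lost revoke
            Set<String> privs = cache.computeIfAbsent(d.group(), g -> new HashSet<>());
            if (d.add()) privs.add(d.privilege()); else privs.remove(d.privilege());
            lastSeq = d.seq();
        }
        return true;
    }

    // Filter "show tables" output from the cache: no RPC per table.
    List<String> filterShowTables(String db, List<String> tables, Set<String> groups) {
        Set<String> granted = new HashSet<>();
        for (String g : groups) granted.addAll(cache.getOrDefault(g, Set.of()));
        List<String> visible = new ArrayList<>();
        for (String t : tables)
            if (granted.contains(db + "." + t)) visible.add(t);
        return visible;
    }

    public static void main(String[] args) {
        GroupPrivilegeCache c = new GroupPrivilegeCache();
        Set<String> groups = Set.of("analysts");
        List<String> tables = List.of("orders", "customers", "payroll"); // constructed sample
        c.fullSync(Map.of("analysts", Set.of("sales.orders", "sales.customers")), 10);
        System.out.println(c.filterShowTables("sales", tables, groups));
        // The revoke is delta 11; the cache keeps showing "customers" until it is applied.
        c.applyIncremental(List.of(new Delta(11, "analysts", "sales.customers", false)));
        System.out.println(c.filterShowTables("sales", tables, groups));
        // Delta 13 arrives without 12: gap detected, so the caller must do a full sync.
        System.out.println(c.applyIncremental(List.of(new Delta(13, "analysts", "sales.payroll", true))));
    }
}
```

The window between a revoke on the server and the next applied delta is the "outdated privilege data" the comment accepts; the sequence check bounds it by forcing a full sync whenever an update was missed.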
