> On Aug. 16, 2018, 8:26 p.m., Na Li wrote:
> > sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/generic/thrift/SentryGenericPolicyProcessor.java
> > Line 588 (original), 588 (patched)
> > <https://reviews.apache.org/r/64661/diff/5/?file=2073587#file2073587line588>
> >
> > can you change the API to return Set<TSentryRole>? like what's in the
> > following code? It is even simplier.
> >
> > "roleSet = sentryStore.getTSentryRolesByGroupName(groups,
> > checkAllGroups);"
> >
> >
> > https://github.com/apache/sentry/blob/master/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java#L646
>
> Arjun Mishra wrote:
> Lina, there are two types of TSentryRole,
> org.apache.sentry.api.generic.thrift.TSentryRole, and
> org.apache.sentry.api.service.thrift.TSentryRole
1) DelegateSentryStore.getRolesByGroups gets
org.apache.sentry.api.service.thrift.TSentryRole right now, then return list of
role names
2) You can add a new function in DelegateSentryStore.getRolesByGroups to get
org.apache.sentry.api.service.thrift.TSentryRole, and then return set of
org.apache.sentry.api.generic.thrift.TSentryRole, which can be returned by
SentryGenericPolicyProcessor.list_sentry_roles_by_group
org.apache.sentry.api.service.thrift.TSentryRole is defined in
sentry_policy_service.thrift
struct TSentryRole {
1: required string roleName,
2: required set<TSentryGroup> groups,
3: required string grantorPrincipal #Deprecated
}
org.apache.sentry.api.generic.thrift.TSentryRole is defined in
sentry_generic_policy_service.thrift
struct TSentryRole {
1: required string roleName,
2: required set<string> groups
}
as you can see, you can easily convert
org.apache.sentry.api.service.thrift.TSentryRole to
org.apache.sentry.api.generic.thrift.TSentryRole
- Na
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/64661/#review207431
-----------------------------------------------------------
On Aug. 16, 2018, 7:55 p.m., Arjun Mishra wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/64661/
> -----------------------------------------------------------
>
> (Updated Aug. 16, 2018, 7:55 p.m.)
>
>
> Review request for sentry, kalyan kumar kalvagadda, Na Li, Steve Moist, and
> Sergio Pena.
>
>
> Bugs: SENTRY-1944
> https://issues.apache.org/jira/browse/SENTRY-1944
>
>
> Repository: sentry
>
>
> Description
> -------
>
> When Solr is using Sentry server for authorization, it issues a lot of calls
> to getGroupsByRoles() function in DelegateSentryStore.
>
> This function isn't very efficient - it walks over each role in the set,
> obtains role by name, get groups for each role, and collects all group names
> into a set.
>
> It may be possible to optimize it.
>
> Also, in SentryGenericPolicyProcessor class method
> list_sentry_roles_by_group() would make N transactions to build the roles to
> set of groups map. Instead, make it to a single transaction. This will
> significantly speed up operation
>
> Attach one or more files to this issue
>
>
> Diffs
> -----
>
>
> sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/generic/thrift/SentryGenericPolicyProcessor.java
> 1cc4b1b37
>
> sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/DelegateSentryStore.java
> 3026a6225
>
> sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/SentryStoreLayer.java
> eec2757d3
>
> sentry-service/sentry-service-server/src/test/java/org/apache/sentry/api/generic/thrift/TestSentryGenericPolicyProcessor.java
> 4c207e9b4
>
> sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestDelegateSentryStore.java
> 69d16238f
>
>
> Diff: https://reviews.apache.org/r/64661/diff/5/
>
>
> Testing
> -------
>
> mvn -f sentry-provider/sentry-provider-db/pom.xml test
>
>
> Thanks,
>
> Arjun Mishra
>
>
