> On 一月 16, 2016, 4:15 p.m., Lenni Kuff wrote: > > sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java, > > line 605 > > <https://reviews.apache.org/r/42344/diff/2/?file=1198197#file1198197line605> > > > > Why not just always get a cache binding? How much does this improve > > things versus the previous approach? > > Colin Ma wrote: > Agree with Lenni, and we should have a performance test to check the > performance impact if always get a cache binding.
I don't think **always getting a cache binding** may be the best solution, since **getting a cache binding** will obtaining all privileges of current user per session. Some hierarchical queries will be happened at database: group->role->privilege. If there are thousands of privileges for user at database, even for the command like switch database: **use database1** will get the thousands of privilege to local. If we make it configurable, users could balance the two solutions with their cluster. > On 一月 16, 2016, 4:15 p.m., Lenni Kuff wrote: > > sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java, > > line 100 > > <https://reviews.apache.org/r/42344/diff/2/?file=1198198#file1198198line100> > > > > Add a comment on what this configuration does. Good suggestion, I will fix it on next update. - Dapeng ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/42344/#review114850 ----------------------------------------------------------- On 一月 15, 2016, 7:47 p.m., Dapeng Sun wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/42344/ > ----------------------------------------------------------- > > (Updated 一月 15, 2016, 7:47 p.m.) > > > Review request for sentry. > > > Bugs: SENTRY-1007 > https://issues.apache.org/jira/browse/SENTRY-1007 > > > Repository: sentry > > > Description > ------- > > Since current architecture will do one time authorization for every entity, > the sql script like **select col1,col2,col3,.....,colN from test_tb1** will > authorize all the query columns. > > This patch will reuse the CachedHiveBinding at SENTRY-565. > If entity > maxQueryNumber, it will query all user's privileges to local, and > use the local privilege for authorzation. > > > Diffs > ----- > > > sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java > 57e4689 > > sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java > e76fad1 > > Diff: https://reviews.apache.org/r/42344/diff/ > > > Testing > ------- > > > Thanks, > > Dapeng Sun > >
