[ https://issues.apache.org/jira/browse/IMPALA-9242?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17036545#comment-17036545 ]

ASF subversion and git services commented on IMPALA-9242:
---------------------------------------------------------

Commit e7d10df2ecaf14f244eb32224e2c8099f2f0d8cf in impala's branch 
refs/heads/master from Csaba Ringhofer
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=e7d10df ]

IMPALA-9242: Filter privileges before returning them to Sentry

This change implements the new FilteredPrivilegeCache, which adds
functions for filtering privileges based on the authorizable and
for returning Privileges directly instead of their String form.

The filtering is based on server + db + table (or just server in
case of URI privileges) to filter out the bulk of unrelated privileges.
Efficient filtering is done by a new class PrincipalPrivilegeTree.
It was tempting to reuse Sentry's TreePrivilegeCache, which has a very
similar role, but it lacks a "remove" function that is needed to keep
this index in sync with the CatalogObjectCache in Principal. I am also
a bit concerned about the possible side effect of Sentry's interning
of names in privileges - we try to avoid using String.intern() on
a massive amount of names in Impala.

Other Changes:
- Add the Sentry privilege name as member to PrincipalPrivileges.
  Note that the name was a member of TPrivilege till IMPALA-7616.
  Storing the name shouldn't consume much extra memory, as it
  is already stored as the key of the PrincipalPrivilege in
  CatalogObjectCache.

Testing:
- added unit tests based on Sentry / TestTreePrivilegeCache

Change-Id: Iecd4281368d1c9fe88cfe850ea725cd68895712e
Reviewed-on: http://gerrit.cloudera.org:8080/15068
Reviewed-by: Impala Public Jenkins <impala-public-jenk...@cloudera.com>
Tested-by: Impala Public Jenkins <impala-public-jenk...@cloudera.com>


> Access check should only check against the privileges of the authorizable
> -------------------------------------------------------------------------
>
>                 Key: IMPALA-9242
>                 URL: https://issues.apache.org/jira/browse/IMPALA-9242
>             Project: IMPALA
>          Issue Type: Improvement
>            Reporter: Vihang Karajgaonkar
>            Assignee: Csaba Ringhofer
>            Priority: Major
>
> Currently, according to the implementation of 
> https://github.com/apache/sentry/blob/branch-2.1.0/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimpleCacheProviderBackend.java#L64
> each access check request in Sentry is done against all the privileges of the 
> user. Instead, we can reduce the number of privilege checks significantly, if 
> we use this API in 
> https://github.com/apache/sentry/blob/master/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/PrivilegeCache.java#L46
> Unfortunately, SENTRY-1291 which is merged in master branch of Sentry is 
> unavailable. However, if we can have interface-side changes in 
> PrivilegeCache, Impala can implement a prefix-tree based {{PrivilegeCache}} 
> so that the number of privileges returned are only related to the given 
> authorizable. This API can then be used in SimpleCacheProviderBackend to 
> reduce the processing time required to check access for a large number of 
> objects in large setups.
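
The prefix-tree filtering described in the commit message and the issue above, as an added example that is not Impala's or Sentry's code. The class `PrivilegeTreeSketch`, its method names and the privilege names are hypothetical, and it assumes a lookup should return the privileges on the path to the authorizable plus any stored beneath it.

```java
import java.util.*;
// Hypothetical sketch, not Impala's PrincipalPrivilegeTree. Privilege names are constructed samples.
public class PrivilegeTreeSketch {
  private static final class Node {
    final Map<String, Node> children = new HashMap<>();
    final Set<String> names = new HashSet<>(); // privileges granted exactly at this scope
  }
  private final Node root = new Node();
  // scope is {server}, {server, db} or {server, db, table}; URI privileges use {server} only.
  public void add(String name, String... scope) {
    Node n = root;
    for (String part : scope) n = n.children.computeIfAbsent(part, k -> new Node());
    n.names.add(name);
  }
  // Removal keeps the index in sync with the backing cache and prunes emptied branches.
  public void remove(String name, String... scope) { removeAt(root, 0, name, scope); }
  private static void removeAt(Node n, int depth, String name, String[] scope) {
    if (depth == scope.length) { n.names.remove(name); return; }
    Node child = n.children.get(scope[depth]);
    if (child == null) return;
    removeAt(child, depth + 1, name, scope);
    if (child.children.isEmpty() && child.names.isEmpty()) n.children.remove(scope[depth]);
  }
  // Returns privileges on the path to the authorizable plus (assumption) those beneath it.
  public List<String> filter(String... authorizable) {
    List<String> out = new ArrayList<>();
    Node n = root;
    for (String part : authorizable) {
      n = n.children.get(part);
      if (n == null) return out; // nothing stored deeper; ancestor privileges still apply
      out.addAll(n.names);
    }
    for (Node c : n.children.values()) collect(c, out);
    return out;
  }
  private static void collect(Node n, List<String> out) {
    out.addAll(n.names);
    for (Node c : n.children.values()) collect(c, out);
  }
  public static void main(String[] args) {
    PrivilegeTreeSketch t = new PrivilegeTreeSketch();
    t.add("server=server1->uri=hdfs://nn/tmp->action=all", "server1");
    t.add("server=server1->db=sales->action=select", "server1", "sales");
    t.add("server=server1->db=sales->table=orders->action=insert", "server1", "sales", "orders");
    t.add("server=server1->db=hr->table=staff->action=select", "server1", "hr", "staff");
    System.out.println(t.filter("server1", "sales", "orders")); // the hr privilege is not returned
    t.remove("server=server1->db=sales->action=select", "server1", "sales");
    System.out.println(t.filter("server1", "sales", "orders")); // db-level grant is gone
  }
}
```

The filtered list is only a candidate set: the authorization provider still has to evaluate each returned privilege against the requested action.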


