Quanlong Huang created SENTRY-2534:
--------------------------------------
Summary: Provide API to for checking ANY privileges
Key: SENTRY-2534
URL: https://issues.apache.org/jira/browse/SENTRY-2534
Project: Sentry
Issue Type: New Feature
Reporter: Quanlong Huang
In Impala when dealing with SHOW TABLES statements or GET_TABLES HiveServer2
requests, we need to check whether the user has any privileges on the table
before showing it. However, Sentry does not support checking ANY privilege
(while Ranger does) so we have to loop over all possible privileges if the user
don't have any of them:
{code:java}
for (ImpalaAction action: actions) {
if (provider_.hasAccess(new Subject(user.getShortName()), authorizables,
EnumSet.of(action), request.hasGrantOption(), ActiveRoleSet.ALL)) {
return true;
}
}
return false;{code}
Code link:
[https://github.com/apache/impala/blob/3.3.0/fe/src/main/java/org/apache/impala/authorization/sentry/SentryAuthorizationChecker.java#L120-L129]
This is time-consuming if there are lots of tables to check. As a CPU profiling
for IMPALA-9002, we see that most of the time is spending in Sentry:
!cdh5.16.2-patch3543-db40k-calltree-profile.png|width=1295,height=1105!
It'd be better if we can get rid of the loop and get result from Sentry
directly.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
