[ https://issues.apache.org/jira/browse/SENTRY-2534?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Quanlong Huang updated SENTRY-2534:
-----------------------------------
    Description: 
In Impala when dealing with SHOW TABLES statements or GET_TABLES HiveServer2 
requests, we need to check whether the user has any privileges on the table 
before showing it. However, Sentry does not support checking ANY privilege 
(while Ranger does) so we have to loop over all possible privileges if the user 
doesn't have any of them:
{code:java}
for (ImpalaAction action: actions) {
  if (provider_.hasAccess(new Subject(user.getShortName()), authorizables,
      EnumSet.of(action), request.hasGrantOption(), ActiveRoleSet.ALL)) {
    return true;
  }
}
return false;{code}
Code link: 
[https://github.com/apache/impala/blob/3.3.0/fe/src/main/java/org/apache/impala/authorization/sentry/SentryAuthorizationChecker.java#L120-L129]

 

This is time-consuming if there are lots of tables to check. From CPU profiling 
for IMPALA-9002, we see that most of the time is spent in Sentry:

!cdh5.16.2-40k-tables-calltree-profile.png|width=1194,height=1019!

It'd be better if we can get rid of the loop and get the result from Sentry 
directly.

  was:
In Impala when dealing with SHOW TABLES statements or GET_TABLES HiveServer2 
requests, we need to check whether the user has any privileges on the table 
before showing it. However, Sentry does not support checking ANY privilege 
(while Ranger does) so we have to loop over all possible privileges if the user 
doesn't have any of them:
{code:java}
for (ImpalaAction action: actions) {
  if (provider_.hasAccess(new Subject(user.getShortName()), authorizables,
      EnumSet.of(action), request.hasGrantOption(), ActiveRoleSet.ALL)) {
    return true;
  }
}
return false;{code}
Code link: 
[https://github.com/apache/impala/blob/3.3.0/fe/src/main/java/org/apache/impala/authorization/sentry/SentryAuthorizationChecker.java#L120-L129]

 

This is time-consuming if there are lots of tables to check. From CPU profiling 
for IMPALA-9002, we see that most of the time is spent in Sentry:

!cdh5.16.2-patch3543-db40k-calltree-profile.png|width=1295,height=1105!

It'd be better if we can get rid of the loop and get the result from Sentry 
directly.


> Provide API to for checking ANY privileges
> ------------------------------------------
>
>                 Key: SENTRY-2534
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2534
>             Project: Sentry
>          Issue Type: New Feature
>            Reporter: Quanlong Huang
>            Priority: Major
>         Attachments: cdh5.16.2-40k-tables-calltree-profile.png
>
>
> In Impala when dealing with SHOW TABLES statements or GET_TABLES HiveServer2 
> requests, we need to check whether the user has any privileges on the table 
> before showing it. However, Sentry does not support checking ANY privilege 
> (while Ranger does) so we have to loop over all possible privileges if the 
> user doesn't have any of them:
> {code:java}
> for (ImpalaAction action: actions) {
>   if (provider_.hasAccess(new Subject(user.getShortName()), authorizables,
>       EnumSet.of(action), request.hasGrantOption(), ActiveRoleSet.ALL)) {
>     return true;
>   }
> }
> return false;{code}
> Code link: 
> [https://github.com/apache/impala/blob/3.3.0/fe/src/main/java/org/apache/impala/authorization/sentry/SentryAuthorizationChecker.java#L120-L129]
>  
> This is time-consuming if there are lots of tables to check. From CPU 
> profiling for IMPALA-9002, we see that most of the time is spent in Sentry:
> !cdh5.16.2-40k-tables-calltree-profile.png|width=1194,height=1019!
> It'd be better if we can get rid of the loop and get the result from Sentry 
> directly.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
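
An added example, not code from Impala or Sentry: a toy policy provider that counts evaluations, comparing the per-action loop from the description with a single ANY check while filtering which tables a user may see. The `Provider` class, its `hasAnyAccess` method, the action names and the table names are all hypothetical.

```java
import java.util.*;

public class AnyPrivilegeCheck {
  enum Action { SELECT, INSERT, ALTER, CREATE, DROP, REFRESH } // constructed, not Impala's ImpalaAction values

  // Hypothetical stand-in for a policy provider: table -> actions granted to one user.
  static final class Provider {
    final Map<String, EnumSet<Action>> grants = new HashMap<>();
    long calls = 0; // policy evaluations performed

    private EnumSet<Action> granted(String table) {
      return grants.getOrDefault(table, EnumSet.noneOf(Action.class));
    }
    // Existing style of check: does the user hold all requested actions?
    boolean hasAccess(String table, EnumSet<Action> requested) {
      calls++;
      return granted(table).containsAll(requested);
    }
    // Hypothetical ANY check: one evaluation per table.
    boolean hasAnyAccess(String table) {
      calls++;
      return !granted(table).isEmpty();
    }
  }

  // Visibility filter using the per-action loop from the description.
  static List<String> visibleByLoop(Provider p, List<String> tables) {
    List<String> out = new ArrayList<>();
    for (String t : tables) {
      for (Action a : Action.values()) {
        if (p.hasAccess(t, EnumSet.of(a))) { out.add(t); break; }
      }
    }
    return out;
  }
  // Same filter with a single ANY check per table.
  static List<String> visibleByAny(Provider p, List<String> tables) {
    List<String> out = new ArrayList<>();
    for (String t : tables) if (p.hasAnyAccess(t)) out.add(t);
    return out;
  }

  public static void main(String[] args) {
    Provider p = new Provider();
    List<String> tables = new ArrayList<>();
    for (int i = 0; i < 40000; i++) tables.add("db.t" + i); // constructed names
    p.grants.put("db.t7", EnumSet.of(Action.INSERT));       // the only grant
    List<String> loop = visibleByLoop(p, tables);
    long loopCalls = p.calls; p.calls = 0;
    List<String> any = visibleByAny(p, tables);
    System.out.println("same result: " + loop.equals(any) + ", loop calls: " + loopCalls + ", any calls: " + p.calls);
  }
}
```

Both filters must return the same visible set; for a user with no privileges on most tables, the loop costs one evaluation per action per table, while the ANY form costs one per table.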
