[ https://issues.apache.org/jira/browse/SENTRY-2534?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Quanlong Huang updated SENTRY-2534:
-----------------------------------
    Attachment: cdh5.16.2-40k-tables-calltree-profile.png

> Provide API for checking ANY privileges
> ---------------------------------------
>
>                 Key: SENTRY-2534
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2534
>             Project: Sentry
>          Issue Type: New Feature
>            Reporter: Quanlong Huang
>            Priority: Major
>         Attachments: cdh5.16.2-40k-tables-calltree-profile.png
>
>
> In Impala when dealing with SHOW TABLES statements or GET_TABLES HiveServer2 
> requests, we need to check whether the user has any privileges on the table 
> before showing it. However, Sentry does not support checking ANY privilege 
> (while Ranger does) so we have to loop over all possible privileges if the 
> user doesn't have any of them:
> {code:java}
> for (ImpalaAction action: actions) {
>   if (provider_.hasAccess(new Subject(user.getShortName()), authorizables,
>       EnumSet.of(action), request.hasGrantOption(), ActiveRoleSet.ALL)) {
>     return true;
>   }
> }
> return false;{code}
> Code link: 
> [https://github.com/apache/impala/blob/3.3.0/fe/src/main/java/org/apache/impala/authorization/sentry/SentryAuthorizationChecker.java#L120-L129]
>  
> This is time-consuming if there are lots of tables to check. In CPU 
> profiling for IMPALA-9002, we see that most of the time is spent in Sentry:
> !cdh5.16.2-patch3543-db40k-calltree-profile.png|width=1295,height=1105!
> It'd be better if we could get rid of the loop and get the result from Sentry 
> directly.
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
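
The cost difference the issue describes, as an added example that is not code from the issue, Impala or Sentry: a toy in-memory model that filters a table listing once with a per-action loop and once with a single ANY check, confirms both filters return the same visible set, and counts policy evaluations. All class, method and enum names are hypothetical, and the grants are constructed.

```java
import java.util.*;

// Added illustration: toy in-memory model, not Sentry's or Impala's API.
public class AnyPrivilegeCheck {
  enum Action { SELECT, INSERT, ALTER, CREATE, DROP, REFRESH, ALL }

  // Constructed grants: table name -> actions granted to the user under test.
  static final Map<String, EnumSet<Action>> GRANTS = new HashMap<>();
  static long evaluations = 0; // counts policy evaluations

  // Stand-in for one provider call: is this single action granted on the table?
  static boolean hasAccess(String table, Action action) {
    evaluations++;
    EnumSet<Action> granted = GRANTS.get(table);
    return granted != null && (granted.contains(action) || granted.contains(Action.ALL));
  }

  // Loop approach from the issue: probe each action until one succeeds.
  static boolean hasAnyByLoop(String table) {
    for (Action a : Action.values()) {
      if (hasAccess(table, a)) return true;
    }
    return false; // worst case: every action was evaluated for an unprivileged user
  }

  // Requested approach: one evaluation answering "is anything granted here?".
  static boolean hasAny(String table) {
    evaluations++;
    EnumSet<Action> granted = GRANTS.get(table);
    return granted != null && !granted.isEmpty();
  }

  public static void main(String[] args) {
    int tables = 40_000;
    // Constructed data: the user holds SELECT on every 100th table only.
    for (int i = 0; i < tables; i += 100) GRANTS.put("t" + i, EnumSet.of(Action.SELECT));

    int visibleLoop = 0, visibleAny = 0;
    evaluations = 0;
    for (int i = 0; i < tables; i++) if (hasAnyByLoop("t" + i)) visibleLoop++;
    long loopEvals = evaluations;

    evaluations = 0;
    for (int i = 0; i < tables; i++) if (hasAny("t" + i)) visibleAny++;
    long anyEvals = evaluations;

    // The listing filter must not change: both checks hide the same tables.
    if (visibleLoop != visibleAny) throw new AssertionError("filters disagree");
    System.out.printf("visible=%d loopEvals=%d anyEvals=%d%n", visibleLoop, loopEvals, anyEvals);
  }
}
```

The tables the user cannot see dominate the loop's cost, because each one is probed once per action before it is hidden.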
