Alex Behm has posted comments on this change. ( http://gerrit.cloudera.org:8080/9589 )
Change subject: IMPALA-6643: Add REFRESH fine-grained privilege ...................................................................... Patch Set 15: (10 comments) http://gerrit.cloudera.org:8080/#/c/9589/15/fe/src/main/java/org/apache/impala/analysis/ResetMetadataStmt.java File fe/src/main/java/org/apache/impala/analysis/ResetMetadataStmt.java: http://gerrit.cloudera.org:8080/#/c/9589/15/fe/src/main/java/org/apache/impala/analysis/ResetMetadataStmt.java@116 PS15, Line 116: } else { nit: I think it's more logical to structure the ifs this way since these really are three completely different cases: if (tableName_ != null) { } else if (database_ != null) { } else { } http://gerrit.cloudera.org:8080/#/c/9589/15/fe/src/main/java/org/apache/impala/authorization/AuthorizationChecker.java File fe/src/main/java/org/apache/impala/authorization/AuthorizationChecker.java: http://gerrit.cloudera.org:8080/#/c/9589/15/fe/src/main/java/org/apache/impala/authorization/AuthorizationChecker.java@141 PS15, Line 141: if (privilege == Privilege.REFRESH) { can you do "else if" here as well to make the ifs less nested? http://gerrit.cloudera.org:8080/#/c/9589/15/fe/src/main/java/org/apache/impala/authorization/Privilege.java File fe/src/main/java/org/apache/impala/authorization/Privilege.java: http://gerrit.cloudera.org:8080/#/c/9589/15/fe/src/main/java/org/apache/impala/authorization/Privilege.java@52 PS15, Line 52: public enum SentryAction implements Action { What's the benefit of having a separate SentryAction as opposed to making Privilege implement Action directly? http://gerrit.cloudera.org:8080/#/c/9589/15/fe/src/test/java/org/apache/impala/analysis/AuthorizationTest.java File fe/src/test/java/org/apache/impala/analysis/AuthorizationTest.java: http://gerrit.cloudera.org:8080/#/c/9589/15/fe/src/test/java/org/apache/impala/analysis/AuthorizationTest.java@266 PS15, Line 266: roleName = "refresh_functional_alltypes"; Why do we need both refresh_functional_alltypesagg and refresh_functional_alltypes? They both cover refresh at the table level. http://gerrit.cloudera.org:8080/#/c/9589/15/fe/src/test/java/org/apache/impala/analysis/AuthorizationTest.java@861 PS15, Line 861: // but no privilege on table-level access. but no privileges at the table level. http://gerrit.cloudera.org:8080/#/c/9589/15/fe/src/test/java/org/apache/impala/analysis/AuthorizationTest.java@919 PS15, Line 919: AuthzOk("invalidate metadata"); add all variants of invalidate and refresh here to make sure admins can do anything http://gerrit.cloudera.org:8080/#/c/9589/15/fe/src/test/java/org/apache/impala/analysis/AuthorizationTest.java@922 PS15, Line 922: ((ImpaladTestCatalog) ctx_.catalog).reset(); I think we can remove the ImpalaTestCatalog cast http://gerrit.cloudera.org:8080/#/c/9589/15/fe/src/test/java/org/apache/impala/analysis/AuthorizationTest.java@925 PS15, Line 925: // User only has REFRESH privilege on server. remove "only" http://gerrit.cloudera.org:8080/#/c/9589/15/fe/src/test/java/org/apache/impala/analysis/AuthorizationTest.java@935 PS15, Line 935: AuthzOk("invalidate metadata"); add all variants of invalidate and refresh http://gerrit.cloudera.org:8080/#/c/9589/15/fe/src/test/java/org/apache/impala/analysis/AuthorizationTest.java@938 PS15, Line 938: ((ImpaladTestCatalog) ctx_.catalog).reset(); I think we can remove the ImpalaTestCatalog cast -- To view, visit http://gerrit.cloudera.org:8080/9589 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I4c3c5a51fe493d39fd719c7a388d4d5760049ce4 Gerrit-Change-Number: 9589 Gerrit-PatchSet: 15 Gerrit-Owner: Fredy Wijaya <fwij...@cloudera.com> Gerrit-Reviewer: Adam Holley <g...@holleyism.com> Gerrit-Reviewer: Alex Behm <alex.b...@cloudera.com> Gerrit-Reviewer: Bharath Vissapragada <bhara...@cloudera.com> Gerrit-Reviewer: Fredy Wijaya <fwij...@cloudera.com> Gerrit-Reviewer: Vuk Ercegovac <vercego...@cloudera.com> Gerrit-Comment-Date: Mon, 19 Mar 2018 23:09:40 +0000 Gerrit-HasComments: Yes