Fredy Wijaya has posted comments on this change. ( http://gerrit.cloudera.org:8080/11531 )
Change subject: IMPALA-7503: SHOW GRANT USER not showing all privileges. ...................................................................... Patch Set 2: (19 comments) http://gerrit.cloudera.org:8080/#/c/11531/2//COMMIT_MSG Commit Message: http://gerrit.cloudera.org:8080/#/c/11531/2//COMMIT_MSG@11 PS2, Line 11: The output for SHOW : GRANT USER will have two additional columns for privilege name and : privilege type so the user can know where the privilege comes from. : Can we show a sample output here? http://gerrit.cloudera.org:8080/#/c/11531/2/fe/src/main/java/org/apache/impala/catalog/AuthorizationPolicy.java File fe/src/main/java/org/apache/impala/catalog/AuthorizationPolicy.java: http://gerrit.cloudera.org:8080/#/c/11531/2/fe/src/main/java/org/apache/impala/catalog/AuthorizationPolicy.java@471 PS2, Line 471: public synchronized TResultSet getPrincipalPrivileges(String principalName, I feel like it's better to have two separate methods, getRolePrivileges() and getUserPrivileges(). It makes the code easier to read and we can factor out common code if needed. http://gerrit.cloudera.org:8080/#/c/11531/2/fe/src/main/java/org/apache/impala/catalog/AuthorizationPolicy.java@472 PS2, Line 472: forUser showPrincipal is probably a better name for this. http://gerrit.cloudera.org:8080/#/c/11531/2/fe/src/main/java/org/apache/impala/catalog/AuthorizationPolicy.java@474 PS2, Line 474: AnalysisException nit: move this to L473 http://gerrit.cloudera.org:8080/#/c/11531/2/fe/src/main/java/org/apache/impala/catalog/AuthorizationPolicy.java@544 PS2, Line 544: Set<String> groupNames = fe.getAuthzChecker().getUserGroups(user); This call can be quite expensive. We should only call it once L499 and L544. http://gerrit.cloudera.org:8080/#/c/11531/2/fe/src/main/java/org/apache/impala/catalog/AuthorizationPolicy.java@553 PS2, Line 553: for (int i = 0; i < rolePrivs.rows.size(); ++i) { : result.addToRows(rolePrivs.rows.get(i)); : } We can avoid this copying if we create a method, e.g. getRolePrivileges that returns TResultRowBuilder. http://gerrit.cloudera.org:8080/#/c/11531/2/fe/src/test/java/org/apache/impala/service/CustomClusterGroupMapper.java File fe/src/test/java/org/apache/impala/service/CustomClusterGroupMapper.java: http://gerrit.cloudera.org:8080/#/c/11531/2/fe/src/test/java/org/apache/impala/service/CustomClusterGroupMapper.java@39 PS2, Line 39: remove empty line http://gerrit.cloudera.org:8080/#/c/11531/2/fe/src/test/java/org/apache/impala/service/CustomClusterResourceAuthorizationProvider.java File fe/src/test/java/org/apache/impala/service/CustomClusterResourceAuthorizationProvider.java: http://gerrit.cloudera.org:8080/#/c/11531/2/fe/src/test/java/org/apache/impala/service/CustomClusterResourceAuthorizationProvider.java@28 PS2, Line 28: fix indentation http://gerrit.cloudera.org:8080/#/c/11531/2/fe/src/test/java/org/apache/impala/service/CustomClusterResourceAuthorizationProvider.java@33 PS2, Line 33: fix indentation http://gerrit.cloudera.org:8080/#/c/11531/2/testdata/workloads/functional-query/queries/QueryTest/show_grant_user.test File testdata/workloads/functional-query/queries/QueryTest/show_grant_user.test: http://gerrit.cloudera.org:8080/#/c/11531/2/testdata/workloads/functional-query/queries/QueryTest/show_grant_user.test@1 PS2, Line 1: ==== This test cases are a bit hard to read with the names that contain numbers, i.e. group_1, group_2a, group_2b, etc. Is it not possible to just use a single group? http://gerrit.cloudera.org:8080/#/c/11531/2/tests/authorization/test_show_grant_user.py File tests/authorization/test_show_grant_user.py: http://gerrit.cloudera.org:8080/#/c/11531/2/tests/authorization/test_show_grant_user.py@1 PS2, Line 1: # Licensed to the Apache Software Foundation (ASF) under one nit: need consistency in this file whether to use ' or " for strings. http://gerrit.cloudera.org:8080/#/c/11531/2/tests/authorization/test_show_grant_user.py@18 PS2, Line 18: # Client tests for SQL statement authorization : # In these tests we run all the tests twice. Once with just using cache, hence the : # long sentry poll, and once by ensuring refreshes happen from Sentry. this comment doesn't look correct. http://gerrit.cloudera.org:8080/#/c/11531/2/tests/authorization/test_show_grant_user.py@75 PS2, Line 75: finally: : pass the finally isn't useful here. http://gerrit.cloudera.org:8080/#/c/11531/2/tests/authorization/test_show_grant_user.py@87 PS2, Line 87: "org.apache.impala.service.CustomClusterResourceAuthorizationProvider" nit: indentation http://gerrit.cloudera.org:8080/#/c/11531/2/tests/authorization/test_show_grant_user.py@88 PS2, Line 88: catalogd_args="--sentry_config=" + SENTRY_CONFIG_FILE + : " --authorization_policy_provider_class=" + : "org.apache.impala.service.CustomClusterResourceAuthorizationProvider" use python string format instead of + http://gerrit.cloudera.org:8080/#/c/11531/2/tests/common/sentry_cache_test_suite.py File tests/common/sentry_cache_test_suite.py: http://gerrit.cloudera.org:8080/#/c/11531/2/tests/common/sentry_cache_test_suite.py@43 PS2, Line 43: gnoreRole use snake_case, i.e. ignore_role http://gerrit.cloudera.org:8080/#/c/11531/2/tests/common/sentry_cache_test_suite.py@52 PS2, Line 52: offset call it index? http://gerrit.cloudera.org:8080/#/c/11531/2/tests/common/sentry_cache_test_suite.py@52 PS2, Line 52: offset = 0 : if ignoreRole: : offset = 2 can be simplified to index = 2 if ignore_role else 0 http://gerrit.cloudera.org:8080/#/c/11531/2/tests/common/sentry_cache_test_suite.py@56 PS2, Line 56: scope, database, table, column, uri, privilege, grant_option, create_time Update the comment -- To view, visit http://gerrit.cloudera.org:8080/11531 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: Ie9f6c88f5569e1c414ceb8a86e7b013eaa3ecde1 Gerrit-Change-Number: 11531 Gerrit-PatchSet: 2 Gerrit-Owner: Adam Holley <ahol...@cloudera.com> Gerrit-Reviewer: Adam Holley <ahol...@cloudera.com> Gerrit-Reviewer: Fredy Wijaya <fwij...@cloudera.com> Gerrit-Reviewer: Impala Public Jenkins <impala-public-jenk...@cloudera.com> Gerrit-Comment-Date: Thu, 27 Sep 2018 03:36:23 +0000 Gerrit-HasComments: Yes