Quanlong Huang has uploaded this change for review. ( http://gerrit.cloudera.org:8080/14400
Change subject: IMPALA-9002: Add query option to only check SELECT privilege in SHOW TABLES ...................................................................... IMPALA-9002: Add query option to only check SELECT privilege in SHOW TABLES If authorization is enabled, SHOW TABLES statements will only return tables that the user has ANY privileges on them. If the user don't have any privileges on a table, we need 8 privilege checks (ALL, INSERT, SELECT, ALTER, CREATE, DROP, OWNER, REFRESH) to get this conclusion. It takes time in Sentry to check these one by one if there are thousands of tables. Unfortunately, there are no batch API for these checks. This introduces a performance regression after we supported fine-grained privileges, since before that we just check 3 privileges (ALL, INSERT, SELECT). In practice, SELECT privilege is the minimal privilege set. It's wired to grant INSERT or other privileges to a resource without SELECT privilege. We can simplify the process to only check on SELECT privilege if users make sure that SELECT privilege is the minimal privilege set in their environment. This patch adds a flag(SIMPLIFY_CHECK_ON_SHOW_TABLES) to bypass checking other privileges in SHOW TABLE statements. Testing in a database with 40k tables and granting the user SELECT privilege on only 6 tables. When using Sentry, the SHOW TABLES statement takes 5s. With the SIMPLIFY_CHECK_ON_SHOW_TABLES enabled, time reduces to 1.2s. No performance gain is observed when using Ranger since Ranger is fast enough. Tests: - Add custom cluster test for the flag in test_authorization.py for both Sentry and Ranger. Change-Id: I17e2b7bf9e36c54627276a6812b459912156cc3c --- M be/src/common/global-flags.cc M be/src/util/backend-gflag-util.cc M common/thrift/BackendGflags.thrift M fe/src/main/java/org/apache/impala/service/BackendConfig.java M fe/src/main/java/org/apache/impala/service/Frontend.java M tests/authorization/test_authorization.py 6 files changed, 92 insertions(+), 2 deletions(-) git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/00/14400/1 -- To view, visit http://gerrit.cloudera.org:8080/14400 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: newchange Gerrit-Change-Id: I17e2b7bf9e36c54627276a6812b459912156cc3c Gerrit-Change-Number: 14400 Gerrit-PatchSet: 1 Gerrit-Owner: Quanlong Huang <huangquanl...@gmail.com>
