Hello Anonymous Coward (498), Vihang Karajgaonkar, Daniel Becker, Impala Public
Jenkins,
I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/15068
to look at the new patch set (#11).
Change subject: IMPALA-9242: Filter privileges before returning them to Sentry
......................................................................
IMPALA-9242: Filter privileges before returning them to Sentry
This change implements the new FilteredPrivilegeCache, which adds
functions for filtering privileges based on the authorizable and
for returning Privileges directly instead of their String form.
The filtering is based on server + db + table (or just server in
case of URI privileges) to filter out the bulk of unrelated privileges.
Efficient filtering is done by a new class PrincipalPrivilegeTree.
It was tempting to reuse Sentry's TreePrivilegeCache, which has a very
similar role, but it lacks a "remove" function that is needed to keep
this index in sync with the CatalogObjectCache in Principal. I am also
a bit concerned about the possible side effect of Sentry's interning
of names in privileges - we try to avoid using String.intern() on
massive amount of names in Impala.
Other Changes:
- Add the Sentry privilege name as member to PrincipalPrivileges.
Note that the name was a member of TPrivilege till IMPALA-7616.
Storing the name shouldn't consume much extra memory, as it
is already stored as the key of the PrincipalPrivilege in
CatalogObjectCache.
Testing:
- added unit tests based on Sentry / TestTreePrivilegeCache
Change-Id: Iecd4281368d1c9fe88cfe850ea725cd68895712e
---
M
fe/src/main/java/org/apache/impala/authorization/sentry/SentryAuthorizationPolicy.java
M fe/src/main/java/org/apache/impala/catalog/Principal.java
M fe/src/main/java/org/apache/impala/catalog/PrincipalPrivilege.java
A fe/src/main/java/org/apache/impala/catalog/PrincipalPrivilegeTree.java
A fe/src/test/java/org/apache/impala/catalog/PrincipalPrivilegeTreeTest.java
5 files changed, 509 insertions(+), 9 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/68/15068/11
--
To view, visit http://gerrit.cloudera.org:8080/15068
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Iecd4281368d1c9fe88cfe850ea725cd68895712e
Gerrit-Change-Number: 15068
Gerrit-PatchSet: 11
Gerrit-Owner: Csaba Ringhofer <csringho...@cloudera.com>
Gerrit-Reviewer: Anonymous Coward (498)
Gerrit-Reviewer: Csaba Ringhofer <csringho...@cloudera.com>
Gerrit-Reviewer: Daniel Becker <daniel.bec...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <impala-public-jenk...@cloudera.com>
Gerrit-Reviewer: Vihang Karajgaonkar <vih...@cloudera.com>
