Hao Hao has posted comments on this change. ( http://gerrit.cloudera.org:8080/12833 )

Change subject: WIP [master] introduced SentryAuthzCache
......................................................................


Patch Set 5:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/12833/5/src/kudu/master/sentry_authz_provider.cc
File src/kudu/master/sentry_authz_provider.cc:

http://gerrit.cloudera.org:8080/#/c/12833/5/src/kudu/master/sentry_authz_provider.cc@464
PS5, Line 464: SentryAuthzProvider::IsSameScopeHierarchyBranch
> Right, in such cases, we do want to validate if the privileges are from the
After discussion with Andrew offline, I agree that we actually should sanitize 
that the privilege scope matches the authorizable before relying on privilege 
scope validation, because the Sentry API doesn't filter on privilege scope. 
Moreover, I think we missed this in the previous patch which introduced the 
privilege scope validation to SentryAuthzProvider.

Also, Andrew raised a good point that we may want to remove the privileges that 
are not relevant to Kudu (e.g. those that have non-Kudu-related actions) before 
caching, to avoid wasting time on checking them again.



--
To view, visit http://gerrit.cloudera.org:8080/12833
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Idaefacd50736f1f152dae34e76778e17b2e84cbe
Gerrit-Change-Number: 12833
Gerrit-PatchSet: 5
Gerrit-Owner: Alexey Serbin <aser...@cloudera.com>
Gerrit-Reviewer: Adar Dembo <a...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <aser...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Hao Hao <hao....@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Sun, 31 Mar 2019 05:14:28 +0000
Gerrit-HasComments: Yes