Hello Kudu Jenkins, Andrew Wong, Hao Hao,

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/13069

to look at the new patch set (#2).

Change subject: [authz] updated SentryAuthzProvider caching strategy
......................................................................

[authz] updated SentryAuthzProvider caching strategy

This patch updates the way the privilege cache in
SentryAuthzProvider is populated.  Prior to this patch, only
one entry per sanitized Sentry's response was created.  With
this patch, a response may be split into two entries: one
contains server- and database-scope privileges, and another
contains table- and column-scope privileges.  Of course, it
also changes the lookup process: now it's necessary to search
for two entries in the cache if looking up information
related to table-level authz scope.

The new caching strategy leverages the fact that Sentry includes
privileges granted on authorizables of higher scopes in the hierarchy,
if any.  The new strategy is beneficial in cases when a user
has privileges granted on a database, and those privileges imply
privileges on tables and columns.  In that case, once there was
a request to authorize an action on one table or a column of that table,
the next request to authorize an action on another table or column of
another table will hit the cache, avoiding an extra RPC to Sentry.
Another example that benefits from the new caching scheme is
AuthorizeDropTable(tableA) followed by AuthorizeCreateTable(tableA).

Change-Id: Id96181345e357a104e28314d8d8d88633dcf9608
---
M src/kudu/master/sentry_authz_provider-test.cc
M src/kudu/master/sentry_privileges_fetcher.cc
M src/kudu/master/sentry_privileges_fetcher.h
3 files changed, 208 insertions(+), 36 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/69/13069/2
--
To view, visit http://gerrit.cloudera.org:8080/13069
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Id96181345e357a104e28314d8d8d88633dcf9608
Gerrit-Change-Number: 13069
Gerrit-PatchSet: 2
Gerrit-Owner: Alexey Serbin <aser...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Hao Hao <hao....@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
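
The split-entry caching described in the commit message above, as an added example that is not code from this change or from Kudu. The `Fetcher` type, the `user/db.table` key format, the action strings and the sample grants are assumptions made for illustration; server and column scopes are left out to keep the model small.

```cpp
#include <map>
#include <set>
#include <string>

// Simplified, hypothetical model of the split cache; not Kudu's SentryPrivilegesFetcher.
using Actions = std::set<std::string>;

struct Fetcher {
  std::map<std::string, Actions> sentry;  // constructed stand-in for Sentry's grants
  std::map<std::string, Actions> cache;   // one entry per scope key
  int rpcs = 0;

  Actions Granted(const std::string& key) const {
    auto it = sentry.find(key);
    return it == sentry.end() ? Actions{} : it->second;
  }

  // Simulated RPC. The response covers the requested scope plus the higher
  // (database) scope, and is stored as two separate cache entries.
  void Fetch(const std::string& db_key, const std::string& table) {
    ++rpcs;
    cache[db_key] = Granted(db_key);
    if (!table.empty()) cache[db_key + "." + table] = Granted(db_key + "." + table);
  }

  // An empty `table` means a database-scope request (e.g. creating a table).
  bool Authorize(const std::string& user, const std::string& db,
                 const std::string& table, const std::string& action) {
    const std::string db_key = user + "/" + db;
    const std::string tbl_key = db_key + "." + table;
    auto d = cache.find(db_key);
    // A cached database-scope entry that implies the action settles it alone.
    if (d != cache.end() && d->second.count(action)) return true;
    // Otherwise every entry relevant to the requested scope must be cached.
    bool miss = d == cache.end() || (!table.empty() && !cache.count(tbl_key));
    if (miss) Fetch(db_key, table);
    if (cache[db_key].count(action)) return true;
    return !table.empty() && cache[tbl_key].count(action) > 0;
  }
};

// Constructed sample grants: alice on a database, bob on a single table.
Fetcher MakeFetcher() {
  Fetcher f;
  f.sentry["alice/db1"] = {"SELECT", "CREATE"};
  f.sentry["bob/db1.t1"] = {"DROP"};
  return f;
}
```

In this model a database-scope check that follows a table-scope check for the same user and database is answered from the cache whether the result is allow or deny, which is the drop-then-create case the message mentions.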
