Adar Dembo has posted comments on this change. ( 
http://gerrit.cloudera.org:8080/13069 )

Change subject: [authz] new SentryAuthzProvider's caching strategy
......................................................................


Patch Set 4:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/13069/4//COMMIT_MSG
Commit Message:

http://gerrit.cloudera.org:8080/#/c/13069/4//COMMIT_MSG@8
PS4, Line 8:
           : This patch updates the way the privilege cache in
           : SentryAuthzProvider is populated.  Prior to this patch, only one entry
           : per sanitized Sentry response was created.  With this patch,
           : a response may be split into two entries: one contains SERVER- and
           : DATABASE-scope privileges, and another contains TABLE- and COLUMN-scope
           : privileges.  Of course, it also changes the lookup process: now it's
           : necessary to search for two entries in the cache when looking up
           : an entry with privileges for an authorizable of the TABLE scope.
           :
           : The new caching strategy leverages the fact that Sentry includes
           : information on privileges granted on authorizables of higher scopes
           : in the hierarchy, if any.  The new strategy is beneficial in cases
           : when a user has privileges granted on a DATABASE.  In that case, once
           : there was a request to authorize an action on a table or a column
           : of that table, the next request to authorize an action on the database
           : itself will hit the cache, avoiding an extra RPC sent to Sentry.
           : Other examples that benefit from the new caching scheme are
           : scenarios like AuthorizeDropTable(tableA) followed by
           : AuthorizeCreateTable(tableA).
> I think you're referring to optimizing which branch we copy? I don't think
Yeah, I misunderstood: I assumed that we'd "early out" if we got a hit in the
first of two lookups. While desirable for "simple lookups" (i.e. am I allowed
to create this table?) it's not actually correct for OpenTable, where we want
to collect all privileges that a user might have on a table. Moreover, even for
simple lookups, which of /s/d/t or /s/d succeed has nothing to do with the
order in which they're executed, but everything to do with the underlying
privileges in Sentry's database.

Sorry for the noise.



--
To view, visit http://gerrit.cloudera.org:8080/13069
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Id96181345e357a104e28314d8d8d88633dcf9608
Gerrit-Change-Number: 13069
Gerrit-PatchSet: 4
Gerrit-Owner: Alexey Serbin <aser...@cloudera.com>
Gerrit-Reviewer: Adar Dembo <a...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <aser...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Hao Hao <hao....@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Comment-Date: Mon, 22 Apr 2019 22:33:26 +0000
Gerrit-HasComments: Yes
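The split-entry cache described in the commit message, and the "no early-out" point raised in the reply, as an added toy model. This is illustrative code written for this page, not Kudu's SentryAuthzProvider or the Sentry client; it assumes authorizable paths are tuples of the form (server, db[, table[, column]]), that requests come in at DATABASE scope or below, and it replaces the Sentry RPC with a constructed FakeSentry that counts calls.

```python
"""Toy model of a privilege cache split into a SERVER/DATABASE-scope entry and a
TABLE/COLUMN-scope entry per Sentry response. Added illustration, not Kudu code.
Assumed: authorizable paths are tuples (server, db[, table[, column]]) and
requests are at DATABASE scope or below; FakeSentry stands in for the RPC."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

SERVER, DATABASE, TABLE, COLUMN = "SERVER", "DATABASE", "TABLE", "COLUMN"
HIGH_SCOPES = {SERVER, DATABASE}
Path = Tuple[str, ...]


@dataclass(frozen=True)
class Privilege:
    scope: str
    path: Path      # e.g. ("srv", "db1", "t1")
    action: str     # e.g. "SELECT" or "ALL"


def _is_prefix(shorter: Path, longer: Path) -> bool:
    return longer[:len(shorter)] == shorter


class FakeSentry:
    """Stands in for the Sentry RPC (constructed, not the real client). Like
    Sentry, a response for an authorizable includes privileges granted on
    higher-scope authorizables in its hierarchy; for a TABLE request it also
    includes privileges on that table's columns (an assumption of this model)."""
    def __init__(self, grants: Dict[str, Set[Privilege]]):
        self.grants = grants
        self.rpc_count = 0

    def list_privileges(self, user: str, path: Path) -> Set[Privilege]:
        self.rpc_count += 1
        out = set()
        for p in self.grants.get(user, set()):
            if _is_prefix(p.path, path):
                out.add(p)                                   # self or an ancestor
            elif len(path) == 3 and p.scope == COLUMN and _is_prefix(path, p.path):
                out.add(p)                                   # a column of this table
        return out


class SplitPrivilegeCache:
    def __init__(self, sentry: FakeSentry):
        self.sentry = sentry
        self.entries: Dict[Tuple[str, Path], FrozenSet[Privilege]] = {}
        self.hits = 0

    def _store(self, user: str, path: Path, privs: Set[Privilege]) -> None:
        # One response becomes up to two entries, keyed by /s/d and /s/d/t.
        self.entries[(user, path[:2])] = frozenset(p for p in privs if p.scope in HIGH_SCOPES)
        if len(path) >= 3:
            self.entries[(user, path[:3])] = frozenset(p for p in privs if p.scope not in HIGH_SCOPES)

    def privileges(self, user: str, path: Path) -> FrozenSet[Privilege]:
        keys = [path[:2]] + ([path[:3]] if len(path) >= 3 else [])
        found = [self.entries.get((user, k)) for k in keys]
        # No early-out: a TABLE-scope lookup needs *both* entries, so that every
        # privilege the user holds on the table (and above it) is returned.
        if all(f is not None for f in found):
            self.hits += 1
            return frozenset().union(*found)
        privs = self.sentry.list_privileges(user, path)
        self._store(user, path, privs)
        return frozenset(privs)

    def authorize(self, user: str, path: Path, action: str) -> bool:
        # A privilege on the authorizable or any ancestor with the action (or ALL) suffices.
        return any(_is_prefix(p.path, path) and p.action in (action, "ALL")
                   for p in self.privileges(user, path))


# Constructed grants: ALL on db1, SELECT on one column of t1, SELECT on table t2.
GRANTS = {"alice": {
    Privilege(DATABASE, ("srv", "db1"), "ALL"),
    Privilege(COLUMN, ("srv", "db1", "t1", "c1"), "SELECT"),
    Privilege(TABLE, ("srv", "db1", "t2"), "SELECT"),
}}


def drop_then_create_scenario():
    """AuthorizeDropTable(t1) followed by AuthorizeCreateTable(t1): the second
    check is DATABASE-scope and is served from the /s/d entry left by the first."""
    sentry = FakeSentry(GRANTS)
    cache = SplitPrivilegeCache(sentry)
    drop_ok = cache.authorize("alice", ("srv", "db1", "t1"), "DROP")
    create_ok = cache.authorize("alice", ("srv", "db1"), "CREATE")
    return drop_ok, create_ok, sentry.rpc_count, cache.hits


def no_early_out_scenario():
    """An already-cached /s/d entry does not satisfy a lookup on a different table."""
    sentry = FakeSentry(GRANTS)
    cache = SplitPrivilegeCache(sentry)
    cache.privileges("alice", ("srv", "db1", "t1"))
    privs = cache.privileges("alice", ("srv", "db1", "t2"))
    return sorted(p.path for p in privs), sentry.rpc_count, cache.hits
```

The first scenario reproduces the DROP-then-CREATE case from the commit message: one RPC, then a cache hit. The second shows why the lookup must consult both keys rather than stopping at the first hit: the /s/d entry exists after the t1 request, but the t2 request still goes to Sentry because its /s/d/t entry is missing, and the result includes the table-scope grant that only that RPC could return.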
