Alexey Serbin has posted comments on this change. ( http://gerrit.cloudera.org:8080/13494 )

Change subject: sentry: don't send requests for DATABASE/SERVER privileges

Patch Set 2:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/13494/2/src/kudu/master/sentry_privileges_fetcher.cc
File src/kudu/master/sentry_privileges_fetcher.cc:

http://gerrit.cloudera.org:8080/#/c/13494/2/src/kudu/master/sentry_privileges_fetcher.cc@693
PS2, Line 693: NarrowAuthzScopeForFetch(db, table, &authorizable);

I'm not sure it will work as expected. Assume there is a top-level request like

  return Authorize(SentryAuthorizableScope::Scope::DATABASE,
                   SentryAction::Action::CREATE,
                   new_table, user);

So, if new_table exists for some reason, would it fetch privileges info on new_table instead of the database? I'm not sure we want to add such narrowing at this level.

Another example:

  return Authorize(SentryAuthorizableScope::Scope::SERVER,
                   SentryAction::Action::ALL,
                   some_existing_table, user);

Will the result be what we really want with the change?

--
To view, visit http://gerrit.cloudera.org:8080/13494

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ic0025e3bacc8449dfffe99a1fc062a9e6787eb78
Gerrit-Change-Number: 13494
Gerrit-PatchSet: 2
Gerrit-Owner: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Adar Dembo <a...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <aser...@cloudera.com>
Gerrit-Reviewer: Hao Hao <hao....@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Comment-Date: Tue, 04 Jun 2019 18:18:27 +0000
Gerrit-HasComments: Yes