Andrew Wong has uploaded this change for review. ( http://gerrit.cloudera.org:8080/13549 )


Change subject: sentry: avoid authorizing every table in ListTables
......................................................................

sentry: avoid authorizing every table in ListTables

Currently ListTables will call into Sentry for every table in Kudu's
catalog, checking whether the user has metadata privileges on the table,
and adding it to the ListTablesResponsePB if so. This is expensive,
particularly when there are thousands of tables in Kudu.

This patch updates the authorization behavior to check whether the user
has METADATA privileges on the table's database for each table. If no
such privilege exists for the database, each table within the database
is checked.

A benchmark is added to gauge the performance in various scenarios:

With 1 database and 300 tables in the database, with privileges on the
database (warrants only a lookup on the database):
sentry_authz_provider-test.cc:414] Time spent Listing tables: real 0.253s   user 0.000s     sys 0.000s

With 1 database and 300 tables in the database, without privileges on
the database (warrants lookups on the database and each table):
sentry_authz_provider-test.cc:414] Time spent Listing tables: real 11.707s  user 0.016s     sys 0.005s

With 300 databases and 1 table in each database, without privileges on
the databases (warrants lookups on every database and every table):
sentry_authz_provider-test.cc:414] Time spent Listing tables: real 22.982s  user 0.043s     sys 0.022s

With 300 databases and 1 table in each database, with privileges on the
databases (warrants lookups on every database):
sentry_authz_provider-test.cc:414] Time spent Listing tables: real 22.363s  user 0.021s     sys 0.004s

Change-Id: I7c495c635fbd2a661709b6d7f04973b7864b5527
---
M src/kudu/master/CMakeLists.txt
M src/kudu/master/authz_provider.h
M src/kudu/master/catalog_manager.cc
M src/kudu/master/catalog_manager.h
A src/kudu/master/default_authz_provider.cc
M src/kudu/master/default_authz_provider.h
M src/kudu/master/sentry_authz_provider-test.cc
M src/kudu/master/sentry_authz_provider.cc
M src/kudu/master/sentry_authz_provider.h
9 files changed, 212 insertions(+), 32 deletions(-)



  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/49/13549/1
--
To view, visit http://gerrit.cloudera.org:8080/13549

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I7c495c635fbd2a661709b6d7f04973b7864b5527
Gerrit-Change-Number: 13549
Gerrit-PatchSet: 1
Gerrit-Owner: Andrew Wong <aw...@cloudera.com>
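
The database-first check described in the commit message, as an added sketch that is not code from the Kudu patch: it filters a table list with one database-scope lookup per database and falls back to a table-scope lookup only when the database check fails, counting round trips as the benchmark scenarios do. `AuthzLookup`, `ListResult` and `FilterAuthorizedTables` are hypothetical names, and the `db.table` naming and per-request memoization are assumptions.

```cpp
#include <functional>
#include <map>
#include <string>
#include <vector>

// Hypothetical stand-in for one remote authorization round trip.
// Arguments: database, table ("" means database scope). Returns true if the
// user holds METADATA on that scope.
using AuthzLookup = std::function<bool(const std::string&, const std::string&)>;

struct ListResult {
  std::vector<std::string> visible;  // tables the user may see
  int lookups = 0;                   // authorization round trips made
};

// Filters "db.table" names for a single user and a single request.
ListResult FilterAuthorizedTables(const std::vector<std::string>& tables,
                                  const AuthzLookup& has_metadata) {
  ListResult out;
  // Per-request cache of database-scope answers; it must never be shared
  // across users or outlive the request, or a revoked privilege could linger.
  std::map<std::string, bool> db_allowed;
  for (const auto& name : tables) {
    const auto dot = name.find('.');
    // Fail closed: a name without both a database and a table part is hidden.
    if (dot == std::string::npos || dot == 0 || dot + 1 == name.size()) continue;
    const std::string db = name.substr(0, dot);
    const std::string table = name.substr(dot + 1);
    auto it = db_allowed.find(db);
    if (it == db_allowed.end()) {
      ++out.lookups;
      it = db_allowed.emplace(db, has_metadata(db, "")).first;
    }
    bool allowed = it->second;
    if (!allowed) {
      // A database-scope denial is not a table-scope denial: check the table.
      ++out.lookups;
      allowed = has_metadata(db, table);
    }
    if (allowed) out.visible.push_back(name);
  }
  return out;
}
```

A negative database-scope answer is cached only to skip repeating the database lookup; it never suppresses the per-table check, so a user with a grant on a single table still sees that table.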
