> On Dec. 18, 2017, 6:55 p.m., Alexander Kolbasov wrote:
> > sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/DelegateSentryStore.java
> > Line 267 (original), 271 (patched)
> > <https://reviews.apache.org/r/64661/diff/3/?file=1922322#file1922322line271>
> >
> >     I think there is a way to directly test for membership in the JDOQL - can you check this?
> >
> >     We have similar code in SentryStore which does that.
>
> Arjun Mishra wrote:
>     Sasha not sure what exactly you are asking for? Are you asking for cases when a role is not mapped to any group? Also are your comments specific to my change?
>
>     I did look at SentryStore. There are many places in the class where we addRolesFilter and run executeWithMap but I didn't see any check for membership being done here.
>
> Alexander Kolbasov wrote:
>     I mean something similar to this:
>
>         private Set<String> getRoleNamesForGroupsCore(PersistenceManager pm, Set<String> groups) {
>             Query query = pm.newQuery(MSentryGroup.class);
>             query.setFilter(":p1.contains(this.groupName)");
>             List<MSentryGroup> sentryGroups = (List) query.execute(groups.toArray());
>
> Arjun Mishra wrote:
>     I did add addRolesFilter check. See below. And addRolesFilter does the contains check. So something similar to the above is already being done. Yes?
>
>     ************************************************************************
>     QueryParamBuilder paramBuilder = QueryParamBuilder.addRolesFilter(query, null, roles);
>
>     ************************************************************************
>     public static QueryParamBuilder addRolesFilter(Query query, QueryParamBuilder paramBuilder,
>                                                    Set<String> roleNames) {
>       query.declareVariables(MSentryRole.class.getName() + " role");
>       if (paramBuilder == null) {
>         paramBuilder = new QueryParamBuilder();
>       }
>       if (roleNames == null || roleNames.isEmpty()) {
>         return paramBuilder;
>       }
>       paramBuilder.newChild().addSet("role.roleName == ", roleNames);
>       paramBuilder.addString("roles.contains(role)");
>       return paramBuilder;
>     }
>
> Arjun Mishra wrote:
>     Sasha, I get the below exception when not adding the map link. So it looks like we need to explicitly addRolesFilter and execute with map
>
>     ========================================================================
>     javax.jdo.JDOUserException: Query has reference to member "roleName" of class "org.apache.sentry.provider.db.service.model.MSentryGroup" yet this doesnt exist!
>         at org.apache.sentry.provider.db.generic.service.persistent.TestDelegateSentryStore.testGetGroupsByRoleNames(TestDelegateSentryStore.java:160)
>     Caused by: org.datanucleus.exceptions.NucleusUserException: Query has reference to member "roleName" of class "org.apache.sentry.provider.db.service.model.MSentryGroup" yet this doesnt exist!
>         at org.apache.sentry.provider.db.generic.service.persistent.TestDelegateSentryStore.testGetGroupsByRoleNames(TestDelegateSentryStore.java:160)
>
>     ========================================================================

MSentryGroup doesn't have roleName, it has roles instead. I am not sure that you can do a similar check here. But looking at the caller:

    Set<String> roleNames = store.getRolesByGroups(request.getComponent(), groups);
    Set<TSentryRole> tSentryRoles = Sets.newHashSet();
    for (String roleName : roleNames) {
      Set<String> groupsForRoleName = store.getGroupsByRoles(request.getComponent(), Sets.newHashSet(roleName));
      tSentryRoles.add(new TSentryRole(roleName, groupsForRoleName));
    }

So first it gets all roles belonging to a given set of groups. Then it walks all roles and for each role it gets groups belonging to this role. This is a weird request, but putting this aside, would it make sense to use a single transaction to answer this question? Otherwise, if a group belongs to N roles, we need to use N transactions to get this.


- Alexander


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/64661/#review194080
-----------------------------------------------------------


On Dec. 19, 2017, 8:04 p.m., Arjun Mishra wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/64661/
> -----------------------------------------------------------
>
> (Updated Dec. 19, 2017, 8:04 p.m.)
>
>
> Review request for sentry, Alexander Kolbasov, Brian Towles, kalyan kumar kalvagadda, Na Li, Sergio Pena, and Vadim Spector.
>
>
> Repository: sentry
>
>
> Description
> -------
>
> When Solr is using Sentry server for authorization, it issues a lot of calls to {{getGroupsByRoles()}} function in {{DelegateSentryStore}}.
>
> This function isn't very efficient - it walks over each role in the set, obtains role by name, gets groups for each role, and collects all group names into a set.
>
> It may be possible to optimize it.
>
>
> Diffs
> -----
>
>   sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/DelegateSentryStore.java 4cb46abc5
>   sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestDelegateSentryStore.java 69d16238f
>
>
> Diff: https://reviews.apache.org/r/64661/diff/4/
>
>
> Testing
> -------
>
> mvn -f sentry-provider/sentry-provider-db/pom.xml test
>
>
> Thanks,
>
> Arjun Mishra
>
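
Added example, not part of the original thread and not Sentry code: an in-memory Java stand-in for the store that contrasts the caller loop quoted in the reply above (one call for the roles, then one call per role) with a single-call lookup returning the same role-to-groups mapping. The sample data, the transaction counter and the method getRoleToGroups are hypothetical, constructed for illustration.

```java
import java.util.*;

// Constructed in-memory stand-in for the store; each method call models one transaction.
public class RoleGroupLookup {
    // role name -> group names (constructed sample data)
    static final Map<String, Set<String>> ROLE_GROUPS = Map.of(
        "admin_role", Set.of("ops", "dev"),
        "reader_role", Set.of("dev", "qa"),
        "audit_role", Set.of("sec"));
    static int transactions = 0;

    static Set<String> getRolesByGroups(Set<String> groups) {
        transactions++;
        Set<String> roles = new TreeSet<>();
        ROLE_GROUPS.forEach((role, members) -> {
            if (!Collections.disjoint(members, groups)) roles.add(role);
        });
        return roles;
    }

    static Set<String> getGroupsByRoles(Set<String> roles) {
        transactions++;
        Set<String> groups = new TreeSet<>();
        for (String role : roles) groups.addAll(ROLE_GROUPS.getOrDefault(role, Set.of()));
        return groups;
    }

    // Hypothetical single-call variant: every role granted to the given groups,
    // each paired with its full group set, resolved in one transaction.
    static Map<String, Set<String>> getRoleToGroups(Set<String> groups) {
        transactions++;
        Map<String, Set<String>> out = new TreeMap<>();
        ROLE_GROUPS.forEach((role, members) -> {
            if (!Collections.disjoint(members, groups)) out.put(role, new TreeSet<>(members));
        });
        return out;
    }

    public static void main(String[] args) {
        Set<String> groups = Set.of("dev");
        // Caller pattern from the thread: 1 call for the roles + 1 call per role.
        Map<String, Set<String>> perRole = new TreeMap<>();
        for (String role : getRolesByGroups(groups)) {
            perRole.put(role, getGroupsByRoles(Set.of(role)));
        }
        int loopTransactions = transactions;
        transactions = 0;
        Map<String, Set<String>> single = getRoleToGroups(groups);
        System.out.println("loop:   " + perRole + " in " + loopTransactions + " transactions");
        System.out.println("single: " + single + " in " + transactions + " transaction");
        if (!perRole.equals(single)) throw new AssertionError("results differ");
    }
}
```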