Re: Review Request 71915: SENTRY-2539: PolicyEngine should be able to return privilege directly

Fri, 20 Dec 2019 15:07:55 -0800 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71915/#review219090
-----------------------------------------------------------




sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/FilteredPrivilegeCache.java
Lines 35 (patched)
<https://reviews.apache.org/r/71915/#comment307158>

    I think instead of setPrivilegeFactory, we should just have 
PrivilegeFactory getPrivilegeFactory(). That would mean that we can make 
privilegeFactory final field in the cache. I am not sure if we would want to 
have privilegeFactory to be configurable once the instance of the cache is 
created.



sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/PrivilegeCache.java
Line 46 (original)
<https://reviews.apache.org/r/71915/#comment307155>

    do we need to remove this? This nullifies the objective of creating a 
separate interface FilteredPrivilegeCache



sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimpleCacheProviderBackend.java
Lines 97 (patched)
<https://reviews.apache.org/r/71915/#comment307156>

    do we need copyOf?



sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimpleCacheProviderBackend.java
Lines 101 (patched)
<https://reviews.apache.org/r/71915/#comment307159>

    instead of returning empty may be throw a UnsupportedOperationException. 
Also you can add a Preconditions.checkState(cacheHandle instanceOf 
FilteredPrivilegeCache) in such a case.



sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimpleFilteredPrivilegeCache.java
Lines 41 (patched)
<https://reviews.apache.org/r/71915/#comment307160>

    If you don't modify the existing PrivilegeCache interface, we don't need 
this implementation. We should keep SimplePrivilegeCache as is so that fallback 
to previous behavior is possible.



sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimpleFilteredPrivilegeCache.java
Lines 58 (patched)
<https://reviews.apache.org/r/71915/#comment307157>

    can we use privilegeFactory here to create privilege instead of directly 
CommonPrivilege instance?



sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/TreePrivilegeCache.java
Lines 49 (patched)
<https://reviews.apache.org/r/71915/#comment307164>

    The code assumes that when the cache is being created all the privileges 
which are being cached are available upfront. But the general pattern of a 
privilege cache is such that it should support addPrivilege() and 
removePrivilege() methods.



sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/TreePrivilegeCache.java
Lines 57 (patched)
<https://reviews.apache.org/r/71915/#comment307161>

    Is the ability to set the privilegeFactory is necessary? Instead can we 
pass the PrivilegeFactory as an argument to the constructor and make it final. 
That would mean that we only need a getPrivilegeFactory method in the in 
FilteredPrivilegeCache interface method instead of setPrivilegeFactory.



sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/TreePrivilegeCache.java
Lines 60 (patched)
<https://reviews.apache.org/r/71915/#comment307162>

    The reason I suggest not to have a setPrivilegeFactory is because setting 
the privilegeFactory is actually recreating the cache which is an unusual 
pattern to use.



sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/TreePrivilegeCache.java
Lines 66-79 (patched)
<https://reviews.apache.org/r/71915/#comment307167>

    Why don't we use the input arguments here?



sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/TreePrivilegeCache.java
Lines 67 (patched)
<https://reviews.apache.org/r/71915/#comment307163>

    Instead of doing multiple null checks for this variable, may be make sure 
that it is never null initializing this to a HashSet<>() and making it final.



sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/TreePrivilegeCache.java
Lines 93 (patched)
<https://reviews.apache.org/r/71915/#comment307170>

    why we don't use the groups, users and roleSet arguments. Looks like this 
API is returning all the privileges for all the users for the given 
authorizationheirarchy. Same with the above method.



sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/TreePrivilegeCache.java
Lines 95 (patched)
<https://reviews.apache.org/r/71915/#comment307168>

    In the other method calls we are checking if the cachedPrivileges is null 
we return a empty result. May be we should do the same thing to be consistent. 
Since this class is not expected to be thread-safe anyways, why do we need to 
handle this case? I mean, will there be any case where cachedPrivileges is not 
null while cachedPrivilegeMap is null?



sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/TreePrivilegeCache.java
Lines 120 (patched)
<https://reviews.apache.org/r/71915/#comment307171>

    Do we expect the clients to call listPrivileges after close? If not, we 
should enforce that in code by throwing a IllegalStateException once this is 
closed.



sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/TreePrivilegeCache.java
Lines 174 (patched)
<https://reviews.apache.org/r/71915/#comment307169>

    can we be consistent. One method takes index first while the other takes it 
second argument.



sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/TreePrivilegeNode.java
Lines 44 (patched)
<https://reviews.apache.org/r/71915/#comment307165>

    Isn't this partIndex = 1 since partIndex=0 is server1?



sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/TreePrivilegeNode.java
Lines 78 (patched)
<https://reviews.apache.org/r/71915/#comment307166>

    Should this be an exception instead of warn?


- Vihang Karajgaonkar


On Dec. 20, 2019, 9:27 p.m., Na Li wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71915/
> -----------------------------------------------------------
> 
> (Updated Dec. 20, 2019, 9:27 p.m.)
> 
> 
> Review request for sentry, kalyan kumar kalvagadda and Vihang Karajgaonkar.
> 
> 
> Bugs: sentry-2359
>     https://issues.apache.org/jira/browse/sentry-2359
> 
> 
> Repository: sentry
> 
> 
> Description
> -------
> 
> Right now, the PolicyEngine Interface only returns the list of privileges in 
> the form of String. As a result, every authorization check has to convert the 
> privilege string to privilege object even though the cached privilege objects 
> are of the correct type already.
> 
> We should add a new function that returns privilege object directly to avoid 
> the overhead of conversion.
> 
> 
> Diffs
> -----
> 
>   
> sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java
>  5c7f84f 
>   
> sentry-binding/sentry-binding-hive-conf/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java
>  90fcfc3 
>   
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java
>  de88705 
>   
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/MetastoreAuthzBindingBase.java
>  2940a1e 
>   
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/SentryMetaStoreFilterHook.java
>  8e09490 
>   
> sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/privilege/hive/TestCommonPrivilegeForHive.java
>  6a8b871 
>   
> sentry-binding/sentry-binding-kafka/src/test/java/org/apache/sentry/privilege/kafka/TestKafkaWildcardPrivilege.java
>  0a0e2f0 
>   
> sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/privilege/solr/TestCommonPrivilegeForSolr.java
>  6782089 
>   
> sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/privilege/sqoop/TestCommonPrivilegeForSqoop.java
>  94e9919 
>   
> sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/KeyValue.java
>  b6a1faa 
>   
> sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/DBModelAuthorizables.java
>  7bc94c9 
>   
> sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/validator/AbstractDBPrivilegeValidator.java
>  fa28716 
>   
> sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/CommonPrivilege.java
>  5b261e3 
>   
> sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PolicyEngine.java
>  504b5ea 
>   
> sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/Privilege.java
>  6c2737a 
>   
> sentry-policy/sentry-policy-engine/src/main/java/org/apache/sentry/policy/engine/common/CommonPolicyEngine.java
>  a819bb0 
>   
> sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/FilteredPrivilegeCache.java
>  PRE-CREATION 
>   
> sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/PrivilegeCache.java
>  4bb6d32 
>   
> sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimpleCacheProviderBackend.java
>  ddb4ec5 
>   
> sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimpleFilteredPrivilegeCache.java
>  PRE-CREATION 
>   
> sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimplePrivilegeCache.java
>  5de3135 
>   
> sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/TreePrivilegeCache.java
>  PRE-CREATION 
>   
> sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/TreePrivilegeNode.java
>  PRE-CREATION 
>   
> sentry-provider/sentry-provider-cache/src/test/java/org/apache/sentry/provider/cache/PrivilegeCacheTestImpl.java
>  f2f735b 
>   
> sentry-provider/sentry-provider-cache/src/test/java/org/apache/sentry/provider/cache/TestSimpleFilteredPrivilegeCache.java
>  PRE-CREATION 
>   
> sentry-provider/sentry-provider-cache/src/test/java/org/apache/sentry/provider/cache/TestSimplePrivilegeCache.java
>  891c1d9 
>   
> sentry-provider/sentry-provider-cache/src/test/java/org/apache/sentry/provider/cache/TestTreePrivilegeCache.java
>  PRE-CREATION 
>   
> sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/CacheProvider.java
>  d50a0bc 
>   
> sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackend.java
>  b244dba 
>   
> sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java
>  222b77a 
>   
> sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestGetGroupMapping.java
>  ccc505f 
>   
> sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SimpleDBProviderBackend.java
>  277f6b3 
>   
> sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/SentryGenericProviderBackend.java
>  f8dc211 
>   
> sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestColumnEndToEnd.java
>  3881692 
>   
> sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java
>  4c09e68 
>   
> sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java
>  cc0465a 
>   
> sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestMetastoreEndToEnd.java
>  cb201bb 
> 
> 
> Diff: https://reviews.apache.org/r/71915/diff/9/
> 
> 
> Testing
> -------
> 
> Performance test in 
> 
> 1) 
> Privilege: db[1000], table[10]
> Authorizable: db[12000], table[1]
>   
>   TreePrivilegeCache - total time on list string: 448 ms         
> (TestTreePrivilegeCache.testListPrivilegesPerf)
>   TreePrivilegeCache - total time on list obj: 365 ms            
> (TestTreePrivilegeCache.testListPrivilegeObjectsPerf)
> 
>   SimplePrivilegeCache - total time on list string: 717 ms       
> (TestSimplePrivilegeCache.testListPrivilegesPerf)
>   SimplePrivilegeCache - total time on list obj: 794 ms          
> (TestSimplePrivilegeCache.testListPrivilegeObjectsPerf)
> 
> 2) 
> Privilege: db[1000], table[10]
> Authorizable: db[12000], table[10]
> 
>   TreePrivilegeCache - total time on list string: 1302 ms        
> (TestTreePrivilegeCache.testListPrivilegesPerf)
>   TreePrivilegeCache - total time on list obj: 604 ms            
> (TestTreePrivilegeCache.testListPrivilegeObjectsPerf)
> 
>   SimplePrivilegeCache - total time on list string: 4436 ms      
> (TestSimplePrivilegeCache.testListPrivilegesPerf)
>   SimplePrivilegeCache - total time on list obj: 3732 ms         
> (TestSimplePrivilegeCache.testListPrivilegeObjectsPerf)
> 
> 
> Thanks,
> 
> Na Li
> 
>

Reply via email to