[ https://issues.apache.org/jira/browse/IMPALA-9242?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17010800#comment-17010800 ]

Csaba Ringhofer commented on IMPALA-9242:
-----------------------------------------

I looked through SENTRY-2539 (https://reviews.apache.org/r/71915) and the 
related Impala code.  Implementing IMPALA-9242 would need some significant 
changes in Impala, especially if we want to avoid increasing memory usage.

The main issue is that Impala uses a (concurrent) hash set to store privileges 
for a user/role, and the key contains all information about a privilege, 
something like 
[ServerName=value]->[DbName=value]->[TableName=value]->[ColumnName=value]->[Action Granted=value]->[Grant Option=value]
(see https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/catalog/PrincipalPrivilege.java).
So this hash map doesn't offer a quick way to look up all privileges for a 
given authorizable.

> Access check should only check against the privileges of the authorizable
> -------------------------------------------------------------------------
>
>                 Key: IMPALA-9242
>                 URL: https://issues.apache.org/jira/browse/IMPALA-9242
>             Project: IMPALA
>          Issue Type: Improvement
>            Reporter: Vihang Karajgaonkar
>            Assignee: Csaba Ringhofer
>            Priority: Major
>
> Currently, according to the implementation of 
> https://github.com/apache/sentry/blob/branch-2.1.0/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimpleCacheProviderBackend.java#L64
> each access check request in Sentry is done against all the privileges of the 
> user. Instead, we can reduce the number of privilege checks significantly, if 
> we use this API in 
> https://github.com/apache/sentry/blob/master/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/PrivilegeCache.java#L46
> Unfortunately, SENTRY-1291 which is merged in master branch of Sentry is 
> unavailable. However, if we can have interface-side changes in 
> PrivilegeCache, Impala can implement a prefix-tree based {{PrivilegeCache}} 
> so that number of privileges returned are only related to the given 
> authorizable. This API can then be used in SimpleCacheProviderBackend to 
> reduce the processing time required to check access for a large number of 
> objects in large setups.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
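
The prefix-tree lookup discussed in this thread, as an added example that is not Impala or Sentry code: privileges are stored along the authorizable path (server, db, table, column), so a lookup touches only the nodes on that path instead of every privilege of the role. The class and method names are hypothetical, the sample grants are constructed, and it assumes a grant on a parent object also applies to its children.

```java
import java.util.*;

/** Added illustration; names are hypothetical, not Impala or Sentry APIs. */
public class PrivilegeTrieDemo {
    /** One trie node per authorizable level: server -> db -> table -> column. */
    static final class Node {
        final Map<String, Node> children = new HashMap<>();
        final List<String> grants = new ArrayList<>(); // action names, e.g. "select"
    }

    private final Node root = new Node();

    /** path is the authorizable hierarchy, e.g. ["server1", "sales", "orders"]. */
    void add(List<String> path, String grant) {
        Node n = root;
        for (String part : path) {
            n = n.children.computeIfAbsent(part.toLowerCase(Locale.ROOT), k -> new Node());
        }
        n.grants.add(grant);
    }

    /**
     * Returns the grants stored on the authorizable and on each of its ancestors
     * (assumption: a grant on a database also covers its tables and columns).
     * Cost is proportional to the path depth, not to the total number of privileges.
     */
    List<String> lookup(List<String> path) {
        List<String> out = new ArrayList<>();
        Node n = root;
        StringBuilder at = new StringBuilder();
        for (String part : path) {
            String key = part.toLowerCase(Locale.ROOT);
            n = n.children.get(key);
            if (n == null) break; // nothing granted below this point
            at.append(at.length() == 0 ? "" : ".").append(key);
            for (String g : n.grants) out.add(at + "->" + g);
        }
        return out;
    }

    public static void main(String[] args) {
        PrivilegeTrieDemo cache = new PrivilegeTrieDemo();
        // Constructed sample privileges for one role.
        cache.add(List.of("server1", "sales"), "select");
        cache.add(List.of("server1", "sales", "orders"), "insert");
        cache.add(List.of("server1", "hr", "salaries"), "all");
        // The hr subtree is never visited for a lookup under sales.
        System.out.println(cache.lookup(List.of("server1", "sales", "orders", "id")));
    }
}
```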
