[
https://issues.apache.org/jira/browse/IMPALA-7616?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17036546#comment-17036546
]
ASF subversion and git services commented on IMPALA-7616:
---------------------------------------------------------
Commit e7d10df2ecaf14f244eb32224e2c8099f2f0d8cf in impala's branch
refs/heads/master from Csaba Ringhofer
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=e7d10df ]
IMPALA-9242: Filter privileges before returning them to Sentry
This change implements the new FilteredPrivilegeCache, which adds
functions for filtering privileges based on the authorizable and
for returning Privileges directly instead of their String form.
The filtering is based on server + db + table (or just server in
case of URI privileges) to filter out the bulk of unrelated privileges.
Efficient filtering is done by a new class PrincipalPrivilegeTree.
It was tempting to reuse Sentry's TreePrivilegeCache, which has a very
similar role, but it lacks a "remove" function that is needed to keep
this index in sync with the CatalogObjectCache in Principal. I am also
a bit concerned about the possible side effect of Sentry's interning
of names in privileges - we try to avoid using String.intern() on
massive amount of names in Impala.
Other Changes:
- Add the Sentry privilege name as member to PrincipalPrivileges.
Note that the name was a member of TPrivilege till IMPALA-7616.
Storing the name shouldn't consume much extra memory, as it
is already stored as the key of the PrincipalPrivilege in
CatalogObjectCache.
Testing:
- added unit tests based on Sentry / TestTreePrivilegeCache
Change-Id: Iecd4281368d1c9fe88cfe850ea725cd68895712e
Reviewed-on: http://gerrit.cloudera.org:8080/15068
Reviewed-by: Impala Public Jenkins <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>
> Refactor PrincipalPrivilege.buildPrivilegeName
> ----------------------------------------------
>
> Key: IMPALA-7616
> URL: https://issues.apache.org/jira/browse/IMPALA-7616
> Project: IMPALA
> Issue Type: Bug
> Components: Frontend
> Affects Versions: Impala 3.1.0
> Reporter: Adam Holley
> Assignee: Fredy Wijaya
> Priority: Minor
> Fix For: Impala 3.1.0
>
>
> The buildPrivilegeName pattern across the frontend code is odd in that
> setting the name is an explicit function and not built during the get from
> the constituent parts. e.g. If you create a privilege that doesn't have the
> grant option set, and then set the grant option after, the getPrivilegeName()
> will return a name that does not have the grant option. This should be
> refactored to build the name on the getPrivilegeName call based on the
> current values in the Privilege object.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
