[jira] [Commented] (IMPALA-9242) Access check should only check against the privileges of the authorizable

Fri, 13 Nov 2020 04:38:10 -0800 


    [ 
https://issues.apache.org/jira/browse/IMPALA-9242?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17231429#comment-17231429
 ] 

Csaba Ringhofer commented on IMPALA-9242:
-----------------------------------------

The implementation is buggy at the moment, as it doesn't handle when 
server/db/table are empty strings instead of nulls in TPrivilege. FE tests do 
not generate such TPrivileges, so this didn't break our tests, but privileges 
returned by Sentry API do contain empty strings.

> Access check should only check against the privileges of the authorizable
> -------------------------------------------------------------------------
>
>                 Key: IMPALA-9242
>                 URL: https://issues.apache.org/jira/browse/IMPALA-9242
>             Project: IMPALA
>          Issue Type: Improvement
>            Reporter: Vihang Karajgaonkar
>            Assignee: Csaba Ringhofer
>            Priority: Major
>
> Currently, according to the implementation of 
> https://github.com/apache/sentry/blob/branch-2.1.0/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimpleCacheProviderBackend.java#L64
> each access check request in Sentry is done against all the privileges of the 
> user. Instead, we can reduce the number of privilege checks significantly, if 
> we use this API in 
> https://github.com/apache/sentry/blob/master/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/PrivilegeCache.java#L46
> Unfortunately, SENTRY-1291 which is merged in master branch of Sentry is 
> unavailable. However, if we can have a interface side changes in 
> PrivilegeCache, Impala can implement a prefix-tree based {{PrivilegeCache}} 
> so that number of privileges returned are only related to the given 
> authorizable. This API can then be used in SimpleCacheProviderBackend to 
> reduce the processing time required to check access for a large number of 
> objects in large setups.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to