[jira] [Commented] (SENTRY-2284) Add two client API to get all roles or users privileges mapping

Wed, 18 Jul 2018 12:26:28 -0700 


    [ 
https://issues.apache.org/jira/browse/SENTRY-2284?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16548297#comment-16548297
 ] 

Sergio Peña commented on SENTRY-2284:
-------------------------------------

[~tlipcon] There is currently a known performance issue when Sentry manages 
more than 5k roles due to a bad SQL query used. I added this API that helps 
request a mapping object between roles/privileges or users/privileges with the 
assumption that current users won't exceed the 5k limit due to another API 
causing such performance problems.

However, there is room for improvement in this API. I can use data paging to 
request all the roles or users privileges in batches to avoid overloading the 
memory of the Sentry server. It can even use an iterator on the Client side to 
avoid memory issues there as well and request the next batch when the iterator 
finishes with one.

But the Sentry DB JDO schema does not expose the table ID to use it as the next 
batch. The package.jdo sets the table ID as a datastore identity instead of 
application identity. I played with the application identity before and the 
data paging worked pretty well, but I don't know the implications of changing 
the identity from datastore -> application in an upgrade. [~akolb] do you have 
an idea about this?

 

> Add two client API to get all roles or users privileges mapping
> ---------------------------------------------------------------
>
>                 Key: SENTRY-2284
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2284
>             Project: Sentry
>          Issue Type: Improvement
>          Components: Sentry
>    Affects Versions: 2.1.0
>            Reporter: Sergio Peña
>            Assignee: Sergio Peña
>            Priority: Major
>             Fix For: 2.1.0
>
>         Attachments: SENTRY-2284.1.patch, SENTRY-2284.2.patch
>
>
> Add two new API methods to the Sentry client to return all roles and their 
> privileges or all users and privileges in a map object.
> This is useful for components like Impala that keep a cache of all roles, 
> users and privileges on their side.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to