Csaba Ringhofer has posted comments on this change. ( 
http://gerrit.cloudera.org:8080/11509 )

Change subject: IMPALA-7616: Remove the use of privilege name in TPrivilege
......................................................................


Patch Set 7:

(6 comments)

The comments are optional with the exception of the one in SentryProxy.java.

http://gerrit.cloudera.org:8080/#/c/11509/7/common/thrift/CatalogObjects.thrift
File common/thrift/CatalogObjects.thrift:

http://gerrit.cloudera.org:8080/#/c/11509/7/common/thrift/CatalogObjects.thrift@537
PS7, Line 537: 1
My suggestion would be to avoid changing the numbers and leave a gap at 1 
(comment out the original member). This is not about compatibility (removing a 
required field breaks that anyway + it is not a goal for internal thrift 
structs) but about keeping the history of this file as simple as possible.

pros: can make cherry-picking easier - imagine a commit that adds new field, 
and someone who tries to backport it to a branch without your change - if the 
numbers are shifted then to new field will be 12, which will cause conflict on 
the old branch.

cons: I do not see any, leaving gaps in numbers does not add any overhead as 
far as I understand thrift

I have seen examples both for replacing numbers and leaving gaps in older 
commits, so I think that there is no consensus about this in Impala.


http://gerrit.cloudera.org:8080/#/c/11509/7/fe/src/main/java/org/apache/impala/catalog/AuthorizationPolicy.java
File fe/src/main/java/org/apache/impala/catalog/AuthorizationPolicy.java:

http://gerrit.cloudera.org:8080/#/c/11509/7/fe/src/main/java/org/apache/impala/catalog/AuthorizationPolicy.java@490
PS7, Line 490:         String privName = 
PrincipalPrivilege.buildPrivilegeName(filter);
             :         if (!privName.equalsIgnoreCase(
             :             PrincipalPrivilege.buildPrivilegeName(privilege))) {
             :           continue;
             :         }
Building the filter priv name could be moved outside the loop, or with some 
refactor principal.getPrivilige() could be used for the filtered path.


http://gerrit.cloudera.org:8080/#/c/11509/7/fe/src/main/java/org/apache/impala/catalog/Catalog.java
File fe/src/main/java/org/apache/impala/catalog/Catalog.java:

http://gerrit.cloudera.org:8080/#/c/11509/7/fe/src/main/java/org/apache/impala/catalog/Catalog.java@524
PS7, Line 524:         for (PrincipalPrivilege p: tmpPrincipal.getPrivileges()) 
{
             :           if (p.getName().equalsIgnoreCase(privilegeName)) {
This could be replaced with tmpPrincipal.GetPrivilege(privilegeName). It is 
also case insensitive and should be faster.


http://gerrit.cloudera.org:8080/#/c/11509/7/fe/src/main/java/org/apache/impala/catalog/CatalogServiceCatalog.java
File fe/src/main/java/org/apache/impala/catalog/CatalogServiceCatalog.java:

http://gerrit.cloudera.org:8080/#/c/11509/7/fe/src/main/java/org/apache/impala/catalog/CatalogServiceCatalog.java@1825
PS7, Line 1825:           
principal.removePrivilege(PrincipalPrivilege.buildPrivilegeName(privilege));
Building the privilege name could be moved outside the lock.


http://gerrit.cloudera.org:8080/#/c/11509/7/fe/src/main/java/org/apache/impala/catalog/CatalogServiceCatalog.java@1850
PS7, Line 1850:       return 
principal.getPrivilege(PrincipalPrivilege.buildPrivilegeName(privSpec));
Building the privilege name could be moved outside the lock.


http://gerrit.cloudera.org:8080/#/c/11509/7/fe/src/main/java/org/apache/impala/util/SentryProxy.java
File fe/src/main/java/org/apache/impala/util/SentryProxy.java:

http://gerrit.cloudera.org:8080/#/c/11509/7/fe/src/main/java/org/apache/impala/util/SentryProxy.java@268
PS7, Line 268:       // Remove the privileges that no longer exist.
             :       for (String privilegeName: privilegesToRemove) {
             :         TPrivilege privilege = new TPrivilege();
             :         if (principal.getPrincipalType() == TPrincipalType.ROLE) 
{
             :           catalog_.removeRolePrivilege(principal.getName(), 
privilege);
             :         } else {
             :           catalog_.removeUserPrivilege(principal.getName(), 
privilege);
             :         }
             :       }
This doesn't look ok to me - we are trying to remove the default privilege.

remove*Privilege functions use the privilege's name only, so it would be easy 
to rewrite those to expect privilege names instead of TPrivilege-s.

+ I am curios if there is any test that would catch such a bug - I am not 
saying that it should be added in this commit, but it may worth a follow up Jira



--
To view, visit http://gerrit.cloudera.org:8080/11509
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ia813dcc7d3872f126865c1f8f37175201a0b10ab
Gerrit-Change-Number: 11509
Gerrit-PatchSet: 7
Gerrit-Owner: Fredy Wijaya <[email protected]>
Gerrit-Reviewer: Adam Holley <[email protected]>
Gerrit-Reviewer: Csaba Ringhofer <[email protected]>
Gerrit-Reviewer: Fredy Wijaya <[email protected]>
Gerrit-Reviewer: Impala Public Jenkins <[email protected]>
Gerrit-Comment-Date: Wed, 26 Sep 2018 12:21:27 +0000
Gerrit-HasComments: Yes

Reply via email to