Impala Public Jenkins has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/14400 )
Change subject: IMPALA-9002: Add query option to only check SELECT privilege in SHOW TABLES ...................................................................... IMPALA-9002: Add query option to only check SELECT privilege in SHOW TABLES If authorization is enabled, SHOW TABLES statements or GET_TABLES requests in HS2 protocol (used in HUE and JDBC drivers) will only return tables that the user has ANY privileges on them. If the user don't have any privileges on a table, we need 8 privilege checks (ALL, INSERT, SELECT, ALTER, CREATE, DROP, OWNER, REFRESH) to get this conclusion. It takes time in Sentry to check these one by one if there are thousands of tables. Unfortunately, there are no batch API for these checks. This introduces a performance regression after we supported fine-grained privileges, since before that we just check 3 privileges (ALL, INSERT, SELECT). In practice, SELECT privilege is the minimal privilege set. It's wired to grant INSERT or other privileges to a resource without SELECT privilege. We can simplify the process to only check on SELECT privilege if users make sure that SELECT privilege is the minimal privilege set in their environment. This patch adds a flag(SIMPLIFY_CHECK_ON_SHOW_TABLES) to bypass checking other privileges in SHOW TABLE statements. Testing in a database with 40k tables and granting the user SELECT privilege on only 6 tables. When using Sentry, the SHOW TABLES statement takes 5s. With the SIMPLIFY_CHECK_ON_SHOW_TABLES enabled, time reduces to 1.2s. No performance gain is observed when using Ranger since Ranger is fast enough. Tests: - Add custom cluster test for the flag in test_authorization.py for both Sentry and Ranger. - Run CORE tests Change-Id: I17e2b7bf9e36c54627276a6812b459912156cc3c Reviewed-on: http://gerrit.cloudera.org:8080/14400 Reviewed-by: Impala Public Jenkins <impala-public-jenk...@cloudera.com> Tested-by: Impala Public Jenkins <impala-public-jenk...@cloudera.com> --- M be/src/common/global-flags.cc M be/src/util/backend-gflag-util.cc M common/thrift/BackendGflags.thrift M fe/src/main/java/org/apache/impala/authorization/Privilege.java M fe/src/main/java/org/apache/impala/service/BackendConfig.java M fe/src/main/java/org/apache/impala/service/Frontend.java M tests/authorization/test_authorization.py 7 files changed, 108 insertions(+), 8 deletions(-) Approvals: Impala Public Jenkins: Looks good to me, approved; Verified -- To view, visit http://gerrit.cloudera.org:8080/14400 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: merged Gerrit-Change-Id: I17e2b7bf9e36c54627276a6812b459912156cc3c Gerrit-Change-Number: 14400 Gerrit-PatchSet: 8 Gerrit-Owner: Quanlong Huang <huangquanl...@gmail.com> Gerrit-Reviewer: Fang-Yu Rao <fangyu....@cloudera.com> Gerrit-Reviewer: Impala Public Jenkins <impala-public-jenk...@cloudera.com> Gerrit-Reviewer: Kurt Deschler <kdesc...@cloudera.com> Gerrit-Reviewer: Quanlong Huang <huangquanl...@gmail.com> Gerrit-Reviewer: Vihang Karajgaonkar <vih...@cloudera.com>