Csaba Ringhofer has uploaded this change for review. ( http://gerrit.cloudera.org:8080/15068
Change subject: WIP IMPALA-9242: Filter privileges before returning them to Sentry ...................................................................... WIP IMPALA-9242: Filter privileges before returning them to Sentry This change implements the new FilteredPrivilegeCache, which adds functions for filtering privileges based on the authorizable and for returning Privileges directly instead of their String form. The filtering is based on server + db + table to filter out the bulk of unrelated privileges. The cost of the check is still O(num_of_privileges), but the expensive (Impala) PrincipalPrivilege->String->(Sentry)Privilege is avoided for the filtered privileges. To improve performance further, privileges could be stored in a hierarchical way (like Sentry's TreePrivilegeCache) to allow a much more efficient lookup, but my feeling is that reimplementing the whole privilege check in Impala and skipping Sentry (at least for SHOW DATABASES/TABLES) would be simpler. Another possible optimization would be to store Sentry privileges in Impala instead of/in addittion to TPriviliges, but that may need more memory than the current solution. TODOs: - measure whether it actually helps with performance - 'server' probably doesn't need to be checked for all privileges - cleaning up the code Change-Id: Iecd4281368d1c9fe88cfe850ea725cd68895712e --- M fe/src/main/java/org/apache/impala/authorization/sentry/SentryAuthorizationPolicy.java M fe/src/main/java/org/apache/impala/catalog/Principal.java M fe/src/main/java/org/apache/impala/catalog/PrincipalPrivilege.java 3 files changed, 130 insertions(+), 5 deletions(-) git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/68/15068/1 -- To view, visit http://gerrit.cloudera.org:8080/15068 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: newchange Gerrit-Change-Id: Iecd4281368d1c9fe88cfe850ea725cd68895712e Gerrit-Change-Number: 15068 Gerrit-PatchSet: 1 Gerrit-Owner: Csaba Ringhofer <[email protected]>
