[Impala-ASF-CR] WIP IMPALA-9242: Filter privileges before returning them to Sentry

Tue, 21 Jan 2020 09:51:12 -0800 

Hello Anonymous Coward (498), Impala Public Jenkins,

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/15068

to look at the new patch set (#3).

Change subject: WIP IMPALA-9242: Filter privileges before returning them to 
Sentry
......................................................................

WIP IMPALA-9242: Filter privileges before returning them to Sentry

This change implements the new FilteredPrivilegeCache, which adds
functions for filtering privileges based on the authorizable and
for returning Privileges directly instead of their String form.

The filtering is based on server + db + table to filter out the
bulk of unrelated privileges. The cost of the check is still
O(num_of_privileges), but the expensive
(Impala) PrincipalPrivilege->String->(Sentry)Privilege is avoided
for the filtered privileges.

To improve performance further, privileges could be stored in a
hierarchical way (like Sentry's TreePrivilegeCache) to allow a much
more efficient lookup, but my feeling is that reimplementing the whole
privilege check in Impala and skipping Sentry (at least for
SHOW DATABASES/TABLES) would be simpler.

Another possible optimization would be to store Sentry privileges
in Impala instead of/in addittion to TPriviliges, but that may need
more memory than the current solution.

TODOs:
- measure whether it actually helps with performance
- 'server' probably doesn't need to be checked for all
  privileges
- cleaning up the code

Change-Id: Iecd4281368d1c9fe88cfe850ea725cd68895712e
---
M 
fe/src/main/java/org/apache/impala/authorization/sentry/SentryAuthorizationPolicy.java
M fe/src/main/java/org/apache/impala/catalog/Principal.java
M fe/src/main/java/org/apache/impala/catalog/PrincipalPrivilege.java
3 files changed, 131 insertions(+), 6 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/68/15068/3
--
To view, visit http://gerrit.cloudera.org:8080/15068
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Iecd4281368d1c9fe88cfe850ea725cd68895712e
Gerrit-Change-Number: 15068
Gerrit-PatchSet: 3
Gerrit-Owner: Csaba Ringhofer <[email protected]>
Gerrit-Reviewer: Anonymous Coward (498)
Gerrit-Reviewer: Impala Public Jenkins <[email protected]>

Reply via email to