Andrew Wong has posted comments on this change. ( http://gerrit.cloudera.org:8080/12500 )
Change subject: [sentry] add privilege scope validation to SentryAuthzProvider
......................................................................

Patch Set 7:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/12500/7//COMMIT_MSG
Commit Message:

http://gerrit.cloudera.org:8080/#/c/12500/7//COMMIT_MSG@30
PS7, Line 30: 'ALL ON default.a'
> In addition to "default", we also include "server1". Does this mean that ev

Ah, I think I confused myself thinking about this. Just to be sure, in this example, some potentially returned privileges if we provide the database scope are:

<action> ON server1
<action> ON server1.default
<action> ON server1.default.a
<action> ON server1.default.a.col0
<action> ON server1.default.a.col1
<action> ON server1.default.b
<action> ON server1.default.c
<action> ON server1.default.c.col0
<action> ON server1.default.c.col1
<action> ON server1.default.c.col2
<action> ON server1.default.c.col3

and had we passed to Sentry the table scope, we may have gotten privileges like:

<action> ON server1
<action> ON server1.default
<action> ON server1.default.a
<action> ON server1.default.a.col0
<action> ON server1.default.a.col1

Somewhat unrelated to this patch, but if this is the case, it seems like the lower the scope we provide, the less we get back from Sentry. If that's the case, I wonder if it makes sense to send the lowest-level scope to Sentry when evaluating a higher-level scope requirement, and since privileges of higher-level scopes are returned from Sentry, we should be able to evaluate them. That might be something to consider if we find that responses from Sentry consume a large amount of memory.

--
To view, visit http://gerrit.cloudera.org:8080/12500
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I89437a04a4fa18e501d21c3abf5d66a2d22ce58a
Gerrit-Change-Number: 12500
Gerrit-PatchSet: 7
Gerrit-Owner: Hao Hao <[email protected]>
Gerrit-Reviewer: Adar Dembo <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Andrew Wong <[email protected]>
Gerrit-Reviewer: Hao Hao <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Comment-Date: Wed, 13 Mar 2019 07:49:20 +0000
Gerrit-HasComments: Yes
