Andrew Wong has posted comments on this change. ( http://gerrit.cloudera.org:8080/12500 )
Change subject: [sentry] add privilege scope validation to SentryAuthzProvider ...................................................................... Patch Set 8: (1 comment) http://gerrit.cloudera.org:8080/#/c/12500/7//COMMIT_MSG Commit Message: http://gerrit.cloudera.org:8080/#/c/12500/7//COMMIT_MSG@30 PS7, Line 30: 'ALL ON default.a' > Right, for example 'ALL on SERVER1' or 'CREATE on SERVER1' will be returned In terms of minimizing the number of calls to Sentry, I think the "optimal" usage pattern would be to send the highest scope possible. Since we already know the server, database, and table associated with every request, if we take this idea to its extreme, we could ask for everything in server1. The complexity would then lie in how we get useful information out of those responses -- do we parse the huge response once, and separate the privileges out into some useful in-memory hierarchy? Maybe, but it seems tricky. Another approach would be to always send requests at the table scope. AFAICT, every request authorized by the master is associated with a table anyway, so it seems like this would be a natural fit. It reduces the amount of stuff returned by Sentry, and I think it would simplify how we could think about caching as well, since _every_ request would send the same scope to Sentry (including what we need to create authz tokens). WDYT? Also curious if Alexey agrees, since he's been working on this caching stuff. My main concern with sending over the highest possible scope (and more broadly, using the database scope and above at all) is that I'm pretty sure there are cases where Kudu tables will be in some default database. The default database could have a huge amount of irrelevant entries in the response -- that actually seems like it'd be a pretty common case. -- To view, visit http://gerrit.cloudera.org:8080/12500 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: kudu Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I89437a04a4fa18e501d21c3abf5d66a2d22ce58a Gerrit-Change-Number: 12500 Gerrit-PatchSet: 8 Gerrit-Owner: Hao Hao <[email protected]> Gerrit-Reviewer: Adar Dembo <[email protected]> Gerrit-Reviewer: Alexey Serbin <[email protected]> Gerrit-Reviewer: Andrew Wong <[email protected]> Gerrit-Reviewer: Hao Hao <[email protected]> Gerrit-Reviewer: Kudu Jenkins (120) Gerrit-Comment-Date: Thu, 14 Mar 2019 07:10:28 +0000 Gerrit-HasComments: Yes
