[kudu-CR] sentry: sanitize and parse privileges from Sentry

Thu, 04 Apr 2019 17:59:59 -0700 

Hao Hao has posted comments on this change. ( 
http://gerrit.cloudera.org:8080/12919 )

Change subject: sentry: sanitize and parse privileges from Sentry
......................................................................


Patch Set 10: Code-Review+1

(2 comments)

http://gerrit.cloudera.org:8080/#/c/12919/5/src/kudu/master/sentry_authz_provider.cc
File src/kudu/master/sentry_authz_provider.cc:

http://gerrit.cloudera.org:8080/#/c/12919/5/src/kudu/master/sentry_authz_provider.cc@176
PS5, Line 176: for (const auto& granted_action : privilege.granted_privileges) {
             :         if (SentryAction(granted_action).Implies(action)) {
             :           return true;
             :         }
             :       }
> Maybe, but not as a part of this patch. I doubt this will be the bottleneck
I agree it should be a separate patch.

Though it can be useful when user has privileges on the same authorizable with 
N kinds of fine-grained action, it will slow down the Implies() process N times 
per SentryPrivilegesBranch, compare to if we can do a bit wise verification. If 
you think it makes sense, can you add a  TODO here?


http://gerrit.cloudera.org:8080/#/c/12919/5/src/kudu/master/sentry_authz_provider.cc@513
PS5, Line 513:
> Interesting, seems like OWNER could use some more test coverage in general.
In general, the test coverage for equivalency between OWNER and ALL are covered 
in sentry_action-test.cc. However, as now we have a 'hack' which link action 
'ALL' with grant option, so yes, we need more test coverage where grant options 
are used. Though I think it is only in CreateTable.



--
To view, visit http://gerrit.cloudera.org:8080/12919
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ib6de6814f99abfbee4f030298b74f21f4e7c729b
Gerrit-Change-Number: 12919
Gerrit-PatchSet: 10
Gerrit-Owner: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <aser...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Hao Hao <hao....@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Fri, 05 Apr 2019 00:58:53 +0000
Gerrit-HasComments: Yes

Reply via email to