Andrew Wong has posted comments on this change. ( http://gerrit.cloudera.org:8080/12941 )
Change subject: sentry: generate TablePrivilegePBs ...................................................................... Patch Set 3: (6 comments) http://gerrit.cloudera.org:8080/#/c/12941/2/src/kudu/master/default_authz_provider.h File src/kudu/master/default_authz_provider.h: http://gerrit.cloudera.org:8080/#/c/12941/2/src/kudu/master/default_authz_provider.h@62 PS2, Line 62: } > Don't we need to set pb->table_id also? Given the function signature, I'd e Done http://gerrit.cloudera.org:8080/#/c/12941/2/src/kudu/master/sentry_authz_provider.cc File src/kudu/master/sentry_authz_provider.cc: http://gerrit.cloudera.org:8080/#/c/12941/2/src/kudu/master/sentry_authz_provider.cc@554 PS2, Line 554: RETURN_NOT_OK(GetSentryPrivileges(SentryAuthorizableScope::TABLE, table_name, > Should set table_id, right? Good point, though I don't think the SentryAuthzProvider has any business setting the table ID, given it doesn't operate on table IDs. I'll be enforce that a table ID is set instead. http://gerrit.cloudera.org:8080/#/c/12941/2/src/kudu/master/sentry_authz_provider.cc@555 PS2, Line 555: user, &privileges)); > Seems like the transformations that happen in the rest of this function cou I'm not sure that's exactly the case, given we're using a SchemaPB to map column IDs. I.e. tokens filled based on the same authorization metadata may be different upon subsequent calls to this function if the schema has changed. http://gerrit.cloudera.org:8080/#/c/12941/2/src/kudu/master/sentry_authz_provider.cc@558 PS2, Line 558: for (const auto& privilege : privileges.privileges) { > This can be constructed once outside the loop. Done http://gerrit.cloudera.org:8080/#/c/12941/2/src/kudu/master/sentry_authz_provider.cc@581 PS2, Line 581: } : } else if (!pb->scan_privilege() && : (ContainsKey(privilege.granted_privileges, SentryAction::ALL) || : ContainsKey(privilege.granted_privileges, SentryAction::OWNER) || : ContainsKey(privilege.granted_privileges, SentryAction::SELECT))) { : // Pull out any scan privileges at the column scope. : DCHECK_EQ(SentryAuthorizableScope::COLUMN, privilege.scope); : > We can skip this if an earlier privilege set privilege_pb.scan_privilege(), Done http://gerrit.cloudera.org:8080/#/c/12941/2/src/kudu/master/sentry_authz_provider.cc@599 PS2, Line 599: } > Note that this implementation _overwrites_ pb while the default implementat Done -- To view, visit http://gerrit.cloudera.org:8080/12941 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: kudu Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: Icb6c533a04d2749e0ee68546dac61011432cba2f Gerrit-Change-Number: 12941 Gerrit-PatchSet: 3 Gerrit-Owner: Andrew Wong <[email protected]> Gerrit-Reviewer: Adar Dembo <[email protected]> Gerrit-Reviewer: Alexey Serbin <[email protected]> Gerrit-Reviewer: Andrew Wong <[email protected]> Gerrit-Reviewer: Hao Hao <[email protected]> Gerrit-Reviewer: Kudu Jenkins (120) Gerrit-Comment-Date: Mon, 08 Apr 2019 05:43:38 +0000 Gerrit-HasComments: Yes
