Andrew Wong has posted comments on this change. ( http://gerrit.cloudera.org:8080/13657 )
Change subject: [sentry] add require_db_privileges flag for ListTables ...................................................................... Patch Set 1: (2 comments) http://gerrit.cloudera.org:8080/#/c/13657/1//COMMIT_MSG Commit Message: http://gerrit.cloudera.org:8080/#/c/13657/1//COMMIT_MSG@10 PS1, Line 10: The motivation : is to reduce time spend on authorization when there are a small amount : of databases but many tables in these. It may be obvious if you read between the lines, but it's probably worth being explicit about the expected performance behavior. Something like: "Without this flag, there will be a number of requests to Sentry related to the number of tables in Kudu. With it, that number is limited to the number of databases in Kudu." or even a concrete example: "If there are 2000 tables stored in Kudu, equally stored within 10 databases, and a user has privileges on one databases but not the others, with the flag turned on, there will be 10 requests to Sentry instead of 1801." Might also be worth running a couple benchmarks demonstrating this. http://gerrit.cloudera.org:8080/#/c/13657/1/src/kudu/master/sentry_authz_provider.cc File src/kudu/master/sentry_authz_provider.cc: http://gerrit.cloudera.org:8080/#/c/13657/1/src/kudu/master/sentry_authz_provider.cc@41 PS1, Line 41: "When use sentry for fine-grained authorization, ListTables requires " : "any privileges on database level when set to true. Note that users " : "with no database level privileges on a database will not be able to " : "see any tables within it. When set to false table level privileges are " : "enforced." maybe: "Whether Kudu will require database-level privileges to authorize ListTables requests. When set to false, table-level privileges are required for each table." -- To view, visit http://gerrit.cloudera.org:8080/13657 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: kudu Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I6a225932b22470d653d4b40678f32c2b5cb8329c Gerrit-Change-Number: 13657 Gerrit-PatchSet: 1 Gerrit-Owner: Hao Hao <[email protected]> Gerrit-Reviewer: Alexey Serbin <[email protected]> Gerrit-Reviewer: Andrew Wong <[email protected]> Gerrit-Reviewer: Grant Henke <[email protected]> Gerrit-Reviewer: Kudu Jenkins (120) Gerrit-Comment-Date: Fri, 14 Jun 2019 22:42:04 +0000 Gerrit-HasComments: Yes
