[kudu-CR] [master] introduce SentryPrivilegesFetcher
Alexey Serbin has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/12833 ) Change subject: [master] introduce SentryPrivilegesFetcher .. [master] introduce SentryPrivilegesFetcher This patch incorporates a TTL-based cache into the data paths of SentryAuthzProvider by introducing a new entity responsible for fetching and caching the information received from Sentry authz authority: SentryPrivilegesFetcher. A cache's entry contains sanitized and transformed information received as TListSentryPrivilegesResponse from Sentry. Set the newly introduced `--sentry_authz_cache_capacity_mb` command-line flag to 0 to disable caching of authz privilege information returned from Sentry. Change-Id: Idaefacd50736f1f152dae34e76778e17b2e84cbe Reviewed-on: http://gerrit.cloudera.org:8080/12833 Reviewed-by: Hao Hao Reviewed-by: Andrew Wong Tested-by: Kudu Jenkins --- M src/kudu/integration-tests/master_sentry-itest.cc M src/kudu/master/CMakeLists.txt M src/kudu/master/default_authz_provider.h M src/kudu/master/sentry_authz_provider-test.cc M src/kudu/master/sentry_authz_provider.cc M src/kudu/master/sentry_authz_provider.h A src/kudu/master/sentry_privileges_cache_metrics.cc A src/kudu/master/sentry_privileges_cache_metrics.h A src/kudu/master/sentry_privileges_fetcher.cc A src/kudu/master/sentry_privileges_fetcher.h M src/kudu/sentry/sentry_authorizable_scope.cc M src/kudu/sentry/sentry_authorizable_scope.h 12 files changed, 1,232 insertions(+), 642 deletions(-) Approvals: Hao Hao: Looks good to me, approved Andrew Wong: Looks good to me, approved Kudu Jenkins: Verified -- To view, visit http://gerrit.cloudera.org:8080/12833 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: kudu Gerrit-Branch: master Gerrit-MessageType: merged Gerrit-Change-Id: Idaefacd50736f1f152dae34e76778e17b2e84cbe Gerrit-Change-Number: 12833 Gerrit-PatchSet: 14 Gerrit-Owner: Alexey Serbin Gerrit-Reviewer: Adar Dembo Gerrit-Reviewer: Alexey Serbin Gerrit-Reviewer: Andrew Wong Gerrit-Reviewer: Hao Hao Gerrit-Reviewer: Kudu Jenkins (120) Gerrit-Reviewer: Tidy Bot (241)
[kudu-CR] [master] introduce SentryPrivilegesFetcher
Andrew Wong has posted comments on this change. ( http://gerrit.cloudera.org:8080/12833 ) Change subject: [master] introduce SentryPrivilegesFetcher .. Patch Set 13: Code-Review+2 (1 comment) http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider.cc File src/kudu/master/sentry_authz_provider.cc: http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider.cc@78 PS9, Line 78: s = privileges_branch.privileges(); > > But I think this is confusing because this means that "privilege" would r :) Indeed, SGTM -- To view, visit http://gerrit.cloudera.org:8080/12833 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: kudu Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: Idaefacd50736f1f152dae34e76778e17b2e84cbe Gerrit-Change-Number: 12833 Gerrit-PatchSet: 13 Gerrit-Owner: Alexey Serbin Gerrit-Reviewer: Adar Dembo Gerrit-Reviewer: Alexey Serbin Gerrit-Reviewer: Andrew Wong Gerrit-Reviewer: Hao Hao Gerrit-Reviewer: Kudu Jenkins (120) Gerrit-Reviewer: Tidy Bot (241) Gerrit-Comment-Date: Wed, 10 Apr 2019 22:45:26 + Gerrit-HasComments: Yes
[kudu-CR] [master] introduce SentryPrivilegesFetcher
Hao Hao has posted comments on this change. ( http://gerrit.cloudera.org:8080/12833 ) Change subject: [master] introduce SentryPrivilegesFetcher .. Patch Set 13: Code-Review+2 -- To view, visit http://gerrit.cloudera.org:8080/12833 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: kudu Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: Idaefacd50736f1f152dae34e76778e17b2e84cbe Gerrit-Change-Number: 12833 Gerrit-PatchSet: 13 Gerrit-Owner: Alexey Serbin Gerrit-Reviewer: Adar Dembo Gerrit-Reviewer: Alexey Serbin Gerrit-Reviewer: Andrew Wong Gerrit-Reviewer: Hao Hao Gerrit-Reviewer: Kudu Jenkins (120) Gerrit-Reviewer: Tidy Bot (241) Gerrit-Comment-Date: Wed, 10 Apr 2019 22:32:54 + Gerrit-HasComments: No
[kudu-CR] [master] introduce SentryPrivilegesFetcher
Hello Tidy Bot, Kudu Jenkins, Andrew Wong, Adar Dembo, Hao Hao, I'd like you to reexamine a change. Please visit http://gerrit.cloudera.org:8080/12833 to look at the new patch set (#13). Change subject: [master] introduce SentryPrivilegesFetcher .. [master] introduce SentryPrivilegesFetcher This patch incorporates a TTL-based cache into the data paths of SentryAuthzProvider by introducing a new entity responsible for fetching and caching the information received from Sentry authz authority: SentryPrivilegesFetcher. A cache's entry contains sanitized and transformed information received as TListSentryPrivilegesResponse from Sentry. Set the newly introduced `--sentry_authz_cache_capacity_mb` command-line flag to 0 to disable caching of authz privilege information returned from Sentry. Change-Id: Idaefacd50736f1f152dae34e76778e17b2e84cbe --- M src/kudu/integration-tests/master_sentry-itest.cc M src/kudu/master/CMakeLists.txt M src/kudu/master/default_authz_provider.h M src/kudu/master/sentry_authz_provider-test.cc M src/kudu/master/sentry_authz_provider.cc M src/kudu/master/sentry_authz_provider.h A src/kudu/master/sentry_privileges_cache_metrics.cc A src/kudu/master/sentry_privileges_cache_metrics.h A src/kudu/master/sentry_privileges_fetcher.cc A src/kudu/master/sentry_privileges_fetcher.h M src/kudu/sentry/sentry_authorizable_scope.cc M src/kudu/sentry/sentry_authorizable_scope.h 12 files changed, 1,232 insertions(+), 642 deletions(-) git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/33/12833/13 -- To view, visit http://gerrit.cloudera.org:8080/12833 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: kudu Gerrit-Branch: master Gerrit-MessageType: newpatchset Gerrit-Change-Id: Idaefacd50736f1f152dae34e76778e17b2e84cbe Gerrit-Change-Number: 12833 Gerrit-PatchSet: 13 Gerrit-Owner: Alexey Serbin Gerrit-Reviewer: Adar Dembo Gerrit-Reviewer: Alexey Serbin Gerrit-Reviewer: Andrew Wong Gerrit-Reviewer: Hao Hao Gerrit-Reviewer: Kudu Jenkins (120) Gerrit-Reviewer: Tidy Bot (241)
[kudu-CR] [master] introduce SentryPrivilegesFetcher
Alexey Serbin has posted comments on this change. (
http://gerrit.cloudera.org:8080/12833 )
Change subject: [master] introduce SentryPrivilegesFetcher
..
Patch Set 13:
(10 comments)
> Patch Set 12: Code-Review+1
>
> (6 comments)
http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider-test.cc
File src/kudu/master/sentry_authz_provider-test.cc:
http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider-test.cc@182
PS9, Line 182: rivileges_cach
> Ah, missed the fact that it'd be recursive naming.
Yep, the function look-up rules in C++ turned to be non-intuitive in this
particular case. I initially wrote that without namespace specifiers and got
that compiler error.
http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider-test.cc@426
PS9, Line 426: for (const auto& action :
SelectRandomSubset(
: kAllActions, 0, )) {
:
> Sorry for the conflicts. Thanks for being accommodating.
np, thanks for putting up a path to address that feedback. It seems I kept
this patch around for too long, so I should have expected something like that
anyways :)
http://gerrit.cloudera.org:8080/#/c/12833/12/src/kudu/master/sentry_authz_provider-test.cc
File src/kudu/master/sentry_authz_provider-test.cc:
http://gerrit.cloudera.org:8080/#/c/12833/12/src/kudu/master/sentry_authz_provider-test.cc@697
PS12, Line 697: caching
> nit: Cache?
Done
http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider.cc
File src/kudu/master/sentry_authz_provider.cc:
http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider.cc@78
PS9, Line 78: s = privileges_branch.privileges();
> But I think this is confusing because this means that "privilege" would refer
> to both the struct itself and a member internal to the struct. And so a clear
> way to distinguish these two "privileges" is to call the member "privilege"
> "action" instead.
Continuing this bike-shedding venue, I could propose to rename
AuthorizablePrivileges into AuthorizableAccessInfo or AuthorizableAccessRules.
However, I think we need this patch to land eventually, so I hope renaming this
into 'allowed_action' will be a reasonable solution :)
http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider.cc@182
PS9, Line 182:
> SGTM
Great, thanks for being open for this alternative naming approach.
http://gerrit.cloudera.org:8080/#/c/12833/12/src/kudu/master/sentry_authz_provider.cc
File src/kudu/master/sentry_authz_provider.cc:
http://gerrit.cloudera.org:8080/#/c/12833/12/src/kudu/master/sentry_authz_provider.cc@50
PS12, Line 50: // action ('required_action') in the specified scope
('required_scope')
> nit: missing '
Done
http://gerrit.cloudera.org:8080/#/c/12833/12/src/kudu/master/sentry_privileges_fetcher.h
File src/kudu/master/sentry_privileges_fetcher.h:
http://gerrit.cloudera.org:8080/#/c/12833/12/src/kudu/master/sentry_privileges_fetcher.h@194
PS12, Line 194: Send
> nit: Sends.
Done
http://gerrit.cloudera.org:8080/#/c/12833/12/src/kudu/master/sentry_privileges_fetcher.h@201
PS12, Line 201: Reset
> nit: Resets
Done
http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_privileges_fetcher.h
File src/kudu/master/sentry_privileges_fetcher.h:
http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_privileges_fetcher.h@100
PS9, Line 100: std::string table_name;
> Thanks for doing that Alexey.
np :) probably we will come up with something better in next revisions while
iterating on the signatures of methods used as interface between
SentryAuthzProvider and SentryAuthzFetcher.
http://gerrit.cloudera.org:8080/#/c/12833/12/src/kudu/master/sentry_privileges_fetcher.cc
File src/kudu/master/sentry_privileges_fetcher.cc:
http://gerrit.cloudera.org:8080/#/c/12833/12/src/kudu/master/sentry_privileges_fetcher.cc@219
PS12, Line 219: i
> Nit: got two spaces here.
Done
--
To view, visit http://gerrit.cloudera.org:8080/12833
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Idaefacd50736f1f152dae34e76778e17b2e84cbe
Gerrit-Change-Number: 12833
Gerrit-PatchSet: 13
Gerrit-Owner: Alexey Serbin
Gerrit-Reviewer: Adar Dembo
Gerrit-Reviewer: Alexey Serbin
Gerrit-Reviewer: Andrew Wong
Gerrit-Reviewer: Hao Hao
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Wed, 10 Apr 2019 22:20:31 +
Gerrit-HasComments: Yes
[kudu-CR] [master] introduce SentryPrivilegesFetcher
Andrew Wong has posted comments on this change. (
http://gerrit.cloudera.org:8080/12833 )
Change subject: [master] introduce SentryPrivilegesFetcher
..
Patch Set 12: Code-Review+1
(6 comments)
http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider-test.cc
File src/kudu/master/sentry_authz_provider-test.cc:
http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider-test.cc@182
PS9, Line 182: rivileges_cach
> Nope, that's left for a purpose: if dropping that here and below, compilati
Ah, missed the fact that it'd be recursive naming.
http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider-test.cc@426
PS9, Line 426: for (const auto& action :
SelectRandomSubset(
: kAllActions, 0, )) {
:
> All right, it seem it's already taken care of (that bring many conflicts in
Sorry for the conflicts. Thanks for being accommodating.
http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider.cc
File src/kudu/master/sentry_authz_provider.cc:
http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider.cc@78
PS9, Line 78: s = privileges_branch.privileges();
> Yeah, just another bikeshade-able point of this changelist :) It seems I s
I think I understand where you're coming from and I agree that there is no
contention that privileges are units that can be granted from a Sentry POV.
That said, I think if we don't make the conscious decision to clarify different
terms, it might be confusing.
In Sentry, you can have "a privilege on a scope" (per those docs), but what
this really means is "a privilege to perform an action at a given scope". I
don't think those docs do a great job making this distinction because an
end-user of Sentry doesn't really need to make that distinction -- the
"privilege" _is_ the action, and you can grant a privilege on a scope.
When it comes down to these code structs, we want our struct to encapsulate (in
terms from the docs) a privilege that has been granted on a scope. A simple way
to do this would to have a GrantedPrivilege be a struct. But
I think this is confusing because this means that "privilege" would refer to
both the struct itself and a member internal to the struct. And so a clear way
to distinguish these two "privileges" is to call the member "privilege"
"action" instead, so a Privilege is a struct. This corresponds
roughly to what's in TSentryPrivilege in sentry/sentry_policy_service.thrift.
In that way, we care about keeping track of the Privileges (ie. the
structs), and a user can be granted many of these Privileges.
And so when I think of "granting a privilege", I think of "granting a
struct", and by extension, a "granted action" in the context of
these Privileges, is the actions on which the privilege has been granted. But
if you're caught up on the "granted" aspect of it, I'd also be fine calling
this "actions".
http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider.cc@182
PS9, Line 182:
> I moved this away from SentryPrivilegesBranch since I didn't want to bring
SGTM
http://gerrit.cloudera.org:8080/#/c/12833/12/src/kudu/master/sentry_authz_provider.cc
File src/kudu/master/sentry_authz_provider.cc:
http://gerrit.cloudera.org:8080/#/c/12833/12/src/kudu/master/sentry_authz_provider.cc@50
PS12, Line 50: // action ('required_action) in the specified scope
('required_scope')
nit: missing '
http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_privileges_fetcher.h
File src/kudu/master/sentry_privileges_fetcher.h:
http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_privileges_fetcher.h@100
PS9, Line 100: std::string table_name;
> Yep, the newly added SentryPrivilegesBranch::Init() method addresses that.
Thanks for doing that Alexey.
--
To view, visit http://gerrit.cloudera.org:8080/12833
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Idaefacd50736f1f152dae34e76778e17b2e84cbe
Gerrit-Change-Number: 12833
Gerrit-PatchSet: 12
Gerrit-Owner: Alexey Serbin
Gerrit-Reviewer: Adar Dembo
Gerrit-Reviewer: Alexey Serbin
Gerrit-Reviewer: Andrew Wong
Gerrit-Reviewer: Hao Hao
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Wed, 10 Apr 2019 18:04:51 +
Gerrit-HasComments: Yes
[kudu-CR] [master] introduce SentryPrivilegesFetcher
Adar Dembo has posted comments on this change. ( http://gerrit.cloudera.org:8080/12833 ) Change subject: [master] introduce SentryPrivilegesFetcher .. Patch Set 12: Code-Review+1 (1 comment) http://gerrit.cloudera.org:8080/#/c/12833/12/src/kudu/master/sentry_privileges_fetcher.cc File src/kudu/master/sentry_privileges_fetcher.cc: http://gerrit.cloudera.org:8080/#/c/12833/12/src/kudu/master/sentry_privileges_fetcher.cc@219 PS12, Line 219: Nit: got two spaces here. -- To view, visit http://gerrit.cloudera.org:8080/12833 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: kudu Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: Idaefacd50736f1f152dae34e76778e17b2e84cbe Gerrit-Change-Number: 12833 Gerrit-PatchSet: 12 Gerrit-Owner: Alexey Serbin Gerrit-Reviewer: Adar Dembo Gerrit-Reviewer: Alexey Serbin Gerrit-Reviewer: Andrew Wong Gerrit-Reviewer: Hao Hao Gerrit-Reviewer: Kudu Jenkins (120) Gerrit-Reviewer: Tidy Bot (241) Gerrit-Comment-Date: Wed, 10 Apr 2019 16:49:01 + Gerrit-HasComments: Yes
[kudu-CR] [master] introduce SentryPrivilegesFetcher
Alexey Serbin has posted comments on this change. (
http://gerrit.cloudera.org:8080/12833 )
Change subject: [master] introduce SentryPrivilegesFetcher
..
Patch Set 11:
(31 comments)
http://gerrit.cloudera.org:8080/#/c/12833/11//COMMIT_MSG
Commit Message:
http://gerrit.cloudera.org:8080/#/c/12833/11//COMMIT_MSG@7
PS11, Line 7: WIP
> This is no longer a WIP?
Done
http://gerrit.cloudera.org:8080/#/c/12833/11//COMMIT_MSG@10
PS11, Line 10: raw responses
: received from Sentry
> We actually store sanitized response from Sentry (SentryPrivilegesBranch),
Done
http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider-test.cc
File src/kudu/master/sentry_authz_provider-test.cc:
http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider-test.cc@157
PS9, Line 157: public:
> Omit this?
Done.
http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider-test.cc@182
PS9, Line 182: y() {
> Drop, here and below
Nope, that's left for a purpose: if dropping that here and below, compilation
fails (at least on macOS):
/Users/aserbin/Projects/kudu/src/kudu/master/sentry_authz_provider-test.cc:215:19:
error: too many arguments to function call, expected 0, have 2; did you mean
'::kudu::master::DropRole'?
RETURN_NOT_OK(DropRole(sentry_client_.get(), kRoleName));
^~~~
::kudu::master::DropRole
http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider-test.cc@426
PS9, Line 426: SentryPrivilegesBranch privileges_info;
:
ASSERT_OK(sentry_authz_provider_->fetcher_.GetSentryPrivileges(
:
> I agree with limiting the test matrix, OTOH if we're limiting it, we might
All right, it seem it's already taken care of (that bring many conflicts into
this patch, BTW):
https://github.com/apache/kudu/commit/16dc218b5a26fa18dee9e36e09e86c9c38f0d55c
Also, since this test doesn't depend much on the caching/non-caching behavior
of SentryPrivilegesFetcher, I'm leaving it in 'caching enabled' mode.
http://gerrit.cloudera.org:8080/#/c/12833/11/src/kudu/master/sentry_authz_provider.h
File src/kudu/master/sentry_authz_provider.h:
http://gerrit.cloudera.org:8080/#/c/12833/11/src/kudu/master/sentry_authz_provider.h@98
PS11, Line 98: GetSentryPrivileges
> nit: it looks like the comment is removed?
This method is moved SentryAuthzProvider's interface, yes.
http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider.h
File src/kudu/master/sentry_authz_provider.h:
http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider.h@57
PS9, Line 57: privielge
> privilege
Done
http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider.h@98
PS9, Line 98: Status GetSentryPrivileges(sentry::SentryAuthorizableScope::Scope
scope,
> doc
Done
http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider.cc
File src/kudu/master/sentry_authz_provider.cc:
http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider.cc@78
PS9, Line 78: bleScope(privilege.scope).Implies(scope)) {
> I strongly feel that we should keep granted_action. Even if an action, with
Yeah, just another bikeshade-able point of this changelist :) It seems I
started it a few revisions ago with a request to change naming of one field in
SentryPrivilegesBranch and now it continues on.
After some consideration I realized that I'm not sure what 'granted action'
means. How do you grant an action? I think that semantically 'action' in
English is not something that can be granted. Also, I don't know of any notion
of 'granting an action', and I could not find any notion of 'granted action' in
user-facing Sentry's documentation at
https://www.cloudera.com/documentation/enterprise/latest/topics/cm_sg_sentry_service.html
What would 'granted action' mean in your terms? Maybe, there is some
documentation on Sentry that clarifies on 'granting an action', but I could not
find it.
http://gerrit.cloudera.org:8080/#/c/12833/9/src/kudu/master/sentry_authz_provider.cc@182
PS9, Line 182: RETURN_NOT_OK(fetcher_.GetS
> This reads weirdly ("if" and "do" never follow in an English sentence) and
I moved this away from SentryPrivilegesBranch since I didn't want to bring too
much of the implication logic into the Fetcher.
It seems code conventions often contradict the rules of composition of
sentences in English. In current Kudu codebase you can see names of functions
like IsXxx, and that's the prevaling rules of naming such methods/functions.
That's why I decided to name this function using the same pattern. I think
it's better to have more or less uniform naming rules in the codebase. What do
you think?
http://gerrit.cloudera.org:8080/#/c/12833/11/src/kudu/master/sentry_authz_provider.cc
File
[kudu-CR] [master] introduce SentryPrivilegesFetcher
Hello Tidy Bot, Kudu Jenkins, Andrew Wong, Adar Dembo, Hao Hao, I'd like you to reexamine a change. Please visit http://gerrit.cloudera.org:8080/12833 to look at the new patch set (#12). Change subject: [master] introduce SentryPrivilegesFetcher .. [master] introduce SentryPrivilegesFetcher This patch incorporates a TTL-based cache into the data paths of SentryAuthzProvider by introducing new entity responsible for fetching and caching the information received from Sentry authz authority. The cache's entry contains sanitized and transformed information received as TListSentryPrivilegesResponse from Sentry. Set the newly introduced `--sentry_authz_cache_capacity_mb` command-line flag to 0 to disable caching of authz privilege information returned from Sentry. Change-Id: Idaefacd50736f1f152dae34e76778e17b2e84cbe --- M src/kudu/integration-tests/master_sentry-itest.cc M src/kudu/master/CMakeLists.txt M src/kudu/master/default_authz_provider.h M src/kudu/master/sentry_authz_provider-test.cc M src/kudu/master/sentry_authz_provider.cc M src/kudu/master/sentry_authz_provider.h A src/kudu/master/sentry_privileges_cache_metrics.cc A src/kudu/master/sentry_privileges_cache_metrics.h A src/kudu/master/sentry_privileges_fetcher.cc A src/kudu/master/sentry_privileges_fetcher.h M src/kudu/sentry/sentry_authorizable_scope.cc M src/kudu/sentry/sentry_authorizable_scope.h 12 files changed, 1,224 insertions(+), 632 deletions(-) git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/33/12833/12 -- To view, visit http://gerrit.cloudera.org:8080/12833 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: kudu Gerrit-Branch: master Gerrit-MessageType: newpatchset Gerrit-Change-Id: Idaefacd50736f1f152dae34e76778e17b2e84cbe Gerrit-Change-Number: 12833 Gerrit-PatchSet: 12 Gerrit-Owner: Alexey Serbin Gerrit-Reviewer: Adar Dembo Gerrit-Reviewer: Alexey Serbin Gerrit-Reviewer: Andrew Wong Gerrit-Reviewer: Hao Hao Gerrit-Reviewer: Kudu Jenkins (120) Gerrit-Reviewer: Tidy Bot (241)
