You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@impala.apache.org by "Vihang Karajgaonkar (Jira)" <ji...@apache.org> on 2019/12/13 01:14:00 UTC

[jira] [Created] (IMPALA-9242) Access check should only check against the privileges of the authorizable

Vihang Karajgaonkar created IMPALA-9242:
-------------------------------------------

             Summary: Access check should only check against the privileges of the authorizable
                 Key: IMPALA-9242
                 URL: https://issues.apache.org/jira/browse/IMPALA-9242
             Project: IMPALA
          Issue Type: Improvement
            Reporter: Vihang Karajgaonkar


Currently, according to the implementation of https://github.com/apache/sentry/blob/branch-2.1.0/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimpleCacheProviderBackend.java#L64

each access check request in Sentry is done against all the privileges of the user. Instead, we can reduce the number of privilege checks significantly, if we use this API in https://github.com/apache/sentry/blob/master/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/PrivilegeCache.java#L46

Unfortunately, SENTRY-1291 which is merged in master branch of Sentry is unavailable. However, if we can have a interface side changes in PrivilegeCache, Impala can implement a prefix-tree based {{PrivilegeCache}} so that number of privileges returned are only related to the given authorizable. This API can then be used in SimpleCacheProviderBackend to reduce the processing time required to check access for a large number of objects in large setups.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)