Posted to issues@sentry.apache.org by "Quanlong Huang (Jira)" <ji...@apache.org> on 2019/10/11 01:02:00 UTC

[jira] [Updated] (SENTRY-2534) Provide API for checking ANY privileges

     [ https://issues.apache.org/jira/browse/SENTRY-2534?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Quanlong Huang updated SENTRY-2534:
-----------------------------------
    Attachment: cdh5.16.2-40k-tables-calltree-profile.png

> Provide API for checking ANY privileges
> ---------------------------------------
>
>                 Key: SENTRY-2534
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2534
>             Project: Sentry
>          Issue Type: New Feature
>            Reporter: Quanlong Huang
>            Priority: Major
>         Attachments: cdh5.16.2-40k-tables-calltree-profile.png
>
>
> In Impala, when dealing with SHOW TABLES statements or GET_TABLES HiveServer2 requests, we need to check whether the user has any privileges on the table before showing it. However, Sentry does not support checking ANY privilege (while Ranger does), so we have to loop over all possible privileges if the user doesn't have any of them:
> {code:java}
> for (ImpalaAction action: actions) {
>   if (provider_.hasAccess(new Subject(user.getShortName()), authorizables,
>       EnumSet.of(action), request.hasGrantOption(), ActiveRoleSet.ALL)) {
>     return true;
>   }
> }
> return false;
> {code}
> Code link: [https://github.com/apache/impala/blob/3.3.0/fe/src/main/java/org/apache/impala/authorization/sentry/SentryAuthorizationChecker.java#L120-L129]
>  
> This is time-consuming if there are lots of tables to check. In a CPU profile for IMPALA-9002, we see that most of the time is spent in Sentry:
> !cdh5.16.2-patch3543-db40k-calltree-profile.png|width=1295,height=1105!
> It'd be better if we can get rid of the loop and get the result from Sentry directly.
>  
>  
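
The cost pattern described in the issue, as an added example (not code from Sentry, Impala, or the reporter): a table the user has no privileges on is the worst case for the per-action loop, because every action must be checked before the table can be hidden, while a single ANY check reaches the same deny decision in one evaluation. `ToyProvider`, `hasAnyAccess`, the action list, and the user and table names are hypothetical.

```java
import java.util.*;

// Added illustration: a toy in-memory provider, not Sentry's or Impala's code.
public class AnyPrivilegeDemo {
  // Constructed action list for the demo; not taken from the project.
  enum Action { SELECT, INSERT, ALTER, CREATE, DROP, REFRESH, ALL }

  // Hypothetical stand-in for the policy engine; counts how often grants are resolved.
  static class ToyProvider {
    final Map<String, Map<String, EnumSet<Action>>> grants = new HashMap<>();
    int evaluations = 0;

    void grant(String user, String table, Action a) {
      grants.computeIfAbsent(user, u -> new HashMap<>())
            .computeIfAbsent(table, t -> EnumSet.noneOf(Action.class)).add(a);
    }

    private EnumSet<Action> resolve(String user, String table) {
      evaluations++;  // each call stands for one full policy evaluation
      return grants.getOrDefault(user, Collections.emptyMap())
                   .getOrDefault(table, EnumSet.noneOf(Action.class));
    }

    // Per-action style of check: does the user hold this one requested action?
    boolean hasAccess(String user, String table, Action requested) {
      return resolve(user, table).contains(requested);
    }

    // Hypothetical ANY check: one evaluation, true if any grant exists.
    boolean hasAnyAccess(String user, String table) {
      return !resolve(user, table).isEmpty();
    }
  }

  // The per-action loop from the issue, run against the toy provider.
  static boolean loopCheck(ToyProvider p, String user, String table) {
    for (Action a : Action.values()) {
      if (p.hasAccess(user, table, a)) return true;
    }
    return false;
  }

  public static void main(String[] args) {
    ToyProvider p = new ToyProvider();
    p.grant("alice", "db.t1", Action.SELECT);       // constructed sample grant
    boolean looped = loopCheck(p, "bob", "db.t1");  // bob holds nothing: worst case
    int loopCost = p.evaluations;
    p.evaluations = 0;
    boolean any = p.hasAnyAccess("bob", "db.t1");
    System.out.printf("loop=%b cost=%d, any=%b cost=%d%n", looped, loopCost, any, p.evaluations);
  }
}
```

Both paths must return the same decision for every user and table; only the number of evaluations per hidden table should differ.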


