Posted to reviews@kudu.apache.org by "Alexey Serbin (Code Review)" <ge...@cloudera.org> on 2019/04/20 02:13:45 UTC

[kudu-CR] [authz] new SentryAuthzProvider's caching strategy

Hello Kudu Jenkins, Andrew Wong, Hao Hao, 

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/13069

to look at the new patch set (#3).

Change subject: [authz] new SentryAuthzProvider's caching strategy
......................................................................

[authz] new SentryAuthzProvider's caching strategy

This patch updates the way the privilege cache in
SentryAuthzProvider is populated.  Prior to this patch, only one entry
per sanitized Sentry response was created.  With this patch,
a response may be split into two entries: one contains SERVER- and
DATABASE-scope privileges, and another contains TABLE- and COLUMN-scope
privileges.  Of course, it also changes the lookup process: now it's
necessary to search for two entries in the cache when looking up
an entry with privileges for an authorizable of the TABLE scope.

The new caching strategy leverages the fact that Sentry includes
information on privileges granted on authorizables of higher scopes
in the hierarchy, if any.  The new strategy is beneficial in cases
when a user has privileges granted on DATABASE.  In that case, once
there was a request to authorize an action on a table or a column
of that table, the next request to authorize an action on the database
itself will hit the cache, avoiding an extra RPC sent to Sentry.
Another example that benefits from the new caching scheme is
a scenario like AuthorizeDropTable(tableA) followed by
AuthorizeCreateTable(tableA).

Change-Id: Id96181345e357a104e28314d8d8d88633dcf9608
---
M src/kudu/master/sentry_authz_provider-test.cc
M src/kudu/master/sentry_privileges_fetcher.cc
M src/kudu/master/sentry_privileges_fetcher.h
3 files changed, 305 insertions(+), 44 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/69/13069/3
-- 
To view, visit http://gerrit.cloudera.org:8080/13069

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Id96181345e357a104e28314d8d8d88633dcf9608
Gerrit-Change-Number: 13069
Gerrit-PatchSet: 3
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
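
The split-entry scheme described in the commit message above, as an added sketch that is not code from the Kudu patch. The class, the `Replay` helper, the "db" / "db.table" key format, the single-user cache and the grants are all constructed for illustration.

```cpp
#include <map>
#include <set>
#include <string>
#include <utility>
#include <vector>

enum Scope { SERVER, DATABASE, TABLE, COLUMN };  // ordered from highest scope
using Privileges = std::set<std::pair<Scope, std::string>>;  // (scope, action)

class SplitPrivilegeCache {
 public:
  std::map<std::string, Privileges> grants;  // constructed stand-in for Sentry
  int rpcs = 0;                              // simulated round trips to Sentry

  // Privileges of one fixed user on `authz`, given as "db" or "db.table".
  Privileges Get(const std::string& authz) {
    const auto dot = authz.find('.');
    const bool is_table = dot != std::string::npos;
    const std::string db = authz.substr(0, dot);
    const auto hi = cache_.find(db);
    const auto lo = is_table ? cache_.find(authz) : cache_.end();
    // A TABLE-scope lookup is a hit only when both entries are cached.
    if (hi != cache_.end() && (!is_table || lo != cache_.end())) {
      Privileges out = hi->second;
      if (is_table) out.insert(lo->second.begin(), lo->second.end());
      return out;
    }
    ++rpcs;
    // The response to a table request also carries higher-scope grants.
    Privileges resp = grants[db];
    if (is_table) resp.insert(grants[authz].begin(), grants[authz].end());
    Privileges upper, lower;
    for (const auto& p : resp) (p.first <= DATABASE ? upper : lower).insert(p);
    cache_[db] = upper;                   // SERVER- and DATABASE-scope entry
    if (is_table) cache_[authz] = lower;  // TABLE- and COLUMN-scope entry
    return resp;
  }
 private:
  std::map<std::string, Privileges> cache_;
};

// Replays lookups against constructed grants and returns the resulting cache.
SplitPrivilegeCache Replay(const std::vector<std::string>& lookups) {
  SplitPrivilegeCache c;
  c.grants["db"].emplace(DATABASE, "ALL");
  c.grants["db.tableA"].emplace(TABLE, "SELECT");
  for (const auto& a : lookups) c.Get(a);
  return c;
}
```

A table lookup followed by a database lookup costs one simulated RPC, while the reverse order costs two, because the table half of the pair is still missing from the cache.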