You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues-all@impala.apache.org by "Quanlong Huang (Jira)" <ji...@apache.org> on 2022/03/23 06:51:00 UTC

[jira] [Commented] (IMPALA-9242) Access check should only check against the privileges of the authorizable

    [ https://issues.apache.org/jira/browse/IMPALA-9242?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17511054#comment-17511054 ] 

Quanlong Huang commented on IMPALA-9242:
----------------------------------------

This is reverted in 3.4.1. We will add it back in 3.4.2 after we fix IMPALA-10326.

https://github.com/apache/impala/commit/134b6492edece7d723bd48890dc934e331988a16

> Access check should only check against the privileges of the authorizable
> -------------------------------------------------------------------------
>
>                 Key: IMPALA-9242
>                 URL: https://issues.apache.org/jira/browse/IMPALA-9242
>             Project: IMPALA
>          Issue Type: Improvement
>            Reporter: Vihang Karajgaonkar
>            Assignee: Csaba Ringhofer
>            Priority: Major
>             Fix For: Impala 3.4.0
>
>
> Currently, according to the implementation of https://github.com/apache/sentry/blob/branch-2.1.0/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimpleCacheProviderBackend.java#L64
> each access check request in Sentry is done against all the privileges of the user. Instead, we can reduce the number of privilege checks significantly, if we use this API in https://github.com/apache/sentry/blob/master/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/PrivilegeCache.java#L46
> Unfortunately, SENTRY-1291 which is merged in master branch of Sentry is unavailable. However, if we can have a interface side changes in PrivilegeCache, Impala can implement a prefix-tree based {{PrivilegeCache}} so that number of privileges returned are only related to the given authorizable. This API can then be used in SimpleCacheProviderBackend to reduce the processing time required to check access for a large number of objects in large setups.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscribe@impala.apache.org
For additional commands, e-mail: issues-all-help@impala.apache.org