You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sentry.apache.org by am...@apache.org on 2019/01/30 04:34:39 UTC
[sentry] branch master updated: SENTRY-2488: Add privilege cache to
sentry hive bindings in DefaultAccessValidator (Arjun Mishra reviewed by
Kalyan Kumar Kalvagadda)
This is an automated email from the ASF dual-hosted git repository.
amishra pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/sentry.git
The following commit(s) were added to refs/heads/master by this push:
new 1b8127e SENTRY-2488: Add privilege cache to sentry hive bindings in DefaultAccessValidator (Arjun Mishra reviewed by Kalyan Kumar Kalvagadda)
1b8127e is described below
commit 1b8127eab26fa2fc146f13663e056b8f4f5409d0
Author: amishra <am...@cloudera.com>
AuthorDate: Tue Jan 29 22:31:09 2019 -0600
SENTRY-2488: Add privilege cache to sentry hive bindings in DefaultAccessValidator (Arjun Mishra reviewed by Kalyan Kumar Kalvagadda)
---
.../binding/hive/authz/DefaultSentryValidator.java | 28 ++++++++++++++++------
.../hive/authz/HiveAuthzBindingHookBase.java | 2 +-
.../provider/cache/SimplePrivilegeCache.java | 3 ++-
3 files changed, 24 insertions(+), 9 deletions(-)
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryValidator.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryValidator.java
index 9de47b3..a596d0b 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryValidator.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryValidator.java
@@ -16,7 +16,6 @@ package org.apache.sentry.binding.hive.authz;
import static org.apache.hadoop.hive.metastore.MetaStoreUtils.DEFAULT_DATABASE_NAME;
-import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.collect.Sets;
import java.security.CodeSource;
@@ -174,7 +173,7 @@ public class DefaultSentryValidator extends SentryHiveAuthorizationValidator {
HiveAuthzBinding hiveAuthzBinding = null;
try {
- hiveAuthzBinding = getAuthzBinding();
+ hiveAuthzBinding = getAuthzBindingWithPrivilegeCache(authenticator.getUserName());
if (stmtAuthPrivileges == null) {
// We don't handle authorizing this statement
return;
@@ -245,9 +244,24 @@ public class DefaultSentryValidator extends SentryHiveAuthorizationValidator {
}
}
- @VisibleForTesting
- public HiveAuthzBinding getAuthzBinding() throws Exception {
- return new HiveAuthzBinding(hiveHook, conf, authzConf);
+ /**
+ * Create a binding object with a cache of privileges that will last the session
+ * At the time of doing the authorization check we will only check against the cache
+ * as opposed to fetching from the database each time
+ * @param userName
+ * @return
+ * @throws Exception
+ */
+ public HiveAuthzBinding getAuthzBindingWithPrivilegeCache(String userName) throws Exception {
+ HiveAuthzBinding hiveAuthzBinding = new HiveAuthzBinding(hiveHook, conf, authzConf);
+ try {
+ HiveAuthzBinding hiveAuthzBindingWithCache = HiveAuthzBindingHookBase
+ .getHiveBindingWithPrivilegeCache(hiveAuthzBinding, userName);
+ return hiveAuthzBindingWithCache;
+ } catch (Exception e) {
+ LOG.error("Unable to build bindings with cache. Use bindings without cache", e);
+ return hiveAuthzBinding;
+ }
}
private void addExtendHierarchy(HiveOperation hiveOp, HiveAuthzPrivileges stmtAuthPrivileges,
@@ -372,13 +386,13 @@ public class DefaultSentryValidator extends SentryHiveAuthorizationValidator {
try {
switch (pType) {
case DATABASE:
- hiveAuthzBinding = getAuthzBinding();
+ hiveAuthzBinding = getAuthzBindingWithPrivilegeCache(authenticator.getUserName());
authzObjectFilter = new MetastoreAuthzObjectFilter<HivePrivilegeObject>(hiveAuthzBinding,
OBJECT_EXTRACTOR);
listObjs = authzObjectFilter.filterDatabases(authenticator.getUserName(), listObjs);
break;
case TABLE_OR_VIEW:
- hiveAuthzBinding = getAuthzBinding();
+ hiveAuthzBinding = getAuthzBindingWithPrivilegeCache(authenticator.getUserName());
authzObjectFilter = new MetastoreAuthzObjectFilter<HivePrivilegeObject>(hiveAuthzBinding,
OBJECT_EXTRACTOR);
listObjs = authzObjectFilter.filterTables(authenticator.getUserName(), listObjs);
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java
index 63d8d1c..46eb456 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java
@@ -828,7 +828,7 @@ public abstract class HiveAuthzBindingHookBase extends AbstractSemanticAnalyzerH
}
// create hiveBinding with PrivilegeCache
- private static HiveAuthzBinding getHiveBindingWithPrivilegeCache(HiveAuthzBinding hiveAuthzBinding,
+ static HiveAuthzBinding getHiveBindingWithPrivilegeCache(HiveAuthzBinding hiveAuthzBinding,
String userName) throws SemanticException {
// get the original HiveAuthzBinding, and get the user's privileges by AuthorizationProvider
AuthorizationProvider authProvider = hiveAuthzBinding.getCurrentAuthProvider();
diff --git a/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimplePrivilegeCache.java b/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimplePrivilegeCache.java
index 0ad4616..5de3135 100644
--- a/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimplePrivilegeCache.java
+++ b/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimplePrivilegeCache.java
@@ -16,6 +16,7 @@
*/
package org.apache.sentry.provider.cache;
+import java.util.Collections;
import org.apache.sentry.core.common.ActiveRoleSet;
import org.apache.sentry.core.common.Authorizable;
import org.apache.sentry.core.common.utils.SentryConstants;
@@ -110,7 +111,7 @@ public class SimplePrivilegeCache implements PrivilegeCache {
@Override
public void close() {
if (cachedPrivileges != null) {
- cachedPrivileges.clear();
+ cachedPrivileges = Collections.emptySet();
}
}