Posted to issues-all@impala.apache.org by "Csaba Ringhofer (Jira)" <ji...@apache.org> on 2020/01/08 16:27:00 UTC

[jira] [Comment Edited] (IMPALA-9242) Access check should only check against the privileges of the authorizable

    [ https://issues.apache.org/jira/browse/IMPALA-9242?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17010800#comment-17010800 ] 

Csaba Ringhofer edited comment on IMPALA-9242 at 1/8/20 4:26 PM:
-----------------------------------------------------------------

I looked through SENTRY-2539 (https://reviews.apache.org/r/71915) and the related Impala code.  Implementing IMPALA-9242 would need some significant changes in Impala, especially if we want to avoid increasing memory usage.

The main issue is that Impala uses a (concurrent) hash set to store privileges for a user/role, and the key contains all info about a privilege, something like {{[ServerName=value]->[DbName=value]->[TableName=value]->[ColumnName=value]->[Action Granted=value]->[Grant Option=value]}} (see https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/catalog/PrincipalPrivilege.java ).

So this hash map doesn't offer a quick way to look up all privileges for a given authorizable.
I see 2 main ways to go:
1. Create a separate cache with efficient lookup by authorizable, possibly by simply reusing TreePrivilegeCache from Sentry. This cache would need to be recreated whenever the user's/role's privileges change. This seems like an easy solution + it would not affect Ranger, but would likely ~double the memory consumption of privileges.
2. Change AuthorizationPolicy ( https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/catalog/PrincipalPrivilege.java ) to store Privileges in a "more treelike manner" to allow efficient lookup by authorizable. This is a more complex change and could affect Ranger too.



> Access check should only check against the privileges of the authorizable
> -------------------------------------------------------------------------
>
>                 Key: IMPALA-9242
>                 URL: https://issues.apache.org/jira/browse/IMPALA-9242
>             Project: IMPALA
>          Issue Type: Improvement
>            Reporter: Vihang Karajgaonkar
>            Assignee: Csaba Ringhofer
>            Priority: Major
>
> Currently, according to the implementation of https://github.com/apache/sentry/blob/branch-2.1.0/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimpleCacheProviderBackend.java#L64
> each access check request in Sentry is done against all the privileges of the user. Instead, we can reduce the number of privilege checks significantly if we use this API in https://github.com/apache/sentry/blob/master/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/PrivilegeCache.java#L46
> Unfortunately, SENTRY-1291, which is merged in the master branch of Sentry, is unavailable. However, if we can have interface-side changes in PrivilegeCache, Impala can implement a prefix-tree based {{PrivilegeCache}} so that the number of privileges returned is only related to the given authorizable. This API can then be used in SimpleCacheProviderBackend to reduce the processing time required to check access for a large number of objects in large setups.
