Uploaded image for project: 'IMPALA'
  1. IMPALA
  2. IMPALA-9002

Add flag to only check SELECT priviledge in GET_TABLES

Agile BoardAttach filesAttach ScreenshotVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • Impala 3.4.0
    • Security
    • None
    • ghx-label-2

    Description

      In Frontend.doGetTableNames(), if authorization is enabled, we only return tables that current user has ANY priviledge on them:

        private List<String> doGetTableNames(String dbName, PatternMatcher matcher,
            User user) throws ImpalaException {
          FeCatalog catalog = getCatalog();
          List<String> tblNames = catalog.getTableNames(dbName, matcher);
          if (authzFactory_.getAuthorizationConfig().isEnabled()) {
            Iterator<String> iter = tblNames.iterator();
            while (iter.hasNext()) {
              ......
              PrivilegeRequest privilegeRequest = new PrivilegeRequestBuilder(
                  authzFactory_.getAuthorizableFactory())
                  .any().onAnyColumn(dbName, tblName, tableOwner).build();  <-- require ANY priviledge here
              if (!authzChecker_.get().hasAccess(user, privilegeRequest)) {
                iter.remove();
              }
            }
          }
          return tblNames;
        } 

      In Sentry integration, checking ANY priviledge will check all possible priviledges, i.e. ALL, OWNER, ALTER, DROP, CREATE, INSERT, SELECT, REFRESH, until one is permitted. In the worst case that current use don't have any priviledge on a table, we need to perform 8 checks on this table.

      public enum Privilege {
        ...
        static {
          ...
          ANY.implied_ = EnumSet.of(ALL, OWNER, ALTER, DROP, CREATE, INSERT, SELECT,
              REFRESH); 

      GET_TABLES performance is poor when there're thosands of tables. It's reasonable to only return tables that current user has SELECT priviledge on them. Checking only the SELECT priviledge can boost the perfomance to be 8 times better. In my experiment on impala-2.12-cdh5.16.2 with 40k tables, GET_TABLES takes 16s originally when current user only have priviledges on 6 tables. With this change, time reduces to 2s.

      We can add a flag to only check on SELECT priviledge for table visuability.

      Attachments

        Activity

          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            stigahuang Quanlong Huang
            stigahuang Quanlong Huang
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment