Uploaded image for project: 'IMPALA'
  1. IMPALA
  2. IMPALA-9242

Access check should only check against the privileges of the authorizable

    XMLWordPrintableJSON

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Implemented
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None
    • Epic Color:
      ghx-label-14

      Description

      Currently, according to the implementation of https://github.com/apache/sentry/blob/branch-2.1.0/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimpleCacheProviderBackend.java#L64

      each access check request in Sentry is done against all the privileges of the user. Instead, we can reduce the number of privilege checks significantly, if we use this API in https://github.com/apache/sentry/blob/master/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/PrivilegeCache.java#L46

      Unfortunately, SENTRY-1291 which is merged in master branch of Sentry is unavailable. However, if we can have a interface side changes in PrivilegeCache, Impala can implement a prefix-tree based PrivilegeCache so that number of privileges returned are only related to the given authorizable. This API can then be used in SimpleCacheProviderBackend to reduce the processing time required to check access for a large number of objects in large setups.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                csringhofer Csaba Ringhofer
                Reporter:
                vihangk1 Vihang Karajgaonkar
              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: