SENTRY-2488: Add privilege cache to sentry hive bindings in DefaultAccessValidator (Arjun Mishra reviewed by Kalyan Kumar Kalvagadda)

commit: 1b8127eab26fa2fc146f13663e056b8f4f5409d0 [log] [tgz]
author: amishra <amishra@cloudera.com> Tue Jan 29 22:31:09 2019 -0600
committer: amishra <amishra@cloudera.com> Tue Jan 29 22:31:09 2019 -0600
tree: 8ea8824375f4f3a007d27f64917035f2a0a15c54
parent: 72ac123228cb059ff5448df86ca46f1a33a6748e [diff]
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryValidator.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryValidator.java
index 9de47b3..a596d0b 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryValidator.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryValidator.java

@@ -16,7 +16,6 @@
 
 import static org.apache.hadoop.hive.metastore.MetaStoreUtils.DEFAULT_DATABASE_NAME;
 
-import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Preconditions;
 import com.google.common.collect.Sets;
 import java.security.CodeSource;
@@ -174,7 +173,7 @@
 
     HiveAuthzBinding hiveAuthzBinding = null;
     try {
-      hiveAuthzBinding = getAuthzBinding();
+      hiveAuthzBinding = getAuthzBindingWithPrivilegeCache(authenticator.getUserName());
       if (stmtAuthPrivileges == null) {
         // We don't handle authorizing this statement
         return;
@@ -245,9 +244,24 @@
     }
   }
 
-  @VisibleForTesting
-  public HiveAuthzBinding getAuthzBinding() throws Exception {
-    return new HiveAuthzBinding(hiveHook, conf, authzConf);
+  /**
+   * Create a binding object with a cache of privileges that will last the session
+   * At the time of doing the authorization check we will only check against the cache
+   * as opposed to fetching from the database each time
+   * @param userName
+   * @return
+   * @throws Exception
+   */
+  public HiveAuthzBinding getAuthzBindingWithPrivilegeCache(String userName) throws Exception {
+    HiveAuthzBinding hiveAuthzBinding = new HiveAuthzBinding(hiveHook, conf, authzConf);
+    try {
+      HiveAuthzBinding hiveAuthzBindingWithCache = HiveAuthzBindingHookBase
+          .getHiveBindingWithPrivilegeCache(hiveAuthzBinding, userName);
+      return hiveAuthzBindingWithCache;
+    } catch (Exception e) {
+      LOG.error("Unable to build bindings with cache. Use bindings without cache", e);
+      return  hiveAuthzBinding;
+    }
   }
 
   private void addExtendHierarchy(HiveOperation hiveOp, HiveAuthzPrivileges stmtAuthPrivileges,
@@ -372,13 +386,13 @@
       try {
         switch (pType) {
           case DATABASE:
-            hiveAuthzBinding = getAuthzBinding();
+            hiveAuthzBinding = getAuthzBindingWithPrivilegeCache(authenticator.getUserName());
             authzObjectFilter = new MetastoreAuthzObjectFilter<HivePrivilegeObject>(hiveAuthzBinding,
               OBJECT_EXTRACTOR);
             listObjs = authzObjectFilter.filterDatabases(authenticator.getUserName(), listObjs);
             break;
           case TABLE_OR_VIEW:
-            hiveAuthzBinding = getAuthzBinding();
+            hiveAuthzBinding = getAuthzBindingWithPrivilegeCache(authenticator.getUserName());
             authzObjectFilter = new MetastoreAuthzObjectFilter<HivePrivilegeObject>(hiveAuthzBinding,
               OBJECT_EXTRACTOR);
             listObjs = authzObjectFilter.filterTables(authenticator.getUserName(), listObjs);

diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java
index 63d8d1c..46eb456 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java

@@ -828,7 +828,7 @@
   }
 
   // create hiveBinding with PrivilegeCache
-  private static HiveAuthzBinding getHiveBindingWithPrivilegeCache(HiveAuthzBinding hiveAuthzBinding,
+  static HiveAuthzBinding getHiveBindingWithPrivilegeCache(HiveAuthzBinding hiveAuthzBinding,
       String userName) throws SemanticException {
     // get the original HiveAuthzBinding, and get the user's privileges by AuthorizationProvider
     AuthorizationProvider authProvider = hiveAuthzBinding.getCurrentAuthProvider();

diff --git a/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimplePrivilegeCache.java b/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimplePrivilegeCache.java
index 0ad4616..5de3135 100644
--- a/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimplePrivilegeCache.java
+++ b/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimplePrivilegeCache.java

@@ -16,6 +16,7 @@
  */
 package org.apache.sentry.provider.cache;
 
+import java.util.Collections;
 import org.apache.sentry.core.common.ActiveRoleSet;
 import org.apache.sentry.core.common.Authorizable;
 import org.apache.sentry.core.common.utils.SentryConstants;
@@ -110,7 +111,7 @@
   @Override
   public void close() {
     if (cachedPrivileges != null) {
-      cachedPrivileges.clear();
+      cachedPrivileges = Collections.emptySet();
     }
   }
commit	1b8127eab26fa2fc146f13663e056b8f4f5409d0	[log] [tgz]
author	amishra <amishra@cloudera.com>	Tue Jan 29 22:31:09 2019 -0600
committer	amishra <amishra@cloudera.com>	Tue Jan 29 22:31:09 2019 -0600
tree	8ea8824375f4f3a007d27f64917035f2a0a15c54
parent	72ac123228cb059ff5448df86ca46f1a33a6748e [diff]