heguanhui opened a new pull request, #63838:
URL: https://github.com/apache/doris/pull/63838

   ## Summary
   Short-circuit `checkCtlPriv`/`checkDbPriv`/`checkTblPriv` in `CatalogAccessController` when `hasGlobal=true`, avoiding unnecessary privilege lookups that become a performance bottleneck with large numbers of privileges.
   
   ## What problem does this PR solve?
   
   Issue Number: close #xxx
   
   Related PR: #xxx
   
   Problem Summary: In `CatalogAccessController`, the `checkCtlPriv`/`checkDbPriv`/`checkTblPriv` methods with `hasGlobal` parameter always invoke the underlying privilege check (e.g. `checkCtlPriv(currentUser, ctl, wanted)`) even when `hasGlobal` is true. Since `hasGlobal=true` means the user already has global-level privilege, the result of the specific-level check is irrelevant — the method will return true regardless. This causes unnecessary privilege lookups, which become a performance bottleneck when there are a large number of privileges configured.
   
   Before:
   ```java
   default boolean checkCtlPriv(boolean hasGlobal, UserIdentity currentUser, String ctl, PrivPredicate wanted) {
       boolean res = checkCtlPriv(currentUser, ctl, wanted);
       return hasGlobal || res;
   }
   ```
   
   After:
   ```java
   default boolean checkCtlPriv(boolean hasGlobal, UserIdentity currentUser, String ctl, PrivPredicate wanted) {
       if (hasGlobal) {
           return true;
       }
       return checkCtlPriv(currentUser, ctl, wanted);
   }
   ```
   
   The same pattern is applied to `checkDbPriv` and `checkTblPriv`.
   
   ## Release note
   
   Optimized privilege checking to short-circuit when global privilege is already granted, avoiding unnecessary catalog/db/table-level privilege lookups and improving performance in environments with many privileges.
   
   ## Check List (For Author)
   
   - Test: Unit Test
       - Added `CatalogAccessControllerTest` covering short-circuit and fall-through paths for `checkCtlPriv`, `checkDbPriv`, `checkTblPriv`, and `checkColsPriv`
   - Behavior changed: No
   - Does this need documentation: No


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
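
An added example, not code from the pull request or from Doris: it puts the "before" and "after" shapes described above side by side and checks, for every combination of `hasGlobal` and lookup result, that the access decision is unchanged while the lookup count drops to zero when `hasGlobal` is true. The types are simplified to `String`, and `ShortCircuitDemo`, `AccessController`, `CountingController`, `checkCtlPrivBefore` and `checkCtlPrivAfter` are hypothetical names.

```java
import java.util.concurrent.atomic.AtomicInteger;

public class ShortCircuitDemo {
    // Hypothetical, simplified stand-in for the controller interface (not Doris's real types).
    interface AccessController {
        boolean checkCtlPriv(String user, String ctl, String wanted);

        // "Before" shape: the lookup always runs, then is OR-ed with hasGlobal.
        default boolean checkCtlPrivBefore(boolean hasGlobal, String user, String ctl, String wanted) {
            boolean res = checkCtlPriv(user, ctl, wanted);
            return hasGlobal || res;
        }

        // "After" shape: return early, so the lookup runs only without global privilege.
        default boolean checkCtlPrivAfter(boolean hasGlobal, String user, String ctl, String wanted) {
            if (hasGlobal) {
                return true;
            }
            return checkCtlPriv(user, ctl, wanted);
        }
    }

    // Constructed controller that counts lookups and returns a fixed answer.
    static final class CountingController implements AccessController {
        final AtomicInteger lookups = new AtomicInteger();
        final boolean grant;
        CountingController(boolean grant) { this.grant = grant; }
        @Override
        public boolean checkCtlPriv(String user, String ctl, String wanted) {
            lookups.incrementAndGet();
            return grant;
        }
    }

    public static void main(String[] args) {
        for (boolean hasGlobal : new boolean[] {true, false}) {
            for (boolean grant : new boolean[] {true, false}) {
                CountingController before = new CountingController(grant);
                CountingController after = new CountingController(grant);
                boolean b = before.checkCtlPrivBefore(hasGlobal, "alice", "internal", "SELECT");
                boolean a = after.checkCtlPrivAfter(hasGlobal, "alice", "internal", "SELECT");
                if (a != b) throw new AssertionError("access decision changed");
                if (before.lookups.get() != 1) throw new AssertionError("before: expected one lookup");
                if (after.lookups.get() != (hasGlobal ? 0 : 1)) throw new AssertionError("after: wrong lookup count");
                System.out.printf("hasGlobal=%b grant=%b -> allow=%b lookups before=%d after=%d%n",
                        hasGlobal, grant, a, before.lookups.get(), after.lookups.get());
            }
        }
    }
}
```

The two shapes are interchangeable only while the underlying check has no side effects; an implementation that writes an audit record or throws inside the lookup would behave differently once the call is skipped.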
