You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@kyuubi.apache.org by "Yikf (via GitHub)" <gi...@apache.org> on 2024/01/14 12:02:31 UTC
[PR] [AUTHZ] AuthZ should check hoodie procedures path resource privileges [kyuubi]
Yikf opened a new pull request, #5972:
URL: https://github.com/apache/kyuubi/pull/5972
# :mag: Description
## Issue References ๐
<!-- Append the issue number after #. If there is no issue for you to link create one or -->
<!-- If there are no issues to link, please provide details here. -->
This pull request aims to make authz check hoodie procedures path resource privileges.
## Describe Your Solution ๐ง
Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change.
## Types of changes :bookmark:
<!--- What types of changes does your code introduce? Put an `x` in all the boxes that apply: -->
- [x] Bugfix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to change)
## Test Plan ๐งช
#### Behavior Without This Pull Request :coffin:
When the Hoodie procedure operation is on the path, the check can pass regardless of whether the path resource has permissions.
#### Behavior With This Pull Request :tada:
Check the path permissions correctly.
#### Related Unit Tests
New tests added.
---
# Checklist ๐
<!--- Go over all the following points, and put an `x` in all the boxes that apply. -->
<!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! -->
- [ ] This patch was not authored or co-authored using [Generative Tooling](https://www.apache.org/legal/generative-tooling.html)
**Be nice. Be informative.**
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For additional commands, e-mail: notifications-help@kyuubi.apache.org
Re: [PR] [AUTHZ] AuthZ should check hoodie procedures path resource privileges [kyuubi]
Posted by "AngersZhuuuu (via GitHub)" <gi...@apache.org>.
AngersZhuuuu commented on code in PR #5972:
URL: https://github.com/apache/kyuubi/pull/5972#discussion_r1462652430
##########
extensions/spark/kyuubi-spark-authz/src/main/resources/table_command_spec.json:
##########
@@ -2033,7 +2033,17 @@
} ],
"opType" : "QUERY",
"queryDescs" : [ ],
- "uriDescs" : [ ]
+ "uriDescs" : [ {
+ "fieldName" : "clone",
+ "fieldExtractor" : "HudiCallProcedureInputUriExtractor",
+ "isInput" : true,
+ "comment" : "Hudi"
Review Comment:
I think we don't need to add this here, better in the whole hudi node.
##########
extensions/spark/kyuubi-spark-authz/src/main/resources/table_command_spec.json:
##########
@@ -2033,7 +2033,17 @@
} ],
"opType" : "QUERY",
"queryDescs" : [ ],
- "uriDescs" : [ ]
+ "uriDescs" : [ {
+ "fieldName" : "clone",
+ "fieldExtractor" : "HudiCallProcedureInputUriExtractor",
+ "isInput" : true,
+ "comment" : "Hudi"
+ }, {
+ "fieldName" : "clone",
+ "fieldExtractor" : "HudiCallProcedureOutputUriExtractor",
+ "isInput" : false,
+ "comment" : "Hudi"
Review Comment:
ditto
##########
extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/gen/HudiCommands.scala:
##########
@@ -288,7 +288,14 @@ object HudiCommands extends CommandSpecs[TableCommandSpec] {
"clone",
classOf[HudiCallProcedureOutputTableExtractor],
actionTypeDesc = Some(ActionTypeDesc(actionType = Some(UPDATE))),
- setCurrentDatabaseIfMissing = true)))
+ setCurrentDatabaseIfMissing = true)),
+ uriDescs = Seq(
+ UriDesc(
+ "clone",
+ classOf[HudiCallProcedureInputUriExtractor],
+ isInput = true,
+ comment = "Hudi"),
+ UriDesc("clone", classOf[HudiCallProcedureOutputUriExtractor], comment = "Hudi")))
Review Comment:
ditto, can remove hudi
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For additional commands, e-mail: notifications-help@kyuubi.apache.org
Re: [PR] [AUTHZ] AuthZ should check hoodie procedures path resource privileges [kyuubi]
Posted by "Yikf (via GitHub)" <gi...@apache.org>.
Yikf commented on code in PR #5972:
URL: https://github.com/apache/kyuubi/pull/5972#discussion_r1462689659
##########
extensions/spark/kyuubi-spark-authz/src/main/resources/table_command_spec.json:
##########
@@ -2033,7 +2033,17 @@
} ],
"opType" : "QUERY",
"queryDescs" : [ ],
- "uriDescs" : [ ]
+ "uriDescs" : [ {
+ "fieldName" : "clone",
+ "fieldExtractor" : "HudiCallProcedureInputUriExtractor",
+ "isInput" : true,
+ "comment" : "Hudi"
Review Comment:
thanks @AngersZhuuuu for the suggestion.
Maybe I misunderstood your meaning, do you mean the 'comment' attribute that can be removed?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For additional commands, e-mail: notifications-help@kyuubi.apache.org
Re: [PR] [AUTHZ] AuthZ should check hoodie procedures path resource privileges [kyuubi]
Posted by "Yikf (via GitHub)" <gi...@apache.org>.
Yikf commented on code in PR #5972:
URL: https://github.com/apache/kyuubi/pull/5972#discussion_r1462939386
##########
extensions/spark/kyuubi-spark-authz/src/main/resources/table_command_spec.json:
##########
@@ -2033,7 +2033,17 @@
} ],
"opType" : "QUERY",
"queryDescs" : [ ],
- "uriDescs" : [ ]
+ "uriDescs" : [ {
+ "fieldName" : "clone",
+ "fieldExtractor" : "HudiCallProcedureInputUriExtractor",
+ "isInput" : true,
+ "comment" : "Hudi"
Review Comment:
As far as I know, the comment field is only used for [error output](https://github.com/apache/kyuubi/blob/ac388d191ddb6a910a5c74575d3ba6aa5a31e062/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/serde/Descriptor.scala#L64)(maybe I missed something ๐ฝ), So I don't understand what the purpose of deleting this field is?
BTW, the top level CommandSpec has no comment field.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For additional commands, e-mail: notifications-help@kyuubi.apache.org
Re: [PR] [AUTHZ] AuthZ should check hoodie procedures path resource privileges [kyuubi]
Posted by "Yikf (via GitHub)" <gi...@apache.org>.
Yikf commented on PR #5972:
URL: https://github.com/apache/kyuubi/pull/5972#issuecomment-1905586510
> Pls create a issue for this and change your pr title
Sure
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For additional commands, e-mail: notifications-help@kyuubi.apache.org
Re: [PR] [AUTHZ] AuthZ should check hoodie procedures path resource privileges [kyuubi]
Posted by "codecov-commenter (via GitHub)" <gi...@apache.org>.
codecov-commenter commented on PR #5972:
URL: https://github.com/apache/kyuubi/pull/5972#issuecomment-1890951856
## [Codecov](https://app.codecov.io/gh/apache/kyuubi/pull/5972?src=pr&el=h1&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache) Report
Attention: `3 lines` in your changes are missing coverage. Please review.
> Comparison is base [(`3af7551`)](https://app.codecov.io/gh/apache/kyuubi/commit/3af755115ac44737017a6e5d9448f87592d7d26c?el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache) 61.19% compared to head [(`d579e53`)](https://app.codecov.io/gh/apache/kyuubi/pull/5972?src=pr&el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache) 61.29%.
| [Files](https://app.codecov.io/gh/apache/kyuubi/pull/5972?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache) | Patch % | Lines |
|---|---|---|
| [...ubi/plugin/spark/authz/serde/tableExtractors.scala](https://app.codecov.io/gh/apache/kyuubi/pull/5972?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache#diff-ZXh0ZW5zaW9ucy9zcGFyay9reXV1Ymktc3BhcmstYXV0aHovc3JjL21haW4vc2NhbGEvb3JnL2FwYWNoZS9reXV1YmkvcGx1Z2luL3NwYXJrL2F1dGh6L3NlcmRlL3RhYmxlRXh0cmFjdG9ycy5zY2FsYQ==) | 96.90% | [0 Missing and 3 partials :warning: ](https://app.codecov.io/gh/apache/kyuubi/pull/5972?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache) |
<details><summary>Additional details and impacted files</summary>
```diff
@@ Coverage Diff @@
## master #5972 +/- ##
============================================
+ Coverage 61.19% 61.29% +0.09%
Complexity 23 23
============================================
Files 622 622
Lines 36887 36913 +26
Branches 5014 5018 +4
============================================
+ Hits 22574 22626 +52
+ Misses 11871 11851 -20
+ Partials 2442 2436 -6
```
</details>
[:umbrella: View full report in Codecov by Sentry](https://app.codecov.io/gh/apache/kyuubi/pull/5972?src=pr&el=continue&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache).
:loudspeaker: Have feedback on the report? [Share it here](https://about.codecov.io/codecov-pr-comment-feedback/?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache).
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For additional commands, e-mail: notifications-help@kyuubi.apache.org
Re: [PR] [KYUUBI #6007] AuthZ should check hoodie procedures path resource privileges [kyuubi]
Posted by "Yikf (via GitHub)" <gi...@apache.org>.
Yikf closed pull request #5972: [KYUUBI #6007] AuthZ should check hoodie procedures path resource privileges
URL: https://github.com/apache/kyuubi/pull/5972
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For additional commands, e-mail: notifications-help@kyuubi.apache.org
Re: [PR] [KYUUBI #6007] AuthZ should check hoodie procedures path resource privileges [kyuubi]
Posted by "Yikf (via GitHub)" <gi...@apache.org>.
Yikf commented on PR #5972:
URL: https://github.com/apache/kyuubi/pull/5972#issuecomment-1911958768
thanks, merged to master
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For additional commands, e-mail: notifications-help@kyuubi.apache.org
Re: [PR] [AUTHZ] AuthZ should check hoodie procedures path resource privileges [kyuubi]
Posted by "Yikf (via GitHub)" <gi...@apache.org>.
Yikf commented on PR #5972:
URL: https://github.com/apache/kyuubi/pull/5972#issuecomment-1891455976
cc @AngersZhuuuu Could you please take a look if you find a time ๐ถ ?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For additional commands, e-mail: notifications-help@kyuubi.apache.org
Re: [PR] [AUTHZ] AuthZ should check hoodie procedures path resource privileges [kyuubi]
Posted by "AngersZhuuuu (via GitHub)" <gi...@apache.org>.
AngersZhuuuu commented on code in PR #5972:
URL: https://github.com/apache/kyuubi/pull/5972#discussion_r1462692836
##########
extensions/spark/kyuubi-spark-authz/src/main/resources/table_command_spec.json:
##########
@@ -2033,7 +2033,17 @@
} ],
"opType" : "QUERY",
"queryDescs" : [ ],
- "uriDescs" : [ ]
+ "uriDescs" : [ {
+ "fieldName" : "clone",
+ "fieldExtractor" : "HudiCallProcedureInputUriExtractor",
+ "isInput" : true,
+ "comment" : "Hudi"
Review Comment:
> thanks @AngersZhuuuu for the suggestion.
>
> Maybe I misunderstood your meaning, do you mean the 'comment' attribute that can be removed?
Yea, if you want to add comment to define query type, we can add it in top level
``` {
"classname" : "org.apache.spark.sql.hudi.command.CallProcedureHoodieCommand",
"comment": "Hudi"
````
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For additional commands, e-mail: notifications-help@kyuubi.apache.org
Re: [PR] [AUTHZ] AuthZ should check hoodie procedures path resource privileges [kyuubi]
Posted by "AngersZhuuuu (via GitHub)" <gi...@apache.org>.
AngersZhuuuu commented on PR #5972:
URL: https://github.com/apache/kyuubi/pull/5972#issuecomment-1905347836
Pls create a issue for this and change your pr title
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For additional commands, e-mail: notifications-help@kyuubi.apache.org