Posted to notifications@kyuubi.apache.org by GitBox <gi...@apache.org> on 2022/08/26 10:06:58 UTC

[GitHub] [incubator-kyuubi] Yikf commented on a diff in pull request #3344: [KYUUBI #3343] [Improvement] [AUTHZ] Skip privilege checks for CreateViewCommand of LocalTempView and GlobalTempView

Yikf commented on code in PR #3344:
URL: https://github.com/apache/incubator-kyuubi/pull/3344#discussion_r955885213


##########
extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala:
##########
@@ -499,4 +499,48 @@ class HiveCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite {
         })
     }
   }
+
+  test("pass temporary view creation") {

Review Comment:
   Please add [KYUUBI #3344] prefix



##########
extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala:
##########
@@ -499,4 +499,48 @@ class HiveCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite {
         })
     }
   }
+
+  test("pass temporary view creation") {
+    val table = "hive_src"
+    val tempView = "temp_view"
+    val globalTempView = "global_temp_view"
+
+    withCleanTmpResources(Seq((table, "table"))) {
+      doAs("admin", sql(s"CREATE TABLE IF NOT EXISTS $table (id int)"))
+
+      doAs("admin", sql(s"CREATE TEMPORARY VIEW $tempView AS select * from $table"))
+      doAs(
+        "admin",
+        sql(s"CREATE OR REPLACE TEMPORARY VIEW $tempView" +
+          s" AS select * from $table"))
+      doAs("admin", sql(s"CREATE GLOBAL TEMPORARY VIEW $globalTempView AS SELECT * FROM $table"))
+      doAs(
+        "admin",
+        sql(s"CREATE OR REPLACE GLOBAL TEMPORARY VIEW $globalTempView" +
+          s" AS select * from $table"))
+    }
+  }
+
+  test("check persisted view creation") {
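Review bot: Every statement in `pass temporary view creation` runs as `admin`, which the persisted-view test in this same change shows can already create views, so the test passes whether or not the create-privilege check is skipped for temporary views. To pin the new behaviour, run at least one statement as a user without create privilege, for example `doAs("someone", sql(s"CREATE TEMPORARY VIEW $tempView AS SELECT 1 AS a"))`, which mirrors the query used in the denied persisted-view case. If the skip is meant to cover only the view object itself, a companion `intercept[AccessControlException]` for a temporary view over a table that user cannot read would confirm the source-table check still applies; whether it does is not visible here. The same test body is quoted again in the next hunk on this page.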

Review Comment:
   ditto



##########
extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala:
##########
@@ -499,4 +499,48 @@ class HiveCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite {
         })
     }
   }
+
+  test("pass temporary view creation") {
+    val table = "hive_src"
+    val tempView = "temp_view"
+    val globalTempView = "global_temp_view"
+
+    withCleanTmpResources(Seq((table, "table"))) {
+      doAs("admin", sql(s"CREATE TABLE IF NOT EXISTS $table (id int)"))
+
+      doAs("admin", sql(s"CREATE TEMPORARY VIEW $tempView AS select * from $table"))
+      doAs(
+        "admin",
+        sql(s"CREATE OR REPLACE TEMPORARY VIEW $tempView" +
+          s" AS select * from $table"))
+      doAs("admin", sql(s"CREATE GLOBAL TEMPORARY VIEW $globalTempView AS SELECT * FROM $table"))
+      doAs(
+        "admin",
+        sql(s"CREATE OR REPLACE GLOBAL TEMPORARY VIEW $globalTempView" +
+          s" AS select * from $table"))
+    }
+  }
+
+  test("check persisted view creation") {
+    val table = "hive_src"
+    val permView = "perm_view"
+
+    withCleanTmpResources(Seq((table, "table"))) {
+      doAs("admin", sql(s"CREATE TABLE IF NOT EXISTS $table (id int)"))
+
+      doAs("admin", sql(s"CREATE VIEW admin_perm_view AS SELECT * FROM $table"))
+
+      val e1 = intercept[AccessControlException](
+        doAs("someone", sql(s"CREATE VIEW $permView AS SELECT 1 as a")))
+      assert(e1.getMessage.contains(s"does not have [create] privilege on [default/$permView]"))
+
+      val e2 = intercept[AccessControlException](
+        doAs("someone", sql(s"CREATE VIEW $permView AS SELECT * FROM $table")))
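Review bot: `admin_perm_view` is created with a plain `CREATE VIEW`, but the cleanup list passed to `withCleanTmpResources` names only `(table, "table")`, so the view looks likely to outlive the test and make a rerun or a later test fail on an existing object. Consider binding the name to a `val` like `permView` and registering it for cleanup, e.g. `withCleanTmpResources(Seq((table, "table"), (adminPermView, "view")))`, assuming the helper accepts a view entry; its definition is not shown here. The temporary views in `pass temporary view creation` have the same gap, and a leftover `temp_view` would make the non-`OR REPLACE` statement fail if the session is shared across tests. The body of `check persisted view creation` continues outside this hunk.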

Review Comment:
   Can we use a user who has `SELECT` privileges on `$table` but not `CREATE` privileges for `$permView`?


