You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@kyuubi.apache.org by ya...@apache.org on 2022/09/07 11:24:43 UTC
[incubator-kyuubi] branch master updated: [KYUUBI #3430] AlterTableRenameCommand should skip permission check if it's tempview
This is an automated email from the ASF dual-hosted git repository.
yao pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-kyuubi.git
The following commit(s) were added to refs/heads/master by this push:
new 365c1ccf7 [KYUUBI #3430] AlterTableRenameCommand should skip permission check if it's tempview
365c1ccf7 is described below
commit 365c1ccf78292d8ad06d5fba87fa31734ba7ea54
Author: yikf <yi...@gmail.com>
AuthorDate: Wed Sep 7 19:24:34 2022 +0800
[KYUUBI #3430] AlterTableRenameCommand should skip permission check if it's tempview
### _Why are the changes needed?_
Fix https://github.com/apache/incubator-kyuubi/issues/3430
`AlterTableRenameCommand` should skip permission check if it's tempview
### _How was this patch tested?_
- [ ] Add some test cases that check the changes thoroughly including negative and positive cases if possible
- [ ] Add screenshots for manual tests if appropriate
- [ ] [Run test](https://kyuubi.apache.org/docs/latest/develop_tools/testing.html#running-tests) locally before make a pull request
Closes #3431 from Yikf/view-rename.
Closes #3430
054948e1 [yikf] AlterTableRenameCommand should skip permission check if it is tempview
Authored-by: yikf <yi...@gmail.com>
Signed-off-by: Kent Yao <ya...@apache.org>
---
.../plugin/spark/authz/PrivilegesBuilder.scala | 6 ++++--
.../authz/ranger/RangerSparkExtensionSuite.scala | 23 ++++++++++++++++++++++
2 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala
index 0ee9802b2..9bc3264a3 100644
--- a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala
+++ b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala
@@ -222,8 +222,10 @@ object PrivilegesBuilder {
case "AlterTableRenameCommand" =>
val oldTable = getPlanField[TableIdentifier]("oldName")
val newTable = getPlanField[TableIdentifier]("newName")
- outputObjs += tablePrivileges(oldTable, actionType = PrivilegeObjectActionType.DELETE)
- outputObjs += tablePrivileges(newTable)
+ if (!isTempView(oldTable, spark)) {
+ outputObjs += tablePrivileges(oldTable, actionType = PrivilegeObjectActionType.DELETE)
+ outputObjs += tablePrivileges(newTable)
+ }
// this is for spark 3.1 or below
case "AlterTableRecoverPartitionsCommand" =>
diff --git a/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala b/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
index f7d9dcd94..6f7bbb040 100644
--- a/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
+++ b/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
@@ -448,6 +448,29 @@ abstract class RangerSparkExtensionSuite extends AnyFunSuite
}
}
+ test("[KYUUBI #3430] AlterTableRenameCommand should skip permission check if it's tempview") {
+ val tempView = "temp_view"
+ val tempView2 = "temp_view2"
+ val globalTempView = "global_temp_view"
+ val globalTempView2 = "global_temp_view2"
+
+ // create or replace view
+ doAs("denyuser", sql(s"CREATE TEMPORARY VIEW $tempView AS select * from values(1)"))
+ doAs(
+ "denyuser",
+ sql(s"CREATE GLOBAL TEMPORARY VIEW $globalTempView AS SELECT * FROM values(1)"))
+
+ // rename view
+ doAs("denyuser2", sql(s"ALTER VIEW $tempView RENAME TO $tempView2"))
+ doAs(
+ "denyuser2",
+ sql(s"ALTER VIEW global_temp.$globalTempView RENAME TO global_temp.$globalTempView2"))
+
+ doAs("admin", sql(s"DROP VIEW IF EXISTS $tempView2"))
+ doAs("admin", sql(s"DROP VIEW IF EXISTS global_temp.$globalTempView2"))
+ doAs("admin", assert(sql("show tables from global_temp").collect().length == 0))
+ }
+
test("[KYUUBI #3426] Drop temp view should be skipped permission check") {
val tempView = "temp_view"
val globalTempView = "global_temp_view"