Posted to notifications@kyuubi.apache.org by GitBox <gi...@apache.org> on 2022/10/08 19:05:54 UTC

[GitHub] [incubator-kyuubi] bowenliang123 opened a new pull request, #3595: [KYUUBI #3594][Subtask][Authz] Introduce Ranger Plugin factory and init plugin with service name by catalog name

bowenliang123 opened a new pull request, #3595:
URL: https://github.com/apache/incubator-kyuubi/pull/3595

   
   ### _Why are the changes needed?_
   
   to close #3594 .
   
   - Introduce Ranger Plugin factory
   - fetch the Ranger service name by looking up the catalog name in the Ranger config 'ranger.plugin.spark.catalog.$catalogName.service.name'
   - init plugin with service name by catalog name
   - existing usage of the Authz plugin will not be impacted, as the default values for the Ranger plugin's serviceType ('spark') and appId ('sparkSql') are not changed.
   
   ### _How was this patch tested?_
   - [x] Add some test cases that check the changes thoroughly including negative and positive cases if possible
   
   - [ ] Add screenshots for manual tests if appropriate
   
   - [x] [Run test](https://kyuubi.apache.org/docs/latest/develop_tools/testing.html#running-tests) locally before making a pull request
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For additional commands, e-mail: notifications-help@kyuubi.apache.org


[GitHub] [incubator-kyuubi] bowenliang123 commented on a diff in pull request #3595: [KYUUBI #3594][Subtask][Authz] init RangerBasePlugin for each catalog with corresponding service name

Posted by GitBox <gi...@apache.org>.
bowenliang123 commented on code in PR #3595:
URL: https://github.com/apache/incubator-kyuubi/pull/3595#discussion_r1045372722


##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/SparkRangerAdminPlugin.scala:
##########
@@ -131,4 +140,39 @@ object SparkRangerAdminPlugin extends RangerBasePlugin("spark", "sparkSql")
       }
     }
   }
+
+  def getOrCreateRangerPlugin(catalog: Option[String] = None): RangerBasePlugin = synchronized {

Review Comment:
   This will be done in the following PR in pull <https://github.com/apache/incubator-kyuubi/pull/3606> by adding `catalog` to `PrivilegeObject`. And then fill catalog info from extractors in another PR.
   
   The initial plan and steps are in the umbrella issue here: https://github.com/apache/incubator-kyuubi/issues/3586





[GitHub] [incubator-kyuubi] yaooqinn commented on a diff in pull request #3595: [KYUUBI #3594][Subtask][Authz] init RangerBasePlugin for each catalog with corresponding service name

Posted by GitBox <gi...@apache.org>.
yaooqinn commented on code in PR #3595:
URL: https://github.com/apache/incubator-kyuubi/pull/3595#discussion_r1022396998


##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/SparkRangerAdminPlugin.scala:
##########
@@ -38,12 +47,12 @@ object SparkRangerAdminPlugin extends RangerBasePlugin("spark", "sparkSql")
    * This configuration controls whether to verify the privilege objects in single call or
    * to verify them one by one.
    */
-  def authorizeInSingleCall: Boolean = getRangerConf.getBoolean(
-    s"ranger.plugin.${getServiceType}.authorize.in.single.call",
+  def authorizeInSingleCall: Boolean = getRangerConf(defaultBasePlugin).getBoolean(
+    s"ranger.plugin.${defaultBasePlugin.getServiceType}.authorize.in.single.call",
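
Review bot: `authorizeInSingleCall` now reads `ranger.plugin.${defaultBasePlugin.getServiceType}.authorize.in.single.call` from `getRangerConf(defaultBasePlugin)` only, so the flag is fixed by the default plugin even when a request is checked by a per-catalog plugin. State that in the Scaladoc above, or take the plugin as a parameter so the key and the configuration come from the instance that performs the check.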

Review Comment:
   why use the defaultBasePlugin.getServiceType?





[GitHub] [incubator-kyuubi] bowenliang123 commented on a diff in pull request #3595: [KYUUBI #3594][Subtask][Authz] init RangerBasePlugin for each catalog with corresponding service name

Posted by GitBox <gi...@apache.org>.
bowenliang123 commented on code in PR #3595:
URL: https://github.com/apache/incubator-kyuubi/pull/3595#discussion_r1023850500


##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RuleApplyRowFilterAndDataMasking.scala:
##########
@@ -81,17 +81,18 @@ class RuleApplyRowFilterAndDataMasking(spark: SparkSession) extends Rule[Logical
       plan: LogicalPlan,
       identifier: TableIdentifier,
       spark: SparkSession): LogicalPlan = {
+    val plugin = SparkRangerAdminPlugin
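
Review bot: `val plugin = SparkRangerAdminPlugin` binds the singleton object itself, so this line does not select anything by catalog and behaves the same as referencing the object directly. If the alias is a placeholder for a per-catalog lookup based on `identifier`, add a comment saying so; otherwise drop it from this change.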

Review Comment:
   Not really. Just to make sure `getFilterExpr` and `getMaskingExpr` are calling the same SparkRangerAdminPlugin instance. And separate them by catalog in future.
   
   Or let me revert it this time?





[GitHub] [incubator-kyuubi] bowenliang123 commented on pull request #3595: [KYUUBI #3594][Subtask][Authz] WIP: Introduce Ranger Plugin factory and init plugin with service name by catalog name

Posted by GitBox <gi...@apache.org>.
bowenliang123 commented on PR #3595:
URL: https://github.com/apache/incubator-kyuubi/pull/3595#issuecomment-1272564115

   For Ranger 2.1+, use the constructor with service name, but for Ranger 2.0 and below reuse the same service name as default.




[GitHub] [incubator-kyuubi] yaooqinn commented on a diff in pull request #3595: [KYUUBI #3594][Subtask][Authz] init RangerBasePlugin for each catalog with corresponding service name

Posted by GitBox <gi...@apache.org>.
yaooqinn commented on code in PR #3595:
URL: https://github.com/apache/incubator-kyuubi/pull/3595#discussion_r992096375


##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/SparkRangerAdminPlugin.scala:
##########
@@ -131,4 +144,39 @@ object SparkRangerAdminPlugin extends RangerBasePlugin("spark", "sparkSql")
       }
     }
   }
+
+  def getRangerPlugin(catalog: Option[String] = None): RangerBasePlugin = {

Review Comment:
   shall we synchronize it?





[GitHub] [incubator-kyuubi] bowenliang123 commented on pull request #3595: [KYUUBI #3594][Subtask][Authz] init RangerBasePlugin for each catalog with corresponding service name

Posted by GitBox <gi...@apache.org>.
bowenliang123 commented on PR #3595:
URL: https://github.com/apache/incubator-kyuubi/pull/3595#issuecomment-1352477603

   Also suspending this PR due to the unplanned close in pull https://github.com/apache/incubator-kyuubi/pull/3606 .




[GitHub] [incubator-kyuubi] codecov-commenter commented on pull request #3595: [KYUUBI #3594][Subtask][Authz] WIP: Introduce Ranger Plugin factory and init plugin with service name by catalog name

Posted by GitBox <gi...@apache.org>.
codecov-commenter commented on PR #3595:
URL: https://github.com/apache/incubator-kyuubi/pull/3595#issuecomment-1273106333

   # [Codecov](https://codecov.io/gh/apache/incubator-kyuubi/pull/3595?src=pr&el=h1&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) Report
   > Merging [#3595](https://codecov.io/gh/apache/incubator-kyuubi/pull/3595?src=pr&el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) (ddc5f16) into [master](https://codecov.io/gh/apache/incubator-kyuubi/commit/bb50c52c2f6f2068dbd9897cc04280b63b299f2f?el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) (bb50c52) will **decrease** coverage by `0.06%`.
   > The diff coverage is `75.00%`.
   
   ```diff
   @@             Coverage Diff              @@
   ##             master    #3595      +/-   ##
   ============================================
   - Coverage     51.81%   51.75%   -0.07%     
     Complexity       13       13              
   ============================================
     Files           483      483              
     Lines         26998    27077      +79     
     Branches       3769     3784      +15     
   ============================================
   + Hits          13989    14013      +24     
   - Misses        11652    11689      +37     
   - Partials       1357     1375      +18     
   ```
   
   
   | [Impacted Files](https://codecov.io/gh/apache/incubator-kyuubi/pull/3595?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) | Coverage Δ | |
   |---|---|---|
   | [...uubi/plugin/spark/authz/ranger/AccessRequest.scala](https://codecov.io/gh/apache/incubator-kyuubi/pull/3595/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-ZXh0ZW5zaW9ucy9zcGFyay9reXV1Ymktc3BhcmstYXV0aHovc3JjL21haW4vc2NhbGEvb3JnL2FwYWNoZS9reXV1YmkvcGx1Z2luL3NwYXJrL2F1dGh6L3Jhbmdlci9BY2Nlc3NSZXF1ZXN0LnNjYWxh) | `63.63% <40.00%> (-30.12%)` | :arrow_down: |
   | [...n/spark/authz/ranger/FilteredShowObjectsExec.scala](https://codecov.io/gh/apache/incubator-kyuubi/pull/3595/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-ZXh0ZW5zaW9ucy9zcGFyay9reXV1Ymktc3BhcmstYXV0aHovc3JjL21haW4vc2NhbGEvb3JnL2FwYWNoZS9reXV1YmkvcGx1Z2luL3NwYXJrL2F1dGh6L3Jhbmdlci9GaWx0ZXJlZFNob3dPYmplY3RzRXhlYy5zY2FsYQ==) | `42.10% <50.00%> (ø)` | |
   | [...in/spark/authz/ranger/SparkRangerAdminPlugin.scala](https://codecov.io/gh/apache/incubator-kyuubi/pull/3595/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-ZXh0ZW5zaW9ucy9zcGFyay9reXV1Ymktc3BhcmstYXV0aHovc3JjL21haW4vc2NhbGEvb3JnL2FwYWNoZS9reXV1YmkvcGx1Z2luL3NwYXJrL2F1dGh6L3Jhbmdlci9TcGFya1JhbmdlckFkbWluUGx1Z2luLnNjYWxh) | `65.42% <72.91%> (+2.92%)` | :arrow_up: |
   | [.../plugin/spark/authz/ranger/RuleAuthorization.scala](https://codecov.io/gh/apache/incubator-kyuubi/pull/3595/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-ZXh0ZW5zaW9ucy9zcGFyay9reXV1Ymktc3BhcmstYXV0aHovc3JjL21haW4vc2NhbGEvb3JnL2FwYWNoZS9reXV1YmkvcGx1Z2luL3NwYXJrL2F1dGh6L3Jhbmdlci9SdWxlQXV0aG9yaXphdGlvbi5zY2FsYQ==) | `79.48% <75.00%> (+0.53%)` | :arrow_up: |
   | [...k/authz/ranger/RuleReplaceShowObjectCommands.scala](https://codecov.io/gh/apache/incubator-kyuubi/pull/3595/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-ZXh0ZW5zaW9ucy9zcGFyay9reXV1Ymktc3BhcmstYXV0aHovc3JjL21haW4vc2NhbGEvb3JnL2FwYWNoZS9reXV1YmkvcGx1Z2luL3NwYXJrL2F1dGh6L3Jhbmdlci9SdWxlUmVwbGFjZVNob3dPYmplY3RDb21tYW5kcy5zY2FsYQ==) | `62.90% <75.00%> (ø)` | |
   | [...he/kyuubi/plugin/spark/authz/PrivilegeObject.scala](https://codecov.io/gh/apache/incubator-kyuubi/pull/3595/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-ZXh0ZW5zaW9ucy9zcGFyay9reXV1Ymktc3BhcmstYXV0aHovc3JjL21haW4vc2NhbGEvb3JnL2FwYWNoZS9reXV1YmkvcGx1Z2luL3NwYXJrL2F1dGh6L1ByaXZpbGVnZU9iamVjdC5zY2FsYQ==) | `85.71% <100.00%> (+2.38%)` | :arrow_up: |
   | [...ubi/plugin/spark/authz/ranger/AccessResource.scala](https://codecov.io/gh/apache/incubator-kyuubi/pull/3595/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-ZXh0ZW5zaW9ucy9zcGFyay9reXV1Ymktc3BhcmstYXV0aHovc3JjL21haW4vc2NhbGEvb3JnL2FwYWNoZS9reXV1YmkvcGx1Z2luL3NwYXJrL2F1dGh6L3Jhbmdlci9BY2Nlc3NSZXNvdXJjZS5zY2FsYQ==) | `84.61% <100.00%> (ø)` | |
   | [...uthz/ranger/RuleApplyRowFilterAndDataMasking.scala](https://codecov.io/gh/apache/incubator-kyuubi/pull/3595/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-ZXh0ZW5zaW9ucy9zcGFyay9reXV1Ymktc3BhcmstYXV0aHovc3JjL21haW4vc2NhbGEvb3JnL2FwYWNoZS9reXV1YmkvcGx1Z2luL3NwYXJrL2F1dGh6L3Jhbmdlci9SdWxlQXBwbHlSb3dGaWx0ZXJBbmREYXRhTWFza2luZy5zY2FsYQ==) | `90.69% <100.00%> (+0.22%)` | :arrow_up: |
   | [...he/kyuubi/plugin/spark/authz/util/AuthZUtils.scala](https://codecov.io/gh/apache/incubator-kyuubi/pull/3595/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-ZXh0ZW5zaW9ucy9zcGFyay9reXV1Ymktc3BhcmstYXV0aHovc3JjL21haW4vc2NhbGEvb3JnL2FwYWNoZS9reXV1YmkvcGx1Z2luL3NwYXJrL2F1dGh6L3V0aWwvQXV0aFpVdGlscy5zY2FsYQ==) | `55.81% <100.00%> (+3.31%)` | :arrow_up: |
   | [...plugin/spark/authz/util/RangerConfigProvider.scala](https://codecov.io/gh/apache/incubator-kyuubi/pull/3595/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-ZXh0ZW5zaW9ucy9zcGFyay9reXV1Ymktc3BhcmstYXV0aHovc3JjL21haW4vc2NhbGEvb3JnL2FwYWNoZS9reXV1YmkvcGx1Z2luL3NwYXJrL2F1dGh6L3V0aWwvUmFuZ2VyQ29uZmlnUHJvdmlkZXIuc2NhbGE=) | `77.77% <100.00%> (+17.77%)` | :arrow_up: |
   | ... and [20 more](https://codecov.io/gh/apache/incubator-kyuubi/pull/3595/diff?src=pr&el=tree-more&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) | |
   




[GitHub] [incubator-kyuubi] yaooqinn commented on a diff in pull request #3595: [KYUUBI #3594][Subtask][Authz] init RangerBasePlugin for each catalog with corresponding service name

Posted by GitBox <gi...@apache.org>.
yaooqinn commented on code in PR #3595:
URL: https://github.com/apache/incubator-kyuubi/pull/3595#discussion_r1022396320


##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/SparkRangerAdminPlugin.scala:
##########
@@ -131,4 +140,39 @@ object SparkRangerAdminPlugin extends RangerBasePlugin("spark", "sparkSql")
       }
     }
   }
+
+  def getOrCreateRangerPlugin(catalog: Option[String] = None): RangerBasePlugin = synchronized {

Review Comment:
   getOrCreate





[GitHub] [incubator-kyuubi] bowenliang123 commented on a diff in pull request #3595: [KYUUBI #3594][Subtask][Authz] init RangerBasePlugin for each catalog with corresponding service name

Posted by GitBox <gi...@apache.org>.
bowenliang123 commented on code in PR #3595:
URL: https://github.com/apache/incubator-kyuubi/pull/3595#discussion_r992879630


##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/SparkRangerAdminPlugin.scala:
##########
@@ -131,4 +140,39 @@ object SparkRangerAdminPlugin extends RangerBasePlugin("spark", "sparkSql")
       }
     }
   }
+
+  def getOrCreateRangerPlugin(catalog: Option[String] = None): RangerBasePlugin = synchronized {
+    catalog match {
+      case None | Some("spark_catalog") =>
+        defaultBasePlugin
+      case Some(catalogName) =>
+        val serviceName = getRangerConf(defaultBasePlugin)
+          .get(s"ranger.plugin.spark.catalog.$catalogName.service.name")
+        serviceName match {
+          case _ if StringUtils.isBlank(serviceName) =>
+            logWarning(s"config ranger.plugin.spark.catalog.$catalogName.service.name not found," +
+              s" default ranger plugin is used")
+            defaultBasePlugin
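
Review bot: in the `StringUtils.isBlank(serviceName)` branch, a catalog with no `ranger.plugin.spark.catalog.$catalogName.service.name` entry is handed `defaultBasePlugin`, so its objects are authorized against the default service's policies with only a warning in the log. That makes a missing or misspelled key indistinguishable from an intended setup. Suggest requiring an explicit setting to permit this fallback and documenting the behaviour next to the key; also note that nothing is cached on this path, so `logWarning` fires on every call for that catalog.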

Review Comment:
   Here returns a `defaultBasePlugin` for the catalog without setting the Ranger service name.
   But it may shadow and block the normal access to the catalog.
   How to return an allow-all ranger plugin to skip access checking for them?








[GitHub] [incubator-kyuubi] bowenliang123 commented on a diff in pull request #3595: [KYUUBI #3594][Subtask][Authz] init RangerBasePlugin for each catalog with corresponding service name

Posted by GitBox <gi...@apache.org>.
bowenliang123 commented on code in PR #3595:
URL: https://github.com/apache/incubator-kyuubi/pull/3595#discussion_r1045372722


##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/SparkRangerAdminPlugin.scala:
##########
@@ -131,4 +140,39 @@ object SparkRangerAdminPlugin extends RangerBasePlugin("spark", "sparkSql")
       }
     }
   }
+
+  def getOrCreateRangerPlugin(catalog: Option[String] = None): RangerBasePlugin = synchronized {

Review Comment:
   This will be done in the following PR in pull <https://github.com/apache/incubator-kyuubi/pull/3606> by adding `catalog` to `PrivilegeObject`. And then fill catalog info in `Privilegebuilder` and extractors in another PR.
   
   The initial plan and steps are in the umbrella issue here: https://github.com/apache/incubator-kyuubi/issues/3586





[GitHub] [incubator-kyuubi] bowenliang123 closed pull request #3595: [KYUUBI #3594][Subtask][Authz] init RangerBasePlugin for each catalog with corresponding service name

Posted by GitBox <gi...@apache.org>.
bowenliang123 closed pull request #3595: [KYUUBI #3594][Subtask][Authz] init RangerBasePlugin for each catalog with corresponding service name
URL: https://github.com/apache/incubator-kyuubi/pull/3595




[GitHub] [incubator-kyuubi] yaooqinn commented on a diff in pull request #3595: [KYUUBI #3594][Subtask][Authz] init RangerBasePlugin for each catalog with corresponding service name

Posted by GitBox <gi...@apache.org>.
yaooqinn commented on code in PR #3595:
URL: https://github.com/apache/incubator-kyuubi/pull/3595#discussion_r992096008


##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/SparkRangerAdminPlugin.scala:
##########
@@ -131,4 +144,39 @@ object SparkRangerAdminPlugin extends RangerBasePlugin("spark", "sparkSql")
       }
     }
   }
+
+  def getRangerPlugin(catalog: Option[String] = None): RangerBasePlugin = {

Review Comment:
   def getOrCreate()





[GitHub] [incubator-kyuubi] bowenliang123 commented on a diff in pull request #3595: [KYUUBI #3594][Subtask][Authz] init RangerBasePlugin for each catalog with corresponding service name

Posted by GitBox <gi...@apache.org>.
bowenliang123 commented on code in PR #3595:
URL: https://github.com/apache/incubator-kyuubi/pull/3595#discussion_r1023868185


##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/SparkRangerAdminPlugin.scala:
##########
@@ -131,4 +140,39 @@ object SparkRangerAdminPlugin extends RangerBasePlugin("spark", "sparkSql")
       }
     }
   }
+
+  def getOrCreateRangerPlugin(catalog: Option[String] = None): RangerBasePlugin = synchronized {
+    catalog match {
+      case None | Some("spark_catalog") =>
+        defaultBasePlugin
+      case Some(catalogName) =>
+        val serviceName = getRangerConf(defaultBasePlugin)
+          .get(s"ranger.plugin.spark.catalog.$catalogName.service.name")
+        serviceName match {
+          case _ if StringUtils.isBlank(serviceName) =>
+            logWarning(s"config ranger.plugin.spark.catalog.$catalogName.service.name not found," +
+              s" default ranger plugin is used")
+            defaultBasePlugin
+          case _ =>
+            catalog2pluginMap.getOrElseUpdate(
+              catalogName,
+              initRangerBasePlugin(serviceName = serviceName, appId = catalogName))
+        }
+    }
+  }
+
+  def initRangerBasePlugin(serviceName: String, appId: String): RangerBasePlugin = {
+    val basePlugin =
+      if (isRanger21orGreater) {
+        classOf[RangerBasePlugin].getConstructor(classOf[String], classOf[String], classOf[String])
+          .newInstance(serviceType, serviceName, appId)
+      } else {
+        // ignoring serviceName for Ranger 2.0 and below,
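
Review bot: the `else` branch of `initRangerBasePlugin` is commented `// ignoring serviceName for Ranger 2.0 and below,`, so a catalog configured with its own service name is accepted on those versions but the name has no effect. If the branch does not already report this, log a warning that names the catalog and the ignored service name, or reject the setting when `isRanger21orGreater` is false. Separately, the method-level `synchronized` on `getOrCreateRangerPlugin` also covers the `None | Some("spark_catalog")` case, which returns `defaultBasePlugin` without touching `catalog2pluginMap`; taking the lock only around `getOrElseUpdate` would keep that path uncontended.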

Review Comment:
   Since it's not supporting different service names with the same service type in Ranger 2.0 and below.
   The only way to separate plugin config with service type is to separate them in `ranger-security-${serviceType}.xml` config files with different service types, plus repeating all the detail configs in it (e.g. REST url, user, password, etc.). This is too heavy and hard to use.





[GitHub] [incubator-kyuubi] bowenliang123 commented on a diff in pull request #3595: [KYUUBI #3594][Subtask][Authz] init RangerBasePlugin for each catalog with corresponding service name

Posted by GitBox <gi...@apache.org>.
bowenliang123 commented on code in PR #3595:
URL: https://github.com/apache/incubator-kyuubi/pull/3595#discussion_r992168078


##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/SparkRangerAdminPlugin.scala:
##########
@@ -131,4 +144,39 @@ object SparkRangerAdminPlugin extends RangerBasePlugin("spark", "sparkSql")
       }
     }
   }
+
+  def getRangerPlugin(catalog: Option[String] = None): RangerBasePlugin = {

Review Comment:
   ok, let's synchronize it.
   Plus, `catalog2pluginMap` itself is already using `TrieMap` as implementation, which is a concurrent, thread-safe, lock-free map.





[GitHub] [incubator-kyuubi] bowenliang123 commented on a diff in pull request #3595: [KYUUBI #3594][Subtask][Authz] init RangerBasePlugin for each catalog with corresponding service name

Posted by GitBox <gi...@apache.org>.
bowenliang123 commented on code in PR #3595:
URL: https://github.com/apache/incubator-kyuubi/pull/3595#discussion_r1023870995


##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/SparkRangerAdminPlugin.scala:
##########
@@ -131,4 +140,39 @@ object SparkRangerAdminPlugin extends RangerBasePlugin("spark", "sparkSql")
       }
     }
   }
+
+  def getOrCreateRangerPlugin(catalog: Option[String] = None): RangerBasePlugin = synchronized {

Review Comment:
   But in usages, it will become `getOrCreate().isAccessAllowed(request)` which is misleading in some way.





[GitHub] [incubator-kyuubi] bowenliang123 commented on a diff in pull request #3595: [KYUUBI #3594][Subtask][Authz] init RangerBasePlugin for each catalog with corresponding service name

Posted by GitBox <gi...@apache.org>.
bowenliang123 commented on code in PR #3595:
URL: https://github.com/apache/incubator-kyuubi/pull/3595#discussion_r1045372722


##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/SparkRangerAdminPlugin.scala:
##########
@@ -131,4 +140,39 @@ object SparkRangerAdminPlugin extends RangerBasePlugin("spark", "sparkSql")
       }
     }
   }
+
+  def getOrCreateRangerPlugin(catalog: Option[String] = None): RangerBasePlugin = synchronized {

Review Comment:
   This will be done in the following PR <https://github.com/apache/incubator-kyuubi/pull/3606> by adding `catalog` to `PrivilegeObject`. And then fill catalog info in `Privilegebuilder` and extractors in another PR.
   
   The initial plan and steps are in this umbrella issue: https://github.com/apache/incubator-kyuubi/issues/3586





[GitHub] [incubator-kyuubi] yaooqinn commented on a diff in pull request #3595: [KYUUBI #3594][Subtask][Authz] init RangerBasePlugin for each catalog with corresponding service name

Posted by GitBox <gi...@apache.org>.
yaooqinn commented on code in PR #3595:
URL: https://github.com/apache/incubator-kyuubi/pull/3595#discussion_r1022429327


##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/FilteredShowObjectsExec.scala:
##########
@@ -47,7 +48,7 @@ case class FilteredShowNamespaceExec(delegated: SparkPlan) extends FilteredShowO
     val database = r.getString(0)
     val resource = AccessResource(ObjectType.DATABASE, database, null, null)
     val request = AccessRequest(resource, ugi, OperationType.SHOWDATABASES, AccessType.USE)
-    val result = SparkRangerAdminPlugin.isAccessAllowed(request)
+    val result = getOrCreateRangerPlugin().isAccessAllowed(request)
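
Review bot: On the added line, `getOrCreateRangerPlugin()` is called with no catalog argument and sits right after `r.getString(0)`, so the SHOWDATABASES filter never names the catalog it is listing and appears to repeat the lookup for each row. Resolve the plugin once outside the row filter, and pass the catalog explicitly once it is available at this call site.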

Review Comment:
   Which service stores privileges for all catalogs if we want a filtered list of catalogs?





[GitHub] [incubator-kyuubi] bowenliang123 commented on a diff in pull request #3595: [KYUUBI #3594][Subtask][Authz] init RangerBasePlugin for each catalog with corresponding service name

Posted by GitBox <gi...@apache.org>.
bowenliang123 commented on code in PR #3595:
URL: https://github.com/apache/incubator-kyuubi/pull/3595#discussion_r1023857847


##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/SparkRangerAdminPlugin.scala:
##########
@@ -38,12 +47,12 @@ object SparkRangerAdminPlugin extends RangerBasePlugin("spark", "sparkSql")
    * This configuration controls whether to verify the privilege objects in single call or
    * to verify them one by one.
    */
-  def authorizeInSingleCall: Boolean = getRangerConf.getBoolean(
-    s"ranger.plugin.${getServiceType}.authorize.in.single.call",
+  def authorizeInSingleCall: Boolean = getRangerConf(defaultBasePlugin).getBoolean(
+    s"ranger.plugin.${defaultBasePlugin.getServiceType}.authorize.in.single.call",
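
Review bot: `authorizeInSingleCall` now reads both the configuration and the service type in the key from `defaultBasePlugin`, so the flag is one global setting even when other plugins exist, and the doc comment above should say so. If the key name is meant to stay fixed, a literal or a constant would make that explicit instead of deriving it from `getServiceType`.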

Review Comment:
   Compatible with the existing config name `ranger.plugin.spark.authorize.in.single.call`.
   Or let me use `serviceType` with `spark` value instead.





[GitHub] [incubator-kyuubi] bowenliang123 commented on a diff in pull request #3595: [KYUUBI #3594][Subtask][Authz] init RangerBasePlugin for each catalog with corresponding service name

Posted by GitBox <gi...@apache.org>.
bowenliang123 commented on code in PR #3595:
URL: https://github.com/apache/incubator-kyuubi/pull/3595#discussion_r1023852469


##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/SparkRangerAdminPlugin.scala:
##########
@@ -131,4 +140,39 @@ object SparkRangerAdminPlugin extends RangerBasePlugin("spark", "sparkSql")
       }
     }
   }
+
+  def getOrCreateRangerPlugin(catalog: Option[String] = None): RangerBasePlugin = synchronized {

Review Comment:
   Alright. I put RangerPlugin as a suffix here to distinguish `SparkRangerAdminPlugin` itself and `RangerBasePlugin`.





[GitHub] [incubator-kyuubi] bowenliang123 commented on a diff in pull request #3595: [KYUUBI #3594][Subtask][Authz] init RangerBasePlugin for each catalog with corresponding service name

Posted by GitBox <gi...@apache.org>.
bowenliang123 commented on code in PR #3595:
URL: https://github.com/apache/incubator-kyuubi/pull/3595#discussion_r1031662001


##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/FilteredShowObjectsExec.scala:
##########
@@ -47,7 +48,7 @@ case class FilteredShowNamespaceExec(delegated: SparkPlan) extends FilteredShowO
     val database = r.getString(0)
     val resource = AccessResource(ObjectType.DATABASE, database, null, null)
     val request = AccessRequest(resource, ugi, OperationType.SHOWDATABASES, AccessType.USE)
-    val result = SparkRangerAdminPlugin.isAccessAllowed(request)
+    val result = getOrCreateRangerPlugin().isAccessAllowed(request)

Review Comment:
   No, this PR is not evolved for storing or checking users' privileges of catalog-level resources.
   As for this line of the method, no action changed and it's filtering the database-level resources as in Hive service def, as the namespace-level in Spark concept.





[GitHub] [incubator-kyuubi] bowenliang123 commented on pull request #3595: [KYUUBI #3594][Subtask][Authz] WIP: Introduce Ranger Plugin factory and init plugin with service name by catalog name

Posted by GitBox <gi...@apache.org>.
bowenliang123 commented on PR #3595:
URL: https://github.com/apache/incubator-kyuubi/pull/3595#issuecomment-1272384930

   It shall pass the ut for Ranger 2.1+. The challenge is to adapt for Ranger 2.0 and below. 
   - RangerBasePlugin constructor does not accept serviceName param
   - RangerBasePlugin doesn't have `getConfig` method and no `RangerConfiguration` class
   
   The first one is a major obstacle.




[GitHub] [incubator-kyuubi] yaooqinn commented on a diff in pull request #3595: [KYUUBI #3594][Subtask][Authz] init RangerBasePlugin for each catalog with corresponding service name

Posted by GitBox <gi...@apache.org>.
yaooqinn commented on code in PR #3595:
URL: https://github.com/apache/incubator-kyuubi/pull/3595#discussion_r1022427092


##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/SparkRangerAdminPlugin.scala:
##########
@@ -131,4 +140,39 @@ object SparkRangerAdminPlugin extends RangerBasePlugin("spark", "sparkSql")
       }
     }
   }
+
+  def getOrCreateRangerPlugin(catalog: Option[String] = None): RangerBasePlugin = synchronized {
+    catalog match {
+      case None | Some("spark_catalog") =>
+        defaultBasePlugin
+      case Some(catalogName) =>
+        val serviceName = getRangerConf(defaultBasePlugin)
+          .get(s"ranger.plugin.spark.catalog.$catalogName.service.name")
+        serviceName match {
+          case _ if StringUtils.isBlank(serviceName) =>
+            logWarning(s"config ranger.plugin.spark.catalog.$catalogName.service.name not found," +
+              s" default ranger plugin is used")
+            defaultBasePlugin
+          case _ =>
+            catalog2pluginMap.getOrElseUpdate(
+              catalogName,
+              initRangerBasePlugin(serviceName = serviceName, appId = catalogName))
+        }
+    }
+  }
+
+  def initRangerBasePlugin(serviceName: String, appId: String): RangerBasePlugin = {
+    val basePlugin =
+      if (isRanger21orGreater) {
+        classOf[RangerBasePlugin].getConstructor(classOf[String], classOf[String], classOf[String])
+          .newInstance(serviceType, serviceName, appId)
+      } else {
+        // ignoring serviceName for Ranger 2.0 and below,
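
Review bot: In the `StringUtils.isBlank(serviceName)` branch, a catalog with no `ranger.plugin.spark.catalog.$catalogName.service.name` entry falls back to `defaultBasePlugin` with only a `logWarning`, so a misconfigured catalog is authorized against the default plugin rather than rejected, and because the fallback is not cached the warning is emitted on every call. Consider failing closed, or making the fallback an explicit opt-in, and logging once per catalog. The `else` branch that ignores `serviceName` for Ranger 2.0 and below raises the same concern, so its comment should state why that is acceptable.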

Review Comment:
   Explain why not what





[GitHub] [incubator-kyuubi] yaooqinn commented on a diff in pull request #3595: [KYUUBI #3594][Subtask][Authz] init RangerBasePlugin for each catalog with corresponding service name

Posted by GitBox <gi...@apache.org>.
yaooqinn commented on code in PR #3595:
URL: https://github.com/apache/incubator-kyuubi/pull/3595#discussion_r1022403469


##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/SparkRangerAdminPlugin.scala:
##########
@@ -131,4 +140,39 @@ object SparkRangerAdminPlugin extends RangerBasePlugin("spark", "sparkSql")
       }
     }
   }
+
+  def getOrCreateRangerPlugin(catalog: Option[String] = None): RangerBasePlugin = synchronized {

Review Comment:
   anywhere we set catalog?





[GitHub] [incubator-kyuubi] yaooqinn commented on a diff in pull request #3595: [KYUUBI #3594][Subtask][Authz] init RangerBasePlugin for each catalog with corresponding service name

Posted by GitBox <gi...@apache.org>.
yaooqinn commented on code in PR #3595:
URL: https://github.com/apache/incubator-kyuubi/pull/3595#discussion_r1022393146


##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RuleApplyRowFilterAndDataMasking.scala:
##########
@@ -81,17 +81,18 @@ class RuleApplyRowFilterAndDataMasking(spark: SparkSession) extends Rule[Logical
       plan: LogicalPlan,
       identifier: TableIdentifier,
       spark: SparkSession): LogicalPlan = {
+    val plugin = SparkRangerAdminPlugin

Review Comment:
   unnecessary?





[GitHub] [incubator-kyuubi] yaooqinn commented on a diff in pull request #3595: [KYUUBI #3594][Subtask][Authz] init RangerBasePlugin for each catalog with corresponding service name

Posted by GitBox <gi...@apache.org>.
yaooqinn commented on code in PR #3595:
URL: https://github.com/apache/incubator-kyuubi/pull/3595#discussion_r1022393385


##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RuleAuthorization.scala:
##########
@@ -87,11 +86,12 @@ object RuleAuthorization {
       }
     }
 
-    if (authorizeInSingleCall) {
-      verify(requestArrays.flatten, auditHandler)
+    val rangerPlugin = SparkRangerAdminPlugin

Review Comment:
   ditto


