Posted to commits@kyuubi.apache.org by bo...@apache.org on 2023/02/09 12:13:03 UTC

[kyuubi] branch master updated: [KYUUBI #4262] [AUTHZ] Change from DROP to ALTER as required privilege of the source table in AlterTableRenameCommand

This is an automated email from the ASF dual-hosted git repository.

bowenliang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/kyuubi.git


The following commit(s) were added to refs/heads/master by this push:
     new 68cc0e409 [KYUUBI #4262] [AUTHZ] Change from DROP to ALTER as required privilege of the source table in AlterTableRenameCommand
68cc0e409 is described below

commit 68cc0e40970453e59351d199396a2c546afb8c08
Author: liangbowen <li...@gf.com.cn>
AuthorDate: Thu Feb 9 20:12:52 2023 +0800

    [KYUUBI #4262] [AUTHZ] Change from DROP to ALTER as required privilege of the source table in AlterTableRenameCommand
    
    ### _Why are the changes needed?_
    
    to close #4262 .
    - change the required privilege of the source table from DROP to ALTER
    - skip privilege checks on the new target table, in the same way as Ranger's Hive plugin
    
    ### _How was this patch tested?_
    - [ ] Add some test cases that check the changes thoroughly including negative and positive cases if possible
    
    - [ ] Add screenshots for manual tests if appropriate
    
    - [x] [Run test](https://kyuubi.readthedocs.io/en/master/develop_tools/testing.html#running-tests) locally before make a pull request
    
    Closes #4281 from bowenliang123/4262-renametable.
    
    Closes #4262
    
    e7117de9 [liangbowen] change required privilege of the source table from DROP to ALTER
    
    Authored-by: liangbowen <li...@gf.com.cn>
    Signed-off-by: liangbowen <li...@gf.com.cn>
---
 .../src/main/resources/table_command_spec.json          | 17 -----------------
 .../kyuubi/plugin/spark/authz/ranger/AccessType.scala   |  3 +--
 .../plugin/spark/authz/PrivilegesBuilderSuite.scala     |  7 ++-----
 .../kyuubi/plugin/spark/authz/gen/TableCommands.scala   |  8 ++------
 4 files changed, 5 insertions(+), 30 deletions(-)

diff --git a/extensions/spark/kyuubi-spark-authz/src/main/resources/table_command_spec.json b/extensions/spark/kyuubi-spark-authz/src/main/resources/table_command_spec.json
index af748c278..d36690bcf 100644
--- a/extensions/spark/kyuubi-spark-authz/src/main/resources/table_command_spec.json
+++ b/extensions/spark/kyuubi-spark-authz/src/main/resources/table_command_spec.json
@@ -691,23 +691,6 @@
     "fieldName" : "oldName",
     "fieldExtractor" : "TableIdentifierTableExtractor",
     "columnDesc" : null,
-    "actionTypeDesc" : {
-      "fieldName" : null,
-      "fieldExtractor" : null,
-      "actionType" : "DELETE"
-    },
-    "tableTypeDesc" : {
-      "fieldName" : "oldName",
-      "fieldExtractor" : "TableIdentifierTableTypeExtractor",
-      "skipTypes" : [ "TEMP_VIEW" ]
-    },
-    "catalogDesc" : null,
-    "isInput" : false,
-    "setCurrentDatabaseIfMissing" : false
-  }, {
-    "fieldName" : "newName",
-    "fieldExtractor" : "TableIdentifierTableExtractor",
-    "columnDesc" : null,
     "actionTypeDesc" : null,
     "tableTypeDesc" : {
       "fieldName" : "oldName",
diff --git a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/AccessType.scala b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/AccessType.scala
index 52e3c0176..7d62229ee 100644
--- a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/AccessType.scala
+++ b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/AccessType.scala
@@ -35,14 +35,13 @@ object AccessType extends Enumeration {
           case CREATETABLE | CREATEVIEW | CREATETABLE_AS_SELECT
               if obj.privilegeObjectType == TABLE_OR_VIEW =>
             if (isInput) SELECT else CREATE
-          // new table new `CREATE` privilege here and the old table gets `DELETE` via actionType
-          case ALTERTABLE_RENAME => CREATE
           case ALTERDATABASE |
               ALTERDATABASE_LOCATION |
               ALTERTABLE_ADDCOLS |
               ALTERTABLE_ADDPARTS |
               ALTERTABLE_DROPPARTS |
               ALTERTABLE_LOCATION |
+              ALTERTABLE_RENAME |
               ALTERTABLE_PROPERTIES |
               ALTERTABLE_RENAMECOL |
               ALTERTABLE_RENAMEPART |
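Review bot: The deleted comment was the only explanation of how the rename privilege is derived, and the new `ALTERTABLE_RENAME |` entry in the ALTER group carries none. A short comment such as `// rename: ALTER on the source table only; the target name is not checked (KYUUBI #4262)` would keep the authorization decision visible to whoever next edits this match. The entry also sits between `ALTERTABLE_LOCATION` and `ALTERTABLE_PROPERTIES`, which breaks the otherwise alphabetical order of the visible alternatives; placing it after `ALTERTABLE_PROPERTIES` would keep the list easy to scan. The match expression starts and ends outside the hunk.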
diff --git a/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilderSuite.scala b/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilderSuite.scala
index 15f58deb3..b014aaaca 100644
--- a/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilderSuite.scala
+++ b/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilderSuite.scala
@@ -143,7 +143,7 @@ abstract class PrivilegesBuilderSuite extends AnyFunSuite
         val (in, out, operationType) = PrivilegesBuilder.build(plan, spark)
         assert(operationType === ALTERTABLE_RENAME)
         assert(in.isEmpty)
-        assert(out.size === 2)
+        assert(out.size === 1)
         out.foreach { po =>
           assert(po.privilegeObjectType === PrivilegeObjectType.TABLE_OR_VIEW)
           assert(po.catalog.isEmpty)
@@ -151,10 +151,7 @@ abstract class PrivilegesBuilderSuite extends AnyFunSuite
           assert(Set(oldTableShort, "efg").contains(po.objectName))
           assert(po.columns.isEmpty)
           val accessType = ranger.AccessType(po, operationType, isInput = false)
-          assert(Set(AccessType.CREATE, AccessType.DROP).contains(accessType))
-          if (accessType == AccessType.DROP) {
-            checkTableOwner(po)
-          }
+          assert(accessType == AccessType.ALTER)
         }
       }
     }
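Review bot: The name assertion `assert(Set(oldTableShort, "efg").contains(po.objectName))` still accepts `"efg"`, which appears to be the rename target, so with a single privilege object the test would pass even if the builder emitted the new name instead of the source table. The point of this change is that ALTER is checked on the source, so pin it with `assert(po.objectName === oldTableShort)`. The `checkTableOwner(po)` call was removed together with the DROP branch; if owner information is still expected on the source table for policy evaluation, calling it unconditionally would preserve that coverage. The new `assert(accessType == AccessType.ALTER)` could use `===` like the surrounding assertions for a clearer failure message. The enclosing test body starts outside the hunk.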
diff --git a/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/gen/TableCommands.scala b/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/gen/TableCommands.scala
index e2fda9162..d24583e76 100644
--- a/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/gen/TableCommands.scala
+++ b/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/gen/TableCommands.scala
@@ -102,7 +102,6 @@ object TableCommands {
 
   val AlterTableRename = {
     val cmd = "org.apache.spark.sql.execution.command.AlterTableRenameCommand"
-    val actionTypeDesc = ActionTypeDesc(actionType = Some(DELETE))
 
     val oldTableTableTypeDesc =
       TableTypeDesc(
@@ -112,12 +111,9 @@ object TableCommands {
     val oldTableD = TableDesc(
       "oldName",
       tite,
-      tableTypeDesc = Some(oldTableTableTypeDesc),
-      actionTypeDesc = Some(actionTypeDesc))
+      tableTypeDesc = Some(oldTableTableTypeDesc))
 
-    val newTableD =
-      TableDesc("newName", tite, tableTypeDesc = Some(oldTableTableTypeDesc))
-    TableCommandSpec(cmd, Seq(oldTableD, newTableD), ALTERTABLE_RENAME)
+    TableCommandSpec(cmd, Seq(oldTableD), ALTERTABLE_RENAME)
   }
 
   // this is for spark 3.1 or below
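Review bot: With `newTableD` removed from `Seq(oldTableD)`, no privilege object covers the rename target, so a principal holding ALTER on `oldName` can choose any target name without a further check. Ranger resource policies match on names, so the renamed table may fall under different policies than the ones that applied to the old name (for example a wildcard table pattern), and that should be a documented decision rather than an implicit one. A comment at the spec, e.g. `// newName is intentionally not checked, matching Ranger's Hive plugin (KYUUBI #4262)`, would record it. The commit's test checklist also leaves the positive/negative case box unticked, so a negative test for a user with ALTER on the source but no rights on the target name pattern would make the accepted behaviour explicit. The `AlterTableRename` block starts in the previous hunk.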