Posted to commits@kyuubi.apache.org by ch...@apache.org on 2022/08/22 06:29:18 UTC
[incubator-kyuubi] branch branch-1.6 updated: [KYUUBI #3281] [MINOR] Use AccessControlException instead of RuntimeException if check privilege failed
This is an automated email from the ASF dual-hosted git repository.
chengpan pushed a commit to branch branch-1.6
in repository https://gitbox.apache.org/repos/asf/incubator-kyuubi.git
The following commit(s) were added to refs/heads/branch-1.6 by this push:
new 7c1577144 [KYUUBI #3281] [MINOR] Use AccessControlException instead of RuntimeException if check privilege failed
7c1577144 is described below
commit 7c1577144c40e9b0fd7922a6c539c59d26a89e9d
Author: yikf <yi...@gmail.com>
AuthorDate: Mon Aug 22 14:28:37 2022 +0800
[KYUUBI #3281] [MINOR] Use AccessControlException instead of RuntimeException if check privilege failed
### _Why are the changes needed?_
This is a minor fix that uses `AccessControlException` instead of `RuntimeException` when a privilege check fails.
Code added to the AuthZ module later should also throw this exception when it needs to signal that access was denied.
### _How was this patch tested?_
- [ ] Add some test cases that check the changes thoroughly including negative and positive cases if possible
- [ ] Add screenshots for manual tests if appropriate
- [ ] [Run test](https://kyuubi.apache.org/docs/latest/develop_tools/testing.html#running-tests) locally before make a pull request
Closes #3281 from yikf/auth-e.
Closes #3281
9033be48 [yikf] [MINOR] Use AccessControlException instead of RuntimeException if check privilege failed
Authored-by: yikf <yi...@gmail.com>
Signed-off-by: Cheng Pan <ch...@apache.org>
(cherry picked from commit 42beea7c597cb23a8904006309d875d36a081158)
Signed-off-by: Cheng Pan <ch...@apache.org>
---
.../spark/authz/ranger/RuleAuthorization.scala | 3 ++-
.../spark/authz/util/AccessControlException.scala | 25 ++++++++++++++++++++++
.../authz/ranger/RangerSparkExtensionSuite.scala | 15 +++++++------
3 files changed, 35 insertions(+), 8 deletions(-)
diff --git a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RuleAuthorization.scala b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RuleAuthorization.scala
index 4a0b95ccf..b5118f101 100644
--- a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RuleAuthorization.scala
+++ b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RuleAuthorization.scala
@@ -27,6 +27,7 @@ import org.apache.spark.sql.catalyst.trees.TreeNodeTag
import org.apache.kyuubi.plugin.spark.authz.{ObjectType, _}
import org.apache.kyuubi.plugin.spark.authz.ObjectType._
import org.apache.kyuubi.plugin.spark.authz.ranger.RuleAuthorization.KYUUBI_AUTHZ_TAG
+import org.apache.kyuubi.plugin.spark.authz.util.AccessControlException
import org.apache.kyuubi.plugin.spark.authz.util.AuthZUtils._
class RuleAuthorization(spark: SparkSession) extends Rule[LogicalPlan] {
@@ -85,7 +86,7 @@ object RuleAuthorization {
private def verify(req: AccessRequest, auditHandler: SparkRangerAuditHandler): Unit = {
val ret = SparkRangerAdminPlugin.isAccessAllowed(req, auditHandler)
if (ret != null && !ret.getIsAllowed) {
- throw new RuntimeException(
+ throw new AccessControlException(
s"Permission denied: user [${req.getUser}] does not have [${req.getAccessType}] privilege" +
s" on [${req.getResource.getAsString}]")
}
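Review bot: The guard `if (ret != null && !ret.getIsAllowed)` in `verify` treats a null result from `SparkRangerAdminPlugin.isAccessAllowed` as allowed, so the new `AccessControlException` is never raised on that path. Whether the plugin can return null is not visible in this hunk; if it can (for example before policies are loaded), that is a fail-open decision. It should either deny explicitly, `if (ret == null || !ret.getIsAllowed) {`, or carry a comment stating why null means allow. The message is built only from `req`, so it works in both cases. `verify` ends outside the hunk.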
diff --git a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/util/AccessControlException.scala b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/util/AccessControlException.scala
new file mode 100644
index 000000000..66690b27b
--- /dev/null
+++ b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/util/AccessControlException.scala
@@ -0,0 +1,25 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.kyuubi.plugin.spark.authz.util
+
+/**
+ * This exception is thrown by the Kyuubi AuthZ module to indicate
+ * that a requested access is denied.
+ */
+class AccessControlException(msg: String, cause: Option[Throwable] = None)
+ extends RuntimeException(msg, cause.orNull) {}
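Review bot: The simple name `AccessControlException` is shared with `java.security.AccessControlException` and `org.apache.hadoop.security.AccessControlException`, so a handler or `intercept` that imports the wrong one will not match AuthZ denials. The scaladoc should spell this out, for example `Unchecked; unrelated to java.security.AccessControlException and to Hadoop's exception of the same name.` As style points, `cause: Option[Throwable]` is awkward for Java callers compared with a plain `Throwable` defaulting to null, and the trailing `{}` can be dropped.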
diff --git a/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala b/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
index ae519b64c..525dc4b6d 100644
--- a/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
+++ b/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
@@ -35,6 +35,7 @@ import org.scalatest.funsuite.AnyFunSuite
import org.apache.kyuubi.plugin.spark.authz.SparkSessionProvider
import org.apache.kyuubi.plugin.spark.authz.ranger.RuleAuthorization.KYUUBI_AUTHZ_TAG
+import org.apache.kyuubi.plugin.spark.authz.util.AccessControlException
import org.apache.kyuubi.plugin.spark.authz.util.AuthZUtils.getFieldVal
abstract class RangerSparkExtensionSuite extends AnyFunSuite
@@ -129,14 +130,14 @@ abstract class RangerSparkExtensionSuite extends AnyFunSuite
val alter = s"ALTER DATABASE $testDb SET DBPROPERTIES (abc = '123')"
val drop = s"DROP DATABASE IF EXISTS $testDb"
- val e = intercept[RuntimeException](sql(create))
+ val e = intercept[AccessControlException](sql(create))
assert(e.getMessage === errorMessage("create", "mydb"))
try {
doAs("admin", assert(Try { sql(create) }.isSuccess))
doAs("admin", assert(Try { sql(alter) }.isSuccess))
- val e1 = intercept[RuntimeException](sql(alter))
+ val e1 = intercept[AccessControlException](sql(alter))
assert(e1.getMessage === errorMessage("alter", "mydb"))
- val e2 = intercept[RuntimeException](sql(drop))
+ val e2 = intercept[AccessControlException](sql(drop))
assert(e2.getMessage === errorMessage("drop", "mydb"))
doAs("kent", Try(sql("SHOW DATABASES")).isSuccess)
} finally {
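Review bot: The last check before `finally`, `doAs("kent", Try(sql("SHOW DATABASES")).isSuccess)`, discards the Boolean, so the test passes whether or not kent is allowed to list databases. The neighbouring lines wrap the same expression in `assert`, which suggests the intent was `doAs("kent", assert(Try(sql("SHOW DATABASES")).isSuccess))`. The signature of `doAs` is not visible here, so confirm that it does not check the value itself. The test body starts and ends outside the hunk.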
@@ -153,14 +154,14 @@ abstract class RangerSparkExtensionSuite extends AnyFunSuite
val alter0 = s"ALTER TABLE $db.$table SET TBLPROPERTIES(key='ak')"
val drop0 = s"DROP TABLE IF EXISTS $db.$table"
val select = s"SELECT * FROM $db.$table"
- val e = intercept[RuntimeException](sql(create0))
+ val e = intercept[AccessControlException](sql(create0))
assert(e.getMessage === errorMessage("create"))
try {
doAs("bob", assert(Try { sql(create0) }.isSuccess))
doAs("bob", assert(Try { sql(alter0) }.isSuccess))
- val e1 = intercept[RuntimeException](sql(drop0))
+ val e1 = intercept[AccessControlException](sql(drop0))
assert(e1.getMessage === errorMessage("drop"))
doAs("bob", assert(Try { sql(alter0) }.isSuccess))
doAs("bob", assert(Try { sql(select).collect() }.isSuccess))
@@ -177,7 +178,7 @@ abstract class RangerSparkExtensionSuite extends AnyFunSuite
doAs(
"kent", {
withClue(q) {
- val e = intercept[RuntimeException](sql(q).collect())
+ val e = intercept[AccessControlException](sql(q).collect())
assert(e.getMessage === errorMessage("select", "default/src/value", "kent"))
}
})
@@ -193,7 +194,7 @@ abstract class RangerSparkExtensionSuite extends AnyFunSuite
val create0 = s"CREATE FUNCTION IF NOT EXISTS $db.$func AS 'abc.mnl.xyz'"
doAs(
"kent", {
- val e = intercept[RuntimeException](sql(create0))
+ val e = intercept[AccessControlException](sql(create0))
assert(e.getMessage === errorMessage("create", "default/func"))
})
doAs("admin", assert(Try(sql(create0)).isSuccess))