Posted to commits@kyuubi.apache.org by ch...@apache.org on 2022/08/22 06:29:18 UTC

[incubator-kyuubi] branch branch-1.6 updated: [KYUUBI #3281] [MINOR] Use AccessControlException instead of RuntimeException if check privilege failed

This is an automated email from the ASF dual-hosted git repository.

chengpan pushed a commit to branch branch-1.6
in repository https://gitbox.apache.org/repos/asf/incubator-kyuubi.git


The following commit(s) were added to refs/heads/branch-1.6 by this push:
     new 7c1577144 [KYUUBI #3281] [MINOR] Use AccessControlException instead of RuntimeException if check privilege failed
7c1577144 is described below

commit 7c1577144c40e9b0fd7922a6c539c59d26a89e9d
Author: yikf <yi...@gmail.com>
AuthorDate: Mon Aug 22 14:28:37 2022 +0800

    [KYUUBI #3281] [MINOR] Use AccessControlException instead of RuntimeException if check privilege failed
    
    ### _Why are the changes needed?_
    
    This is a minor fix and aims to use `AccessControlException` instead of `RuntimeException`
    
    Subsequent code added to the AuthZ module should also use this exception if it is intended to represent an access exception
    
    ### _How was this patch tested?_
    - [ ] Add some test cases that check the changes thoroughly including negative and positive cases if possible
    
    - [ ] Add screenshots for manual tests if appropriate
    
    - [ ] [Run test](https://kyuubi.apache.org/docs/latest/develop_tools/testing.html#running-tests) locally before make a pull request
    
    Closes #3281 from yikf/auth-e.
    
    Closes #3281
    
    9033be48 [yikf] [MINOR] Use AccessControlException instead of RuntimeException if check privilege failed
    
    Authored-by: yikf <yi...@gmail.com>
    Signed-off-by: Cheng Pan <ch...@apache.org>
    (cherry picked from commit 42beea7c597cb23a8904006309d875d36a081158)
    Signed-off-by: Cheng Pan <ch...@apache.org>
---
 .../spark/authz/ranger/RuleAuthorization.scala     |  3 ++-
 .../spark/authz/util/AccessControlException.scala  | 25 ++++++++++++++++++++++
 .../authz/ranger/RangerSparkExtensionSuite.scala   | 15 +++++++------
 3 files changed, 35 insertions(+), 8 deletions(-)

diff --git a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RuleAuthorization.scala b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RuleAuthorization.scala
index 4a0b95ccf..b5118f101 100644
--- a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RuleAuthorization.scala
+++ b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RuleAuthorization.scala
@@ -27,6 +27,7 @@ import org.apache.spark.sql.catalyst.trees.TreeNodeTag
 import org.apache.kyuubi.plugin.spark.authz.{ObjectType, _}
 import org.apache.kyuubi.plugin.spark.authz.ObjectType._
 import org.apache.kyuubi.plugin.spark.authz.ranger.RuleAuthorization.KYUUBI_AUTHZ_TAG
+import org.apache.kyuubi.plugin.spark.authz.util.AccessControlException
 import org.apache.kyuubi.plugin.spark.authz.util.AuthZUtils._
 
 class RuleAuthorization(spark: SparkSession) extends Rule[LogicalPlan] {
@@ -85,7 +86,7 @@ object RuleAuthorization {
   private def verify(req: AccessRequest, auditHandler: SparkRangerAuditHandler): Unit = {
     val ret = SparkRangerAdminPlugin.isAccessAllowed(req, auditHandler)
     if (ret != null && !ret.getIsAllowed) {
-      throw new RuntimeException(
+      throw new AccessControlException(
         s"Permission denied: user [${req.getUser}] does not have [${req.getAccessType}] privilege" +
           s" on [${req.getResource.getAsString}]")
     }
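Review bot: The guard `if (ret != null && !ret.getIsAllowed)` in `verify` treats a null result from `SparkRangerAdminPlugin.isAccessAllowed` as access granted, so the new `AccessControlException` is never raised on that path. If null can be returned when no policy decision is available (not visible in this hunk), the check fails open. Consider denying on null with `if (ret == null || !ret.getIsAllowed) {`, or add a comment explaining why a null result is safe to allow. The body of `verify` ends outside the hunk.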
diff --git a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/util/AccessControlException.scala b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/util/AccessControlException.scala
new file mode 100644
index 000000000..66690b27b
--- /dev/null
+++ b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/util/AccessControlException.scala
@@ -0,0 +1,25 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.kyuubi.plugin.spark.authz.util
+
+/**
+ * This exception is thrown by the Kyuubi AuthZ module to indicate
+ * that a requested access is denied.
+ */
+class AccessControlException(msg: String, cause: Option[Throwable] = None)
+  extends RuntimeException(msg, cause.orNull) {}
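Review bot: The simple name `AccessControlException` is shared with `java.security.AccessControlException` and `org.apache.hadoop.security.AccessControlException`, and this class extends only `RuntimeException`. A handler that imports one of those instead will compile but will not catch AuthZ denials. The Scaladoc should say so, for example `Unrelated to java.security.AccessControlException and to Hadoop's class of the same name; import this type explicitly when catching it.` The empty body `{}` on the last line can be dropped. Because `cause` is an `Option` with a Scala default, Java callers would have to pass a `scala.Option` explicitly, which deserves a mention if Java code is expected to construct this exception.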
diff --git a/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala b/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
index ae519b64c..525dc4b6d 100644
--- a/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
+++ b/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
@@ -35,6 +35,7 @@ import org.scalatest.funsuite.AnyFunSuite
 
 import org.apache.kyuubi.plugin.spark.authz.SparkSessionProvider
 import org.apache.kyuubi.plugin.spark.authz.ranger.RuleAuthorization.KYUUBI_AUTHZ_TAG
+import org.apache.kyuubi.plugin.spark.authz.util.AccessControlException
 import org.apache.kyuubi.plugin.spark.authz.util.AuthZUtils.getFieldVal
 
 abstract class RangerSparkExtensionSuite extends AnyFunSuite
@@ -129,14 +130,14 @@ abstract class RangerSparkExtensionSuite extends AnyFunSuite
     val alter = s"ALTER DATABASE $testDb SET DBPROPERTIES (abc = '123')"
     val drop = s"DROP DATABASE IF EXISTS $testDb"
 
-    val e = intercept[RuntimeException](sql(create))
+    val e = intercept[AccessControlException](sql(create))
     assert(e.getMessage === errorMessage("create", "mydb"))
     try {
       doAs("admin", assert(Try { sql(create) }.isSuccess))
       doAs("admin", assert(Try { sql(alter) }.isSuccess))
-      val e1 = intercept[RuntimeException](sql(alter))
+      val e1 = intercept[AccessControlException](sql(alter))
       assert(e1.getMessage === errorMessage("alter", "mydb"))
-      val e2 = intercept[RuntimeException](sql(drop))
+      val e2 = intercept[AccessControlException](sql(drop))
       assert(e2.getMessage === errorMessage("drop", "mydb"))
       doAs("kent", Try(sql("SHOW DATABASES")).isSuccess)
     } finally {
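Review bot: The context line `doAs("kent", Try(sql("SHOW DATABASES")).isSuccess)` computes a Boolean and discards it, so this step can never fail the test, unlike the neighbouring `doAs("admin", assert(Try { sql(create) }.isSuccess))` calls. Wrap it as `doAs("kent", assert(Try(sql("SHOW DATABASES")).isSuccess))` so that the allow path for `kent` is checked alongside the denial assertions. The enclosing test starts and ends outside the hunk.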
@@ -153,14 +154,14 @@ abstract class RangerSparkExtensionSuite extends AnyFunSuite
     val alter0 = s"ALTER TABLE $db.$table SET TBLPROPERTIES(key='ak')"
     val drop0 = s"DROP TABLE IF EXISTS $db.$table"
     val select = s"SELECT * FROM $db.$table"
-    val e = intercept[RuntimeException](sql(create0))
+    val e = intercept[AccessControlException](sql(create0))
     assert(e.getMessage === errorMessage("create"))
 
     try {
       doAs("bob", assert(Try { sql(create0) }.isSuccess))
       doAs("bob", assert(Try { sql(alter0) }.isSuccess))
 
-      val e1 = intercept[RuntimeException](sql(drop0))
+      val e1 = intercept[AccessControlException](sql(drop0))
       assert(e1.getMessage === errorMessage("drop"))
       doAs("bob", assert(Try { sql(alter0) }.isSuccess))
       doAs("bob", assert(Try { sql(select).collect() }.isSuccess))
@@ -177,7 +178,7 @@ abstract class RangerSparkExtensionSuite extends AnyFunSuite
           doAs(
             "kent", {
               withClue(q) {
-                val e = intercept[RuntimeException](sql(q).collect())
+                val e = intercept[AccessControlException](sql(q).collect())
                 assert(e.getMessage === errorMessage("select", "default/src/value", "kent"))
               }
             })
@@ -193,7 +194,7 @@ abstract class RangerSparkExtensionSuite extends AnyFunSuite
     val create0 = s"CREATE FUNCTION IF NOT EXISTS $db.$func AS 'abc.mnl.xyz'"
     doAs(
       "kent", {
-        val e = intercept[RuntimeException](sql(create0))
+        val e = intercept[AccessControlException](sql(create0))
         assert(e.getMessage === errorMessage("create", "default/func"))
       })
     doAs("admin", assert(Try(sql(create0)).isSuccess))