You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@kyuubi.apache.org by ya...@apache.org on 2022/09/06 08:21:19 UTC
[incubator-kyuubi] branch master updated: [KYUUBI #3411] Skip create privilege checking for output table of cache table sql
This is an automated email from the ASF dual-hosted git repository.
yao pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-kyuubi.git
The following commit(s) were added to refs/heads/master by this push:
new 9e0af1423 [KYUUBI #3411] Skip create privilege checking for output table of cache table sql
9e0af1423 is described below
commit 9e0af1423b42eefe57fcc3478578c682b7a2c719
Author: Bowen Liang <li...@gf.com.cn>
AuthorDate: Tue Sep 6 16:21:07 2022 +0800
[KYUUBI #3411] Skip create privilege checking for output table of cache table sql
### _Why are the changes needed?_
close #3411.
skip checking create privilege for output table of cache table sql
### _How was this patch tested?_
- [x] Add some test cases that check the changes thoroughly including negative and positive cases if possible
- [ ] Add screenshots for manual tests if appropriate
- [ ] [Run test](https://kyuubi.apache.org/docs/latest/develop_tools/testing.html#running-tests) locally before make a pull request
Closes #3416 from bowenliang123/3411-authz-cache-table.
Closes #3411
95f08fbb [Bowen Liang] revert to default config value in previous ut
685e1f45 [Bowen Liang] style
70cd7a74 [Bowen Liang] update test 'CacheTableAsSelect'
19f09489 [Bowen Liang] nit
389e1ef7 [Bowen Liang] skip checking create privilege for output table of cache sql
Authored-by: Bowen Liang <li...@gf.com.cn>
Signed-off-by: Kent Yao <ya...@apache.org>
---
.../plugin/spark/authz/PrivilegesBuilder.scala | 10 ----
.../spark/authz/PrivilegesBuilderSuite.scala | 21 +-------
.../authz/ranger/RangerSparkExtensionSuite.scala | 62 ++++++++++++++++++----
3 files changed, 54 insertions(+), 39 deletions(-)
diff --git a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala
index 5665e6129..68c9116bb 100644
--- a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala
+++ b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala
@@ -274,23 +274,13 @@ object PrivilegesBuilder {
}
case "CacheTable" =>
- // >= 3.2
- outputObjs += tablePrivileges(getMultipartIdentifier)
val query = getPlanField[LogicalPlan]("table") // table to cache
buildQuery(query, inputObjs)
case "CacheTableCommand" =>
- if (isSparkVersionEqualTo("3.1")) {
- outputObjs += tablePrivileges(getMultipartIdentifier)
- } else {
- outputObjs += tablePrivileges(getTableIdent)
- }
getPlanField[Option[LogicalPlan]]("plan").foreach(buildQuery(_, inputObjs))
case "CacheTableAsSelect" =>
- val view = getPlanField[String]("tempViewName")
- outputObjs += tablePrivileges(TableIdentifier(view))
-
val query = getPlanField[LogicalPlan]("plan")
buildQuery(query, inputObjs)
diff --git a/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilderSuite.scala b/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilderSuite.scala
index f99c1beb0..8ce092cac 100644
--- a/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilderSuite.scala
+++ b/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilderSuite.scala
@@ -19,7 +19,6 @@ package org.apache.kyuubi.plugin.spark.authz
import scala.reflect.io.File
-import org.apache.commons.lang3.StringUtils
import org.apache.spark.sql.{DataFrame, SparkSession, SQLContext}
import org.apache.spark.sql.catalyst.TableIdentifier
import org.apache.spark.sql.catalyst.catalog.{CatalogStorageFormat, CatalogTable, CatalogTableType}
@@ -459,15 +458,7 @@ abstract class PrivilegesBuilderSuite extends AnyFunSuite
assert(tuple._1.isEmpty)
}
- assert(tuple._2.size === 1)
- val po = tuple._2.head
- assert(po.actionType === PrivilegeObjectActionType.OTHER)
- assert(po.privilegeObjectType === PrivilegeObjectType.TABLE_OR_VIEW)
- assert(po.dbname equalsIgnoreCase reusedDb)
- assert(po.objectName equalsIgnoreCase reusedDb)
- assert(po.columns.isEmpty)
- val accessType = ranger.AccessType(po, operationType, isInput = false)
- assert(accessType === AccessType.CREATE)
+ assert(tuple._2.size === 0)
}
test("CacheTableAsSelect") {
@@ -490,15 +481,7 @@ abstract class PrivilegesBuilderSuite extends AnyFunSuite
val accessType0 = ranger.AccessType(po0, operationType, isInput = true)
assert(accessType0 === AccessType.SELECT)
- assert(tuple._2.size === 1)
- val po = tuple._2.head
- assert(po.actionType === PrivilegeObjectActionType.OTHER)
- assert(po.privilegeObjectType === PrivilegeObjectType.TABLE_OR_VIEW)
- assert(StringUtils.isEmpty(po.dbname))
- assert(po.objectName === "CacheTableAsSelect")
- assert(po.columns.isEmpty)
- val accessType = ranger.AccessType(po, operationType, isInput = false)
- assert(accessType === AccessType.CREATE)
+ assert(tuple._2.size === 0)
}
test("CreateViewCommand") {
diff --git a/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala b/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
index 2ad93bf8b..16e9b8b4d 100644
--- a/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
+++ b/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
@@ -40,7 +40,7 @@ import org.apache.kyuubi.plugin.spark.authz.util.AuthZUtils.getFieldVal
abstract class RangerSparkExtensionSuite extends AnyFunSuite
with SparkSessionProvider with BeforeAndAfterAll {
-// scalastyle:on
+ // scalastyle:on
override protected val extension: SparkSessionExtensions => Unit = new RangerSparkExtension
protected def doAs[T](user: String, f: => T): T = {
@@ -71,6 +71,9 @@ abstract class RangerSparkExtensionSuite extends AnyFunSuite
case (db, "database") => doAs("admin", sql(s"DROP DATABASE IF EXISTS $db"))
case (fn, "function") => doAs("admin", sql(s"DROP FUNCTION IF EXISTS $fn"))
case (view, "view") => doAs("admin", sql(s"DROP VIEW IF EXISTS $view"))
+ case (cacheTable, "cache") => if (isSparkV32OrGreater) {
+ doAs("admin", sql(s"UNCACHE TABLE IF EXISTS $cacheTable"))
+ }
case (_, e) =>
throw new RuntimeException(s"the resource whose resource type is $e cannot be cleared")
}
@@ -610,15 +613,54 @@ class HiveCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite {
val e1 = intercept[AccessControlException](doAs("someone", sql(insertSql1)))
assert(e1.getMessage.contains(s"does not have [select] privilege on [$db1/$srcTable1/id]"))
- SparkRangerAdminPlugin.getRangerConf.setBoolean(
- s"ranger.plugin.${SparkRangerAdminPlugin.getServiceType}.authorize.in.single.call",
- true)
- val e2 = intercept[AccessControlException](doAs("someone", sql(insertSql1)))
- assert(e2.getMessage.contains(s"does not have" +
- s" [select] privilege on" +
- s" [$db1/$srcTable1/id,$db1/$srcTable1/name,$db1/$srcTable1/city," +
- s"$db1/$srcTable2/age,$db1/$srcTable2/id]," +
- s" [update] privilege on [$db1/$sinkTable1]"))
+ try {
+ SparkRangerAdminPlugin.getRangerConf.setBoolean(
+ s"ranger.plugin.${SparkRangerAdminPlugin.getServiceType}.authorize.in.single.call",
+ true)
+ val e2 = intercept[AccessControlException](doAs("someone", sql(insertSql1)))
+ assert(e2.getMessage.contains(s"does not have" +
+ s" [select] privilege on" +
+ s" [$db1/$srcTable1/id,$db1/$srcTable1/name,$db1/$srcTable1/city," +
+ s"$db1/$srcTable2/age,$db1/$srcTable2/id]," +
+ s" [update] privilege on [$db1/$sinkTable1]"))
+ } finally {
+ // revert to default value
+ SparkRangerAdminPlugin.getRangerConf.setBoolean(
+ s"ranger.plugin.${SparkRangerAdminPlugin.getServiceType}.authorize.in.single.call",
+ false)
+ }
+ }
+ }
+
+ test("[KYUUBI #3411] skip checking cache table") {
+ if (isSparkV32OrGreater) { // cache table sql supported since 3.2.0
+
+ val db1 = "default"
+ val srcTable1 = "hive_src1"
+ val cacheTable1 = "cacheTable1"
+ val cacheTable2 = "cacheTable2"
+ val cacheTable3 = "cacheTable3"
+ val cacheTable4 = "cacheTable4"
+
+ withCleanTmpResources(Seq(
+ (s"$db1.$srcTable1", "table"),
+ (s"$db1.$cacheTable1", "cache"),
+ (s"$db1.$cacheTable2", "cache"),
+ (s"$db1.$cacheTable3", "cache"),
+ (s"$db1.$cacheTable4", "cache"))) {
+
+ doAs(
+ "admin",
+ sql(s"CREATE TABLE IF NOT EXISTS $db1.$srcTable1" +
+ s" (id int, name string, city string)"))
+
+ val e1 = intercept[AccessControlException](
+ doAs("someone", sql(s"CACHE TABLE $cacheTable2 select * from $db1.$srcTable1")))
+ assert(e1.getMessage.contains(s"does not have [select] privilege on [$db1/$srcTable1/id]"))
+
+ doAs("admin", sql(s"CACHE TABLE $cacheTable3 SELECT 1 AS a, 2 AS b "))
+ doAs("someone", sql(s"CACHE TABLE $cacheTable4 select 1 as a, 2 as b "))
+ }
}
}
}