You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@kyuubi.apache.org by "yaooqinn (via GitHub)" <gi...@apache.org> on 2023/02/17 11:41:57 UTC
[GitHub] [kyuubi] yaooqinn opened a new pull request, #4358: [KYUUBI #4202] Fix Data masking for V2 relations
yaooqinn opened a new pull request, #4358:
URL: https://github.com/apache/kyuubi/pull/4358
<!--
Thanks for sending a pull request!
Here are some tips for you:
1. If this is your first time, please read our contributor guidelines: https://kyuubi.readthedocs.io/en/latest/community/CONTRIBUTING.html
2. If the PR is related to an issue in https://github.com/apache/kyuubi/issues, add '[KYUUBI #XXXX]' in your PR title, e.g., '[KYUUBI #XXXX] Your PR title ...'.
3. If the PR is unfinished, add '[WIP]' in your PR title, e.g., '[WIP][KYUUBI #XXXX] Your PR title ...'.
-->
### _Why are the changes needed?_
<!--
Please clarify why the changes are needed. For instance,
1. If you add a feature, you can talk about the use case of it.
2. If you fix a bug, you can clarify why it is a bug.
-->
### _How was this patch tested?_
- [ ] Add some test cases that check the changes thoroughly including negative and positive cases if possible
- [ ] Add screenshots for manual tests if appropriate
- [ ] [Run test](https://kyuubi.readthedocs.io/en/master/develop_tools/testing.html#running-tests) locally before make a pull request
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For additional commands, e-mail: notifications-help@kyuubi.apache.org
[GitHub] [kyuubi] bowenliang123 commented on a diff in pull request #4358: [KYUUBI #4202] Fix reference resolution when data masking enabled for V2 relations
Posted by "bowenliang123 (via GitHub)" <gi...@apache.org>.
bowenliang123 commented on code in PR #4358:
URL: https://github.com/apache/kyuubi/pull/4358#discussion_r1111985809
##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/util/RuleEliminateMarker.scala:
##########
@@ -22,6 +22,9 @@ import org.apache.spark.sql.catalyst.rules.Rule
class RuleEliminateMarker extends Rule[LogicalPlan] {
override def apply(plan: LogicalPlan): LogicalPlan = {
- plan.transformUp { case rf: RowFilterAndDataMaskingMarker => rf.child }
+ plan.transformUp {
+ case rf: DataMaskingMarker => rf.child
+ case rf: RowFilterMarker => rf.child
Review Comment:
```suggestion
case DataMaskingMarker(child, _) => child
case RowFilterMarker(child) => child
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For additional commands, e-mail: notifications-help@kyuubi.apache.org
[GitHub] [kyuubi] bowenliang123 commented on pull request #4358: [KYUUBI #4202] Fix reference resolution when data masking enabled for V2 relations
Posted by "bowenliang123 (via GitHub)" <gi...@apache.org>.
bowenliang123 commented on PR #4358:
URL: https://github.com/apache/kyuubi/pull/4358#issuecomment-1437897042
> @bowenliang123 does the tests need to be refined? It looks less rigorous to me
Good to have more tests on `create table as select` or select with joins ?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For additional commands, e-mail: notifications-help@kyuubi.apache.org
[GitHub] [kyuubi] bowenliang123 commented on a diff in pull request #4358: [KYUUBI #4202] Fix reference resolution when data masking enabled for V2 relations
Posted by "bowenliang123 (via GitHub)" <gi...@apache.org>.
bowenliang123 commented on code in PR #4358:
URL: https://github.com/apache/kyuubi/pull/4358#discussion_r1111979297
##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/util/RuleEliminateMarker.scala:
##########
@@ -22,6 +22,9 @@ import org.apache.spark.sql.catalyst.rules.Rule
class RuleEliminateMarker extends Rule[LogicalPlan] {
override def apply(plan: LogicalPlan): LogicalPlan = {
- plan.transformUp { case rf: RowFilterAndDataMaskingMarker => rf.child }
+ plan.transformUp {
+ case rf: DataMaskingMarker => rf.child
+ case rf: RowFilterMarker => rf.child
Review Comment:
```suggestion
case marker: DataMaskingMarker | RowFilterMarker => marker.child
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For additional commands, e-mail: notifications-help@kyuubi.apache.org
[GitHub] [kyuubi] yaooqinn closed pull request #4358: [KYUUBI #4202] Fix reference resolution when data masking enabled for V2 relations
Posted by "yaooqinn (via GitHub)" <gi...@apache.org>.
yaooqinn closed pull request #4358: [KYUUBI #4202] Fix reference resolution when data masking enabled for V2 relations
URL: https://github.com/apache/kyuubi/pull/4358
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For additional commands, e-mail: notifications-help@kyuubi.apache.org
[GitHub] [kyuubi] bowenliang123 commented on a diff in pull request #4358: [KYUUBI #4202] Fix reference resolution when data masking enabled for V2 relations
Posted by "bowenliang123 (via GitHub)" <gi...@apache.org>.
bowenliang123 commented on code in PR #4358:
URL: https://github.com/apache/kyuubi/pull/4358#discussion_r1111987301
##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RuleApplyDataMasking.scala:
##########
@@ -0,0 +1,107 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.kyuubi.plugin.spark.authz.ranger
+
+import org.apache.hadoop.security.UserGroupInformation
+import org.apache.spark.sql.SparkSession
+import org.apache.spark.sql.catalyst.expressions.{Alias, NamedExpression, SubqueryExpression}
+import org.apache.spark.sql.catalyst.plans.logical.{Command, LogicalPlan}
+import org.apache.spark.sql.catalyst.rules.Rule
+
+import org.apache.kyuubi.plugin.spark.authz.ObjectType._
+import org.apache.kyuubi.plugin.spark.authz.OperationType.OperationType
+import org.apache.kyuubi.plugin.spark.authz.ranger.AccessType._
+import org.apache.kyuubi.plugin.spark.authz.serde._
+import org.apache.kyuubi.plugin.spark.authz.util.AuthZUtils._
+import org.apache.kyuubi.plugin.spark.authz.util.DataMaskingMarker
+
+class RuleApplyDataMasking(spark: SparkSession) extends Rule[LogicalPlan] {
+ private val parse = spark.sessionState.sqlParser.parseExpression _
+
+ override def apply(plan: LogicalPlan): LogicalPlan = {
+ val ugi = getAuthzUgi(spark.sparkContext)
+ val opType = operationType(plan)
+
+ plan match {
+ case marker: DataMaskingMarker => marker
+ case cmd if isKnownTableCommand(cmd) =>
+ val tableCommandSpec = getTableCommandSpec(cmd)
+ val queries = tableCommandSpec.queries(cmd)
+ cmd.mapChildren {
+ case marker: DataMaskingMarker => marker
+ case query if queries.contains(query) && query.resolved =>
+ applyDataMasking(query, ugi, opType)
+ case o => o
+ }
+ case cmd: Command if cmd.childrenResolved =>
+ cmd.mapChildren(applyDataMasking(_, ugi, opType))
+ case cmd: Command => cmd
Review Comment:
Is there ut for commands with masking rules applied in V2?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For additional commands, e-mail: notifications-help@kyuubi.apache.org
[GitHub] [kyuubi] codecov-commenter commented on pull request #4358: [KYUUBI #4202] Fix reference resolution when data masking enabled for V2 relations
Posted by "codecov-commenter (via GitHub)" <gi...@apache.org>.
codecov-commenter commented on PR #4358:
URL: https://github.com/apache/kyuubi/pull/4358#issuecomment-1436393928
# [Codecov](https://codecov.io/gh/apache/kyuubi/pull/4358?src=pr&el=h1&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) Report
> Merging [#4358](https://codecov.io/gh/apache/kyuubi/pull/4358?src=pr&el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) (aecbc00) into [master](https://codecov.io/gh/apache/kyuubi/commit/0be3cbff6e35c8e86635bfe6d856d0dfa148247d?el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) (0be3cbf) will **decrease** coverage by `0.05%`.
> The diff coverage is `78.94%`.
```diff
@@ Coverage Diff @@
## master #4358 +/- ##
============================================
- Coverage 53.71% 53.67% -0.05%
Complexity 13 13
============================================
Files 562 564 +2
Lines 30786 30897 +111
Branches 4149 4171 +22
============================================
+ Hits 16537 16583 +46
- Misses 12697 12747 +50
- Partials 1552 1567 +15
```
| [Impacted Files](https://codecov.io/gh/apache/kyuubi/pull/4358?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) | Coverage Δ | |
|---|---|---|
| [...in/spark/authz/ranger/SparkRangerAdminPlugin.scala](https://codecov.io/gh/apache/kyuubi/pull/4358?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-ZXh0ZW5zaW9ucy9zcGFyay9reXV1Ymktc3BhcmstYXV0aHovc3JjL21haW4vc2NhbGEvb3JnL2FwYWNoZS9reXV1YmkvcGx1Z2luL3NwYXJrL2F1dGh6L3Jhbmdlci9TcGFya1JhbmdlckFkbWluUGx1Z2luLnNjYWxh) | `64.47% <ø> (-2.64%)` | :arrow_down: |
| [.../plugin/spark/authz/util/RuleEliminateMarker.scala](https://codecov.io/gh/apache/kyuubi/pull/4358?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-ZXh0ZW5zaW9ucy9zcGFyay9reXV1Ymktc3BhcmstYXV0aHovc3JjL21haW4vc2NhbGEvb3JnL2FwYWNoZS9reXV1YmkvcGx1Z2luL3NwYXJrL2F1dGh6L3V0aWwvUnVsZUVsaW1pbmF0ZU1hcmtlci5zY2FsYQ==) | `50.00% <33.33%> (ø)` | |
| [...bi/plugin/spark/authz/util/DataMaskingMarker.scala](https://codecov.io/gh/apache/kyuubi/pull/4358?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-ZXh0ZW5zaW9ucy9zcGFyay9reXV1Ymktc3BhcmstYXV0aHovc3JjL21haW4vc2NhbGEvb3JnL2FwYWNoZS9reXV1YmkvcGx1Z2luL3NwYXJrL2F1dGh6L3V0aWwvRGF0YU1hc2tpbmdNYXJrZXIuc2NhbGE=) | `66.66% <50.00%> (ø)` | |
| [...ugin/spark/authz/ranger/RuleApplyDataMasking.scala](https://codecov.io/gh/apache/kyuubi/pull/4358?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-ZXh0ZW5zaW9ucy9zcGFyay9reXV1Ymktc3BhcmstYXV0aHovc3JjL21haW4vc2NhbGEvb3JnL2FwYWNoZS9reXV1YmkvcGx1Z2luL3NwYXJrL2F1dGh6L3Jhbmdlci9SdWxlQXBwbHlEYXRhTWFza2luZy5zY2FsYQ==) | `80.95% <80.95%> (ø)` | |
| [...ugin/spark/authz/ranger/RangerSparkExtension.scala](https://codecov.io/gh/apache/kyuubi/pull/4358?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-ZXh0ZW5zaW9ucy9zcGFyay9reXV1Ymktc3BhcmstYXV0aHovc3JjL21haW4vc2NhbGEvb3JnL2FwYWNoZS9reXV1YmkvcGx1Z2luL3NwYXJrL2F1dGh6L3Jhbmdlci9SYW5nZXJTcGFya0V4dGVuc2lvbi5zY2FsYQ==) | `100.00% <100.00%> (ø)` | |
| [...plugin/spark/authz/ranger/RuleApplyRowFilter.scala](https://codecov.io/gh/apache/kyuubi/pull/4358?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-ZXh0ZW5zaW9ucy9zcGFyay9reXV1Ymktc3BhcmstYXV0aHovc3JjL21haW4vc2NhbGEvb3JnL2FwYWNoZS9reXV1YmkvcGx1Z2luL3NwYXJrL2F1dGh6L3Jhbmdlci9SdWxlQXBwbHlSb3dGaWx0ZXIuc2NhbGE=) | `95.65% <100.00%> (ø)` | |
| [...ala/org/apache/kyuubi/session/SessionLimiter.scala](https://codecov.io/gh/apache/kyuubi/pull/4358?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-a3l1dWJpLXNlcnZlci9zcmMvbWFpbi9zY2FsYS9vcmcvYXBhY2hlL2t5dXViaS9zZXNzaW9uL1Nlc3Npb25MaW1pdGVyLnNjYWxh) | `73.01% <0.00%> (-9.13%)` | :arrow_down: |
| [...kyuubi/server/trino/api/v1/StatementResource.scala](https://codecov.io/gh/apache/kyuubi/pull/4358?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-a3l1dWJpLXNlcnZlci9zcmMvbWFpbi9zY2FsYS9vcmcvYXBhY2hlL2t5dXViaS9zZXJ2ZXIvdHJpbm8vYXBpL3YxL1N0YXRlbWVudFJlc291cmNlLnNjYWxh) | `50.66% <0.00%> (-8.00%)` | :arrow_down: |
| [...in/java/org/apache/kyuubi/client/AdminRestApi.java](https://codecov.io/gh/apache/kyuubi/pull/4358?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-a3l1dWJpLXJlc3QtY2xpZW50L3NyYy9tYWluL2phdmEvb3JnL2FwYWNoZS9reXV1YmkvY2xpZW50L0FkbWluUmVzdEFwaS5qYXZh) | `84.00% <0.00%> (-7.31%)` | :arrow_down: |
| [.../kyuubi/server/mysql/constant/MySQLErrorCode.scala](https://codecov.io/gh/apache/kyuubi/pull/4358?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-a3l1dWJpLXNlcnZlci9zcmMvbWFpbi9zY2FsYS9vcmcvYXBhY2hlL2t5dXViaS9zZXJ2ZXIvbXlzcWwvY29uc3RhbnQvTXlTUUxFcnJvckNvZGUuc2NhbGE=) | `13.84% <0.00%> (-6.16%)` | :arrow_down: |
| ... and [31 more](https://codecov.io/gh/apache/kyuubi/pull/4358?src=pr&el=tree-more&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) | |
:mega: We’re building smart automated test selection to slash your CI/CD build times. [Learn more](https://about.codecov.io/iterative-testing/?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For additional commands, e-mail: notifications-help@kyuubi.apache.org
[GitHub] [kyuubi] yaooqinn commented on pull request #4358: [KYUUBI #4202] Fix reference resolution when data masking enabled for V2 relations
Posted by "yaooqinn (via GitHub)" <gi...@apache.org>.
yaooqinn commented on PR #4358:
URL: https://github.com/apache/kyuubi/pull/4358#issuecomment-1437893112
@bowenliang123 does the tests need to be refined? It looks less rigorous to me
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For additional commands, e-mail: notifications-help@kyuubi.apache.org
[GitHub] [kyuubi] yaooqinn commented on pull request #4358: [KYUUBI #4202] Fix reference resolution when data masking enabled for V2 relations
Posted by "yaooqinn (via GitHub)" <gi...@apache.org>.
yaooqinn commented on PR #4358:
URL: https://github.com/apache/kyuubi/pull/4358#issuecomment-1445796828
thanks, merged to master and 1.7. also cc @pan3793, the RM of v1.7.0
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For additional commands, e-mail: notifications-help@kyuubi.apache.org
[GitHub] [kyuubi] yaooqinn commented on a diff in pull request #4358: [KYUUBI #4202] Fix reference resolution when data masking enabled for V2 relations
Posted by "yaooqinn (via GitHub)" <gi...@apache.org>.
yaooqinn commented on code in PR #4358:
URL: https://github.com/apache/kyuubi/pull/4358#discussion_r1112458303
##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RuleApplyDataMasking.scala:
##########
@@ -0,0 +1,107 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.kyuubi.plugin.spark.authz.ranger
+
+import org.apache.hadoop.security.UserGroupInformation
+import org.apache.spark.sql.SparkSession
+import org.apache.spark.sql.catalyst.expressions.{Alias, NamedExpression, SubqueryExpression}
+import org.apache.spark.sql.catalyst.plans.logical.{Command, LogicalPlan}
+import org.apache.spark.sql.catalyst.rules.Rule
+
+import org.apache.kyuubi.plugin.spark.authz.ObjectType._
+import org.apache.kyuubi.plugin.spark.authz.OperationType.OperationType
+import org.apache.kyuubi.plugin.spark.authz.ranger.AccessType._
+import org.apache.kyuubi.plugin.spark.authz.serde._
+import org.apache.kyuubi.plugin.spark.authz.util.AuthZUtils._
+import org.apache.kyuubi.plugin.spark.authz.util.DataMaskingMarker
+
+class RuleApplyDataMasking(spark: SparkSession) extends Rule[LogicalPlan] {
+ private val parse = spark.sessionState.sqlParser.parseExpression _
+
+ override def apply(plan: LogicalPlan): LogicalPlan = {
+ val ugi = getAuthzUgi(spark.sparkContext)
+ val opType = operationType(plan)
+
+ plan match {
+ case marker: DataMaskingMarker => marker
+ case cmd if isKnownTableCommand(cmd) =>
+ val tableCommandSpec = getTableCommandSpec(cmd)
+ val queries = tableCommandSpec.queries(cmd)
+ cmd.mapChildren {
+ case marker: DataMaskingMarker => marker
+ case query if queries.contains(query) && query.resolved =>
+ applyDataMasking(query, ugi, opType)
+ case o => o
+ }
+ case cmd: Command if cmd.childrenResolved =>
+ cmd.mapChildren(applyDataMasking(_, ugi, opType))
+ case cmd: Command => cmd
Review Comment:
yes
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For additional commands, e-mail: notifications-help@kyuubi.apache.org
[GitHub] [kyuubi] yaooqinn commented on pull request #4358: [KYUUBI #4202] Fix reference resolution when data masking enabled for V2 relations
Posted by "yaooqinn (via GitHub)" <gi...@apache.org>.
yaooqinn commented on PR #4358:
URL: https://github.com/apache/kyuubi/pull/4358#issuecomment-1437912735
> > @bowenliang123 does the tests need to be refined? It looks less rigorous to me
>
> Good to have more tests on `create table as select` or select with joins ?
Can you make a follow-up to make the original `data masking` tests work for v2 relations, there is a seq for us to add new SQL patterns, we do not need new tests
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For additional commands, e-mail: notifications-help@kyuubi.apache.org
[GitHub] [kyuubi] bowenliang123 commented on a diff in pull request #4358: [KYUUBI #4202] Fix reference resolution when data masking enabled for V2 relations
Posted by "bowenliang123 (via GitHub)" <gi...@apache.org>.
bowenliang123 commented on code in PR #4358:
URL: https://github.com/apache/kyuubi/pull/4358#discussion_r1112570594
##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/util/RuleEliminateMarker.scala:
##########
@@ -22,6 +22,9 @@ import org.apache.spark.sql.catalyst.rules.Rule
class RuleEliminateMarker extends Rule[LogicalPlan] {
override def apply(plan: LogicalPlan): LogicalPlan = {
- plan.transformUp { case rf: RowFilterAndDataMaskingMarker => rf.child }
+ plan.transformUp {
+ case rf: DataMaskingMarker => rf.child
+ case rf: RowFilterMarker => rf.child
Review Comment:
```
case dm: DataMaskingMarker => dm.child
case rf: RowFilterMarker => rf.child
```
OK, back to the existing style. How about this?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For additional commands, e-mail: notifications-help@kyuubi.apache.org
[GitHub] [kyuubi] yaooqinn commented on a diff in pull request #4358: [KYUUBI #4202] Fix reference resolution when data masking enabled for V2 relations
Posted by "yaooqinn (via GitHub)" <gi...@apache.org>.
yaooqinn commented on code in PR #4358:
URL: https://github.com/apache/kyuubi/pull/4358#discussion_r1112461005
##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/util/RuleEliminateMarker.scala:
##########
@@ -22,6 +22,9 @@ import org.apache.spark.sql.catalyst.rules.Rule
class RuleEliminateMarker extends Rule[LogicalPlan] {
override def apply(plan: LogicalPlan): LogicalPlan = {
- plan.transformUp { case rf: RowFilterAndDataMaskingMarker => rf.child }
+ plan.transformUp {
+ case rf: DataMaskingMarker => rf.child
+ case rf: RowFilterMarker => rf.child
Review Comment:
Any reason to change? both styles are widely used
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For additional commands, e-mail: notifications-help@kyuubi.apache.org
[GitHub] [kyuubi] bowenliang123 commented on a diff in pull request #4358: [KYUUBI #4202] Fix reference resolution when data masking enabled for V2 relations
Posted by "bowenliang123 (via GitHub)" <gi...@apache.org>.
bowenliang123 commented on code in PR #4358:
URL: https://github.com/apache/kyuubi/pull/4358#discussion_r1112562192
##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/util/RuleEliminateMarker.scala:
##########
@@ -22,6 +22,9 @@ import org.apache.spark.sql.catalyst.rules.Rule
class RuleEliminateMarker extends Rule[LogicalPlan] {
override def apply(plan: LogicalPlan): LogicalPlan = {
- plan.transformUp { case rf: RowFilterAndDataMaskingMarker => rf.child }
+ plan.transformUp {
+ case rf: DataMaskingMarker => rf.child
+ case rf: RowFilterMarker => rf.child
Review Comment:
duplicated `rf` is more like the short form of `rowfilter` and not suitable for both DataMaskingMarker and RowFilterMarker. And in suggested style we could just skip naming it .
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For additional commands, e-mail: notifications-help@kyuubi.apache.org
[GitHub] [kyuubi] yaooqinn commented on pull request #4358: [KYUUBI #4202] Fix reference resolution when data masking enabled for V2 relations
Posted by "yaooqinn (via GitHub)" <gi...@apache.org>.
yaooqinn commented on PR #4358:
URL: https://github.com/apache/kyuubi/pull/4358#issuecomment-1438124014
thanks @Jackhjf for the input, will verify the cases you provided
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For additional commands, e-mail: notifications-help@kyuubi.apache.org
[GitHub] [kyuubi] bowenliang123 commented on a diff in pull request #4358: [KYUUBI #4202] Fix reference resolution when data masking enabled for V2 relations
Posted by "bowenliang123 (via GitHub)" <gi...@apache.org>.
bowenliang123 commented on code in PR #4358:
URL: https://github.com/apache/kyuubi/pull/4358#discussion_r1112009465
##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/util/DataMaskingMarker.scala:
##########
@@ -29,3 +29,11 @@ case class RowFilterAndDataMaskingMarker(child: LogicalPlan) extends UnaryNode
copy(child = newChild)
}
+case class RowFilterMarker(child: LogicalPlan) extends UnaryNode with WithInternalChild {
+
+ override def output: Seq[Attribute] = child.output
+
+ override def withNewChildInternal(newChild: LogicalPlan): LogicalPlan =
+ copy(child = newChild)
Review Comment:
```suggestion
override def withNewChildInternal(newChild: LogicalPlan): LogicalPlan = copy(child = newChild)
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For additional commands, e-mail: notifications-help@kyuubi.apache.org
[GitHub] [kyuubi] bowenliang123 commented on a diff in pull request #4358: [KYUUBI #4202] Fix reference resolution when data masking enabled for V2 relations
Posted by "bowenliang123 (via GitHub)" <gi...@apache.org>.
bowenliang123 commented on code in PR #4358:
URL: https://github.com/apache/kyuubi/pull/4358#discussion_r1118329674
##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/datamasking/RuleApplyDataMaskingStage0.scala:
##########
@@ -0,0 +1,74 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.kyuubi.plugin.spark.authz.ranger.datamasking
+
+import org.apache.spark.sql.SparkSession
+import org.apache.spark.sql.catalyst.expressions.Alias
+import org.apache.spark.sql.catalyst.plans.logical.{LogicalPlan, Project}
+
+import org.apache.kyuubi.plugin.spark.authz.ObjectType
+import org.apache.kyuubi.plugin.spark.authz.OperationType.QUERY
+import org.apache.kyuubi.plugin.spark.authz.ranger._
+import org.apache.kyuubi.plugin.spark.authz.serde._
+
+/**
+ * The full data masking rule contains two separate stages.
+ *
+ * Step1: RuleApplyDataMaskingStage0
+ * - lookup the full plan for supported scans
+ * - once found, get masker configuration for external column by column
+ * - use spark sql parser to generate a unresolved expression for each masker
+ * - add a projection with new output on the right top of the original scan if the output has
+ * changed
+ * - Add DataMaskingStage0Marker to track the original expression and its masker expression.
+ *
+ * Step2: Spark native rules will resolved our newly added maskers
+ *
+ * Step3: [[RuleApplyDataMaskingStage1]]
Review Comment:
These comments are key designs for the refactor in this PR. Better to copy them to the PR description as well.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For additional commands, e-mail: notifications-help@kyuubi.apache.org
[GitHub] [kyuubi] bowenliang123 commented on a diff in pull request #4358: [KYUUBI #4202] Fix reference resolution when data masking enabled for V2 relations
Posted by "bowenliang123 (via GitHub)" <gi...@apache.org>.
bowenliang123 commented on code in PR #4358:
URL: https://github.com/apache/kyuubi/pull/4358#discussion_r1118329674
##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/datamasking/RuleApplyDataMaskingStage0.scala:
##########
@@ -0,0 +1,74 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.kyuubi.plugin.spark.authz.ranger.datamasking
+
+import org.apache.spark.sql.SparkSession
+import org.apache.spark.sql.catalyst.expressions.Alias
+import org.apache.spark.sql.catalyst.plans.logical.{LogicalPlan, Project}
+
+import org.apache.kyuubi.plugin.spark.authz.ObjectType
+import org.apache.kyuubi.plugin.spark.authz.OperationType.QUERY
+import org.apache.kyuubi.plugin.spark.authz.ranger._
+import org.apache.kyuubi.plugin.spark.authz.serde._
+
+/**
+ * The full data masking rule contains two separate stages.
+ *
+ * Step1: RuleApplyDataMaskingStage0
+ * - lookup the full plan for supported scans
+ * - once found, get masker configuration for external column by column
+ * - use spark sql parser to generate a unresolved expression for each masker
+ * - add a projection with new output on the right top of the original scan if the output has
+ * changed
+ * - Add DataMaskingStage0Marker to track the original expression and its masker expression.
+ *
+ * Step2: Spark native rules will resolved our newly added maskers
+ *
+ * Step3: [[RuleApplyDataMaskingStage1]]
Review Comment:
These comments are key designs to the refactor. Better to copy them to the PR description as well.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For additional commands, e-mail: notifications-help@kyuubi.apache.org
[GitHub] [kyuubi] yaooqinn commented on a diff in pull request #4358: [KYUUBI #4202] Fix reference resolution when data masking enabled for V2 relations
Posted by "yaooqinn (via GitHub)" <gi...@apache.org>.
yaooqinn commented on code in PR #4358:
URL: https://github.com/apache/kyuubi/pull/4358#discussion_r1112566253
##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/util/RuleEliminateMarker.scala:
##########
@@ -22,6 +22,9 @@ import org.apache.spark.sql.catalyst.rules.Rule
class RuleEliminateMarker extends Rule[LogicalPlan] {
override def apply(plan: LogicalPlan): LogicalPlan = {
- plan.transformUp { case rf: RowFilterAndDataMaskingMarker => rf.child }
+ plan.transformUp {
+ case rf: DataMaskingMarker => rf.child
+ case rf: RowFilterMarker => rf.child
Review Comment:
The suggested style is not a good habit. it makes refactoring more difficult and the code more error-prone.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For additional commands, e-mail: notifications-help@kyuubi.apache.org
[GitHub] [kyuubi] Jackhjf commented on pull request #4358: [KYUUBI #4202] Fix reference resolution when data masking enabled for V2 relations
Posted by "Jackhjf (via GitHub)" <gi...@apache.org>.
Jackhjf commented on PR #4358:
URL: https://github.com/apache/kyuubi/pull/4358#issuecomment-1438001668
This item previously existed in two issues:
1. The fields of the two tables are the same
create two tables: create table test(id string,name string),create table test_copy(id string,name string),Among them, the test1 table configures the masking strategy,use this sql:insert into test select *from test_copy, The data found in the test_copy is not masking data
2. The fields of the two tables are not the same
create two tables: create table test(id1 string,name1 string),create table test_copy(id string,name string),Among them, the test1 table configures the masking strategy,use this sql:insert into test select *from test_copy, The data found in the test_copy is not masking data
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For additional commands, e-mail: notifications-help@kyuubi.apache.org
[GitHub] [kyuubi] yaooqinn commented on pull request #4358: [KYUUBI #4202] Fix reference resolution when data masking enabled for V2 relations
Posted by "yaooqinn (via GitHub)" <gi...@apache.org>.
yaooqinn commented on PR #4358:
URL: https://github.com/apache/kyuubi/pull/4358#issuecomment-1436887183
cc @praveenkumarb1207 @bowenliang123 @pan3793
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For additional commands, e-mail: notifications-help@kyuubi.apache.org
[GitHub] [kyuubi] bowenliang123 commented on a diff in pull request #4358: [KYUUBI #4202] Fix reference resolution when data masking enabled for V2 relations
Posted by "bowenliang123 (via GitHub)" <gi...@apache.org>.
bowenliang123 commented on code in PR #4358:
URL: https://github.com/apache/kyuubi/pull/4358#discussion_r1111990349
##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RuleApplyRowFilter.scala:
##########
@@ -45,46 +46,21 @@ class RuleApplyRowFilterAndDataMasking(spark: SparkSession) extends Rule[Logical
override def apply(plan: LogicalPlan): LogicalPlan = {
mapChildren(plan) {
- case p: RowFilterAndDataMaskingMarker => p
+ case p: RowFilterMarker => p
case scan if isKnownScan(scan) && scan.resolved =>
val tables = getScanSpec(scan).tables(scan, spark)
- tables.headOption.map(applyFilterAndMasking(scan, _)).getOrElse(scan)
+ tables.headOption.map(applyFilter(scan, _)).getOrElse(scan)
case other => apply(other)
}
}
-
- private def applyFilterAndMasking(
+ private def applyFilter(
plan: LogicalPlan,
table: Table): LogicalPlan = {
val ugi = getAuthzUgi(spark.sparkContext)
val opType = operationType(plan)
- val parse = spark.sessionState.sqlParser.parseExpression _
val are = AccessResource(ObjectType.TABLE, table.database.orNull, table.table, null)
val art = AccessRequest(are, ugi, opType, AccessType.SELECT)
- val filterExprStr = SparkRangerAdminPlugin.getFilterExpr(art)
- val newOutput = plan.output.map { attr =>
- val are =
- AccessResource(ObjectType.COLUMN, table.database.orNull, table.table, attr.name)
- val art = AccessRequest(are, ugi, opType, AccessType.SELECT)
- val maskExprStr = SparkRangerAdminPlugin.getMaskingExpr(art)
- if (maskExprStr.isEmpty) {
- attr
- } else {
- val maskExpr = parse(maskExprStr.get)
- plan match {
- case _: PermanentViewMarker =>
- Alias(maskExpr, attr.name)(exprId = attr.exprId)
- case _ =>
- Alias(maskExpr, attr.name)()
- }
- }
- }
-
- if (filterExprStr.isEmpty) {
- Project(newOutput, RowFilterAndDataMaskingMarker(plan))
- } else {
- val filterExpr = parse(filterExprStr.get)
- Project(newOutput, Filter(filterExpr, RowFilterAndDataMaskingMarker(plan)))
- }
+ val filterExpr = SparkRangerAdminPlugin.getFilterExpr(art).map(parse)
+ filterExpr.foldLeft(plan)((p, e) => Filter(e, RowFilterMarker(p)))
Review Comment:
```suggestion
filterExpr.foldLeft(plan)((p, expr) => Filter(expr, RowFilterMarker(p)))
```
Maybe it's better for understanding with the var name `expr` ?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For additional commands, e-mail: notifications-help@kyuubi.apache.org