You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@kyuubi.apache.org by ya...@apache.org on 2022/09/07 06:57:54 UTC

[incubator-kyuubi] branch master updated: [KYUUBI #3426] Drop temp view should be skipped permission check

This is an automated email from the ASF dual-hosted git repository.

yao pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-kyuubi.git


The following commit(s) were added to refs/heads/master by this push:
     new 20d1dd445 [KYUUBI #3426] Drop temp view should be skipped permission check
20d1dd445 is described below

commit 20d1dd44527aa8bef830b899eb8174f5582a7638
Author: yikf <yi...@gmail.com>
AuthorDate: Wed Sep 7 14:57:44 2022 +0800

    [KYUUBI #3426] Drop temp view should be skipped permission check
    
    ### _Why are the changes needed?_
    
    Fix https://github.com/apache/incubator-kyuubi/issues/3426
    
    This pr aims to skip permission check for drop temp view.
    
    ### _How was this patch tested?_
    - [ ] Add some test cases that check the changes thoroughly including negative and positive cases if possible
    
    - [ ] Add screenshots for manual tests if appropriate
    
    - [ ] [Run test](https://kyuubi.apache.org/docs/latest/develop_tools/testing.html#running-tests) locally before make a pull request
    
    Closes #3427 from Yikf/dropview.
    
    Closes #3426
    
    110528c9 [yikf] Drop temp view should be skipped permission check
    
    Authored-by: yikf <yi...@gmail.com>
    Signed-off-by: Kent Yao <ya...@apache.org>
---
 .../plugin/spark/authz/PrivilegesBuilder.scala     | 17 ++++++++++++-
 .../authz/ranger/RangerSparkExtensionSuite.scala   | 28 ++++++++++++++++++++++
 2 files changed, 44 insertions(+), 1 deletion(-)

diff --git a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala
index 68c9116bb..d715d8fc3 100644
--- a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala
+++ b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala
@@ -68,6 +68,19 @@ object PrivilegesBuilder {
     }
   }
 
+  private def isTempView(
+      tableIdent: TableIdentifier,
+      spark: SparkSession): Boolean = {
+    val parts = tableIdent.database match {
+      case Some(db) =>
+        Seq(db, tableIdent.table)
+      case _ =>
+        Seq(tableIdent.table)
+    }
+
+    spark.sessionState.catalog.isTempView(parts)
+  }
+
   /**
    * Build PrivilegeObjects from Spark LogicalPlan
    *
@@ -382,7 +395,9 @@ object PrivilegesBuilder {
         outputObjs += databasePrivileges(quote(database))
 
       case "DropTableCommand" =>
-        outputObjs += tablePrivileges(getTableName)
+        if (!isTempView(getPlanField[TableIdentifier]("tableName"), spark)) {
+          outputObjs += tablePrivileges(getTableName)
+        }
 
       case "ExplainCommand" =>
 
diff --git a/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala b/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
index 9b1f60e32..50732084a 100644
--- a/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
+++ b/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
@@ -448,6 +448,34 @@ abstract class RangerSparkExtensionSuite extends AnyFunSuite
     }
   }
 
+  test("[KYUUBI #3426] Drop temp view should be skipped permission check") {
+    val tempView = "temp_view"
+    val globalTempView = "global_temp_view"
+    doAs("denyuser", sql(s"CREATE TEMPORARY VIEW $tempView AS select * from values(1)"))
+
+    doAs(
+      "denyuser",
+      sql(s"CREATE OR REPLACE TEMPORARY VIEW $tempView" +
+        s" AS select * from values(1)"))
+
+    doAs(
+      "denyuser",
+      sql(s"CREATE GLOBAL TEMPORARY VIEW $globalTempView AS SELECT * FROM values(1)"))
+
+    doAs(
+      "denyuser",
+      sql(s"CREATE OR REPLACE GLOBAL TEMPORARY VIEW $globalTempView" +
+        s" AS select * from values(1)"))
+
+    // global_temp will contain the temporary view, even if it is not global
+    doAs("admin", assert(sql("show tables from global_temp").collect().length == 2))
+
+    doAs("denyuser2", sql(s"DROP VIEW IF EXISTS $tempView"))
+    doAs("denyuser2", sql(s"DROP VIEW IF EXISTS global_temp.$globalTempView"))
+
+    doAs("admin", assert(sql("show tables from global_temp").collect().length == 0))
+  }
+
   test("[KYUUBI #3343] pass temporary view creation") {
     val tempView = "temp_view"
     val globalTempView = "global_temp_view"