You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@kyuubi.apache.org by ya...@apache.org on 2022/09/07 06:57:54 UTC
[incubator-kyuubi] branch master updated: [KYUUBI #3426] Drop temp view should be skipped permission check
This is an automated email from the ASF dual-hosted git repository.
yao pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-kyuubi.git
The following commit(s) were added to refs/heads/master by this push:
new 20d1dd445 [KYUUBI #3426] Drop temp view should be skipped permission check
20d1dd445 is described below
commit 20d1dd44527aa8bef830b899eb8174f5582a7638
Author: yikf <yi...@gmail.com>
AuthorDate: Wed Sep 7 14:57:44 2022 +0800
[KYUUBI #3426] Drop temp view should be skipped permission check
### _Why are the changes needed?_
Fix https://github.com/apache/incubator-kyuubi/issues/3426
This pr aims to skip permission check for drop temp view.
### _How was this patch tested?_
- [ ] Add some test cases that check the changes thoroughly including negative and positive cases if possible
- [ ] Add screenshots for manual tests if appropriate
- [ ] [Run test](https://kyuubi.apache.org/docs/latest/develop_tools/testing.html#running-tests) locally before make a pull request
Closes #3427 from Yikf/dropview.
Closes #3426
110528c9 [yikf] Drop temp view should be skipped permission check
Authored-by: yikf <yi...@gmail.com>
Signed-off-by: Kent Yao <ya...@apache.org>
---
.../plugin/spark/authz/PrivilegesBuilder.scala | 17 ++++++++++++-
.../authz/ranger/RangerSparkExtensionSuite.scala | 28 ++++++++++++++++++++++
2 files changed, 44 insertions(+), 1 deletion(-)
diff --git a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala
index 68c9116bb..d715d8fc3 100644
--- a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala
+++ b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala
@@ -68,6 +68,19 @@ object PrivilegesBuilder {
}
}
+ private def isTempView(
+ tableIdent: TableIdentifier,
+ spark: SparkSession): Boolean = {
+ val parts = tableIdent.database match {
+ case Some(db) =>
+ Seq(db, tableIdent.table)
+ case _ =>
+ Seq(tableIdent.table)
+ }
+
+ spark.sessionState.catalog.isTempView(parts)
+ }
+
/**
* Build PrivilegeObjects from Spark LogicalPlan
*
@@ -382,7 +395,9 @@ object PrivilegesBuilder {
outputObjs += databasePrivileges(quote(database))
case "DropTableCommand" =>
- outputObjs += tablePrivileges(getTableName)
+ if (!isTempView(getPlanField[TableIdentifier]("tableName"), spark)) {
+ outputObjs += tablePrivileges(getTableName)
+ }
case "ExplainCommand" =>
diff --git a/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala b/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
index 9b1f60e32..50732084a 100644
--- a/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
+++ b/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
@@ -448,6 +448,34 @@ abstract class RangerSparkExtensionSuite extends AnyFunSuite
}
}
+ test("[KYUUBI #3426] Drop temp view should be skipped permission check") {
+ val tempView = "temp_view"
+ val globalTempView = "global_temp_view"
+ doAs("denyuser", sql(s"CREATE TEMPORARY VIEW $tempView AS select * from values(1)"))
+
+ doAs(
+ "denyuser",
+ sql(s"CREATE OR REPLACE TEMPORARY VIEW $tempView" +
+ s" AS select * from values(1)"))
+
+ doAs(
+ "denyuser",
+ sql(s"CREATE GLOBAL TEMPORARY VIEW $globalTempView AS SELECT * FROM values(1)"))
+
+ doAs(
+ "denyuser",
+ sql(s"CREATE OR REPLACE GLOBAL TEMPORARY VIEW $globalTempView" +
+ s" AS select * from values(1)"))
+
+ // global_temp will contain the temporary view, even if it is not global
+ doAs("admin", assert(sql("show tables from global_temp").collect().length == 2))
+
+ doAs("denyuser2", sql(s"DROP VIEW IF EXISTS $tempView"))
+ doAs("denyuser2", sql(s"DROP VIEW IF EXISTS global_temp.$globalTempView"))
+
+ doAs("admin", assert(sql("show tables from global_temp").collect().length == 0))
+ }
+
test("[KYUUBI #3343] pass temporary view creation") {
val tempView = "temp_view"
val globalTempView = "global_temp_view"