You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@kyuubi.apache.org by ya...@apache.org on 2022/09/07 11:23:43 UTC
[incubator-kyuubi] branch master updated: [KYUUBI #3428] AlterViewAsCommand should be skipped permission check
This is an automated email from the ASF dual-hosted git repository.
yao pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-kyuubi.git
The following commit(s) were added to refs/heads/master by this push:
new 9a53b2cee [KYUUBI #3428] AlterViewAsCommand should be skipped permission check
9a53b2cee is described below
commit 9a53b2ceeabed17aff903a73ac6fae69992ca3ba
Author: yikf <yi...@gmail.com>
AuthorDate: Wed Sep 7 19:23:34 2022 +0800
[KYUUBI #3428] AlterViewAsCommand should be skipped permission check
### _Why are the changes needed?_
Fix https://github.com/apache/incubator-kyuubi/issues/3428
This pr aims to skip permission check in `AlterViewAsCommand` if view is a temp view
### _How was this patch tested?_
- [ ] Add some test cases that check the changes thoroughly including negative and positive cases if possible
- [ ] Add screenshots for manual tests if appropriate
- [ ] [Run test](https://kyuubi.apache.org/docs/latest/develop_tools/testing.html#running-tests) locally before make a pull request
Closes #3429 from Yikf/alter-view.
Closes #3428
a2f1b782 [yikf] AlterViewAsCommand should be skipped permission check
Authored-by: yikf <yi...@gmail.com>
Signed-off-by: Kent Yao <ya...@apache.org>
---
.../plugin/spark/authz/PrivilegesBuilder.scala | 4 +++-
.../authz/ranger/RangerSparkExtensionSuite.scala | 27 ++++++++++++++++++++++
2 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala
index d715d8fc3..0ee9802b2 100644
--- a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala
+++ b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala
@@ -254,7 +254,9 @@ object PrivilegesBuilder {
case "AlterViewAsCommand" =>
val view = getPlanField[TableIdentifier]("name")
- outputObjs += tablePrivileges(view)
+ if (!isTempView(view, spark)) {
+ outputObjs += tablePrivileges(view)
+ }
buildQuery(getQuery, inputObjs)
case "AlterViewAs" =>
diff --git a/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala b/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
index 50732084a..f7d9dcd94 100644
--- a/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
+++ b/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
@@ -476,6 +476,33 @@ abstract class RangerSparkExtensionSuite extends AnyFunSuite
doAs("admin", assert(sql("show tables from global_temp").collect().length == 0))
}
+ test("[KYUUBI #3428] AlterViewAsCommand should be skipped permission check") {
+ val tempView = "temp_view"
+ val globalTempView = "global_temp_view"
+
+ // create or replace view
+ doAs("denyuser", sql(s"CREATE TEMPORARY VIEW $tempView AS select * from values(1)"))
+ doAs(
+ "denyuser",
+ sql(s"CREATE OR REPLACE TEMPORARY VIEW $tempView" +
+ s" AS select * from values(1)"))
+ doAs(
+ "denyuser",
+ sql(s"CREATE GLOBAL TEMPORARY VIEW $globalTempView AS SELECT * FROM values(1)"))
+ doAs(
+ "denyuser",
+ sql(s"CREATE OR REPLACE GLOBAL TEMPORARY VIEW $globalTempView" +
+ s" AS select * from values(1)"))
+
+ // rename view
+ doAs("denyuser2", sql(s"ALTER VIEW $tempView AS SELECT * FROM values(1)"))
+ doAs("denyuser2", sql(s"ALTER VIEW global_temp.$globalTempView AS SELECT * FROM values(1)"))
+
+ doAs("admin", sql(s"DROP VIEW IF EXISTS $tempView"))
+ doAs("admin", sql(s"DROP VIEW IF EXISTS global_temp.$globalTempView"))
+ doAs("admin", assert(sql("show tables from global_temp").collect().length == 0))
+ }
+
test("[KYUUBI #3343] pass temporary view creation") {
val tempView = "temp_view"
val globalTempView = "global_temp_view"