You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@kyuubi.apache.org by ya...@apache.org on 2022/09/07 11:23:43 UTC

[incubator-kyuubi] branch master updated: [KYUUBI #3428] AlterViewAsCommand should be skipped permission check

This is an automated email from the ASF dual-hosted git repository.

yao pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-kyuubi.git


The following commit(s) were added to refs/heads/master by this push:
     new 9a53b2cee [KYUUBI #3428] AlterViewAsCommand should be skipped permission check
9a53b2cee is described below

commit 9a53b2ceeabed17aff903a73ac6fae69992ca3ba
Author: yikf <yi...@gmail.com>
AuthorDate: Wed Sep 7 19:23:34 2022 +0800

    [KYUUBI #3428] AlterViewAsCommand should be skipped permission check
    
    ### _Why are the changes needed?_
    
    Fix https://github.com/apache/incubator-kyuubi/issues/3428
    
    This pr aims to skip permission check in `AlterViewAsCommand` if view is a temp view
    
    ### _How was this patch tested?_
    - [ ] Add some test cases that check the changes thoroughly including negative and positive cases if possible
    
    - [ ] Add screenshots for manual tests if appropriate
    
    - [ ] [Run test](https://kyuubi.apache.org/docs/latest/develop_tools/testing.html#running-tests) locally before make a pull request
    
    Closes #3429 from Yikf/alter-view.
    
    Closes #3428
    
    a2f1b782 [yikf] AlterViewAsCommand should be skipped permission check
    
    Authored-by: yikf <yi...@gmail.com>
    Signed-off-by: Kent Yao <ya...@apache.org>
---
 .../plugin/spark/authz/PrivilegesBuilder.scala     |  4 +++-
 .../authz/ranger/RangerSparkExtensionSuite.scala   | 27 ++++++++++++++++++++++
 2 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala
index d715d8fc3..0ee9802b2 100644
--- a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala
+++ b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala
@@ -254,7 +254,9 @@ object PrivilegesBuilder {
 
       case "AlterViewAsCommand" =>
         val view = getPlanField[TableIdentifier]("name")
-        outputObjs += tablePrivileges(view)
+        if (!isTempView(view, spark)) {
+          outputObjs += tablePrivileges(view)
+        }
         buildQuery(getQuery, inputObjs)
 
       case "AlterViewAs" =>
diff --git a/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala b/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
index 50732084a..f7d9dcd94 100644
--- a/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
+++ b/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
@@ -476,6 +476,33 @@ abstract class RangerSparkExtensionSuite extends AnyFunSuite
     doAs("admin", assert(sql("show tables from global_temp").collect().length == 0))
   }
 
+  test("[KYUUBI #3428] AlterViewAsCommand should be skipped permission check") {
+    val tempView = "temp_view"
+    val globalTempView = "global_temp_view"
+
+    // create or replace view
+    doAs("denyuser", sql(s"CREATE TEMPORARY VIEW $tempView AS select * from values(1)"))
+    doAs(
+      "denyuser",
+      sql(s"CREATE OR REPLACE TEMPORARY VIEW $tempView" +
+        s" AS select * from values(1)"))
+    doAs(
+      "denyuser",
+      sql(s"CREATE GLOBAL TEMPORARY VIEW $globalTempView AS SELECT * FROM values(1)"))
+    doAs(
+      "denyuser",
+      sql(s"CREATE OR REPLACE GLOBAL TEMPORARY VIEW $globalTempView" +
+        s" AS select * from values(1)"))
+
+    // rename view
+    doAs("denyuser2", sql(s"ALTER VIEW $tempView AS SELECT * FROM values(1)"))
+    doAs("denyuser2", sql(s"ALTER VIEW global_temp.$globalTempView AS SELECT * FROM values(1)"))
+
+    doAs("admin", sql(s"DROP VIEW IF EXISTS $tempView"))
+    doAs("admin", sql(s"DROP VIEW IF EXISTS global_temp.$globalTempView"))
+    doAs("admin", assert(sql("show tables from global_temp").collect().length == 0))
+  }
+
   test("[KYUUBI #3343] pass temporary view creation") {
     val tempView = "temp_view"
     val globalTempView = "global_temp_view"