Posted to notifications@kyuubi.apache.org by GitBox <gi...@apache.org> on 2022/08/24 12:49:35 UTC

[GitHub] [incubator-kyuubi] bowenliang123 opened a new pull request, #3326: [KYUUBI #3325] [FEATURE] [AUTHZ] Privileges check for permanent views and skipping shadowed source tables

bowenliang123 opened a new pull request, #3326:
URL: https://github.com/apache/incubator-kyuubi/pull/3326

   …PrivilegesBuilder with PermanentViewMarker, finally marker cleanup in RuleEliminateViewMarker
   
   ### _Why are the changes needed?_
   fix https://github.com/apache/incubator-kyuubi/issues/3325
   
   Permanent views are generally registered globally and then used for unifying, masking, joining tables for different practical purposes. The data manager would like to authorize views to users, but not all the source tables.
   
   Authz plugin is not satisfying this scenario as it checks privileges of all the source tables instead of the permanent views.
   
   Suggesting changing behaviour of PrivilegesBuilder
   
   - check privileges for permanent view
   - skip privileges check for shadowed source view of permanent views
   
   ### _How was this patch tested?_
   - [ ] Add some test cases that check the changes thoroughly including negative and positive cases if possible
   
   - [ ] Add screenshots for manual tests if appropriate
   
   - [ ] [Run test](https://kyuubi.apache.org/docs/latest/develop_tools/testing.html#running-tests) locally before make a pull request
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For additional commands, e-mail: notifications-help@kyuubi.apache.org
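
The behaviour proposed in the description above, as an added sketch that is not part of the original message and is not Kyuubi or Spark code: a toy plan tree in which permanent views are wrapped in a marker, privilege collection stops at the marker, and the marker is removed afterwards. Every name in it (`Plan`, `Relation`, `Project`, `Join`, `View`, `ViewMarker` and the functions) is hypothetical, and the sample query and grants are constructed.

```scala
// Added illustration only: a toy model, not Kyuubi's PrivilegesBuilder or Spark's LogicalPlan.
object PermanentViewAuthzSketch {

  sealed trait Plan { def children: Seq[Plan] }
  final case class Relation(table: String) extends Plan {
    def children: Seq[Plan] = Nil
  }
  final case class Project(columns: Seq[String], child: Plan) extends Plan {
    def children: Seq[Plan] = Seq(child)
  }
  final case class Join(left: Plan, right: Plan) extends Plan {
    def children: Seq[Plan] = Seq(left, right)
  }
  final case class View(name: String, isTempView: Boolean, child: Plan) extends Plan {
    def children: Seq[Plan] = Seq(child)
  }
  // Hypothetical stand-in for the marker node the PR calls PermanentViewMarker.
  final case class ViewMarker(view: View) extends Plan {
    def children: Seq[Plan] = Seq(view)
  }

  // Step 1: wrap every permanent view, at any depth including the root.
  // An already marked subtree is returned untouched, so the pass is idempotent.
  def markPermanentViews(plan: Plan): Plan = plan match {
    case m: ViewMarker            => m
    case v: View if !v.isTempView => ViewMarker(v)
    case v: View                  => v.copy(child = markPermanentViews(v.child))
    case Project(cols, child)     => Project(cols, markPermanentViews(child))
    case Join(l, r)               => Join(markPermanentViews(l), markPermanentViews(r))
    case r: Relation              => r
  }

  // Step 2: collect the privileges a query needs. At a marker the view itself
  // is the protected object and traversal stops, so the tables it shadows are
  // not added. Anything not under a marker is still resolved down to tables.
  def requiredPrivileges(plan: Plan): Set[String] = plan match {
    case ViewMarker(v) => Set(s"select on view ${v.name}")
    case Relation(t)   => Set(s"select on table $t")
    case other         => other.children.flatMap(requiredPrivileges).toSet
  }

  // Step 3: remove the markers again so later planning sees the original tree.
  def eliminateMarkers(plan: Plan): Plan = plan match {
    case ViewMarker(v)        => v
    case v: View              => v.copy(child = eliminateMarkers(v.child))
    case Project(cols, child) => Project(cols, eliminateMarkers(child))
    case Join(l, r)           => Join(eliminateMarkers(l), eliminateMarkers(r))
    case r: Relation          => r
  }

  // Privileges the query needs that the user has not been granted.
  def missingPrivileges(grants: Set[String], plan: Plan): Set[String] =
    requiredPrivileges(markPermanentViews(plan)).diff(grants)

  def main(args: Array[String]): Unit = {
    // Constructed sample: a permanent view over `orders` joined with a
    // temporary view over `customers`.
    val query: Plan = Project(
      Seq("id"),
      Join(
        View("masked_orders", isTempView = false, Project(Seq("id"), Relation("orders"))),
        View("tmp_customers", isTempView = true, Relation("customers"))))

    // Constructed grant: the user may read the view but neither source table.
    val grants = Set("select on view masked_orders")

    println("without marking: " + requiredPrivileges(query))
    println("with marking:    " + requiredPrivileges(markPermanentViews(query)))
    println("still missing:   " + missingPrivileges(grants, query))

    // The marker is only an annotation: removing it restores the original plan.
    assert(eliminateMarkers(markPermanentViews(query)) == query)
  }
}
```

In this model the temporary view is deliberately left unmarked, so the table behind it is still checked; only the permanent view replaces its source table in the required set.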


[GitHub] [incubator-kyuubi] bowenliang123 commented on a diff in pull request #3326: [KYUUBI #3325] [FEATURE] [AUTHZ] WIP: Privileges check for permanent views and skipping shadowed source tables

Posted by GitBox <gi...@apache.org>.
bowenliang123 commented on code in PR #3326:
URL: https://github.com/apache/incubator-kyuubi/pull/3326#discussion_r954462253


##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/ViewAccessAnalysis.scala:
##########
@@ -0,0 +1,36 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.kyuubi.plugin.spark.authz.ranger
+
+import org.apache.spark.sql.catalyst.plans.logical.{LogicalPlan, View}
+import org.apache.spark.sql.catalyst.rules.Rule
+
+import org.apache.kyuubi.plugin.spark.authz.util.AuthZUtils._
+import org.apache.kyuubi.plugin.spark.authz.util.PermanentViewMarker
+
+class ViewAccessAnalysis extends Rule[LogicalPlan] {

Review Comment:
   alright, renamed to `RuleApplyPermanentViewMarker`.
   
   My initial naming was to put all the temp/perm/other view marking analysis in this class, not just for PermanentView.





[GitHub] [incubator-kyuubi] bowenliang123 commented on a diff in pull request #3326: [KYUUBI #3325] [FEATURE] [AUTHZ] WIP: Privileges check for permanent views and skipping shadowed source tables

Posted by GitBox <gi...@apache.org>.
bowenliang123 commented on code in PR #3326:
URL: https://github.com/apache/incubator-kyuubi/pull/3326#discussion_r954469093


##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/ViewAccessAnalysis.scala:
##########
@@ -0,0 +1,36 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.kyuubi.plugin.spark.authz.ranger
+
+import org.apache.spark.sql.catalyst.plans.logical.{LogicalPlan, View}
+import org.apache.spark.sql.catalyst.rules.Rule
+
+import org.apache.kyuubi.plugin.spark.authz.util.AuthZUtils._
+import org.apache.kyuubi.plugin.spark.authz.util.PermanentViewMarker
+

Review Comment:
   Updated class comments and refer to RuleEliminateViewMarker





[GitHub] [incubator-kyuubi] bowenliang123 commented on pull request #3326: [KYUUBI #3325] [FEATURE] [AUTHZ] Privilege checks for permanent views and skipping shadowed tables

Posted by GitBox <gi...@apache.org>.
bowenliang123 commented on PR #3326:
URL: https://github.com/apache/incubator-kyuubi/pull/3326#issuecomment-1229709513

   @yaooqinn sure. will do it soon.




[GitHub] [incubator-kyuubi] yaooqinn commented on a diff in pull request #3326: [KYUUBI #3325] [FEATURE] [AUTHZ] WIP: Privileges check for permanent views and skipping shadowed source tables

Posted by GitBox <gi...@apache.org>.
yaooqinn commented on code in PR #3326:
URL: https://github.com/apache/incubator-kyuubi/pull/3326#discussion_r954456981


##########
extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala:
##########
@@ -499,4 +499,21 @@ class HiveCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite {
         })
     }
   }
+
+  test("Permanent View privilege checks") {
+    val table = "hive_src"
+    withCleanTmpResources(Seq((table, "table"))) {
+      doAs("admin", sql(s"CREATE TABLE IF NOT EXISTS $table (id int)"))
+      val view = "temp_view"
+      doAs("admin", sql(s"CREATE VIEW $view  AS select * from $table"))
+
+      val e1 = intercept[AccessControlException](
+        doAs("someone", sql(s"SELECT * FROM $view").queryExecution.optimizedPlan))
+      if (isSparkV31OrGreater) { // isTempView of View since Spark 3.1
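
Review bot: `withCleanTmpResources(Seq((table, "table")))` registers only `hive_src` for cleanup, while the view created a few lines later by `CREATE VIEW $view` is not in that list, so it can outlive the test and affect later cases in the suite; add the view to the sequence if the helper accepts that resource type. The name `temp_view` is also misleading, since `CREATE VIEW` without `TEMPORARY` creates the permanent view this test is about; a name such as `perm_view` would match the test title.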

Review Comment:
   nit: newline for the comment



##########
extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala:
##########
@@ -499,4 +499,21 @@ class HiveCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite {
         })
     }
   }
+
+  test("Permanent View privilege checks") {
+    val table = "hive_src"
+    withCleanTmpResources(Seq((table, "table"))) {
+      doAs("admin", sql(s"CREATE TABLE IF NOT EXISTS $table (id int)"))
+      val view = "temp_view"
+      doAs("admin", sql(s"CREATE VIEW $view  AS select * from $table"))
+
+      val e1 = intercept[AccessControlException](
+        doAs("someone", sql(s"SELECT * FROM $view").queryExecution.optimizedPlan))
+      if (isSparkV31OrGreater) { // isTempView of View since Spark 3.1
+        assert(e1.getMessage.contains(s"does not have [select] privilege on [default/$view]"))
+      } else { // fallback to column check
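
Review bot: the `else` branch marked `// fallback to column check` means that on Spark versions below 3.1 the same query is authorized against something other than `default/$view`, so the feature behaves differently depending on the runtime version; that difference should be stated in the plugin documentation and in a comment above the `if`, not only in a trailing comment. Matching on the full text `does not have [select] privilege on [default/$view]` also ties the test to the exact wording of the exception; asserting on the resource name alone would be less brittle.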

Review Comment:
   ditto





[GitHub] [incubator-kyuubi] bowenliang123 commented on a diff in pull request #3326: [KYUUBI #3325] [FEATURE] [AUTHZ] WIP: Privileges check for permanent views and skipping shadowed source tables

Posted by GitBox <gi...@apache.org>.
bowenliang123 commented on code in PR #3326:
URL: https://github.com/apache/incubator-kyuubi/pull/3326#discussion_r954454501


##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/ViewAccessAnalysis.scala:
##########
@@ -0,0 +1,44 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.kyuubi.plugin.spark.authz.ranger
+
+import org.apache.logging.log4j.LogManager
+import org.apache.spark.sql.catalyst.plans.logical.{LogicalPlan, View}
+import org.apache.spark.sql.catalyst.rules.Rule
+
+import org.apache.kyuubi.plugin.spark.authz.util.AuthZUtils._
+import org.apache.kyuubi.plugin.spark.authz.util.PermanentViewMarker
+
+class ViewAccessAnalysis extends Rule[LogicalPlan] {
+
+  val LOG = LogManager.getLogger(classOf[ViewAccessAnalysis])
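
Review bot: `import org.apache.logging.log4j.LogManager` and the `LOG` field bind this rule to the log4j 2 API. Spark releases before 3.3 ship log4j 1.x, and the test suite in this PR still branches on `isSparkV31OrGreater`, so the class may fail to load on the older versions the plugin supports. Nothing in the visible lines uses `LOG`; drop the field, or use the logging facility the rest of the plugin already uses.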

Review Comment:
   ok, removed.





[GitHub] [incubator-kyuubi] yaooqinn commented on a diff in pull request #3326: [KYUUBI #3325] [FEATURE] [AUTHZ] WIP: Privileges check for permanent views and skipping shadowed source tables

Posted by GitBox <gi...@apache.org>.
yaooqinn commented on code in PR #3326:
URL: https://github.com/apache/incubator-kyuubi/pull/3326#discussion_r954455015


##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/util/AuthZUtils.scala:
##########
@@ -98,6 +98,20 @@ private[authz] object AuthZUtils {
     }
   }
 
+  def isPermanentView(plan: LogicalPlan): Boolean = {
+    plan match {
+      case view: View =>
+        // isTempView as field of View since Spark 3.1.0
+        try {
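
Review bot: the `try {` under `case view: View =>` turns an exception into an input to an authorization decision. The handler is not visible in these lines, but whatever it catches should be limited to the failure expected when `isTempView` is absent, and the value it returns should be the one that leaves the source tables checked, so that an unexpected error can never cause a view to be treated as permanent and its tables skipped. A short doc comment on `isPermanentView` stating what it returns for non-`View` plans and for Spark versions before 3.1.0 would make that contract explicit.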

Review Comment:
   instead of try-catch, using `case view: View if isSparkVersionAtLeast("3.1.0")`





[GitHub] [incubator-kyuubi] bowenliang123 commented on a diff in pull request #3326: [KYUUBI #3325] [FEATURE] [AUTHZ] WIP: Privileges check for permanent views and skipping shadowed source tables

Posted by GitBox <gi...@apache.org>.
bowenliang123 commented on code in PR #3326:
URL: https://github.com/apache/incubator-kyuubi/pull/3326#discussion_r954455176


##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/ViewAccessAnalysis.scala:
##########
@@ -0,0 +1,44 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.kyuubi.plugin.spark.authz.ranger
+
+import org.apache.logging.log4j.LogManager
+import org.apache.spark.sql.catalyst.plans.logical.{LogicalPlan, View}
+import org.apache.spark.sql.catalyst.rules.Rule
+
+import org.apache.kyuubi.plugin.spark.authz.util.AuthZUtils._
+import org.apache.kyuubi.plugin.spark.authz.util.PermanentViewMarker
+
+class ViewAccessAnalysis extends Rule[LogicalPlan] {
+
+  val LOG = LogManager.getLogger(classOf[ViewAccessAnalysis])
+
+  override def apply(plan: LogicalPlan): LogicalPlan = {
+    plan mapChildren {
+      case p: PermanentViewMarker => p
+      case permanentView if isPermanentView(permanentView) =>
+        applyPermanentViewMarker(permanentView)
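
Review bot: `plan mapChildren { ... }` applies the cases to the direct children of `plan` only, so in the visible lines a permanent view is wrapped only when it sits one level below the root; the root node itself is never matched, and deeper nodes are reached only if a later case recurses. Since an unmarked permanent view has its privileges resolved from the source tables instead, please confirm that the remaining cases call `apply` on other nodes, and add a test with the view nested under a join or subquery.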

Review Comment:
   Sure, simplified.





[GitHub] [incubator-kyuubi] bowenliang123 commented on a diff in pull request #3326: [KYUUBI #3325] [FEATURE] [AUTHZ] Privilege checks for permanent views and skipping shadowed tables

Posted by GitBox <gi...@apache.org>.
bowenliang123 commented on code in PR #3326:
URL: https://github.com/apache/incubator-kyuubi/pull/3326#discussion_r954563701


##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/util/AuthZUtils.scala:
##########
@@ -98,6 +98,20 @@ private[authz] object AuthZUtils {
     }
   }
 
+  def isPermanentView(plan: LogicalPlan): Boolean = {

Review Comment:
   agree.
   





[GitHub] [incubator-kyuubi] yaooqinn commented on a diff in pull request #3326: [KYUUBI #3325] [FEATURE] [AUTHZ] WIP: Privileges check for permanent views and skipping shadowed source tables

Posted by GitBox <gi...@apache.org>.
yaooqinn commented on code in PR #3326:
URL: https://github.com/apache/incubator-kyuubi/pull/3326#discussion_r954456226


##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/ViewAccessAnalysis.scala:
##########
@@ -0,0 +1,36 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.kyuubi.plugin.spark.authz.ranger
+
+import org.apache.spark.sql.catalyst.plans.logical.{LogicalPlan, View}
+import org.apache.spark.sql.catalyst.rules.Rule
+
+import org.apache.kyuubi.plugin.spark.authz.util.AuthZUtils._
+import org.apache.kyuubi.plugin.spark.authz.util.PermanentViewMarker
+
+class ViewAccessAnalysis extends Rule[LogicalPlan] {

Review Comment:
   RuleApplyPermanentViewMarker





[GitHub] [incubator-kyuubi] yaooqinn commented on a diff in pull request #3326: [KYUUBI #3325] [FEATURE] [AUTHZ] Privilege checks for permanent views and skipping shadowed tables

Posted by GitBox <gi...@apache.org>.
yaooqinn commented on code in PR #3326:
URL: https://github.com/apache/incubator-kyuubi/pull/3326#discussion_r954528381


##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RuleApplyPermanentViewMarker.scala:
##########
@@ -0,0 +1,43 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.kyuubi.plugin.spark.authz.ranger
+
+import org.apache.spark.sql.catalyst.plans.logical.{LogicalPlan, View}
+import org.apache.spark.sql.catalyst.rules.Rule
+
+import org.apache.kyuubi.plugin.spark.authz.util.AuthZUtils._
+import org.apache.kyuubi.plugin.spark.authz.util.PermanentViewMarker
+
+/**
+ * Adding [[org.apache.kyuubi.plugin.spark.authz.util.PermanentViewMarker]] for permanent views
+ * for marking catalogTable of views used by privilege checking
+ * in [[org.apache.kyuubi.plugin.spark.authz.ranger.RuleAuthorization]].
+ * [[org.apache.kyuubi.plugin.spark.authz.util.PermanentViewMarker]] must be transformed up later
+ * in [[org.apache.kyuubi.plugin.spark.authz.util.RuleEliminateViewMarker]] optimizer.
+ */
+class RuleApplyPermanentViewMarker extends Rule[LogicalPlan] {
+
+  override def apply(plan: LogicalPlan): LogicalPlan = {
+    plan mapChildren {
+      case p: PermanentViewMarker => p
+      case permanentView if isPermanentView(permanentView) =>
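
Review bot: the class comment says the marker "must be transformed up later" in `RuleEliminateViewMarker` but does not say what goes wrong if that rule is not registered or runs before `RuleAuthorization`; since the privilege check depends on the order of these three rules, the comment should state the required order. The first case, `case p: PermanentViewMarker => p`, also deserves a one-line comment explaining that it stops descent into an already marked view, which keeps the rule idempotent when it is applied more than once.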

Review Comment:
   case v: View if isPermanentView(v) =>





[GitHub] [incubator-kyuubi] yaooqinn commented on a diff in pull request #3326: [KYUUBI #3325] [FEATURE] [AUTHZ] WIP: Privileges check for permanent views and skipping shadowed source tables

Posted by GitBox <gi...@apache.org>.
yaooqinn commented on code in PR #3326:
URL: https://github.com/apache/incubator-kyuubi/pull/3326#discussion_r954456731


##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/ViewAccessAnalysis.scala:
##########
@@ -0,0 +1,36 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.kyuubi.plugin.spark.authz.ranger
+
+import org.apache.spark.sql.catalyst.plans.logical.{LogicalPlan, View}
+import org.apache.spark.sql.catalyst.rules.Rule
+
+import org.apache.kyuubi.plugin.spark.authz.util.AuthZUtils._
+import org.apache.kyuubi.plugin.spark.authz.util.PermanentViewMarker
+

Review Comment:
   Let's add some comments for elaborating what we do here and cross-ref RuleEliminateViewMarker for what we do there





[GitHub] [incubator-kyuubi] yaooqinn commented on a diff in pull request #3326: [KYUUBI #3325] [FEATURE] [AUTHZ] Privilege checks for permanent views and skipping shadowed tables

Posted by GitBox <gi...@apache.org>.
yaooqinn commented on code in PR #3326:
URL: https://github.com/apache/incubator-kyuubi/pull/3326#discussion_r954525881


##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/util/AuthZUtils.scala:
##########
@@ -98,6 +98,20 @@ private[authz] object AuthZUtils {
     }
   }
 
+  def isPermanentView(plan: LogicalPlan): Boolean = {

Review Comment:
   Let's rename it to hasResolvedPermanentView here? and check resolved?





[GitHub] [incubator-kyuubi] bowenliang123 commented on a diff in pull request #3326: [KYUUBI #3325] [FEATURE] [AUTHZ] Privilege checks for permanent views and skipping shadowed tables

Posted by GitBox <gi...@apache.org>.
bowenliang123 commented on code in PR #3326:
URL: https://github.com/apache/incubator-kyuubi/pull/3326#discussion_r954543730


##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala:
##########
@@ -129,6 +130,9 @@ object PrivilegesBuilder {
         val db = quote(parts.init)
         privilegeObjects += tablePrivileges(TableIdentifier(parts.last, Some(db)))
 
+      case permanentViewMarker: PermanentViewMarker =>
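
Review bot: the new `case permanentViewMarker: PermanentViewMarker =>` is where traversal stops and the source tables stop being checked, so it is the security-relevant line of this change and should carry a comment saying so. The body is not visible here; it should add the view's own identifier (and the columns referenced from it) to `privilegeObjects`, and must not descend into the marker's children and reach the table cases above.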

Review Comment:
   OK. 
   Changed to mergeProjection, and checking column level privileges for perm views.





[GitHub] [incubator-kyuubi] bowenliang123 commented on a diff in pull request #3326: [KYUUBI #3325] [FEATURE] [AUTHZ] WIP: Privileges check for permanent views and skipping shadowed source tables

Posted by GitBox <gi...@apache.org>.
bowenliang123 commented on code in PR #3326:
URL: https://github.com/apache/incubator-kyuubi/pull/3326#discussion_r954458774


##########
extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala:
##########
@@ -499,4 +499,21 @@ class HiveCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite {
         })
     }
   }
+
+  test("Permanent View privilege checks") {
+    val table = "hive_src"
+    withCleanTmpResources(Seq((table, "table"))) {
+      doAs("admin", sql(s"CREATE TABLE IF NOT EXISTS $table (id int)"))
+      val view = "temp_view"
+      doAs("admin", sql(s"CREATE VIEW $view  AS select * from $table"))
+
+      val e1 = intercept[AccessControlException](
+        doAs("someone", sql(s"SELECT * FROM $view").queryExecution.optimizedPlan))
+      if (isSparkV31OrGreater) { // isTempView of View since Spark 3.1
+        assert(e1.getMessage.contains(s"does not have [select] privilege on [default/$view]"))
+      } else { // fallback to column check
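
Review bot: the lines shown exercise only the denial path, with `someone` rejected on `default/$view`. The behaviour this PR introduces is that the source table is skipped, and that is only demonstrated by a positive case: a user allowed to select from the view but not from `hive_src` runs the same query without an `AccessControlException`. If the rest of the test does not already contain that case, please add it.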

Review Comment:
   ok



##########
extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala:
##########
@@ -499,4 +499,21 @@ class HiveCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite {
         })
     }
   }
+
+  test("Permanent View privilege checks") {
+    val table = "hive_src"
+    withCleanTmpResources(Seq((table, "table"))) {
+      doAs("admin", sql(s"CREATE TABLE IF NOT EXISTS $table (id int)"))
+      val view = "temp_view"
+      doAs("admin", sql(s"CREATE VIEW $view  AS select * from $table"))
+
+      val e1 = intercept[AccessControlException](
+        doAs("someone", sql(s"SELECT * FROM $view").queryExecution.optimizedPlan))
+      if (isSparkV31OrGreater) { // isTempView of View since Spark 3.1

Review Comment:
   ok





[GitHub] [incubator-kyuubi] bowenliang123 commented on a diff in pull request #3326: [KYUUBI #3325] [FEATURE] [AUTHZ] WIP: Privileges check for permanent views and skipping shadowed source tables

Posted by GitBox <gi...@apache.org>.
bowenliang123 commented on code in PR #3326:
URL: https://github.com/apache/incubator-kyuubi/pull/3326#discussion_r954456747


##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/util/AuthZUtils.scala:
##########
@@ -98,6 +98,20 @@ private[authz] object AuthZUtils {
     }
   }
 
+  def isPermanentView(plan: LogicalPlan): Boolean = {
+    plan match {
+      case view: View =>
+        // isTempView as field of View since Spark 3.1.0
+        try {
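
Review bot: In `isPermanentView`, the `try` opened around the `isTempView` lookup turns a Spark-version difference into exception handling, which can also hide unrelated failures and leaves the result on Spark versions before 3.1.0 implicit. Gate on the Spark version explicitly and state in a comment what the method returns when `isTempView` is absent, since that result decides whether a plan is treated as a permanent view at all.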

Review Comment:
   ok, changed to reuse isSparkVersionAtLeast.





[GitHub] [incubator-kyuubi] yaooqinn commented on pull request #3326: [KYUUBI #3325] [FEATURE] [AUTHZ] WIP: Privileges check for permanent views and skipping shadowed source tables

Posted by GitBox <gi...@apache.org>.
yaooqinn commented on PR #3326:
URL: https://github.com/apache/incubator-kyuubi/pull/3326#issuecomment-1226713581

   cc @minyk @packyan who might be interested. 




[GitHub] [incubator-kyuubi] yaooqinn commented on pull request #3326: [KYUUBI #3325] [FEATURE] [AUTHZ] Privilege checks for permanent views and skipping shadowed tables

Posted by GitBox <gi...@apache.org>.
yaooqinn commented on PR #3326:
URL: https://github.com/apache/incubator-kyuubi/pull/3326#issuecomment-1229707922

   hi @bowenliang123, please help resolve the conflicts when you have time




[GitHub] [incubator-kyuubi] bowenliang123 commented on pull request #3326: [KYUUBI #3325] [FEATURE] [AUTHZ] Privilege checks for permanent views and skipping shadowed tables

Posted by GitBox <gi...@apache.org>.
bowenliang123 commented on PR #3326:
URL: https://github.com/apache/incubator-kyuubi/pull/3326#issuecomment-1229827249

   Some UTs for selecting an unauthed view were added, and an unexpected error remains.




[GitHub] [incubator-kyuubi] bowenliang123 commented on a diff in pull request #3326: [KYUUBI #3325] [FEATURE] [AUTHZ] WIP: Privileges check for permanent views and skipping shadowed source tables

Posted by GitBox <gi...@apache.org>.
bowenliang123 commented on code in PR #3326:
URL: https://github.com/apache/incubator-kyuubi/pull/3326#discussion_r954463686


##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/util/AuthZUtils.scala:
##########
@@ -98,6 +98,20 @@ private[authz] object AuthZUtils {
     }
   }
 
+  def isPermanentView(plan: LogicalPlan): Boolean = {

Review Comment:
   Are you suggesting moving this method to `RuleApplyPermanentViewMarker`?
   
   I'm neutral here. Methods for checking plans in `AuthZUtils` like `hasResolvedDatasourceV2Table` or `hasResolvedDatasourceTable` are also used once in other optimizers, and they are not moved close to where they are called.





[GitHub] [incubator-kyuubi] yaooqinn commented on a diff in pull request #3326: [KYUUBI #3325] [FEATURE] [AUTHZ] Privilege checks for permanent views and skipping shadowed tables

Posted by GitBox <gi...@apache.org>.
yaooqinn commented on code in PR #3326:
URL: https://github.com/apache/incubator-kyuubi/pull/3326#discussion_r954526572


##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala:
##########
@@ -129,6 +130,9 @@ object PrivilegesBuilder {
         val db = quote(parts.init)
         privilegeObjects += tablePrivileges(TableIdentifier(parts.last, Some(db)))
 
+      case permanentViewMarker: PermanentViewMarker =>
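
Review bot: The new `case permanentViewMarker: PermanentViewMarker =>` branch in `PrivilegesBuilder` is the authorization-relevant line of this change, and the Codecov report in this thread shows `0.00%` diff coverage for `PrivilegesBuilder.scala`. Cover it with tests in both directions: a user granted the view but not the table, and a user granted the table but not the view. Destructuring the marker in the pattern would also make explicit which of its fields feed the privilege objects.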

Review Comment:
         case PermanentViewMarker(child, table) => mergeProjection(table, child)
   
   Looks like we need to change to the above one; we may still project a view.





[GitHub] [incubator-kyuubi] yaooqinn closed pull request #3326: [KYUUBI #3325] [FEATURE] [AUTHZ] Privilege checks for permanent views and skipping shadowed tables

Posted by GitBox <gi...@apache.org>.
yaooqinn closed pull request #3326: [KYUUBI #3325] [FEATURE] [AUTHZ] Privilege checks for permanent views and skipping shadowed tables
URL: https://github.com/apache/incubator-kyuubi/pull/3326




[GitHub] [incubator-kyuubi] yaooqinn commented on a diff in pull request #3326: [KYUUBI #3325] [FEATURE] [AUTHZ] WIP: Privileges check for permanent views and skipping shadowed source tables

Posted by GitBox <gi...@apache.org>.
yaooqinn commented on code in PR #3326:
URL: https://github.com/apache/incubator-kyuubi/pull/3326#discussion_r954455875


##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/util/AuthZUtils.scala:
##########
@@ -98,6 +98,20 @@ private[authz] object AuthZUtils {
     }
   }
 
+  def isPermanentView(plan: LogicalPlan): Boolean = {

Review Comment:
   We can move this close to where it is called.





[GitHub] [incubator-kyuubi] yaooqinn commented on a diff in pull request #3326: [KYUUBI #3325] [FEATURE] [AUTHZ] WIP: Privileges check for permanent views and skipping shadowed source tables

Posted by GitBox <gi...@apache.org>.
yaooqinn commented on code in PR #3326:
URL: https://github.com/apache/incubator-kyuubi/pull/3326#discussion_r954454433


##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/ViewAccessAnalysis.scala:
##########
@@ -0,0 +1,44 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.kyuubi.plugin.spark.authz.ranger
+
+import org.apache.logging.log4j.LogManager
+import org.apache.spark.sql.catalyst.plans.logical.{LogicalPlan, View}
+import org.apache.spark.sql.catalyst.rules.Rule
+
+import org.apache.kyuubi.plugin.spark.authz.util.AuthZUtils._
+import org.apache.kyuubi.plugin.spark.authz.util.PermanentViewMarker
+
+class ViewAccessAnalysis extends Rule[LogicalPlan] {
+
+  val LOG = LogManager.getLogger(classOf[ViewAccessAnalysis])
+
+  override def apply(plan: LogicalPlan): LogicalPlan = {
+    plan mapChildren {
+      case p: PermanentViewMarker => p
+      case permanentView if isPermanentView(permanentView) =>
+        applyPermanentViewMarker(permanentView)
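
Review bot: `plan mapChildren { ... }` applies these cases only to the direct children of `plan`: the root node itself is never matched, and a permanent view further down the tree is reached only if a later case recurses, for example `case other => apply(other)`. The block needs that catch-all for a second reason, since a child matching neither of the visible cases would otherwise raise a `MatchError`.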

Review Comment:
   Simply `PermanentViewMarker(plan, plan.asInstanceOf[View].desc)`
   





[GitHub] [incubator-kyuubi] yaooqinn commented on a diff in pull request #3326: [KYUUBI #3325] [FEATURE] [AUTHZ] WIP: Privileges check for permanent views and skipping shadowed source tables

Posted by GitBox <gi...@apache.org>.
yaooqinn commented on code in PR #3326:
URL: https://github.com/apache/incubator-kyuubi/pull/3326#discussion_r954453779


##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/ViewAccessAnalysis.scala:
##########
@@ -0,0 +1,44 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.kyuubi.plugin.spark.authz.ranger
+
+import org.apache.logging.log4j.LogManager
+import org.apache.spark.sql.catalyst.plans.logical.{LogicalPlan, View}
+import org.apache.spark.sql.catalyst.rules.Rule
+
+import org.apache.kyuubi.plugin.spark.authz.util.AuthZUtils._
+import org.apache.kyuubi.plugin.spark.authz.util.PermanentViewMarker
+
+class ViewAccessAnalysis extends Rule[LogicalPlan] {
+
+  val LOG = LogManager.getLogger(classOf[ViewAccessAnalysis])
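
Review bot: The import of `org.apache.logging.log4j.LogManager` for `val LOG` binds this rule to the Log4j 2 API, while Spark releases before 3.3 ship Log4j 1.x, so the class may fail to load there. Nothing in the visible lines uses the logger; drop the field together with the import, or log through SLF4J instead.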

Review Comment:
   nit: remove this.





[GitHub] [incubator-kyuubi] codecov-commenter commented on pull request #3326: [KYUUBI #3325] [FEATURE] [AUTHZ] WIP: Privileges check for permanent views and skipping shadowed source tables

Posted by GitBox <gi...@apache.org>.
codecov-commenter commented on PR #3326:
URL: https://github.com/apache/incubator-kyuubi/pull/3326#issuecomment-1225800751

   # [Codecov](https://codecov.io/gh/apache/incubator-kyuubi/pull/3326) Report
   > Merging [#3326](https://codecov.io/gh/apache/incubator-kyuubi/pull/3326) (e6237c1) into [master](https://codecov.io/gh/apache/incubator-kyuubi/commit/f88c4cbbd5bd968dd1456637bf1d82cbb9234a04) (f88c4cb) will **decrease** coverage by `0.01%`.
   > The diff coverage is `43.47%`.
   
   ```diff
   @@             Coverage Diff              @@
   ##             master    #3326      +/-   ##
   ============================================
   - Coverage     51.53%   51.51%   -0.02%     
     Complexity       13       13              
   ============================================
     Files           475      478       +3     
     Lines         26475    26498      +23     
     Branches       3694     3699       +5     
   ============================================
   + Hits          13643    13651       +8     
   - Misses        11504    11515      +11     
   - Partials       1328     1332       +4     
   ```
   
   
   | Impacted Files | Coverage Δ | |
   |---|---|---|
   | .../kyuubi/plugin/spark/authz/PrivilegesBuilder.scala | `68.94% <0.00%> (-0.44%)` | :arrow_down: |
   | .../plugin/spark/authz/util/PermanentViewMarker.scala | `0.00% <0.00%> (ø)` | |
   | ...plugin/spark/authz/ranger/ViewAccessAnalysis.scala | `50.00% <50.00%> (ø)` | |
   | ...he/kyuubi/plugin/spark/authz/util/AuthZUtils.scala | `43.58% <50.00%> (+0.73%)` | :arrow_up: |
   | ...gin/spark/authz/util/RuleEliminateViewMarker.scala | `50.00% <50.00%> (ø)` | |
   | ...ugin/spark/authz/ranger/RangerSparkExtension.scala | `100.00% <100.00%> (ø)` | |
   | ...uubi/engine/spark/events/SparkOperationEvent.scala | `88.88% <0.00%> (-5.56%)` | :arrow_down: |
   | ...rg/apache/kyuubi/ctl/cmd/log/LogBatchCommand.scala | `78.00% <0.00%> (-2.00%)` | :arrow_down: |
   | ...n/scala/org/apache/kyuubi/engine/ProcBuilder.scala | `82.60% <0.00%> (-0.63%)` | :arrow_down: |
   | ...rc/main/scala/org/apache/spark/ui/EnginePage.scala | `78.93% <0.00%> (-0.30%)` | :arrow_down: |
   | ... and 6 more | |
   
   




[GitHub] [incubator-kyuubi] yaooqinn commented on pull request #3326: [KYUUBI #3325] [FEATURE] [AUTHZ] Privilege checks for permanent views and skipping shadowed tables

Posted by GitBox <gi...@apache.org>.
yaooqinn commented on PR #3326:
URL: https://github.com/apache/incubator-kyuubi/pull/3326#issuecomment-1231248725

   thanks, merged to master

