bharos opened a new pull request, #9183:
URL: https://github.com/apache/gravitino/pull/9183

   
   
   ### What changes were proposed in this pull request?
   
   This PR overrides the `tableExists()` method in `BaseCatalog` to delegate directly to the underlying Spark catalog (`sparkCatalog`) instead of using the inherited default implementation from the `TableCatalog` interface.
   
   The default `tableExists()` implementation calls `loadTable()` internally, which triggers Gravitino's authorization layer and requires LOAD_TABLE privilege. By overriding this method to call `sparkCatalog.tableExists()` directly, we bypass Gravitino's authorization and allow the backend catalog (JDBCTableCatalog, HiveTableCatalog, SparkCatalog, etc.) to perform lightweight existence checks using SQL queries, HEAD requests, or direct metadata store queries.
   
   
   ### Why are the changes needed?
   
   Users with CREATE_TABLE privilege were unable to create tables using `CREATE TABLE IF NOT EXISTS` because the table existence check required LOAD_TABLE privilege. This created a chicken-and-egg problem where users needed additional privileges just to check if a table exists before creating it.
   
   The root cause is that `BaseCatalog` did not override `tableExists()`, so it inherited the default implementation from the `TableCatalog` interface, which calls `loadTable()`.
   
   Fix: #9180
   
   
   ### Does this PR introduce _any_ user-facing change?
   
   Yes. Users with CREATE_TABLE privilege can now successfully execute `CREATE TABLE IF NOT EXISTS` statements without requiring LOAD_TABLE privilege. The table existence check now uses the backend catalog's lightweight operations instead of going through Gravitino's authorization layer.
   
   
   ### How was this patch tested?
   Testing can be performed by:
   1. Creating a user with only CREATE_TABLE privilege (no LOAD_TABLE privilege)
   2. Executing `CREATE TABLE IF NOT EXISTS my_table (...)` 
   


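
The dispatch described in the pull request above, as an added example that is not part of the original message or of the Gravitino code base. `Catalog`, `Backend`, `Authorizing` and `Overriding` are hypothetical stand-ins; only the shape of the default `tableExists()` (call `loadTable()`, treat not-found as false) follows Spark's `TableCatalog`. It shows the check being denied before the override, and that afterwards the existence answer is returned to a caller holding only CREATE_TABLE, which is the behaviour a reviewer has to accept along with the fix.

```java
import java.util.Set;

public class TableExistsDispatch {
    static class NoSuchTable extends Exception {}
    static class Forbidden extends RuntimeException { Forbidden(String m) { super(m); } }

    // Hypothetical stand-in for Spark's TableCatalog: the default existence check loads the table.
    interface Catalog {
        Object loadTable(String name) throws NoSuchTable;
        default boolean tableExists(String name) {
            try { return loadTable(name) != null; }
            catch (NoSuchTable e) { return false; }
        }
    }

    // Hypothetical stand-in for the backend catalog (sparkCatalog): no privilege checks of its own.
    static class Backend implements Catalog {
        final Set<String> tables = Set.of("orders"); // constructed sample data
        public Object loadTable(String name) throws NoSuchTable {
            if (!tables.contains(name)) throw new NoSuchTable();
            return name;
        }
        @Override public boolean tableExists(String name) { return tables.contains(name); }
    }

    // Before the PR: tableExists() is inherited, so it runs through the authorized loadTable().
    static class Authorizing implements Catalog {
        final Backend backend = new Backend();
        final Set<String> privileges;
        Authorizing(Set<String> privileges) { this.privileges = privileges; }
        public Object loadTable(String name) throws NoSuchTable {
            if (!privileges.contains("LOAD_TABLE")) throw new Forbidden("LOAD_TABLE required");
            return backend.loadTable(name);
        }
    }

    // After the PR: the existence check is delegated and skips the privilege check.
    static class Overriding extends Authorizing {
        Overriding(Set<String> privileges) { super(privileges); }
        @Override public boolean tableExists(String name) { return backend.tableExists(name); }
    }

    public static void main(String[] args) {
        Set<String> createOnly = Set.of("CREATE_TABLE");
        try { new Authorizing(createOnly).tableExists("orders"); }
        catch (Forbidden e) { System.out.println("before: " + e.getMessage()); }
        Catalog after = new Overriding(createOnly);
        // Both names are answered, so table existence is visible without LOAD_TABLE.
        System.out.println("after: " + after.tableExists("orders") + " " + after.tableExists("missing"));
    }
}
```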