bowenliang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/kyuubi.git
The following commit(s) were added to refs/heads/master by this push:
new b57bc1cab [KYUUBI #5172] [AUTHZ] Check USE permissions for DESCRIBE
FUNCTION
b57bc1cab is described below
commit b57bc1cab61385a0ee4222bd89d5d68e8bf587ef
Author: yikaifei <[email protected]>
AuthorDate: Wed Aug 16 18:31:58 2023 +0800
[KYUUBI #5172] [AUTHZ] Check USE permissions for DESCRIBE FUNCTION
### _Why are the changes needed?_
Fix a bug: the `DESCRIBE FUNCTION` syntax should also be checked for USE
permissions. However, prior to this PR, the syntax was not checked for any
permissions.
### _How was this patch tested?_
- [x] Add some test cases that check the changes thoroughly including
negative and positive cases if possible
- [ ] Add screenshots for manual tests if appropriate
- [x] [Run
test](https://kyuubi.readthedocs.io/en/master/contributing/code/testing.html#running-tests)
locally before make a pull request
### _Was this patch authored or co-authored using generative AI tooling?_
No
Closes #5172 from Yikf/auth-desc-function.
Closes #5172
112f4f20b [yikaifei] The DESCRIBE FUNCTION syntax should also be checked
for USE permissions
Authored-by: yikaifei <[email protected]>
Signed-off-by: liangbowen <[email protected]>
---
.../apache/kyuubi/plugin/spark/authz/ranger/AccessType.scala | 7 ++++++-
.../plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala | 11 +++++++++++
2 files changed, 17 insertions(+), 1 deletion(-)
diff --git
a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/AccessType.scala
b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/AccessType.scala
index 7d62229ee..c0b7d2a03 100644
---
a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/AccessType.scala
+++
b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/AccessType.scala
@@ -58,7 +58,12 @@ object AccessType extends Enumeration {
SHOWPARTITIONS |
ANALYZE_TABLE => SELECT
case SHOWCOLUMNS | DESCTABLE => SELECT
- case SHOWDATABASES | SWITCHDATABASE | DESCDATABASE | SHOWTABLES |
SHOWFUNCTIONS => USE
+ case SHOWDATABASES |
+ SWITCHDATABASE |
+ DESCDATABASE |
+ SHOWTABLES |
+ SHOWFUNCTIONS |
+ DESCFUNCTION => USE
case TRUNCATETABLE => UPDATE
case _ => NONE
}
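Review bot: The `case _ => NONE` fallthrough at the end of this match is what left `DESCFUNCTION` unchecked before this commit, and it stays in place, so any operation type not named in an arm still resolves to `NONE`. According to the commit description, that meant the statement was not checked for any permissions, so the default fails open for operation types added later. I would add a comment above the wildcard arm, e.g. `// Unlisted operation types map to NONE, i.e. no privilege is checked; add an explicit arm for every new operation type.`, and consider a test that walks every operation type and lists those still resolving to `NONE`. The match begins outside this hunk, so other arms may already cover more than is visible here.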
diff --git
a/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
b/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
index b5dcf63cb..c32b63a2f 100644
---
a/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
+++
b/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
@@ -442,6 +442,17 @@ abstract class RangerSparkExtensionSuite extends
AnyFunSuite
}
doAs(admin, assert(sql("show tables from global_temp").collect().length ==
0))
}
+
+ test("[KYUUBI #5172] Check USE permissions for DESCRIBE FUNCTION") {
+ val fun = s"$defaultDb.function1"
+
+ withCleanTmpResources(Seq((s"$fun", "function"))) {
+ doAs(admin, sql(s"CREATE FUNCTION $fun AS 'Function1'"))
+ doAs(admin, sql(s"DESC FUNCTION $fun").collect().length == 1)
+ val e = intercept[AccessControlException](doAs(denyUser, sql(s"DESC
FUNCTION $fun")))
+ assert(e.getMessage === errorMessage("_any", "default/function1",
denyUser))
+ }
+ }
}
class InMemoryCatalogRangerSparkExtensionSuite extends
RangerSparkExtensionSuite {
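Review bot: The admin check `doAs(admin, sql(s"DESC FUNCTION $fun").collect().length == 1)` computes a Boolean and discards it, so the positive case only proves that the statement does not throw for admin. Wrap it the way the context line above it does, `doAs(admin, assert(sql(s"DESC FUNCTION $fun").collect().length == 1))`, and confirm the expected row count first, since that comparison has never actually been exercised. The test also covers only admin and `denyUser`; a case for a user who holds just the USE privilege would show that the new mapping grants access as well as denies it. Separately, `s"$fun"` in the `withCleanTmpResources` call can be plain `fun`.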