This is an automated email from the ASF dual-hosted git repository.
bowenliang pushed a commit to branch branch-1.8
in repository https://gitbox.apache.org/repos/asf/kyuubi.git
The following commit(s) were added to refs/heads/branch-1.8 by this push:
new 1ee5bc152 [KYUUBI #5268] [AUTHZ] [TEST] Extract method for enabling
authorization in single call mode
1ee5bc152 is described below
commit 1ee5bc152379aec354b0ec09b98341e3c9736605
Author: Bowen Liang <[email protected]>
AuthorDate: Mon Sep 11 15:16:19 2023 +0800
[KYUUBI #5268] [AUTHZ] [TEST] Extract method for enabling authorization in
single call mode
### _Why are the changes needed?_
- improve the tests by extracting a helper method that enables authorization
in single call mode
### _How was this patch tested?_
- [ ] Add some test cases that check the changes thoroughly including
negative and positive cases if possible
- [ ] Add screenshots for manual tests if appropriate
- [x] [Run
test](https://kyuubi.readthedocs.io/en/master/contributing/code/testing.html#running-tests)
locally before make a pull request
### _Was this patch authored or co-authored using generative AI tooling?_
No.
Closes #5268 from bowenliang123/authz-withsingle.
Closes #5268
fe6b9d501 [Bowen Liang] extract withSingleCallEnabled method
Authored-by: Bowen Liang <[email protected]>
Signed-off-by: Bowen Liang <[email protected]>
(cherry picked from commit 1a69772356f9eccc25d31aa51d4c9b7c6adafe44)
Signed-off-by: Bowen Liang <[email protected]>
---
.../IcebergCatalogRangerSparkExtensionSuite.scala | 9 +-------
.../authz/ranger/RangerSparkExtensionSuite.scala | 26 +++++++++++++---------
...JdbcTableCatalogRangerSparkExtensionSuite.scala | 9 +-------
3 files changed, 18 insertions(+), 26 deletions(-)
diff --git
a/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/IcebergCatalogRangerSparkExtensionSuite.scala
b/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/IcebergCatalogRangerSparkExtensionSuite.scala
index 958686c25..b22a812fd 100644
---
a/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/IcebergCatalogRangerSparkExtensionSuite.scala
+++
b/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/IcebergCatalogRangerSparkExtensionSuite.scala
@@ -103,10 +103,7 @@ class IcebergCatalogRangerSparkExtensionSuite extends
RangerSparkExtensionSuite
assert(e1.getMessage.contains(s"does not have [select] privilege" +
s" on [$namespace1/$table1/id]"))
- try {
- SparkRangerAdminPlugin.getRangerConf.setBoolean(
-
s"ranger.plugin.${SparkRangerAdminPlugin.getServiceType}.authorize.in.single.call",
- true)
+ withSingleCallEnabled {
val e2 = intercept[AccessControlException](
doAs(
someone,
@@ -115,10 +112,6 @@ class IcebergCatalogRangerSparkExtensionSuite extends
RangerSparkExtensionSuite
s" [select] privilege" +
s" on
[$namespace1/$table1/id,$namespace1/table1/name,$namespace1/$table1/city]," +
s" [update] privilege on [$namespace1/$outputTable1]"))
- } finally {
- SparkRangerAdminPlugin.getRangerConf.setBoolean(
-
s"ranger.plugin.${SparkRangerAdminPlugin.getServiceType}.authorize.in.single.call",
- false)
}
doAs(admin, sql(mergeIntoSql))
diff --git
a/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
b/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
index c32b63a2f..0c307195c 100644
---
a/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
+++
b/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
@@ -36,7 +36,6 @@ import org.apache.kyuubi.plugin.spark.authz.RangerTestUsers._
import
org.apache.kyuubi.plugin.spark.authz.ranger.RuleAuthorization.KYUUBI_AUTHZ_TAG
import org.apache.kyuubi.plugin.spark.authz.util.AuthZUtils._
import org.apache.kyuubi.util.reflect.ReflectUtils._
-
abstract class RangerSparkExtensionSuite extends AnyFunSuite
with SparkSessionProvider with BeforeAndAfterAll {
// scalastyle:on
@@ -90,6 +89,21 @@ abstract class RangerSparkExtensionSuite extends AnyFunSuite
}
}
+ /**
+ * Enables authorizing in single call mode,
+ * and disables authorizing in single call mode after calling `f`
+ */
+ protected def withSingleCallEnabled(f: => Unit): Unit = {
+ val singleCallConfig =
+
s"ranger.plugin.${SparkRangerAdminPlugin.getServiceType}.authorize.in.single.call"
+ try {
+ SparkRangerAdminPlugin.getRangerConf.setBoolean(singleCallConfig, true)
+ f
+ } finally {
+ SparkRangerAdminPlugin.getRangerConf.setBoolean(singleCallConfig, false)
+ }
+ }
+
test("[KYUUBI #3226] RuleAuthorization: Should check privileges once only.")
{
val logicalPlan = doAs(admin, sql("SHOW TABLES").queryExecution.logical)
val rule = new RuleAuthorization(spark)
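Review bot: `withSingleCallEnabled` always writes `false` in its `finally` block instead of restoring the value the flag had before the call, so a nested use, or a suite that already runs with single call mode on, would leave the helper with the mode switched off. The flag decides which denial message these authorization tests assert on (one missing privilege versus the full list, as the Hive hunks show), and `SparkRangerAdminPlugin.getRangerConf` looks like state shared across tests, so a leaked value would surface as confusing failures elsewhere. I would capture the prior value first with `val previous = SparkRangerAdminPlugin.getRangerConf.getBoolean(singleCallConfig, false)` and restore it with `setBoolean(singleCallConfig, previous)`; this assumes the object is a Hadoop-style configuration, as the existing `setBoolean` call suggests. The Scaladoc should also say that the reset happens even when `f` throws, for example `Runs f with single call authorization enabled and restores the previous setting afterwards, even if f throws.`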
@@ -628,10 +642,7 @@ class HiveCatalogRangerSparkExtensionSuite extends
RangerSparkExtensionSuite {
val e1 = intercept[AccessControlException](doAs(someone,
sql(insertSql1)))
assert(e1.getMessage.contains(s"does not have [select] privilege on
[$db1/$srcTable1/id]"))
- try {
- SparkRangerAdminPlugin.getRangerConf.setBoolean(
-
s"ranger.plugin.${SparkRangerAdminPlugin.getServiceType}.authorize.in.single.call",
- true)
+ withSingleCallEnabled {
val e2 = intercept[AccessControlException](doAs(someone,
sql(insertSql1)))
assert(e2.getMessage.contains(s"does not have" +
s" [select] privilege on" +
@@ -639,11 +650,6 @@ class HiveCatalogRangerSparkExtensionSuite extends
RangerSparkExtensionSuite {
s"$db1/$srcTable2/age,$db1/$srcTable2/id]," +
s" [update] privilege on [$db1/$sinkTable1/id,$db1/$sinkTable1/age,"
+
s"$db1/$sinkTable1/name,$db1/$sinkTable1/city]"))
- } finally {
- // revert to default value
- SparkRangerAdminPlugin.getRangerConf.setBoolean(
-
s"ranger.plugin.${SparkRangerAdminPlugin.getServiceType}.authorize.in.single.call",
- false)
}
}
}
diff --git
a/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/V2JdbcTableCatalogRangerSparkExtensionSuite.scala
b/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/V2JdbcTableCatalogRangerSparkExtensionSuite.scala
index 31d616b15..5c27a470f 100644
---
a/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/V2JdbcTableCatalogRangerSparkExtensionSuite.scala
+++
b/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/V2JdbcTableCatalogRangerSparkExtensionSuite.scala
@@ -205,10 +205,7 @@ class V2JdbcTableCatalogRangerSparkExtensionSuite extends
RangerSparkExtensionSu
assert(e1.getMessage.contains(s"does not have [select] privilege" +
s" on [$namespace1/$table1/id]"))
- try {
- SparkRangerAdminPlugin.getRangerConf.setBoolean(
-
s"ranger.plugin.${SparkRangerAdminPlugin.getServiceType}.authorize.in.single.call",
- true)
+ withSingleCallEnabled {
val e2 = intercept[AccessControlException](
doAs(
someone,
@@ -217,10 +214,6 @@ class V2JdbcTableCatalogRangerSparkExtensionSuite extends
RangerSparkExtensionSu
s" [select] privilege" +
s" on
[$namespace1/$table1/id,$namespace1/table1/name,$namespace1/$table1/city]," +
s" [update] privilege on [$namespace1/$outputTable1]"))
- } finally {
- SparkRangerAdminPlugin.getRangerConf.setBoolean(
-
s"ranger.plugin.${SparkRangerAdminPlugin.getServiceType}.authorize.in.single.call",
- false)
}
}