chengpan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/kyuubi.git
The following commit(s) were added to refs/heads/master by this push:
new c290f20de [KYUUBI #5555][AUTHZ] Extractor common authorization rule
class
c290f20de is described below
commit c290f20dea54a04dd36fc7f1359965686e65dc77
Author: Angerszhuuuu <[email protected]>
AuthorDate: Mon Oct 30 16:35:27 2023 +0800
[KYUUBI #5555][AUTHZ] Extractor common authorization rule class
### _Why are the changes needed?_
To close #5555
Extract a common authorization rule class
### _How was this patch tested?_
- [ ] Add some test cases that check the changes thoroughly including
negative and positive cases if possible
- [ ] Add screenshots for manual tests if appropriate
- [x] [Run
test](https://kyuubi.readthedocs.io/en/master/contributing/code/testing.html#running-tests)
locally before make a pull request
### _Was this patch authored or co-authored using generative AI tooling?_
No
Closes #5559 from AngersZhuuuu/KYUUBI-5555.
Closes #5555
85d0fa9fe [Angerszhuuuu] Update RangerSparkExtensionSuite.scala
623b3514e [Angerszhuuuu] [KYUUBI #5555][AUTHZ] Extractor common
authorization rule class
Authored-by: Angerszhuuuu <[email protected]>
Signed-off-by: Cheng Pan <[email protected]>
---
.../spark/authz/ranger/RuleAuthorization.scala | 39 ++------------
.../plugin/spark/authz/rule/Authorization.scala | 61 ++++++++++++++++++++++
.../authz/ranger/RangerSparkExtensionSuite.scala | 2 +-
3 files changed, 65 insertions(+), 37 deletions(-)
diff --git
a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RuleAuthorization.scala
b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RuleAuthorization.scala
index 43574d0ad..afb4f7c54 100644
---
a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RuleAuthorization.scala
+++
b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RuleAuthorization.scala
@@ -22,30 +22,15 @@ import scala.collection.mutable.ArrayBuffer
import org.apache.ranger.plugin.policyengine.RangerAccessRequest
import org.apache.spark.sql.SparkSession
import org.apache.spark.sql.catalyst.plans.logical.LogicalPlan
-import org.apache.spark.sql.catalyst.rules.Rule
-import org.apache.spark.sql.catalyst.trees.TreeNodeTag
import org.apache.kyuubi.plugin.spark.authz._
import org.apache.kyuubi.plugin.spark.authz.ObjectType._
-import org.apache.kyuubi.plugin.spark.authz.ranger.RuleAuthorization._
import org.apache.kyuubi.plugin.spark.authz.ranger.SparkRangerAdminPlugin._
-import
org.apache.kyuubi.plugin.spark.authz.rule.permanentview.PermanentViewMarker
+import org.apache.kyuubi.plugin.spark.authz.rule.Authorization
import org.apache.kyuubi.plugin.spark.authz.util.AuthZUtils._
-class RuleAuthorization(spark: SparkSession) extends Rule[LogicalPlan] {
- override def apply(plan: LogicalPlan): LogicalPlan = {
- plan match {
- case plan if isAuthChecked(plan) => plan // do nothing if checked
privileges already.
- case p => checkPrivileges(spark, p)
- }
- }
-}
-
-object RuleAuthorization {
-
- val KYUUBI_AUTHZ_TAG = TreeNodeTag[Unit]("__KYUUBI_AUTHZ_TAG")
-
- private def checkPrivileges(spark: SparkSession, plan: LogicalPlan):
LogicalPlan = {
+class RuleAuthorization(spark: SparkSession) extends Authorization(spark) {
+ override def checkPrivileges(spark: SparkSession, plan: LogicalPlan): Unit =
{
val auditHandler = new SparkRangerAuditHandler
val ugi = getAuthzUgi(spark.sparkContext)
val (inputs, outputs, opType) = PrivilegesBuilder.build(plan, spark)
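Review bot: The overriding `checkPrivileges(spark: SparkSession, plan: LogicalPlan)` declares a `spark` parameter that shadows the constructor parameter of the same name, and the method is now public where the removed companion-object version was `private`. As far as the visible code shows, `Authorization.apply` only ever passes the constructor's session, so the extra parameter looks redundant and leaves it unclear which session the body uses. If the signature stays, I would narrow the visibility by declaring `protected def checkPrivileges(...)` in `Authorization` and `override protected def checkPrivileges(...)` here, so the privilege check is reached only through rule application. The method body continues outside this hunk.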
@@ -95,23 +80,5 @@ object RuleAuthorization {
verify(Seq(req), auditHandler)
}
}
- markAuthChecked(plan)
- }
-
- private def markAuthChecked(plan: LogicalPlan): LogicalPlan = {
- plan match {
- case _: PermanentViewMarker =>
- plan.transformUp { case p =>
- p.setTagValue(KYUUBI_AUTHZ_TAG, ())
- p
- }
- case _ =>
- plan.setTagValue(KYUUBI_AUTHZ_TAG, ())
- }
- plan
- }
-
- private def isAuthChecked(plan: LogicalPlan): Boolean = {
- plan.find(_.getTagValue(KYUUBI_AUTHZ_TAG).nonEmpty).nonEmpty
}
}
diff --git
a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/rule/Authorization.scala
b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/rule/Authorization.scala
new file mode 100644
index 000000000..db50873b3
--- /dev/null
+++
b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/rule/Authorization.scala
@@ -0,0 +1,61 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.kyuubi.plugin.spark.authz.rule
+
+import org.apache.spark.sql.SparkSession
+import org.apache.spark.sql.catalyst.plans.logical.LogicalPlan
+import org.apache.spark.sql.catalyst.rules.Rule
+import org.apache.spark.sql.catalyst.trees.TreeNodeTag
+
+import org.apache.kyuubi.plugin.spark.authz.rule.Authorization._
+import
org.apache.kyuubi.plugin.spark.authz.rule.permanentview.PermanentViewMarker
+
+abstract class Authorization(spark: SparkSession) extends Rule[LogicalPlan] {
+ override def apply(plan: LogicalPlan): LogicalPlan = {
+ plan match {
+ case plan if isAuthChecked(plan) => plan // do nothing if checked
privileges already.
+ case p =>
+ checkPrivileges(spark, p)
+ markAuthChecked(p)
+ }
+ }
+
+ def checkPrivileges(spark: SparkSession, plan: LogicalPlan): Unit
+}
+
+object Authorization {
+
+ val KYUUBI_AUTHZ_TAG = TreeNodeTag[Unit]("__KYUUBI_AUTHZ_TAG")
+
+ protected def markAuthChecked(plan: LogicalPlan): LogicalPlan = {
+ plan match {
+ case _: PermanentViewMarker =>
+ plan.transformUp { case p =>
+ p.setTagValue(KYUUBI_AUTHZ_TAG, ())
+ p
+ }
+ case _ =>
+ plan.setTagValue(KYUUBI_AUTHZ_TAG, ())
+ }
+ plan
+ }
+
+ protected def isAuthChecked(plan: LogicalPlan): Boolean = {
+ plan.find(_.getTagValue(KYUUBI_AUTHZ_TAG).nonEmpty).nonEmpty
+ }
+}
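Review bot: `apply` calls `markAuthChecked(p)` unconditionally once `checkPrivileges` returns, and the abstract method returns `Unit`, so an implementation can only deny access by throwing; nothing in the file states that contract. I would put a Scaladoc on the abstract method, e.g. `/** Must throw when access is denied; a normal return causes the plan to be tagged as already authorized. */`, so that a future subclass does not log and return, which would fail open. `isAuthChecked` also treats the whole plan as checked when any single node carries `KYUUBI_AUTHZ_TAG` (`plan.find(...)`); that deserves a comment explaining why one tagged node is sufficient, or a check of the root node only, if that is what is intended. Finally, `protected` on members of `object Authorization` adds nothing because an object cannot be subclassed; `private def markAuthChecked` and `private def isAuthChecked`, as in the removed code, state the intent.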
diff --git
a/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
b/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
index 8923819c3..672d7208f 100644
---
a/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
+++
b/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
@@ -33,7 +33,7 @@ import org.scalatest.funsuite.AnyFunSuite
import org.apache.kyuubi.plugin.spark.authz.{AccessControlException,
SparkSessionProvider}
import org.apache.kyuubi.plugin.spark.authz.RangerTestNamespace._
import org.apache.kyuubi.plugin.spark.authz.RangerTestUsers._
-import
org.apache.kyuubi.plugin.spark.authz.ranger.RuleAuthorization.KYUUBI_AUTHZ_TAG
+import org.apache.kyuubi.plugin.spark.authz.rule.Authorization.KYUUBI_AUTHZ_TAG
import org.apache.kyuubi.plugin.spark.authz.util.AuthZUtils._
import org.apache.kyuubi.util.AssertionUtils._
import org.apache.kyuubi.util.reflect.ReflectUtils._