This is an automated email from the ASF dual-hosted git repository.
chengpan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/kyuubi.git
The following commit(s) were added to refs/heads/master by this push:
new 7f02809e5 [KYUUBI #5768][AUTHZ] Authz internal place holder should
skip privilege check
7f02809e5 is described below
commit 7f02809e54686fa43ae0bffcf7c546d5374458eb
Author: Angerszhuuuu <[email protected]>
AuthorDate: Mon Nov 27 14:47:34 2023 +0800
[KYUUBI #5768][AUTHZ] Authz internal place holder should skip privilege
check
# :mag: Description
## Issue References π
This pull request fixes #5768
## Describe Your Solution π§
Currently all UTs contain a `ShowNamespaces` command that is wrapped by
`ObjectFilterPlaceHolder`.
<img width="1196" alt="截屏2023-11-24 下午3 29 53"
src="https://github.com/apache/kyuubi/assets/46485123/ab7a93ec-22aa-425f-bbbc-894d3d8f19c0">
Commands wrapped by `ObjectFilterPlaceHolder` still go through `buildQuery()`,
which is noisy when debugging and is unnecessary; we should just skip it, since
privileges are already checked when the command is executed.
## Types of changes :bookmark:
- [x] Bugfix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing
functionality to change)
## Test Plan π§ͺ
#### Behavior Without This Pull Request :coffin:
#### Behavior With This Pull Request :tada:
#### Related Unit Tests
---
# Checklists
## π Author Self Checklist
- [x] My code follows the [style
guidelines](https://kyuubi.readthedocs.io/en/master/contributing/code/style.html)
of this project
- [x] I have performed a self-review
- [x] I have commented my code, particularly in hard-to-understand areas
- [x] I have made corresponding changes to the documentation
- [x] My changes generate no new warnings
- [x] I have added tests that prove my fix is effective or that my feature
works
- [x] New and existing unit tests pass locally with my changes
- [x] This patch was not authored or co-authored using [Generative
Tooling](https://www.apache.org/legal/generative-tooling.html)
## π Committer Pre-Merge Checklist
- [x] Pull request title is okay.
- [x] No license issues.
- [x] Milestone correctly set?
- [x] Test coverage is ok
- [x] Assignees are selected.
- [x] Minimum number of approvals
- [x] No changes are requested
**Be nice. Be informative.**
Closes #5769 from AngersZhuuuu/KYUUBI-5768.
Closes #5768
2018e784f [Angerszhuuuu] Update RuleAuthorization.scala
a51172c14 [Angerszhuuuu] Update PrivilegesBuilder.scala
4a0cdaa6d [Angerszhuuuu] [KYUUBI #5768][AUTHZ] Authz internal place holder
should skip privilege check
Authored-by: Angerszhuuuu <[email protected]>
Signed-off-by: Cheng Pan <[email protected]>
---
.../org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala | 9 +++++++++
.../kyuubi/plugin/spark/authz/ranger/RuleAuthorization.scala | 4 ----
2 files changed, 9 insertions(+), 4 deletions(-)
diff --git
a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala
b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala
index 81dfa6e4e..d0f6e48eb 100644
---
a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala
+++
b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala
@@ -29,6 +29,7 @@ import
org.apache.kyuubi.plugin.spark.authz.OperationType.OperationType
import org.apache.kyuubi.plugin.spark.authz.PrivilegeObjectActionType._
import org.apache.kyuubi.plugin.spark.authz.rule.Authorization._
import
org.apache.kyuubi.plugin.spark.authz.rule.permanentview.PermanentViewMarker
+import org.apache.kyuubi.plugin.spark.authz.rule.rowfilter._
import org.apache.kyuubi.plugin.spark.authz.serde._
import org.apache.kyuubi.plugin.spark.authz.util.AuthZUtils._
import org.apache.kyuubi.util.reflect.ReflectUtils._
@@ -303,6 +304,14 @@ object PrivilegesBuilder {
val inputObjs = new ArrayBuffer[PrivilegeObject]
val outputObjs = new ArrayBuffer[PrivilegeObject]
val opType = plan match {
+ case ObjectFilterPlaceHolder(child) if child.nodeName == "ShowTables" =>
+ OperationType.SHOWTABLES
+ case ObjectFilterPlaceHolder(child) if child.nodeName ==
"ShowNamespaces" =>
+ OperationType.SHOWDATABASES
+ case _: FilteredShowTablesCommand => OperationType.SHOWTABLES
+ case _: FilteredShowFunctionsCommand => OperationType.SHOWFUNCTIONS
+ case _: FilteredShowColumnsCommand => OperationType.SHOWCOLUMNS
+
// ExplainCommand run will execute the plan, should avoid check
privilege for the plan.
case _: ExplainCommand =>
setExplainCommandExecutionId(spark)
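Review bot: The added `ObjectFilterPlaceHolder` branches and the three `Filtered…Command` branches return only an operation type and add nothing to `inputObjs`/`outputObjs`, so these plans appear to produce no privilege objects, and the hunk carries no comment saying that this is intentional or what enforces access instead. A comment above the first branch such as `// Authz-internal placeholder/filtered commands: results are filtered per user at execution, so no privilege objects are collected here` would record the invariant. The two placeholder guards compare `child.nodeName` with string literals, so a placeholder wrapping any other child falls through to the later cases, which lie outside the hunk; that fall-through deserves an explicit branch or a comment. Because the RuleAuthorization.scala hunk of this commit also drops the `USE` request for `SHOWDATABASES`, execution-time filtering looks like the only remaining control for these commands, and the diffstat lists no test file, so a test asserting that a user without privileges gets filtered output would pin it. The `plan match` continues past the end of the hunk.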
diff --git
a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RuleAuthorization.scala
b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RuleAuthorization.scala
index afb4f7c54..c5c39c511 100644
---
a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RuleAuthorization.scala
+++
b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RuleAuthorization.scala
@@ -35,10 +35,6 @@ class RuleAuthorization(spark: SparkSession) extends
Authorization(spark) {
val ugi = getAuthzUgi(spark.sparkContext)
val (inputs, outputs, opType) = PrivilegesBuilder.build(plan, spark)
val requests = new ArrayBuffer[AccessRequest]()
- if (inputs.isEmpty && opType == OperationType.SHOWDATABASES) {
- val resource = AccessResource(DATABASE, null, None)
- requests += AccessRequest(resource, ugi, opType, AccessType.USE)
- }
def addAccessRequest(objects: Iterable[PrivilegeObject], isInput:
Boolean): Unit = {
objects.foreach { obj =>