This is an automated email from the ASF dual-hosted git repository.
yikaifei pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/kyuubi.git
The following commit(s) were added to refs/heads/master by this push:
new 3af755115 [KYUUBI #5965] [AUTHZ] Supports check hoodie procedures
show_commits resource privileges
3af755115 is described below
commit 3af755115ac44737017a6e5d9448f87592d7d26c
Author: yikaifei <[email protected]>
AuthorDate: Sun Jan 14 19:37:17 2024 +0800
[KYUUBI #5965] [AUTHZ] Supports check hoodie procedures show_commits
resource privileges
# :mag: Description
## Issue References ๐
This pull request aims to make AuthZ supports check [hoodie procedures
show_commits](https://hudi.apache.org/docs/procedures#show_commits) resource
privileges
## Describe Your Solution ๐ง
Please include a summary of the change and which issue is fixed. Please
also include relevant motivation and context. List any dependencies that are
required for this change.
## Types of changes :bookmark:
- [x] Bugfix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing
functionality to change)
## Test Plan ๐งช
#### Behavior Without This Pull Request :coffin:
`CALL show_commits` passes the permission check regardless of whether the
caller holds the required privilege
#### Behavior With This Pull Request :tada:
`CALL show_commits` will not pass without permission
#### Related Unit Tests
New test added,
extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/HudiCatalogRangerSparkExtensionSuite.scala#ShowCommitsProcedure
---
# Checklist ๐
- [x] This patch was not authored or co-authored using [Generative
Tooling](https://www.apache.org/legal/generative-tooling.html)
**Be nice. Be informative.**
Closes #5965 from Yikf/hudi-showcommits.
Closes #5965
4e609b09a [yikaifei] Supports check hoodie procedures show_commits resource
privileges
Authored-by: yikaifei <[email protected]>
Signed-off-by: yikaifei <[email protected]>
---
.../plugin/spark/authz/serde/tableExtractors.scala | 3 +++
.../HudiCatalogRangerSparkExtensionSuite.scala | 26 ++++++++++++++++++++++
2 files changed, 29 insertions(+)
diff --git
a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/serde/tableExtractors.scala
b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/serde/tableExtractors.scala
index 8a7bc4522..952db0914 100644
---
a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/serde/tableExtractors.scala
+++
b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/serde/tableExtractors.scala
@@ -438,6 +438,9 @@ abstract class HudiCallProcedureTableExtractor extends
TableExtractor {
(
s"$PROCEDURE_CLASS_PATH.ShowClusteringProcedure",
ProcedureArgsInputOutputPair(input = Some("table"))),
+ (
+ s"$PROCEDURE_CLASS_PATH.ShowCommitsProcedure",
+ ProcedureArgsInputOutputPair(input = Some("table"))),
(
s"$PROCEDURE_CLASS_PATH.ShowCommitExtraMetadataProcedure",
ProcedureArgsInputOutputPair(input = Some("table"))),
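Review bot: A procedure with no entry in this list appears to skip table authorization entirely, since the commit description says `CALL show_commits` passed the permission check for any user before this entry was added; the list therefore behaves as an opt-in registry that fails open. The lookup, and what it does on a miss, sits outside this hunk in `HudiCallProcedureTableExtractor`, so that reading is inferred from the description rather than from the code shown. I would document the contract where the list is declared, for example `// Every Hudi procedure that takes a table argument needs an entry here; a procedure without one is not checked against that table.` A test that compares the Hudi procedures registered at runtime against these keys would catch the next missing entry before it ships.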
diff --git
a/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/HudiCatalogRangerSparkExtensionSuite.scala
b/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/HudiCatalogRangerSparkExtensionSuite.scala
index b6b9b6f31..f7b556686 100644
---
a/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/HudiCatalogRangerSparkExtensionSuite.scala
+++
b/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/HudiCatalogRangerSparkExtensionSuite.scala
@@ -618,4 +618,30 @@ class HudiCatalogRangerSparkExtensionSuite extends
RangerSparkExtensionSuite {
doAs(admin, sql(dropIndex))
}
}
+
+ test("ShowCommitsProcedure") {
+ withCleanTmpResources(Seq((s"$namespace1.$table1", "table"), (namespace1,
"database"))) {
+ doAs(admin, sql(s"CREATE DATABASE IF NOT EXISTS $namespace1"))
+ doAs(
+ admin,
+ sql(
+ s"""
+ |CREATE TABLE IF NOT EXISTS $namespace1.$table1(id int, name
string, city string)
+ |USING HUDI
+ |OPTIONS (
+ | type = 'mor',
+ | primaryKey = 'id',
+ | 'hoodie.datasource.hive_sync.enable' = 'false'
+ |)
+ |PARTITIONED BY(city)
+ |TBLPROPERTIES ('hoodie.datasource.write.precombine.field' = 'id')
+ |""".stripMargin))
+
+ val showCommitsSql = s"CALL SHOW_COMMITS(table => '$namespace1.$table1',
limit => 10)"
+ interceptEndsWith[AccessControlException] {
+ doAs(someone, sql(showCommitsSql))
+ }(s"does not have [select] privilege on [$namespace1/$table1]")
+ doAs(admin, sql(showCommitsSql))
+ }
+ }
}
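Review bot: The denial is asserted only for the named-argument form `table => '$namespace1.$table1'`, while the extractor entry in `tableExtractors.scala` keys on the argument name `"table"`. If Hudi also accepts this procedure with positional arguments, that form should get the same assertion, e.g. `interceptEndsWith[AccessControlException] { doAs(someone, sql(s"CALL SHOW_COMMITS('$namespace1.$table1', 10)")) }(s"does not have [select] privilege on [$namespace1/$table1]")`. How positional arguments are resolved is not visible in either hunk, so this is a coverage gap to confirm rather than a known bypass. The success path is also exercised only for `admin`; a run as a non-admin user who holds only `select` on the table would show the check demands exactly that privilege and nothing broader.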