This is an automated email from the ASF dual-hosted git repository.

chengpan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/kyuubi.git


The following commit(s) were added to refs/heads/master by this push:
     new d643e3531 [KYUUBI #6592] Add uploadWorkDir into local dir allow list 
and do not skip check for resource uploaded use case
d643e3531 is described below

commit d643e35310edb1ea7837f63e6cc53eb78b6648af
Author: Wang, Fei <[email protected]>
AuthorDate: Wed Aug 7 18:00:48 2024 +0800

    [KYUUBI #6592] Add uploadWorkDir into local dir allow list and do not skip 
check for resource uploaded use case
    
    # :mag: Description
    ## Issue References 🔗
    
    As the title says; this change is made for security reasons.
    
    Previously, the local dir access check was skipped for the resource upload use case, which is not expected.
    ## Describe Your Solution 🔧
    
    Please include a summary of the change and which issue is fixed. Please 
also include relevant motivation and context. List any dependencies that are 
required for this change.
    
    ## Types of changes :bookmark:
    
    - [ ] Bugfix (non-breaking change which fixes an issue)
    - [ ] New feature (non-breaking change which adds functionality)
    - [ ] Breaking change (fix or feature that would cause existing 
functionality to change)
    
    ## Test Plan ๐Ÿงช
    
    #### Behavior Without This Pull Request :coffin:
    
    #### Behavior With This Pull Request :tada:
    
    #### Related Unit Tests
    
    ---
    
    # Checklist ๐Ÿ“
    
    - [x] This patch was not authored or co-authored using [Generative 
Tooling](https://www.apache.org/legal/generative-tooling.html)
    
    **Be nice. Be informative.**
    
    Closes #6592 from turboFei/check_batch_access.
    
    Closes #6592
    
    80cbc7414 [Wang, Fei] do not check if is empty
    a82fe8e87 [Wang, Fei] check batch access
    
    Authored-by: Wang, Fei <[email protected]>
    Signed-off-by: Cheng Pan <[email protected]>
---
 .../main/scala/org/apache/kyuubi/engine/KyuubiApplicationManager.scala | 3 ++-
 .../src/main/scala/org/apache/kyuubi/session/KyuubiBatchSession.scala  | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/kyuubi-server/src/main/scala/org/apache/kyuubi/engine/KyuubiApplicationManager.scala b/kyuubi-server/src/main/scala/org/apache/kyuubi/engine/KyuubiApplicationManager.scala
index f2887b3e9..247f0c813 100644
--- a/kyuubi-server/src/main/scala/org/apache/kyuubi/engine/KyuubiApplicationManager.scala
+++ b/kyuubi-server/src/main/scala/org/apache/kyuubi/engine/KyuubiApplicationManager.scala
@@ -133,8 +133,9 @@ object KyuubiApplicationManager {
   }
 
   private[kyuubi] def checkApplicationAccessPath(path: String, conf: KyuubiConf): Unit = {
-    val localDirAllowList = conf.get(KyuubiConf.SESSION_LOCAL_DIR_ALLOW_LIST)
+    var localDirAllowList: Set[String] = conf.get(KyuubiConf.SESSION_LOCAL_DIR_ALLOW_LIST)
     if (localDirAllowList.nonEmpty) {
+      localDirAllowList ++= Set(uploadWorkDir.toUri.getPath)
       val uri =
         try {
           new URI(path)
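Review bot: The entry added by `localDirAllowList ++= Set(uploadWorkDir.toUri.getPath)` goes into the allow list exactly as `getPath` returns it, with no guaranteed trailing separator. The comparison against the list happens below the hunk and is not visible here. If it is a plain string-prefix test, a sibling directory whose name merely begins with the upload work dir's name would also be accepted, so confirm how the match is done. Normalising the entry closes that gap, e.g. `localDirAllowList += (uploadWorkDir.toUri.getPath.stripSuffix("/") + "/")`. Separately, the `var` could stay a `val` by building the effective set in a second `val` inside the `if`.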
diff --git a/kyuubi-server/src/main/scala/org/apache/kyuubi/session/KyuubiBatchSession.scala b/kyuubi-server/src/main/scala/org/apache/kyuubi/session/KyuubiBatchSession.scala
index 149c7ab01..5dc3a605d 100644
--- a/kyuubi-server/src/main/scala/org/apache/kyuubi/session/KyuubiBatchSession.scala
+++ b/kyuubi-server/src/main/scala/org/apache/kyuubi/session/KyuubiBatchSession.scala
@@ -150,7 +150,7 @@ class KyuubiBatchSession(
       batchType,
       optimizedConf,
       sessionManager.getConf)
-    if (resource != SparkProcessBuilder.INTERNAL_RESOURCE && !isResourceUploaded) {
+    if (resource != SparkProcessBuilder.INTERNAL_RESOURCE) {
       KyuubiApplicationManager.checkApplicationAccessPath(resource, sessionManager.getConf)
     }
   }
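Review bot: Nothing at the guard `if (resource != SparkProcessBuilder.INTERNAL_RESOURCE)` explains that an uploaded resource now passes only because `checkApplicationAccessPath` adds the upload work dir to the allow list in the other file. A comment such as `// Uploaded resources are checked too; they pass because checkApplicationAccessPath allows uploadWorkDir` would keep a later edit from dropping one half of that pairing. The diffstat lists only the two main sources, so no test pins the new behaviour. A unit test should cover two cases with a non-empty allow list: an uploaded resource under the upload work dir is accepted, and a local path outside the list is rejected. The enclosing method starts outside this hunk.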
