AngersZhuuuu commented on code in PR #5627:
URL: https://github.com/apache/kyuubi/pull/5627#discussion_r1382758155


##########
extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala:
##########
@@ -1097,4 +1100,31 @@ class HiveCatalogRangerSparkExtensionSuite extends 
RangerSparkExtensionSuite {
       }
     }
   }
+
+  test("[KYUUBI #5594][AUTHZ] BuildQuery should respect normal node's input ") 
{
+    val db1 = defaultDb
+    val table1 = "table1"
+    withSingleCallEnabled {
+      withCleanTmpResources(Seq((s"$db1.$table1", "table"))) {
+        doAs(admin, sql(s"CREATE TABLE IF NOT EXISTS $db1.$table1 (id int, 
scope int)"))
+        val df = spark.read.table(s"$db1.$table1")
+        val mapInPandasUDF = PythonUDF(
+          "mapInPandasUDF",
+          null,
+          StructType(Seq(StructField("id", IntegerType), StructField("scope", 
IntegerType))),
+          df.queryExecution.analyzed.output,
+          205,
+          true)
+        interceptContains[AccessControlException](
+          doAs(
+            someone,
+            invokeAs(
+              df,
+              "mapInPandas",
+              (classOf[PythonUDF], mapInPandasUDF))
+              .asInstanceOf[DataFrame].select(col("id"), 
col("scope")).limit(1).show(true)))(
+          s"does not have [select] privilege on 
[$db1/$table1/id,$db1/$table1/scope]")
+      }
+    }
+  }
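
Review bot: The `PythonUDF(...)` call in this test passes a bare `null` as its second argument and the literal `205` as its fifth, with nothing in the test saying what either stands for. Bind them to named local vals or add a one-line comment (for example on which Python eval type `205` selects) so the intent survives if those values change upstream. The test also asserts only the denial for `someone`; a companion check that `admin` can run the same `mapInPandas` query would show the column-level check does not over-deny. Minor: the test name ends with a trailing space before the closing quote.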

Review Comment:
   Add a UT, the plan is 
   ```
   
   GlobalLimit 1
   +- LocalLimit 1
      +- Project [cast(id#22 as string) AS id#30, cast(scope#23 as string) AS scope#31]
         +- MapInPandas mapInPandasUDF(id#17, scope#18)#21, [id#22, scope#23]
            +- HiveTableRelation [`spark_catalog`.`default`.`table1`, org.apache.hadoop.hive.serde2.lazy.LazySimpleSerDe, Data Cols: [id#17, scope#18], Partition Cols: []]
   
   ```
   
   
   
   Without this PR, this query only extracts the table and misses the column privilege:
   ```
   "Permission denied: user [someone] does not have [select] privilege on [default/table1]" did not contain "does not have [select] privilege on [default/table1/id,default/table1/scope]"
   ScalaTestFailureLocation: org.apache.kyuubi.plugin.spark.authz.ranger.HiveCatalogRangerSparkExtensionSuite at (RangerSparkExtensionSuite.scala:1125)
   org.scalatest.exceptions.TestFailedException: "Permission denied: user [someone] does not have [select] privilege on [default/table1]" did not contain "does not have [select] privilege on [default/table1/id,default/table1/scope]"
        at org.scalatest.Assertions.newAssertionFailedException(Assertions.scala:472)
   ```


