AngersZhuuuu commented on code in PR #5629:
URL: https://github.com/apache/kyuubi/pull/5629#discussion_r1384302630
##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/OperationType.scala:
##########
@@ -22,7 +22,7 @@ object OperationType extends Enumeration {
type OperationType = Value
// According to https://scalameta.org/scalafmt/docs/known-issues.html
// format: off
- val ALTERDATABASE, ALTERDATABASE_LOCATION, ALTERTABLE_ADDCOLS,
ALTERTABLE_ADDPARTS,
+ val ADD, ALTERDATABASE, ALTERDATABASE_LOCATION, ALTERTABLE_ADDCOLS,
ALTERTABLE_ADDPARTS,
Review Comment:
Following Hive's code, we add an `ADD` operation type here.
<img width="1222" alt="截屏2023-11-07 上午11 01 43"
src="https://github.com/apache/kyuubi/assets/46485123/974c38e6-3c3e-4af7-a17c-fc2aa8ac33f4">
##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/AccessType.scala:
##########
@@ -25,11 +25,13 @@ object AccessType extends Enumeration {
type AccessType = Value
- val NONE, CREATE, ALTER, DROP, SELECT, UPDATE, USE, READ, WRITE, ALL, ADMIN,
INDEX = Value
+ val NONE, CREATE, ALTER, DROP, SELECT, UPDATE, USE, READ, WRITE, ALL, ADMIN,
INDEX, TEMPUDFADMIN =
+ Value
def apply(obj: PrivilegeObject, opType: OperationType, isInput: Boolean):
AccessType = {
obj.actionType match {
case PrivilegeObjectActionType.OTHER => opType match {
+ case ADD => TEMPUDFADMIN
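Review bot: The new arm `case ADD => TEMPUDFADMIN` has no in-code rationale, and neither name suggests resource commands; the only justification is a screenshot in the review thread. A one-line comment above the arm would keep the mapping auditable, e.g. `// ADD (resource commands): mirrors Ranger's mapping of ADD to TEMPUDFADMIN`. Because ADD-type commands now require a `TEMPUDFADMIN` grant, deployments whose Ranger policies do not grant that access type will presumably start denying them, so an upgrade note seems warranted. The `opType match` continues outside the hunk, and the same hunk is quoted a second time further down the page.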
Review Comment:
According to Ranger's mapping code, the access type here is `TEMPUDFADMIN`.
<img width="711" alt="截屏2023-11-07 上午10 46 04"
src="https://github.com/apache/kyuubi/assets/46485123/d151f18c-391e-45eb-98f1-2c854975c1ce">
##########
extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/gen/TableCommands.scala:
##########
@@ -617,7 +617,16 @@ object TableCommands extends
CommandSpecs[TableCommandSpec] {
TableCommandSpec(cmd, Seq(tableDesc), ALTERTABLE_PROPERTIES)
}
+ val AddArchivesCommand = {
+ val cmd = "org.apache.spark.sql.execution.command.AddArchivesCommand"
+ val uriDesc = UriDesc("paths", classOf[StringSeqURIExtractor], isInput =
true)
+ TableCommandSpec(cmd, Nil, ADD, uriDescs = Seq(uriDesc))
+ }
+
override def specs: Seq[TableCommandSpec] = Seq(
+ AddArchivesCommand,
+ AddArchivesCommand.copy(classname =
"org.apache.spark.sql.execution.command.AddFilesCommand"),
+ AddArchivesCommand.copy(classname =
"org.apache.spark.sql.execution.command.AddJarsCommand"),
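Review bot: The three new specs authorize only what `StringSeqURIExtractor` extracts from `paths`, and nothing in this hunk shows coverage for inputs that are not plain file paths. `AddJarsCommand` is the one that loads code into the session, and as far as I know Spark's ADD JAR also accepts forms such as `ivy://` coordinates. It is worth confirming with a test that such values yield a URI resource a Ranger policy can match, and that the command is denied when they do not. As a style point, the two `.copy(classname = ...)` entries are anonymous; declaring them as vals named `AddFilesCommand` and `AddJarsCommand` next to `AddArchivesCommand` would make the spec list easier to audit. The `specs` sequence continues outside the hunk.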
Review Comment:
According to Hive's code, it only checks privileges for the `ADD` and `DELETE` resource commands; it does not check the privilege for the `LIST` resource command.
##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/OperationType.scala:
##########
@@ -22,7 +22,7 @@ object OperationType extends Enumeration {
type OperationType = Value
// According to https://scalameta.org/scalafmt/docs/known-issues.html
// format: off
- val ALTERDATABASE, ALTERDATABASE_LOCATION, ALTERTABLE_ADDCOLS,
ALTERTABLE_ADDPARTS,
+ val ADD, ALTERDATABASE, ALTERDATABASE_LOCATION, ALTERTABLE_ADDCOLS,
ALTERTABLE_ADDPARTS,
Review Comment:
Following Hive's code, we add an `ADD` operation type here.
<img width="1222" alt="截屏2023-11-07 上午11 01 43"
src="https://github.com/apache/kyuubi/assets/46485123/974c38e6-3c3e-4af7-a17c-fc2aa8ac33f4">
##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/AccessType.scala:
##########
@@ -25,11 +25,13 @@ object AccessType extends Enumeration {
type AccessType = Value
- val NONE, CREATE, ALTER, DROP, SELECT, UPDATE, USE, READ, WRITE, ALL, ADMIN,
INDEX = Value
+ val NONE, CREATE, ALTER, DROP, SELECT, UPDATE, USE, READ, WRITE, ALL, ADMIN,
INDEX, TEMPUDFADMIN =
+ Value
def apply(obj: PrivilegeObject, opType: OperationType, isInput: Boolean):
AccessType = {
obj.actionType match {
case PrivilegeObjectActionType.OTHER => opType match {
+ case ADD => TEMPUDFADMIN
Review Comment:
According to Ranger's mapping code, the access type here is `TEMPUDFADMIN`.
<img width="711" alt="截屏2023-11-07 上午10 46 04"
src="https://github.com/apache/kyuubi/assets/46485123/d151f18c-391e-45eb-98f1-2c854975c1ce">