wForget commented on code in PR #7204:
URL: https://github.com/apache/kyuubi/pull/7204#discussion_r2348186377
##########
extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala:
##########
@@ -100,13 +101,18 @@ object PrivilegesBuilder {
privilegeObjects += PrivilegeObject(table)
case p =>
+ val existsChildOutputHolder =
p.exists(_.isInstanceOf[ChildOutputHolder])
for (child <- p.children) {
// If current plan's references don't have relation to it's input,
have two cases
// 1. `MapInPandas`, `ScriptTransformation`
// 2. `Project` output only have constant value
if (columnPrune(p.references.toSeq ++ p.output, p.inputSet).isEmpty)
{
- // If plan is project and output don't have relation to input, can
ignore.
- if (!p.isInstanceOf[Project]) {
+ // 1. If plan is project and output don't have relation to input,
can ignore.
+ // 2. If sub logic plan tree exists ChildOutputHolder node, it
means that the output of
+ // some nodes in the tree is fixed by RuleChildOutputMarker in
some special
+ // scenarios, such as the Aggregate(count(*)) child node. To
avoid missing child node
+ // permissions, we need to continue checking down.
+ if (!p.isInstanceOf[Project] || existsChildOutputHolder) {
Review Comment:
This logic is in `for (child <- p.children) {`, which will be applied to all
children of `p`. Do we need it for children of `p` that are not
`ChildOutputHolder`?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscr...@kyuubi.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscr...@kyuubi.apache.org
For additional commands, e-mail: notifications-h...@kyuubi.apache.org
