Skip to content

[KYUUBI #5475][FOLLOWUP] Authz check permanent view's subquery should check view's correct privilege #5476

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
AngersZhuuuu wants to merge 5 commits into from
Closed

[KYUUBI #5475][FOLLOWUP] Authz check permanent view's subquery should check view's correct privilege #5476

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
faea9c6
[KYUUBI #5475] Authz check permanent view's subquery should check vie…
AngersZhuuuu Oct 19, 2023
f7585a4
Update PrivilegesBuilder.scala
AngersZhuuuu Oct 19, 2023
6b8c0e6
Merge branch 'master' into KYUUBI-5475
AngersZhuuuu Oct 23, 2023
3bfd9e6
update
AngersZhuuuu Oct 23, 2023
e1f7920
Merge branch 'master' into KYUUBI-5475
AngersZhuuuu Oct 23, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions ...i-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@ import org.apache.kyuubi.plugin.spark.authz.OperationType.OperationType
import org.apache.kyuubi.plugin.spark.authz.PrivilegeObjectActionType._
import org.apache.kyuubi.plugin.spark.authz.serde._
import org.apache.kyuubi.plugin.spark.authz.util.AuthZUtils._
import org.apache.kyuubi.plugin.spark.authz.util.PermanentViewMarker
import org.apache.kyuubi.util.reflect.ReflectUtils._

object PrivilegesBuilder {
Expand Down Expand Up @@ -102,6 +103,11 @@ object PrivilegesBuilder {
val cols = conditionList ++ aggCols
buildQuery(a.child, privilegeObjects, projectionList, cols, spark)

case pvm: PermanentViewMarker =>
getScanSpec(pvm).tables(pvm, spark).foreach { table =>
privilegeObjects += PrivilegeObject(table, pvm.visitColNames)
}

case scan if isKnownScan(scan) && scan.resolved =>
getScanSpec(scan).tables(scan, spark).foreach(mergeProjection(_, scan))

Expand Down
14 changes: 9 additions & 5 deletions ...main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RuleApplyPermanentViewMarker.scala
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,12 +39,16 @@ class RuleApplyPermanentViewMarker extends Rule[LogicalPlan] {
case permanentView: View if hasResolvedPermanentView(permanentView) =>
val resolvedSubquery = permanentView.transformAllExpressions {
case subquery: SubqueryExpression =>
// TODO: Currently, we do not do an auth check in the subquery
// as the main query part also secures it. But for performance consideration,
// we also pre-check it in subqueries and fail fast with negative privileges.
subquery.withNewPlan(plan = PermanentViewMarker(subquery.plan, null))
subquery.withNewPlan(plan =
PermanentViewMarker(
subquery.plan,
permanentView.desc,
permanentView.output.map(_.name)))
}
PermanentViewMarker(resolvedSubquery, resolvedSubquery.desc)
PermanentViewMarker(
resolvedSubquery,
Copy link
Member

@yaooqinn yaooqinn Oct 23, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: it's not resolvedSubquery but a view?

resolvedSubquery.desc,
resolvedSubquery.output.map(_.name))
case other => apply(other)
}
}
Expand Down
5 changes: 4 additions & 1 deletion ...-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/util/PermanentViewMarker.scala
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,10 @@ import org.apache.spark.sql.catalyst.catalog.CatalogTable
import org.apache.spark.sql.catalyst.expressions.Attribute
import org.apache.spark.sql.catalyst.plans.logical.{LogicalPlan, UnaryNode}

case class PermanentViewMarker(child: LogicalPlan, catalogTable: CatalogTable) extends UnaryNode
case class PermanentViewMarker(
child: LogicalPlan,
catalogTable: CatalogTable,
visitColNames: Seq[String]) extends UnaryNode
with WithInternalChild {

override def output: Seq[Attribute] = child.output
Expand Down
45 changes: 45 additions & 0 deletions ...rc/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -837,6 +837,51 @@ class HiveCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite {
}
}

test("[KYUUBI #5475] Check permanent view's subquery should check view's correct privilege") {
val db1 = defaultDb
val table1 = "table1"
val table2 = "table2"
val view1 = "view1"
withSingleCallEnabled {
withCleanTmpResources(
Seq((s"$db1.$table1", "table"), (s"$db1.$table2", "table"), (s"$db1.$view1", "view"))) {
doAs(admin, sql(s"CREATE TABLE IF NOT EXISTS $db1.$table1(id int, scope int)"))
doAs(
admin,
sql(
s"""
| CREATE TABLE IF NOT EXISTS $db1.$table2(
| id int,
| name string,
| age int,
| scope int)
| """.stripMargin))
doAs(
admin,
sql(
s"""
|CREATE VIEW $db1.$view1
|AS
|WITH temp AS (
| SELECT max(scope) max_scope
| FROM $db1.$table1)
|SELECT id, name, max(scope) as max_scope, sum(age) sum_age
|FROM $db1.$table2
|WHERE scope in (SELECT max_scope FROM temp)
|GROUP BY id, name
|""".stripMargin))
// Will just check permanent view privilege.
val e2 = intercept[AccessControlException](
doAs(
someone,
sql(s"SELECT id as new_id, name, max_scope FROM $db1.$view1".stripMargin).show()))
assert(e2.getMessage.contains(
s"does not have [select] privilege on " +
s"[$db1/$view1/id,$db1/$view1/name,$db1/$view1/max_scope,$db1/$view1/sum_age]"))
}
}
}

test("[KYUUBI #5492] saveAsTable create DataSource table miss db info") {
val table1 = "table1"
withSingleCallEnabled {
Expand Down