[KYUUBI #5768][AUTHZ] Authz internal place holder should skip privilege check

# 🔍 Description
## Issue References 🔗

This pull request fixes #5768

## Describe Your Solution 🔧

Currently all UTs have a `ShowNamespace command` that is wrapped by `ObjectFilterPlaceHolder`.
<img width="1196" alt="Screenshot 2023-11-24 3:29:53 PM" src="https://github.com/apache/kyuubi/assets/46485123/ab7a93ec-22aa-425f-bbbc-894d3d8f19c0">
And such `ObjectFilterPlaceHolder` commands will go through `buildQuery()`, which is noisy for devs when debugging and unnecessary; we should just skip it since we check privileges when executing.

## Types of changes 🔖

- [x] Bugfix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to change)

## Test Plan 🧪

#### Behavior Without This Pull Request ⚰️

#### Behavior With This Pull Request 🎉

#### Related Unit Tests

---

# Checklists
## 📝 Author Self Checklist

- [x] My code follows the [style guidelines](https://kyuubi.readthedocs.io/en/master/contributing/code/style.html) of this project
- [x] I have performed a self-review
- [x] I have commented my code, particularly in hard-to-understand areas
- [x] I have made corresponding changes to the documentation
- [x] My changes generate no new warnings
- [x] I have added tests that prove my fix is effective or that my feature works
- [x] New and existing unit tests pass locally with my changes
- [x] This patch was not authored or co-authored using [Generative Tooling](https://www.apache.org/legal/generative-tooling.html)

## 📝 Committer Pre-Merge Checklist

- [x] Pull request title is okay.
- [x] No license issues.
- [x] Milestone correctly set?
- [x] Test coverage is ok
- [x] Assignees are selected.
- [x] Minimum number of approvals
- [x] No changes are requested

**Be nice. Be informative.**

Closes #5769 from AngersZhuuuu/KYUUBI-5768.

Closes #5768

2018e78 [Angerszhuuuu] Update RuleAuthorization.scala
a51172c [Angerszhuuuu] Update PrivilegesBuilder.scala
4a0cdaa [Angerszhuuuu] [KYUUBI #5768][AUTHZ] Authz internal place holder should skip privilege check

Authored-by: Angerszhuuuu <[email protected]>
Signed-off-by: Cheng Pan <[email protected]>
AngersZhuuuu authored and pan3793 committed Nov 27, 2023
1 parent 65ba3b1 commit 7f02809
Showing 2 changed files with 9 additions and 4 deletions.
Expand Up @@ -29,6 +29,7 @@ import org.apache.kyuubi.plugin.spark.authz.OperationType.OperationType
import org.apache.kyuubi.plugin.spark.authz.PrivilegeObjectActionType._
import org.apache.kyuubi.plugin.spark.authz.rule.Authorization._
import org.apache.kyuubi.plugin.spark.authz.rule.permanentview.PermanentViewMarker
import org.apache.kyuubi.plugin.spark.authz.rule.rowfilter._
import org.apache.kyuubi.plugin.spark.authz.serde._
import org.apache.kyuubi.plugin.spark.authz.util.AuthZUtils._
import org.apache.kyuubi.util.reflect.ReflectUtils._
Expand Down Expand Up @@ -303,6 +304,14 @@ object PrivilegesBuilder {
val inputObjs = new ArrayBuffer[PrivilegeObject]
val outputObjs = new ArrayBuffer[PrivilegeObject]
val opType = plan match {
case ObjectFilterPlaceHolder(child) if child.nodeName == "ShowTables" =>
OperationType.SHOWTABLES
case ObjectFilterPlaceHolder(child) if child.nodeName == "ShowNamespaces" =>
OperationType.SHOWDATABASES
case _: FilteredShowTablesCommand => OperationType.SHOWTABLES
case _: FilteredShowFunctionsCommand => OperationType.SHOWFUNCTIONS
case _: FilteredShowColumnsCommand => OperationType.SHOWCOLUMNS

// ExplainCommand run will execute the plan, should avoid check privilege for the plan.
case _: ExplainCommand =>
setExplainCommandExecutionId(spark)
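Review bot: the new `ObjectFilterPlaceHolder(child)` and `Filtered*Command` cases at the top of the `opType` match have no comment explaining that they return an operation type without filling `inputObjs` or `outputObjs` on purpose, whereas the `ExplainCommand` case right below them documents exactly that. Please add a one-line comment stating that these internal placeholders skip the privilege check here because the results are filtered at execution. The guards `child.nodeName == "ShowTables"` and `child.nodeName == "ShowNamespaces"` are string comparisons, so an `ObjectFilterPlaceHolder` wrapping any other child falls through to the remaining cases; a unit test that pins both node names would catch a silent mismatch.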
Expand Up @@ -35,10 +35,6 @@ class RuleAuthorization(spark: SparkSession) extends Authorization(spark) {
val ugi = getAuthzUgi(spark.sparkContext)
val (inputs, outputs, opType) = PrivilegesBuilder.build(plan, spark)
val requests = new ArrayBuffer[AccessRequest]()
if (inputs.isEmpty && opType == OperationType.SHOWDATABASES) {
val resource = AccessResource(DATABASE, null, None)
requests += AccessRequest(resource, ugi, opType, AccessType.USE)
}

def addAccessRequest(objects: Iterable[PrivilegeObject], isInput: Boolean): Unit = {
objects.foreach { obj =>
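Review bot: with the `if (inputs.isEmpty && opType == OperationType.SHOWDATABASES)` block gone, a SHOWDATABASES plan with empty inputs no longer adds a `USE` request on `AccessResource(DATABASE, null, None)`, so this method sends no request for that case unless `outputs` supplies one. The description says the check still happens at execution, but neither of the two changed files shown here is a test; please add one that asserts a user without database privileges still gets a filtered `SHOW DATABASES` result, so the removal of this request is covered.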