From 4a0cdaa6dde2f557efc094c15f40e124ae3f30e2 Mon Sep 17 00:00:00 2001
From: Angerszhuuuu
Date: Fri, 24 Nov 2023 15:27:36 +0800
Subject: [PATCH 1/3] [KYUUBI #5768][AUTHZ] Authz internal place holder should skip privilege check
---
 .../kyuubi/plugin/spark/authz/PrivilegesBuilder.scala | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala
index 81dfa6e4ecd..224dd9cc5e7 100644
--- a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala
+++ b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala
@@ -29,6 +29,7 @@ import org.apache.kyuubi.plugin.spark.authz.OperationType.OperationType
 import org.apache.kyuubi.plugin.spark.authz.PrivilegeObjectActionType._
 import org.apache.kyuubi.plugin.spark.authz.rule.Authorization._
 import org.apache.kyuubi.plugin.spark.authz.rule.permanentview.PermanentViewMarker
+import org.apache.kyuubi.plugin.spark.authz.rule.rowfilter._
 import org.apache.kyuubi.plugin.spark.authz.serde._
 import org.apache.kyuubi.plugin.spark.authz.util.AuthZUtils._
 import org.apache.kyuubi.util.reflect.ReflectUtils._
@@ -303,6 +304,14 @@ object PrivilegesBuilder {
     val inputObjs = new ArrayBuffer[PrivilegeObject]
     val outputObjs = new ArrayBuffer[PrivilegeObject]
     val opType = plan match {
+      case ObjectFilterPlaceHolder(child) if child.nodeName == "ShowTables" =>
+        OperationType.SHOWTABLES
+      case ObjectFilterPlaceHolder(child) if child.nodeName == "ShowNamespaces" =>
+        OperationType.SHOWTABLES
+      case _: FilteredShowTablesCommand => OperationType.SHOWTABLES
+      case _: FilteredShowFunctionsCommand => OperationType.SHOWFUNCTIONS
+      case _: FilteredShowColumnsCommand => OperationType.SHOWCOLUMNS
+
       // ExplainCommand run will execute the plan, should avoid check privilege for the plan.
       case _: ExplainCommand =>
         setExplainCommandExecutionId(spark)
From a51172c14475cc15c58ea625e4244a22135f456f Mon Sep 17 00:00:00 2001
From: Angerszhuuuu
Date: Fri, 24 Nov 2023 15:50:30 +0800
Subject: [PATCH 2/3] Update PrivilegesBuilder.scala
---
 .../apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala
index 224dd9cc5e7..d0f6e48ebe3 100644
--- a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala
+++ b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala
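Review bot: The two `ObjectFilterPlaceHolder(child)` cases pick the operation type by comparing `child.nodeName` against string literals, so a placeholder wrapping any other node (or a Spark plan class that is renamed in a later version) silently falls through to the remaining cases, which lie outside this hunk and cannot be checked here; if none of them recognises the placeholder, the opType and privilege objects come from the generic path, which is the opposite of the skip this series intends. Matching on the wrapped plan's type would be more robust; if the string comparison is deliberate to stay independent of the Spark version, a comment should say so, e.g. `// compared by nodeName so this does not depend on a version-specific ShowTables/ShowNamespaces class`. A trailing `case ObjectFilterPlaceHolder(other) =>` that fails loudly (or maps to an explicit type) would make the fall-through visible instead of silent. A test that wraps each supported child in a placeholder and asserts that `build` yields no input objects would pin the intended behaviour; the body of `build` continues outside the hunk.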
@@ -307,7 +307,7 @@ object PrivilegesBuilder {
       case ObjectFilterPlaceHolder(child) if child.nodeName == "ShowTables" =>
         OperationType.SHOWTABLES
       case ObjectFilterPlaceHolder(child) if child.nodeName == "ShowNamespaces" =>
-        OperationType.SHOWTABLES
+        OperationType.SHOWDATABASES
       case _: FilteredShowTablesCommand => OperationType.SHOWTABLES
       case _: FilteredShowFunctionsCommand => OperationType.SHOWFUNCTIONS
       case _: FilteredShowColumnsCommand => OperationType.SHOWCOLUMNS
From 2018e784f803f346aff4e0a27a0b896be0223809 Mon Sep 17 00:00:00 2001
From: Angerszhuuuu
Date: Fri, 24 Nov 2023 18:45:29 +0800
Subject: [PATCH 3/3] Update RuleAuthorization.scala
---
 .../kyuubi/plugin/spark/authz/ranger/RuleAuthorization.scala | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RuleAuthorization.scala b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RuleAuthorization.scala
index afb4f7c54fd..c5c39c51197 100644
--- a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RuleAuthorization.scala
+++ b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RuleAuthorization.scala
@@ -35,10 +35,6 @@ class RuleAuthorization(spark: SparkSession) extends Authorization(spark) {
     val ugi = getAuthzUgi(spark.sparkContext)
     val (inputs, outputs, opType) = PrivilegesBuilder.build(plan, spark)
     val requests = new ArrayBuffer[AccessRequest]()
-    if (inputs.isEmpty && opType == OperationType.SHOWDATABASES) {
-      val resource = AccessResource(DATABASE, null, None)
-      requests += AccessRequest(resource, ugi, opType, AccessType.USE)
-    }
     def addAccessRequest(objects: Iterable[PrivilegeObject], isInput: Boolean): Unit = {
       objects.foreach { obj =>
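Review bot: Mapping the `ShowNamespaces` placeholder to `OperationType.SHOWDATABASES` routes it into the one operation type that `RuleAuthorization` handled specially (a synthesized `DATABASE`/`USE` request whenever inputs were empty), so on its own this line would make the placeholder trigger a check rather than skip one; the third patch on this page deletes that special case to compensate. That deletion is not scoped to the placeholder, though: any plan that reaches `RuleAuthorization` with `SHOWDATABASES` and no inputs — if such an unwrapped path exists, which this page does not show — now produces no access request at all. If the skip is meant only for authz-internal placeholders, it would be safer to key it on the placeholder type in `RuleAuthorization` (an explicit `case _: ObjectFilterPlaceHolder =>` branch that adds no request) and keep the `USE` request for every other `SHOWDATABASES` plan. A test asserting that a bare `SHOW DATABASES` still goes through the `USE` check would guard that distinction.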