From abbbc10c3d8ee54fbbdb7552a332de206812e80f Mon Sep 17 00:00:00 2001
From: Angerszhuuuu
Date: Mon, 23 Oct 2023 19:17:43 +0800
Subject: [PATCH] [KYUUBI #5503][AUTHZ] Auth check should not check Subquery since passed subquery from OptimizeSubqueries
---
 .../authz/ranger/RuleAuthorization.scala | 3 +-
 .../ranger/RangerSparkExtensionSuite.scala | 29 +++++++++++++++++++
 2 files changed, 31 insertions(+), 1 deletion(-)
diff --git a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RuleAuthorization.scala b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RuleAuthorization.scala
index 3203108dfae..3309baacbfd 100644
--- a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RuleAuthorization.scala
+++ b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RuleAuthorization.scala
@@ -21,7 +21,7 @@ import scala.collection.mutable.ArrayBuffer
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest
 import org.apache.spark.sql.SparkSession
-import org.apache.spark.sql.catalyst.plans.logical.LogicalPlan
+import org.apache.spark.sql.catalyst.plans.logical.{LogicalPlan, Subquery}
 import org.apache.spark.sql.catalyst.rules.Rule
 import org.apache.spark.sql.catalyst.trees.TreeNodeTag
@@ -33,6 +33,7 @@ import org.apache.kyuubi.plugin.spark.authz.util.AuthZUtils._
 class RuleAuthorization(spark: SparkSession) extends Rule[LogicalPlan] {
 override def apply(plan: LogicalPlan): LogicalPlan = {
 plan match {
+ case subquery: Subquery => subquery
 case plan if isAuthChecked(plan) => plan // do nothing if checked privileges already.
 case p => checkPrivileges(spark, p)
 }
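Review bot: The new `case subquery: Subquery => subquery` returns every `Subquery` root from the authorization rule unchecked and unmarked, without recording why that is safe, so the rule now silently depends on the invariant that the enclosing plan's `checkPrivileges` has already collected the tables and columns referenced inside the subquery before the optimizer re-runs on the wrapped subquery plan. That invariant is not visible in this hunk, and a later change to the privilege extractor could stop covering subquery expressions without any failure in this rule. A why-comment on the new case would make the dependency explicit, e.g. `// Subquery is the wrapper the optimizer puts around a subquery plan it re-optimizes; its privileges are presumably already collected when the enclosing plan was checked, so skip rather than re-check it.` The rest of `apply` and `checkPrivileges` lie outside the hunk.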
diff --git a/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala b/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
index e4e3014f50a..658cf741d78 100644
--- a/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
+++ b/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
@@ -850,4 +850,33 @@ class HiveCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite {
 }
 }
 }
+
+ test("[KYUUBI #5503][AUTHZ] Auth check should not check Subquery") {
+ val db1 = defaultDb
+ val table1 = "table1"
+ val table2 = "table2"
+ val view1 = "view1"
+ withSingleCallEnabled {
+ withCleanTmpResources(
+ Seq((s"$db1.$table1", "table"), (s"$db1.$table2", "table"), (s"$db1.$view1", "view"))) {
+ doAs(admin, sql(s"CREATE TABLE IF NOT EXISTS $db1.$table1 (id int, scope int)"))
+ doAs(admin, sql(s"CREATE TABLE IF NOT EXISTS $db1.$table2 (id int, age int)"))
+ interceptContains[AccessControlException](
+ doAs(
+ someone,
+ sql(
+ s"""
+ |SELECT t1.id, age
+ |FROM $db1.$table1 t1,
+ |LATERAL (
+ | SELECT *
+ | FROM $db1.$table2 t2
+ | WHERE t1.id = t2.id
+ |)
+ |""".stripMargin).show()))(
+ s"does not have [select] privilege on " +
+ s"[$db1/$table1/id,$db1/$table2/age,$db1/$table2/id]")
+ }
+ }
+ }
 }
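Review bot: The added test only exercises the denial path: it checks that `someone` is refused and that the message lists columns from both the outer table and the lateral subquery, but nothing asserts that the same statement succeeds for a permitted user, which is the behaviour the new `Subquery` skip is meant to restore. A second `doAs(admin, sql(...).show())` on the same query, placed before the `interceptContains`, would pin that and guard against the skip being reverted. Separately, `view1` is registered in `withCleanTmpResources` but never created, so either drop `(s"$db1.$view1", "view")` from the `Seq` or remove `val view1`. The enclosing suite class starts outside the hunk.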