update

apache · Oct 23, 2023 · 3bfd9e6 · 3bfd9e6
1 parent 6b8c0e6
commit 3bfd9e6
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 3 deletions.
diff --git a/...main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RuleApplyPermanentViewMarker.scala b/...main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RuleApplyPermanentViewMarker.scala
@@ -39,9 +39,6 @@ class RuleApplyPermanentViewMarker extends Rule[LogicalPlan] {
       case permanentView: View if hasResolvedPermanentView(permanentView) =>
         val resolvedSubquery = permanentView.transformAllExpressions {
           case subquery: SubqueryExpression =>
-            // TODO: Currently, we do not do an auth check in the subquery
-            //  as the main query part also secures it. But for performance consideration,
-            //  we also pre-check it in subqueries and fail fast with negative privileges.
             subquery.withNewPlan(plan =
               PermanentViewMarker(
                 subquery.plan,

diff --git a/...rc/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala b/...rc/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
@@ -835,4 +835,49 @@ class HiveCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite {
       assert(e2.getMessage.contains(s"does not have [select] privilege on [$db1/$view1/new_id]"))
     }
   }
+
+  test("[KYUUBI #5475] Check permanent view's subquery should check view's correct privilege") {
+    val db1 = defaultDb
+    val table1 = "table1"
+    val table2 = "table2"
+    val view1 = "view1"
+    withSingleCallEnabled {
+      withCleanTmpResources(
+        Seq((s"$db1.$table1", "table"), (s"$db1.$table2", "table"), (s"$db1.$view1", "view"))) {
+        doAs(admin, sql(s"CREATE TABLE IF NOT EXISTS $db1.$table1(id int, scope int)"))
+        doAs(
+          admin,
+          sql(
+            s"""
+               | CREATE TABLE IF NOT EXISTS $db1.$table2(
+               |  id int,
+               |  name string,
+               |  age int,
+               |  scope int)
+               | """.stripMargin))
+        doAs(
+          admin,
+          sql(
+            s"""
+               |CREATE VIEW $db1.$view1
+               |AS
+               |WITH temp AS (
+               |    SELECT max(scope) max_scope
+               |    FROM $db1.$table1)
+               |SELECT id, name, max(scope) as max_scope, sum(age) sum_age
+               |FROM $db1.$table2
+               |WHERE scope in (SELECT max_scope FROM temp)
+               |GROUP BY id, name
+               |""".stripMargin))
+        // Will just check permanent view privilege.
+        val e2 = intercept[AccessControlException](
+          doAs(
+            someone,
+            sql(s"SELECT id as new_id, name, max_scope FROM $db1.$view1".stripMargin).show()))
+        assert(e2.getMessage.contains(
+          s"does not have [select] privilege on " +
+            s"[$db1/$view1/id,$db1/$view1/name,$db1/$view1/max_scope,$db1/$view1/sum_age]"))
+      }
+    }
+  }
 }