update

AngersZhuuuu · AngersZhuuuu · commit 4f5e8505f10c · 2023-11-29T20:56:20.000+08:00
diff --git a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala
@@ -107,16 +107,16 @@ object PrivilegesBuilder {
           // For case 1, we should pass it's input as projection list
           // since it's children's columns was pruned.
           // For case too, we just skip.
-          if (columnPrune(p.references.toSeq, p.inputSet).isEmpty) {
+          if (columnPrune(p.references.toSeq ++ p.output, p.inputSet).isEmpty) {
             // If plan is project and output don't have relation to input, can ignore.
-            if (!p.isInstanceOf[Project]) {
+//            if (!p.isInstanceOf[Project]) {
               buildQuery(
                 child,
                 privilegeObjects,
                 p.inputSet.map(_.toAttribute).toSeq,
                 Nil,
                 spark)
-            }
+//            }
           } else {
             buildQuery(
               child,
@@ -314,6 +314,7 @@ object PrivilegesBuilder {
       case cmd: Command => buildCommand(cmd, inputObjs, outputObjs, spark)
       // Queries
       case _ =>
+        println(Project(plan.output, plan))
         buildQuery(Project(plan.output, plan), inputObjs, spark = spark)
         OperationType.QUERY
     }
diff --git a/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilderSuite.scala b/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilderSuite.scala
@@ -367,7 +367,7 @@ abstract class PrivilegesBuilderSuite extends AnyFunSuite
     assertEqualsIgnoreCase(reusedPartTableShort)(po0.objectName)
     if (isSparkV32OrGreater) {
       // Query in AlterViewAsCommand can not be resolved before SPARK-34698
-      assert(po0.columns === Seq("key", "value", "pid"))
+      assert(po0.columns === Seq("key", "pid", "value"))
       checkTableOwner(po0)
     }
     val accessType0 = ranger.AccessType(po0, operationType, isInput = true)
@@ -995,15 +995,15 @@ abstract class PrivilegesBuilderSuite extends AnyFunSuite
   test("Query: Function") {
     checkColumns(
       s"select coalesce(max(key), pid, 1) from $reusedPartTable group by pid",
-      Seq("pid", "key"))
+      Seq("key", "pid"))
   }
 
   test("Query: CTE") {
     checkColumns(
       s"""
          |with t(c) as (select coalesce(max(key), pid, 1) from $reusedPartTable group by pid)
          |select c from t where c = 1""".stripMargin,
-      Seq( "pid", "key"))
+      Seq("key", "pid"))
   }
 
   test("Query: Nested query") {
@@ -1052,7 +1052,7 @@ abstract class PrivilegesBuilderSuite extends AnyFunSuite
       assertEqualsIgnoreCase(reusedDb)(po.dbname)
       assertStartsWithIgnoreCase(reusedTableShort)(po.objectName)
       assert(
-        po.columns === Seq("value", "pid", "key"),
+        po.columns === Seq("value", "key", "pid"),
         s"$reusedPartTable both 'key', 'value' and 'pid' should be authenticated")
       checkTableOwner(po)
       val accessType = ranger.AccessType(po, operationType, isInput = true)
@@ -1220,7 +1220,7 @@ abstract class PrivilegesBuilderSuite extends AnyFunSuite
       assertEqualsIgnoreCase(reusedDb)(po.dbname)
       assertStartsWithIgnoreCase(reusedTableShort)(po.objectName)
       assert(
-        po.columns === Seq("key", "value", "pid"),
+        po.columns === Seq("key", "pid", "value"),
         s"$reusedPartTable both 'key', 'value' and 'pid' should be authenticated")
       checkTableOwner(po)
       val accessType = ranger.AccessType(po, operationType, isInput = true)
@@ -1491,7 +1491,7 @@ class HiveCatalogPrivilegeBuilderSuite extends PrivilegesBuilderSuite {
     assert(po0.privilegeObjectType === PrivilegeObjectType.TABLE_OR_VIEW)
     assertEqualsIgnoreCase(reusedDb)(po0.dbname)
     assert(po0.objectName equalsIgnoreCase reusedPartTable.split("\\.").last)
-    assert(po0.columns === Seq("key", "value", "pid"))
+    assert(po0.columns === Seq("key", "pid", "value"))
     checkTableOwner(po0)
     val accessType0 = ranger.AccessType(po0, operationType, isInput = true)
     assert(accessType0 === AccessType.SELECT)
@@ -1622,7 +1622,7 @@ class HiveCatalogPrivilegeBuilderSuite extends PrivilegesBuilderSuite {
     assert(po0.privilegeObjectType === PrivilegeObjectType.TABLE_OR_VIEW)
     assertEqualsIgnoreCase(reusedDb)(po0.dbname)
     assert(po0.objectName equalsIgnoreCase reusedPartTable.split("\\.").last)
-    assert(po0.columns === Seq("key", "value", "pid"))
+    assert(po0.columns === Seq("key", "pid", "value"))
     checkTableOwner(po0)
     val accessType0 = ranger.AccessType(po0, operationType, isInput = true)
     assert(accessType0 === AccessType.SELECT)
@@ -1655,7 +1655,7 @@ class HiveCatalogPrivilegeBuilderSuite extends PrivilegesBuilderSuite {
     assert(po0.privilegeObjectType === PrivilegeObjectType.TABLE_OR_VIEW)
     assertEqualsIgnoreCase(reusedDb)(po0.dbname)
     assert(po0.objectName equalsIgnoreCase reusedPartTable.split("\\.").last)
-    assert(po0.columns === Seq("key", "value", "pid"))
+    assert(po0.columns === Seq("key", "pid", "value"))
     checkTableOwner(po0)
     val accessType0 = ranger.AccessType(po0, operationType, isInput = true)
     assert(accessType0 === AccessType.SELECT)
@@ -1751,7 +1751,7 @@ class HiveCatalogPrivilegeBuilderSuite extends PrivilegesBuilderSuite {
     assert(out1.isEmpty)
     val pi1 = in1.head
     assert(pi1.columns.size === 3)
-    assert(pi1.columns === Seq("pid", "key", "value"))
+    assert(pi1.columns === Seq("key", "pid", "value"))
 
     // case2: Some columns are involved, and the group column is not selected.
     val plan2 = sql(s"SELECT COUNT(key) FROM $reusedPartTable GROUP BY pid")
@@ -1761,7 +1761,7 @@ class HiveCatalogPrivilegeBuilderSuite extends PrivilegesBuilderSuite {
     assert(out2.isEmpty)
     val pi2 = in2.head
     assert(pi2.columns.size === 2)
-    assert(pi2.columns === Seq("pid", "key"))
+    assert(pi2.columns === Seq("key", "pid"))
 
     // case3: Some columns are involved, and the group column is selected.
     val plan3 = sql(s"SELECT COUNT(key), pid FROM $reusedPartTable GROUP BY pid")
@@ -1781,7 +1781,7 @@ class HiveCatalogPrivilegeBuilderSuite extends PrivilegesBuilderSuite {
     assert(out4.isEmpty)
     val pi4 = in4.head
     assert(pi4.columns.size === 2)
-    assert(pi4.columns === Seq("pid", "key"))
+    assert(pi4.columns === Seq("key", "pid"))
   }
 }
 
diff --git a/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala b/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
@@ -641,14 +641,12 @@ class HiveCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite {
         s" FROM $db1.$srcTable1 as tb1" +
         s" JOIN $db1.$srcTable2 as tb2" +
         s" on tb1.id = tb2.id"
-      val e1 = intercept[AccessControlException](doAs(someone, sql(insertSql1)))
-      assert(e1.getMessage.contains(s"does not have [select] privilege on [$db1/$srcTable1/id]"))
 
       withSingleCallEnabled {
-        val e2 = intercept[AccessControlException](doAs(someone, sql(insertSql1)))
-        assert(e2.getMessage.contains(s"does not have" +
+        val e = intercept[AccessControlException](doAs(someone, sql(insertSql1)))
+        assert(e.getMessage.contains(s"does not have" +
           s" [select] privilege on" +
-          s" [$db1/$srcTable1/id,$db1/$srcTable1/name,$db1/$srcTable1/city," +
+          s" [$db1/$srcTable1/city,$db1/$srcTable1/id,$db1/$srcTable1/name," +
           s"$db1/$srcTable2/age,$db1/$srcTable2/id]," +
           s" [update] privilege on [$db1/$sinkTable1/id,$db1/$sinkTable1/age," +
           s"$db1/$sinkTable1/name,$db1/$sinkTable1/city]"))
@@ -678,11 +676,14 @@ class HiveCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite {
           sql(s"CREATE TABLE IF NOT EXISTS $db1.$srcTable1" +
             s" (id int, name string, city string)"))
 
-        val e1 = intercept[AccessControlException](
-          doAs(someone, sql(s"CACHE TABLE $cacheTable2 select * from $db1.$srcTable1")))
-        assert(
-          e1.getMessage.contains(s"does not have [select] privilege on [$db1/$srcTable1/id]"))
+        withSingleCallEnabled {
+          val e1 = intercept[AccessControlException](
+            doAs(someone, sql(s"CACHE TABLE $cacheTable2 select * from $db1.$srcTable1")))
+          assert(
+            e1.getMessage.contains(s"does not have [select] privilege on " +
+              s"[$db1/$srcTable1/city,$db1/$srcTable1/id,$db1/$srcTable1/name]"))
 
+        }
         doAs(admin, sql(s"CACHE TABLE $cacheTable3 SELECT 1 AS a, 2 AS b "))
         doAs(someone, sql(s"CACHE TABLE $cacheTable4 select 1 as a, 2 as b "))
       }
@@ -1325,7 +1326,7 @@ class HiveCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite {
           doAs(
             someone,
             sql(s"SELECT typeof(id), typeof(typeof(day)) FROM $db1.$table1").collect()))(
-          s"does not have [select] privilege on [$db1/$table1/id,$db1/$table1/day]")
+          s"does not have [select] privilege on [$db1/$table1/day,$db1/$table1/id]")
         interceptEndsWith[AccessControlException](
           doAs(
             someone,
@@ -1335,7 +1336,7 @@ class HiveCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite {
                  |typeof(cast(id as string)),
                  |typeof(substring(day, 1, 3))
                  |FROM $db1.$table1""".stripMargin).collect()))(
-          s"does not have [select] privilege on [$db1/$table1/id,$db1/$table1/day]")
+          s"does not have [select] privilege on [$db1/$table1/day,$db1/$table1/id]")
         checkAnswer(
           admin,
           s"""
