Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[KYUUBI #3325] [FEATURE] [AUTHZ] Privilege checks for permanent views and skipping shadowed tables #3326

Closed
wants to merge 15 commits into from
Closed

[KYUUBI #3325] [FEATURE] [AUTHZ] Privilege checks for permanent views and skipping shadowed tables #3326

wants to merge 15 commits into from

Conversation

bowenliang123
Copy link
Contributor

@bowenliang123 bowenliang123 commented Aug 24, 2022
edited
Loading

Why are the changes needed?

fix #3325

Permanent views are generally registed globally and then used for unifing, masking, joining tables for different practical purposes. The data manager would like to authorize views to users , but not all the source tables.

Authz plugin is not satisfiying this senario as it checks privileges all the source table instead of the permanent views.

Suggesting chaning behaviour of PrivilegesBuilder

  • check privileges for permanent view
  • skip privileges check for shadowed source view of permanent views

How was this patch tested?

  • Add some test cases that check the changes thoroughly including negative and positive cases if possible

  • Add screenshots for manual tests if appropriate

  • Run test locally before make a pull request

@bowenliang123 bowenliang123 changed the title [KYUUBI #3325] [FEATURE] [AUTHZ] Privileges check for permanent views and skipping shadowed source tables [KYUUBI #3325] [FEATURE] [AUTHZ] WIP: Privileges check for permanent views and skipping shadowed source tables Aug 24, 2022
@codecov-commenter
Copy link

codecov-commenter commented Aug 24, 2022
edited
Loading

Codecov Report

Merging #3326 (468f47a) into master (8f57c43) will decrease coverage by 0.03%.
The diff coverage is 68.42%.

@@             Coverage Diff              @@
##             master    #3326      +/-   ##
============================================
- Coverage     51.49%   51.45%   -0.04%     
  Complexity       13       13              
============================================
  Files           475      479       +4     
  Lines         26491    26556      +65     
  Branches       3698     3707       +9     
============================================
+ Hits          13641    13664      +23     
- Misses        11522    11560      +38     
- Partials       1328     1332       +4
Impacted Files Coverage Δ
...he/kyuubi/plugin/spark/authz/util/AuthZUtils.scala 41.02% <25.00%> (-1.84%) ⬇️
...gin/spark/authz/util/RuleEliminateViewMarker.scala 50.00% <50.00%> (ø)
.../plugin/spark/authz/util/PermanentViewMarker.scala 66.66% <66.66%> (ø)
...rk/authz/ranger/RuleApplyPermanentViewMarker.scala 83.33% <83.33%> (ø)
.../kyuubi/plugin/spark/authz/PrivilegesBuilder.scala 69.34% <100.00%> (+0.19%) ⬆️
...ugin/spark/authz/ranger/RangerSparkExtension.scala 100.00% <100.00%> (ø)
...apache/kyuubi/engine/JpsApplicationOperation.scala 77.41% <0.00%> (-3.23%) ⬇️
...g/apache/kyuubi/operation/BatchJobSubmission.scala 72.00% <0.00%> (-2.41%) ⬇️
...n/scala/org/apache/kyuubi/engine/ProcBuilder.scala 82.60% <0.00%> (-0.63%) ⬇️
.../org/apache/kyuubi/jdbc/hive/KyuubiConnection.java 3.97% <0.00%> (-0.16%) ⬇️
... and 8 more

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

@yaooqinn
Copy link
Member

cc @minyk @packyan who might be interested.

@yaooqinn yaooqinn added this to the v1.7.0 milestone Aug 25, 2022
@bowenliang123 bowenliang123 changed the title [KYUUBI #3325] [FEATURE] [AUTHZ] WIP: Privileges check for permanent views and skipping shadowed source tables [KYUUBI #3325] [FEATURE] [AUTHZ] Privileges check for permanent views and skipping shadowed source tables Aug 25, 2022
@bowenliang123 bowenliang123 changed the title [KYUUBI #3325] [FEATURE] [AUTHZ] Privileges check for permanent views and skipping shadowed source tables [KYUUBI #3325] [FEATURE] [AUTHZ] Privilege checks for permanent views and skipping shadowed source tables Aug 25, 2022
@bowenliang123 bowenliang123 changed the title [KYUUBI #3325] [FEATURE] [AUTHZ] Privilege checks for permanent views and skipping shadowed source tables [KYUUBI #3325] [FEATURE] [AUTHZ] Privilege checks for permanent views and skipping shadowed tables Aug 25, 2022
yaooqinn
yaooqinn reviewed Aug 25, 2022
View reviewed changes
...uubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala
@@ -129,6 +130,9 @@ object PrivilegesBuilder {
val db = quote(parts.init)
privilegeObjects += tablePrivileges(TableIdentifier(parts.last, Some(db)))

case permanentViewMarker: PermanentViewMarker =>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

  case PermanentViewMarker(child, table) => mergeProjection(table, child)

looks we need to change to the above one, we may still project a view

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK.
Changed to mergeProjection, and checking column level privileges for perm views.

@bowenliang123
add PermanentViewMarker for marking perm view catalogTable and check …
a0072c0 
…PrivilegesBuilder with PermanentViewMarker, finally maker cleanup in RuleEliminateViewMarker
@bowenliang123
add ut for permanent view privilege checks
94a837f
@bowenliang123
use reflection for isTempView of View
41c67ac
@bowenliang123
ut for spark30 and spark31greater
aea561c
@bowenliang123
simplify and remove applyPermanentViewMarker (+2 squashed commits)
76ec6b4 
Squashed commits:
[802e522] nit
[ba1beb4] nit
@bowenliang123
use isSparkVersionAtLeast 3.1.0 instead of try-catch RuntimeException…
6ef8131 
… non-existed isTempView field
@bowenliang123
rename ViewAccessAnalysis to RuleApplyPermanentViewMarker (+2 squashe…
3706dda 
…d commits)

Squashed commits:
[207ed7b] rename ViewAccessAnalysis to RuleApplyPermanentViewMarker
[f58be00] nit
@bowenliang123
view casting (+1 squashed commit)
78ff9d3 
Squashed commits:
[98f523d] fix error in view casting
@bowenliang123
change to use mergeProjection in PivilegesBuilder , checking column l…
4903f0a 
…evel privilege.
@bowenliang123
rename to hasResolvedPermanentView and check if plan resolved
81e8b99
@yaooqinn
Copy link
Member

hi @bowenliang123, please help resolve the conflicts when you have time

@bowenliang123
Copy link
Contributor Author

@yaooqinn sure. will do it soon.

@bowenliang123
Merge branch 'master' into feature-authz-perm-view
3cfb432 
# Conflicts:
#	extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
@bowenliang123
Copy link
Contributor Author

some ut for selecting unauthed view added and it remains unexpected error.

@bowenliang123 bowenliang123 mentioned this pull request Aug 29, 2022
Closed
3 tasks
@yaooqinn
Copy link
Member

thanks, merged to master

@yaooqinn yaooqinn closed this in 1989e4c Aug 30, 2022
@bowenliang123 bowenliang123 deleted the feature-authz-perm-view branch August 31, 2022 00:33
@iodone iodone mentioned this pull request Feb 14, 2023
Closed
4 tasks
@bowenliang123 bowenliang123 mentioned this pull request Mar 14, 2023
Closed
4 tasks
@bowenliang123 bowenliang123 mentioned this pull request Oct 13, 2023
Closed
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yaooqinn yaooqinn yaooqinn approved these changes

Assignees

@bowenliang123 bowenliang123

Labels
module:spark
Projects
None yet
Milestone
v1.7.0
Development

Successfully merging this pull request may close these issues.

[FEATURE] [AUTHZ] Privilege checks for permanent views and skipping shadowed tables
3 participants
@bowenliang123 @codecov-commenter @yaooqinn