Skip to content

[KYUUBI #5417] Authz should not check dependent subquery plan privilege #5418

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
AngersZhuuuu wants to merge 15 commits into from
Closed

[KYUUBI #5417] Authz should not check dependent subquery plan privilege #5418

AngersZhuuuu wants to merge 15 commits into from

Conversation

@AngersZhuuuu
Copy link
Contributor

@AngersZhuuuu AngersZhuuuu commented Oct 13, 2023
edited
Loading

Why are the changes needed?

Fix #5417
If there is is a view with subquery, authz will still request this subquery's interval privilege, it's not we want.
For view

CREATE VIEW db.view1
AS
WITH temp AS (
    SELECT max(scope) max_scope
    FROM db1.table1)
SELECT id as new_id FROM db1.table2
WHERE scope = (SELECT max_scope FROM temp)

When we query the view

SEELCT * FROM db.view1

Before this pr, since spark will first execute subquery, it will first request [default/table1/scope] then request [default/view1/new_id]

after this pr, it only request [default/view1/new_id]

How was this patch tested?

  • Add some test cases that check the changes thoroughly including negative and positive cases if possible

  • Add screenshots for manual tests if appropriate

  • Run test locally before make a pull request

Was this patch authored or co-authored using generative AI tooling?

No

@AngersZhuuuu AngersZhuuuu marked this pull request as draft October 13, 2023 11:20
@AngersZhuuuu AngersZhuuuu marked this pull request as ready for review October 13, 2023 11:59
@AngersZhuuuu AngersZhuuuu changed the title [KYUUBI #5417]Authz will still check source table when persist view contains a subquery [KYUUBI #5417] Authz should not check dependent subquery plan privilege Oct 13, 2023
@codecov-commenter
Copy link

codecov-commenter commented Oct 13, 2023
edited
Loading

Codecov Report

Merging #5418 (e2669fa) into master (1b229b6) will not change coverage.
Report is 3 commits behind head on master.
The diff coverage is 0.00%.

@@          Coverage Diff           @@
##           master   #5418   +/-   ##
======================================
  Coverage    0.00%   0.00%           
======================================
  Files         588     588           
  Lines       33423   33435   +12     
  Branches     4391    4399    +8     
======================================
- Misses      33423   33435   +12
Files Coverage Δ
...gin/spark/authz/util/RuleEliminateViewMarker.scala 0.00% <0.00%> (ø)
...rk/authz/ranger/RuleApplyPermanentViewMarker.scala 0.00% <0.00%> (ø)
...ubi/plugin/spark/authz/serde/tableExtractors.scala 0.00% <0.00%> (ø)

... and 1 file with indirect coverage changes

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

@bowenliang123
Copy link
Contributor

bowenliang123 commented Oct 13, 2023
edited
Loading

Last year, I have done this PR #3326 for skipping shadowed source tables of the permanent view. The PermanentViewMarker was introduced with the RuleApplyPermanentViewMarker rule to get it done. Proper tests "KYUUBI #3326] check persisted view and skip shadowed table" are testing cases with permanent views.

Could you have a deep look at this and tell the difference before further implementations?

Skipping all the subqueries may be risky and not robust.

@yaooqinn
Copy link
Member

yaooqinn commented Oct 16, 2023

Please fix the PR title and description according to the latest updates. Thanks.

LGTM overall.

@yaooqinn yaooqinn added this to the v1.9.0 milestone Oct 17, 2023
@yaooqinn yaooqinn closed this in f75e4ac Oct 17, 2023
@yaooqinn
Copy link
Member

yaooqinn commented Oct 17, 2023

Thank you @AngersZhuuuu

Merged to master

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bowenliang123 bowenliang123 bowenliang123 left review comments

@yaooqinn yaooqinn yaooqinn approved these changes

Assignees

@AngersZhuuuu AngersZhuuuu

Labels

module:authz module:extensions module:spark

Projects

None yet

Milestone

v1.9.0

Development

Successfully merging this pull request may close these issues.

[TASK][EASY] Authz will still check source table when persist view contains a subquery

4 participants

@AngersZhuuuu @codecov-commenter @bowenliang123 @yaooqinn