Skip to content

Commit c969433

Browse files
committed
[KYUUBI #2472] Support FilteredShowTablesCommand for AuthZ module
### _Why are the changes needed?_ Support FilteredShowTablesCommand for AuthZ module ### _How was this patch tested?_ - [x] Add some test cases that check the changes thoroughly including negative and positive cases if possible - [ ] Add screenshots for manual tests if appropriate - [x] [Run test](https://kyuubi.apache.org/docs/latest/develop_tools/testing.html#running-tests) locally before make a pull request Closes #2476 from yaooqinn/2472. Closes #2472 8f6befe [Kent Yao] [KYUUBI #2472] Support FilteredShowTablesCommand for AuthZ module cc5b7a6 [Kent Yao] [KYUUBI #2472] Support FilteredShowTablesCommand for AuthZ module 7d6812f [Kent Yao] [KYUUBI #2472] Support FilteredShowTablesCommand for AuthZ module Authored-by: Kent Yao <yao@apache.org> Signed-off-by: Kent Yao <yao@apache.org>
1 parent 5a36db6 commit c969433

File tree

4 files changed

+103
-0
lines changed

4 files changed

+103
-0
lines changed

extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtension.scala

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -39,6 +39,7 @@ class RangerSparkExtension extends (SparkSessionExtensions => Unit) {
3939
SparkRangerAdminPlugin.init()
4040

4141
override def apply(v1: SparkSessionExtensions): Unit = {
42+
v1.injectResolutionRule(_ => new RuleReplaceShowObjectCommands())
4243
v1.injectResolutionRule(new RuleApplyRowFilterAndDataMasking(_))
4344
v1.injectOptimizerRule(_ => new RuleEliminateMarker())
4445
v1.injectOptimizerRule(new RuleAuthorization(_))
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,60 @@
1+
/*
2+
* Licensed to the Apache Software Foundation (ASF) under one or more
3+
* contributor license agreements. See the NOTICE file distributed with
4+
* this work for additional information regarding copyright ownership.
5+
* The ASF licenses this file to You under the Apache License, Version 2.0
6+
* (the "License"); you may not use this file except in compliance with
7+
* the License. You may obtain a copy of the License at
8+
*
9+
* http://www.apache.org/licenses/LICENSE-2.0
10+
*
11+
* Unless required by applicable law or agreed to in writing, software
12+
* distributed under the License is distributed on an "AS IS" BASIS,
13+
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14+
* See the License for the specific language governing permissions and
15+
* limitations under the License.
16+
*/
17+
18+
package org.apache.kyuubi.plugin.spark.authz.ranger
19+
20+
import org.apache.hadoop.security.UserGroupInformation
21+
import org.apache.spark.sql.{Row, SparkSession}
22+
import org.apache.spark.sql.catalyst.expressions.Attribute
23+
import org.apache.spark.sql.catalyst.plans.logical.LogicalPlan
24+
import org.apache.spark.sql.catalyst.rules.Rule
25+
import org.apache.spark.sql.execution.command.RunnableCommand
26+
27+
import org.apache.kyuubi.plugin.spark.authz.{ObjectType, OperationType}
28+
import org.apache.kyuubi.plugin.spark.authz.util.{AuthZUtils, WithInternalChild}
29+
30+
class RuleReplaceShowObjectCommands extends Rule[LogicalPlan] {
31+
override def apply(plan: LogicalPlan): LogicalPlan = plan match {
32+
case r: RunnableCommand if r.nodeName == "ShowTablesCommand" => FilteredShowTablesCommand(r)
33+
case _ => plan
34+
}
35+
}
36+
37+
case class FilteredShowTablesCommand(delegated: RunnableCommand)
38+
extends RunnableCommand with WithInternalChild {
39+
40+
override val output: Seq[Attribute] = delegated.output
41+
42+
override def run(spark: SparkSession): Seq[Row] = {
43+
val rows = delegated.run(spark)
44+
val ugi = AuthZUtils.getAuthzUgi(spark.sparkContext)
45+
rows.filter(r => isAllowed(r, ugi))
46+
}
47+
48+
private def isAllowed(r: Row, ugi: UserGroupInformation): Boolean = {
49+
val database = r.getString(0)
50+
val table = r.getString(1)
51+
val isTemp = r.getBoolean(2)
52+
val objectType = if (isTemp) ObjectType.VIEW else ObjectType.TABLE
53+
val resource = AccessResource(objectType, database, table, null)
54+
val request = AccessRequest(resource, ugi, OperationType.SHOWTABLES, AccessType.USE)
55+
val result = SparkRangerAdminPlugin.isAccessAllowed(request)
56+
result != null && result.getIsAllowed
57+
}
58+
59+
override def withNewChildrenInternal(newChildren: IndexedSeq[LogicalPlan]): LogicalPlan = this
60+
}
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,24 @@
1+
/*
2+
* Licensed to the Apache Software Foundation (ASF) under one or more
3+
* contributor license agreements. See the NOTICE file distributed with
4+
* this work for additional information regarding copyright ownership.
5+
* The ASF licenses this file to You under the Apache License, Version 2.0
6+
* (the "License"); you may not use this file except in compliance with
7+
* the License. You may obtain a copy of the License at
8+
*
9+
* http://www.apache.org/licenses/LICENSE-2.0
10+
*
11+
* Unless required by applicable law or agreed to in writing, software
12+
* distributed under the License is distributed on an "AS IS" BASIS,
13+
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14+
* See the License for the specific language governing permissions and
15+
* limitations under the License.
16+
*/
17+
18+
package org.apache.kyuubi.plugin.spark.authz.util
19+
20+
import org.apache.spark.sql.catalyst.plans.logical.LogicalPlan
21+
22+
trait WithInternalChild {
23+
def withNewChildrenInternal(newChildren: IndexedSeq[LogicalPlan]): LogicalPlan
24+
}

extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala

Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -255,6 +255,24 @@ abstract class RangerSparkExtensionSuite extends KyuubiFunSuite with SparkSessio
255255
doAs("admin", sql(s"DROP TABLE IF EXISTS $db.$table"))
256256
}
257257
}
258+
259+
test("show tables") {
260+
val db = "default2"
261+
val table = "src"
262+
try {
263+
doAs("admin", sql(s"CREATE DATABASE IF NOT EXISTS $db"))
264+
doAs("admin", sql(s"CREATE TABLE IF NOT EXISTS $db.$table (key int) USING $format"))
265+
doAs("admin", sql(s"CREATE TABLE IF NOT EXISTS $db.${table}for_show (key int) USING $format"))
266+
267+
doAs("admin", assert(sql(s"show tables from $db").collect().length === 2))
268+
doAs("bob", assert(sql(s"show tables from $db").collect().length === 0))
269+
doAs("i_am_invisible", assert(sql(s"show tables from $db").collect().length === 0))
270+
} finally {
271+
doAs("admin", sql(s"DROP TABLE IF EXISTS $db.$table"))
272+
doAs("admin", sql(s"DROP TABLE IF EXISTS $db.${table}for_show"))
273+
doAs("admin", sql(s"DROP DATABASE IF EXISTS $db"))
274+
}
275+
}
258276
}
259277

260278
class InMemoryCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite {

0 commit comments

Comments
 (0)