[KYUUBI #3430] AlterTableRenameCommand should skip permission check i…

…f it's tempview ### _Why are the changes needed?_ Fix #3430 `AlterTableRenameCommand` should skip permission check if it's tempview ### _How was this patch tested?_ - [ ] Add some test cases that check the changes thoroughly including negative and positive cases if possible - [ ] Add screenshots for manual tests if appropriate - [ ] [Run test](https://kyuubi.apache.org/docs/latest/develop_tools/testing.html#running-tests) locally before make a pull request Closes #3431 from Yikf/view-rename. Closes #3430 054948e [yikf] AlterTableRenameCommand should skip permission check if it is tempview Authored-by: yikf <yikaifei1@gmail.com> Signed-off-by: Kent Yao <yao@apache.org>
apache · Sep 7, 2022 · 365c1cc · 365c1cc
1 parent 9a53b2c
commit 365c1cc
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 2 deletions.
diff --git a/...i-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala b/...i-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala
@@ -222,8 +222,10 @@ object PrivilegesBuilder {
       case "AlterTableRenameCommand" =>
         val oldTable = getPlanField[TableIdentifier]("oldName")
         val newTable = getPlanField[TableIdentifier]("newName")
-        outputObjs += tablePrivileges(oldTable, actionType = PrivilegeObjectActionType.DELETE)
-        outputObjs += tablePrivileges(newTable)
+        if (!isTempView(oldTable, spark)) {
+          outputObjs += tablePrivileges(oldTable, actionType = PrivilegeObjectActionType.DELETE)
+          outputObjs += tablePrivileges(newTable)
+        }
 
       // this is for spark 3.1 or below
       case "AlterTableRecoverPartitionsCommand" =>

diff --git a/...rc/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala b/...rc/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
@@ -448,6 +448,29 @@ abstract class RangerSparkExtensionSuite extends AnyFunSuite
     }
   }
 
+  test("[KYUUBI #3430] AlterTableRenameCommand should skip permission check if it's tempview") {
+    val tempView = "temp_view"
+    val tempView2 = "temp_view2"
+    val globalTempView = "global_temp_view"
+    val globalTempView2 = "global_temp_view2"
+
+    // create or replace view
+    doAs("denyuser", sql(s"CREATE TEMPORARY VIEW $tempView AS select * from values(1)"))
+    doAs(
+      "denyuser",
+      sql(s"CREATE GLOBAL TEMPORARY VIEW $globalTempView AS SELECT * FROM values(1)"))
+
+    // rename view
+    doAs("denyuser2", sql(s"ALTER VIEW $tempView RENAME TO $tempView2"))
+    doAs(
+      "denyuser2",
+      sql(s"ALTER VIEW global_temp.$globalTempView RENAME TO global_temp.$globalTempView2"))
+
+    doAs("admin", sql(s"DROP VIEW IF EXISTS $tempView2"))
+    doAs("admin", sql(s"DROP VIEW IF EXISTS global_temp.$globalTempView2"))
+    doAs("admin", assert(sql("show tables from global_temp").collect().length == 0))
+  }
+
   test("[KYUUBI #3426] Drop temp view should be skipped permission check") {
     val tempView = "temp_view"
     val globalTempView = "global_temp_view"