[KYUUBI #5503][FOLLOWUP][AUTHZ] Authz should skip inner plan that have been verified #5563

Closed
wants to merge 4 commits into from

AngersZhuuuu (Contributor) commented Oct 30, 2023

Why are the changes needed?

To close #5503
For SQL such as the lateral join in the test of "[KYUUBI #5503][AUTHZ] Check plan auth checked should not set tag to all child nodes", it will first verify the subquery in the lateral join and then verify the whole plan. If there is a view, then when verifying the whole plan, the PermanentViewMarker will be removed by Spark's optimizer.
Then it will verify both source tables, table1 and table2.
So I think we need to do 3 things:

  1. Mark all nodes under PermanentViewMarker's children as checked, and mark all of Subquery's children as checked.
  2. isAuthChecked should only check the first level of the plan, to avoid skipping the check of the whole plan in the demo test.
  3. In buildQuery, if the current node has the tag, we just skip it.

Without this PR, the SQL in the test will check both table1 and table2.

How was this patch tested?

  • Add some test cases that check the changes thoroughly including negative and positive cases if possible

  • Add screenshots for manual tests if appropriate

  • Run test locally before make a pull request

Was this patch authored or co-authored using generative AI tooling?

No
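
The three steps in the description above, modelled on a toy plan tree. This is an added example, not code from the PR or from Kyuubi: the `Node` class, the function names, the `followup` switch and the view name `db1.view1` are assumptions made for illustration, and the optimizer is reduced to a function that drops the view marker.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    kind: str            # Join, Subquery, Project, Relation, PermanentViewMarker
    name: str = ""
    children: list = field(default_factory=list)
    checked: bool = False  # stand-in for the "auth checked" tag on a plan node

def walk(node):
    yield node
    for child in node.children:
        yield from walk(child)

def build_query(node, followup, out):
    if followup and node.checked:           # step 3: skip a verified inner plan
        return out
    if node.kind == "PermanentViewMarker":  # check the view, not its source tables
        out.append(node.name)
        return out
    if node.kind == "Relation":
        out.append(node.name)
    for child in node.children:
        build_query(child, followup, out)
    return out

def authorize(plan, followup):
    if plan.checked:                        # step 2: only the root's tag is consulted
        return []
    required = build_query(plan, followup, [])
    for node in list(walk(plan)):           # step 1: tag whole view/subquery subtrees
        if followup and node.kind in ("PermanentViewMarker", "Subquery"):
            for inner in walk(node):
                inner.checked = True
    plan.checked = True
    return required

def strip_markers(node):  # models the optimizer dropping PermanentViewMarker
    if node.kind == "PermanentViewMarker":
        return strip_markers(node.children[0])
    node.children = [strip_markers(c) for c in node.children]
    return node

def lateral_join_checks(followup):  # db1.view1 is a constructed name
    view = Node("PermanentViewMarker", "db1.view1", [Node("Relation", "db1.table2")])
    sub = Node("Subquery", children=[Node("Project", children=[view])])
    whole = Node("Join", children=[Node("Relation", "db1.table1"), sub])
    first = authorize(sub, followup)                    # lateral subquery first
    second = authorize(strip_markers(whole), followup)  # then the optimized whole plan
    return first, second
```

With `followup=False` the second pass asks for privileges on both `db1.table1` and `db1.table2`; with `followup=True` it asks only for `db1.table1`, because the view's source table was tagged during the first pass.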

AngersZhuuuu (Contributor Author)

ping @yaooqinn A follow up of #5503 to fix lateral join issue.

|)
|""".stripMargin).show()))(
s"does not have [select] privilege on " +
s"[$db1/$table1/id]")
Contributor Author

Debugged: when checking the whole plan, it only checks table1 and won't check table2 again.

AngersZhuuuu (Contributor Author) commented Oct 31, 2023

In our prod, this fix works well as expected. cc @yaooqinn

yaooqinn added this to the v1.9.0 milestone Oct 31, 2023
pan3793 closed this in 9be2a9c Oct 31, 2023

pan3793 (Member) commented Oct 31, 2023

Thanks, merged to master

Successfully merging this pull request may close these issues.

[TASK][EASY] LATERAL SQL miss check the whole plan
3 participants