[TASK][EASY] Authz Treat PVM as leaf node to make it logic more simple #5780

Closed
3 of 4 tasks
Tracked by #5474
AngersZhuuuu opened this issue Nov 27, 2023 · 0 comments
Code of Conduct

Search before asking

  • I have searched in the issues and found no similar issues.

What would you like to be improved?

Authz: treat PVM as a leaf node to make its logic simpler

How should we improve?

No response

Are you willing to submit PR?

  • Yes. I would be willing to submit a PR with guidance from the Kyuubi community to improve.
  • No. I cannot submit a PR at this time.
AngersZhuuuu added a commit to AngersZhuuuu/incubator-kyuubi that referenced this issue Nov 27, 2023
yaooqinn pushed a commit that referenced this issue Nov 30, 2023
…le privilege

# 🔍 Description
## Issue References 🔗

This pull request fixes #5793

## Describe Your Solution 🔧
For SQL that has a nested scalar-subquery, the scalar-subquery inside a scalar-subquery was not wrapped by `PVM`; this PR fixes this.
Note: This bug is not imported by #5780

## Types of changes 🔖

- [x] Bugfix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to change)

## Test Plan 🧪

#### Behavior Without This Pull Request ⚰️
```
CREATE VIEW $db1.$view1
AS
SELECT id, name, max(scope) as max_scope, sum(age) sum_age
FROM $db1.$table2
WHERE scope in (
    SELECT max(scope) max_scope
    FROM $db1.$table1
   WHERE id IN (SELECT id FROM $db1.$table3)
)
GROUP BY id, name
```

When we query `$db1.$view1` and we have `view1`'s privilege, it will throw:
```
Permission denied: user [user_perm_view_only] does not have [select] privilege on [default/table3/id]
org.apache.kyuubi.plugin.spark.authz.AccessControlException: Permission denied: user [user_perm_view_only] does not have [select] privilege on [default/table3/id]
   at org.apache.kyuubi.plugin.spark.authz.ranger.SparkRangerAdminPlugin$.verify(SparkRangerAdminPlugin.scala:167)
```

#### Behavior With This Pull Request 🎉
 Won't request `table3`'s privilege

#### Related Unit Tests

---

# Checklists
## 📝 Author Self Checklist

- [x] My code follows the [style guidelines](https://kyuubi.readthedocs.io/en/master/contributing/code/style.html) of this project
- [x] I have performed a self-review
- [x] I have commented my code, particularly in hard-to-understand areas
- [x] I have made corresponding changes to the documentation
- [x] My changes generate no new warnings
- [x] I have added tests that prove my fix is effective or that my feature works
- [x] New and existing unit tests pass locally with my changes
- [x] This patch was not authored or co-authored using [Generative Tooling](https://www.apache.org/legal/generative-tooling.html)

## 📝 Committer Pre-Merge Checklist

- [x] Pull request title is okay.
- [x] No license issues.
- [x] Milestone correctly set?
- [x] Test coverage is ok
- [x] Assignees are selected.
- [x] Minimum number of approvals
- [x] No changes are requested

**Be nice. Be informative.**

Closes #5794 from AngersZhuuuu/KYUUBI-5793.

Closes #5793

f364d89 [Angerszhuuuu] [KYUUBI #5793][BUG] PVM with nested scala-subquery should not src table privilege"

Authored-by: Angerszhuuuu <angers.zhu@gmail.com>
Signed-off-by: Kent Yao <yao@apache.org>
yaooqinn pushed a commit that referenced this issue Dec 1, 2023
… check src table privilege

# 🔍 Description
## Issue References 🔗

This pull request fixes #5793

## Describe Your Solution 🔧
For SQL that has a nested scalar-subquery, the scalar-subquery inside a scalar-subquery was not wrapped by `PVM`; this PR fixes this.
Note: This bug is not imported by #5780

## Types of changes 🔖

- [x] Bugfix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to change)

## Test Plan 🧪

#### Behavior Without This Pull Request ⚰️
```
CREATE VIEW $db1.$view1
AS
SELECT id, name, max(scope) as max_scope, sum(age) sum_age
FROM $db1.$table2
WHERE scope in (
    SELECT max(scope) max_scope
    FROM $db1.$table1
   WHERE id IN (SELECT id FROM $db1.$table3)
)
GROUP BY id, name
```

When we query `$db1.$view1` and we have `view1`'s privilege, it will throw:
```
Permission denied: user [user_perm_view_only] does not have [select] privilege on [default/table3/id]
org.apache.kyuubi.plugin.spark.authz.AccessControlException: Permission denied: user [user_perm_view_only] does not have [select] privilege on [default/table3/id]
   at org.apache.kyuubi.plugin.spark.authz.ranger.SparkRangerAdminPlugin$.verify(SparkRangerAdminPlugin.scala:167)
```

#### Behavior With This Pull Request 🎉
 Won't request `table3`'s privilege

#### Related Unit Tests

---

# Checklists
## 📝 Author Self Checklist

- [x] My code follows the [style guidelines](https://kyuubi.readthedocs.io/en/master/contributing/code/style.html) of this project
- [x] I have performed a self-review
- [x] I have commented my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation
- [x] My changes generate no new warnings
- [x] I have added tests that prove my fix is effective or that my feature works
- [x] New and existing unit tests pass locally with my changes
- [x] This patch was not authored or co-authored using [Generative Tooling](https://www.apache.org/legal/generative-tooling.html)

## 📝 Committer Pre-Merge Checklist

- [x] Pull request title is okay.
- [x] No license issues.
- [x] Milestone correctly set?
- [x] Test coverage is ok
- [x] Assignees are selected.
- [x] Minimum number of approvals
- [x] No changes are requested

**Be nice. Be informative.**

Closes #5796 from AngersZhuuuu/KYUUBI-5793.

Closes #5793

0f5ebc1 [Angerszhuuuu] Update RuleEliminatePermanentViewMarker.scala
f364d89 [Angerszhuuuu] [KYUUBI #5793][BUG] PVM with nested scala-subquery should not src table privilege"

Authored-by: Angerszhuuuu <angers.zhu@gmail.com>
Signed-off-by: Kent Yao <yao@apache.org>
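
A simplified model of the marking bug described in the commit message above, as an added example that is not Kyuubi's code: `Plan`, `Marker`, `markSubqueries` and `privilegesChecked` are hypothetical names, and the model assumes the privilege check runs on the root plan and again on each subquery plan as its own root. Marking only the first subquery level leaves `table3` subject to a direct check, while marking at every depth reduces the check to `view1`.

```scala
// Toy model only: every type and function name here is hypothetical.
sealed trait Plan
case class Table(name: String) extends Plan
// Filter whose predicate may carry a subquery plan (IN / scalar subquery).
case class Filter(child: Plan, subquery: Option[Plan]) extends Plan
// Leaf marker: records the view name and hides the plan it covers.
case class Marker(view: String, hidden: Plan) extends Plan

object PvmModel {
  // Wrap subquery plans found in a view body with the view's marker.
  // deep = false marks the first subquery level only (the behaviour before the fix).
  def markSubqueries(view: String, p: Plan, deep: Boolean): Plan = p match {
    case Filter(c, sq) =>
      Filter(markSubqueries(view, c, deep),
        sq.map(s => Marker(view, if (deep) markSubqueries(view, s, deep) else s)))
    case other => other
  }

  // Every subquery plan at any depth. Assumption: the engine that re-enters
  // subquery plans walks the real expressions, so it looks through markers.
  def subqueryRoots(p: Plan): Seq[Plan] = p match {
    case Table(_)          => Nil
    case Marker(_, hidden) => subqueryRoots(hidden)
    case Filter(c, sq)     => subqueryRoots(c) ++ sq.toSeq.flatMap(s => s +: subqueryRoots(s))
  }

  // Objects a single root needs SELECT on; a marker is a leaf, so stop there.
  def required(p: Plan): Set[String] = p match {
    case Table(n)     => Set(n)
    case Marker(v, _) => Set(v)
    case Filter(c, _) => required(c)
  }

  // Assumption: the check runs on the root and on each subquery plan separately.
  def privilegesChecked(root: Plan): Set[String] =
    (root +: subqueryRoots(root)).flatMap(required).toSet

  def main(args: Array[String]): Unit = {
    // Constructed sample mirroring the view in the commit message:
    // table2 WHERE scope IN (table1 WHERE id IN (table3))
    val body = Filter(Table("table2"), Some(Filter(Table("table1"), Some(Table("table3")))))
    for (deep <- Seq(false, true)) {
      val plan = Marker("view1", markSubqueries("view1", body, deep))
      println(s"deep=$deep -> ${privilegesChecked(plan).toSeq.sorted.mkString(", ")}")
    }
  }
}
```
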
pan3793 pushed a commit that referenced this issue Dec 1, 2023
# 🔍 Description
## Issue References 🔗

This pull request fixes #5780

## Describe Your Solution 🔧
 Format PermanentViewMarker tree string

## Types of changes 🔖

- [ ] Bugfix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to change)

## Test Plan 🧪

#### Behavior Without This Pull Request ⚰️
```
Project [new_id2#100]
+- Project [new_id#102 AS new_id2#100]
   +- RamPermanentViewMarker View (`test_default`.`my_view`, [new_id#102]), `test_default`.`my_view`, org.apache.hadoop.hive.serde2.lazy.LazySimpleSerDe
```

#### Behavior With This Pull Request 🎉
```
Project [new_id2#100]
+- Project [new_id#102 AS new_id2#100]
   +- RamPermanentViewMarker
      +- View (`test_default`.`my_view`, [new_id#102])
         +- Project [cast(new_id#101 as int) AS new_id#102]
            +- Project [id#103 AS new_id#101]
               +- SubqueryAlias spark_catalog.test_default.v1
                  +- HiveTableRelation [`test_default`.`v1`, org.apache.hadoop.hive.serde2.lazy.LazySimpleSerDe, Data Cols: [id#103, name#104, grade#105, sex#106], Partition Cols: []]
```
#### Related Unit Tests

---

# Checklists
## 📝 Author Self Checklist

- [x] My code follows the [style guidelines](https://kyuubi.readthedocs.io/en/master/contributing/code/style.html) of this project
- [x] I have performed a self-review
- [x] I have commented my code, particularly in hard-to-understand areas
- [x] I have made corresponding changes to the documentation
- [x] My changes generate no new warnings
- [x] I have added tests that prove my fix is effective or that my feature works
- [x] New and existing unit tests pass locally with my changes
- [x] This patch was not authored or co-authored using [Generative Tooling](https://www.apache.org/legal/generative-tooling.html)

## 📝 Committer Pre-Merge Checklist

- [ ] Pull request title is okay.
- [ ] No license issues.
- [ ] Milestone correctly set?
- [ ] Test coverage is ok
- [ ] Assignees are selected.
- [ ] Minimum number of approvals
- [ ] No changes are requested

**Be nice. Be informative.**

Closes #5792 from AngersZhuuuu/KYUUBI-5780-FOLLOWUP.

Closes #5780

d38b7d1 [Angerszhuuuu] trigger
3073f6e [Angerszhuuuu] Update PermanentViewMarker.scala
a3f025b [Angerszhuuuu] Update PermanentViewMarker.scala
432f1b5 [Angerszhuuuu] Update PermanentViewMarker.scala
6175e90 [Angerszhuuuu] [KYUUBI-5780][FOLLOWUP] Format PermanentViewMarker tree string

Authored-by: Angerszhuuuu <angers.zhu@gmail.com>
Signed-off-by: Cheng Pan <chengpan@apache.org>
pan3793 changed the title from "[Improvement] Authz Treat PVM as leaf node to make it logic more simple" to "[TASK][EASY] Authz Treat PVM as leaf node to make it logic more simple" on Dec 11, 2023