[SPARK-45124][CONNET] Do not use local user ID for Local Relations #42880
Closed
HyukjinKwon wants to merge 1 commit into apache:master from
Author (Member): This has to be backported to branch-3.5.
zhengruifeng approved these changes Sep 12, 2023
grundprinzip approved these changes Sep 12, 2023
Author (Member): Merged to master and branch-3.5.
HyukjinKwon added a commit that referenced this pull request Sep 12, 2023
### What changes were proposed in this pull request?

This PR removes the use of `userId` and `sessionId` in `CachedLocalRelation` messages and subsequently makes `SparkConnectPlanner` use the `userId`/`sessionId` of the active session rather than the user-provided information.

### Why are the changes needed?

Allowing a fetch of a local relation using user-provided information is a potential security risk since this allows users to fetch arbitrary local relations.

### Does this PR introduce _any_ user-facing change?

Virtually no. It will ignore the session id or user id that users set (but instead use internal ones that users cannot manipulate).

### How was this patch tested?

Manually.

### Was this patch authored or co-authored using generative AI tooling?

No.

Closes #42880 from HyukjinKwon/no-local-user.

Authored-by: Hyukjin Kwon <gurwls223@apache.org>
Signed-off-by: Hyukjin Kwon <gurwls223@apache.org>
(cherry picked from commit 47d801e)
Signed-off-by: Hyukjin Kwon <gurwls223@apache.org>
### What changes were proposed in this pull request?

This PR removes the use of `userId` and `sessionId` in `CachedLocalRelation` messages and subsequently makes `SparkConnectPlanner` use the `userId`/`sessionId` of the active session rather than the user-provided information.

### Why are the changes needed?

Allowing a fetch of a local relation using user-provided information is a potential security risk since this allows users to fetch arbitrary local relations.

### Does this PR introduce any user-facing change?

Virtually no. It will ignore the session id or user id that users set (but instead use internal ones that users cannot manipulate).

### How was this patch tested?

Manually.

### Was this patch authored or co-authored using generative AI tooling?

No.
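
The lookup change described in this pull request, modelled as an added example that is not code from the PR or from Spark. All class, method and field names are hypothetical; the only thing taken from the page is that a cached relation was looked up with the user and session IDs carried in the message, and is now looked up with those of the active session.

```python
# Added illustration; every name here is hypothetical, not Spark's API.
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Identity the server established for this connection."""
    user_id: str
    session_id: str


@dataclass(frozen=True)
class CachedRelationRequest:
    """Client-built message. user_id/session_id model the removed fields."""
    hash: str
    user_id: str = ""
    session_id: str = ""


class RelationCache:
    """Server-side store keyed by (user_id, session_id, hash)."""

    def __init__(self):
        self._blocks = {}

    def put(self, session, hash_, data):
        self._blocks[(session.user_id, session.session_id, hash_)] = data

    def get_trusting_request(self, session, req):
        # Before: the key comes from the message, so the caller picks the owner.
        return self._blocks.get((req.user_id, req.session_id, req.hash))

    def get_bound_to_session(self, session, req):
        # After: owner fields in the message are ignored; the key comes from
        # the active session, which the client cannot set.
        return self._blocks.get((session.user_id, session.session_id, req.hash))


def demo():
    cache = RelationCache()
    alice = Session("alice", "s-1")   # constructed sample identities
    bob = Session("bob", "s-2")
    cache.put(alice, "h-abc", b"alice rows")
    # Bob's session sends a request naming Alice as the owner.
    req = CachedRelationRequest(hash="h-abc", user_id="alice", session_id="s-1")
    return (cache.get_trusting_request(bob, req),
            cache.get_bound_to_session(bob, req),
            cache.get_bound_to_session(alice, req))
```

A regression test for this class of fix is the middle case: a request issued from one session that names another session's identifiers must come back empty.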