[Improvement] [authz] Implement Ranger URL Policy, support read/write permission control of cloud storage paths

[elonlo]

Code of Conduct

• [X] I agree to follow this project's Code of Conduct

Search before asking

• [X] I have searched in the issues and found no similar issues.

What would you like to be improved?

Specify the cloud storage path (for example s3a://dev-admin/demo/) where the end-user permission is needed to read/write the Hive data from/to a cloud storage path.

Permissions:

• READ operation on the URL permits the user to perform SparkSQL operations which use S3 as data source for Hive tables.
• WRITE operation on the URL permits the user to perform SparkSQL operations which write data to the specified S3 location.

ref: https://docs.cloudera.com/HDPDocuments/HDP3/HDP-3.0.1/authorization-ranger/content/resource_policy_create_a_hive_policy.html

How should we improve?

Get the locations of the DDL or Insert operation, construct the URL Privilege, and use the ranger interface for verify

Are you willing to submit PR?

• [X] Yes. I can submit a PR independently to improve.
• [ ] Yes. I would be willing to submit a PR with guidance from the Kyuubi community to improve.
• [ ] No. I cannot submit a PR at this time.

[github-actions[bot]]

Hello @elonlo, Thanks for finding the time to report the issue! We really appreciate the community's efforts to improve Apache Kyuubi (Incubating).