Open wang-zhun opened 1 year ago
Hello @wang-zhun, Thanks for finding the time to report the issue! We really appreciate the community's efforts to improve Apache Kyuubi (Incubating).
cc @bowenliang123 @zhouyifan279
Currently the opType for privilege check solely relies on the node name of the plan, which lacks detail of the plan.
1. see calling `RuleAuthorization` https://github.com/apache/incubator-kyuubi/blob/master/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RuleAuthorization.scala#L50
2. see mapping `CreateViewCommand` to `CREATEVIEW` in `OperationType` https://github.com/apache/incubator-kyuubi/blob/master/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/OperationType.scala#L73
In order to satisfy determining the opType of command, we have to,
1. `OperationType.apply` to make it accept plan detail
2. `allowExisting` attribute of `CreateViewCommand` to check whether the view existed. https://github.com/apache/spark/blob/v3.3.1/sql/core/src/main/scala/org/apache/spark/sql/execution/command/views.scala#L53

@bowenliang123 `ReplaceTable` and `ReplaceTableAsSelect` also require `r.catalog.tableExists(r.tableName)`
The `opType` (as operationType) is now a hardcoded string value in the spec json, as in `CommandSpec`.
We may need to find a way to decouple `opType` from `classname` in the spec, and allow it to be changed in the extractor at runtime.
cc @yaooqinn
Describe the bug
role A
role B
role A
B has the permission to create tables in the default database, but does not have the permission to modify `default.view_tst`. In fact, B can be modified successfully, indicating that there is a permission leak in the table of A.
Affects Version(s)
master
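
The gap discussed in this thread, as an added example that is not Kyuubi's or Spark's code: a name-only opType mapping beside one that also looks at plan detail and catalog state, each run through a simplified privilege check for roles A and B. Assumptions: `CreateView` is a stand-in for Spark's `CreateViewCommand` that keeps only a `replace` flag, the grants and catalog contents are constructed, and `ALTERVIEW_AS` is this example's choice of opType for replacing an existing view.

```scala
object OpTypeDemo {
  // Stand-in for Spark's CreateViewCommand: only the fields this example needs.
  final case class CreateView(db: String, view: String, replace: Boolean) {
    val nodeName = "CreateViewCommand"
  }

  // Constructed state: role A owns the view, role B may only create in the database.
  val existingViews: Set[String] = Set("default.view_tst")
  val grants: Map[String, Set[(String, String)]] = Map(
    "A" -> Set(("default", "create"), ("default.view_tst", "alter")),
    "B" -> Set(("default", "create")))

  // Name-only mapping, as the thread describes the current behaviour.
  def opTypeByName(p: CreateView): String = p.nodeName match {
    case "CreateViewCommand" => "CREATEVIEW"
    case _                   => "QUERY"
  }

  // Detail-aware mapping: replacing a view that already exists is an alteration.
  def opTypeByDetail(p: CreateView, exists: String => Boolean): String =
    if (p.replace && exists(s"${p.db}.${p.view}")) "ALTERVIEW_AS" else "CREATEVIEW"

  // (resource, access) that each opType must hold in this simplified model.
  def required(op: String, p: CreateView): (String, String) = op match {
    case "ALTERVIEW_AS" => (s"${p.db}.${p.view}", "alter")
    case _              => (p.db, "create")
  }

  def allowed(user: String, op: String, p: CreateView): Boolean =
    grants.getOrElse(user, Set.empty[(String, String)]).contains(required(op, p))

  def main(args: Array[String]): Unit = {
    val plan = CreateView("default", "view_tst", replace = true)
    val byName = opTypeByName(plan)
    val byDetail = opTypeByDetail(plan, existingViews.contains)
    println(s"name-only:    $byName -> B allowed = ${allowed("B", byName, plan)}")
    println(s"detail-aware: $byDetail -> B allowed = ${allowed("B", byDetail, plan)}")
  }
}
```

With the name-only mapping, B's database-level create grant is enough to pass the check for a view that A owns; the detail-aware mapping asks for alter on the view itself and denies B.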