[Bug][Authz] `CREATE OR REPLACE` operation requires `ALTER` table privilege instead of `CREATE` table privilege when table exists

apache / kyuubi

Apache Kyuubi is a distributed and multi-tenant gateway to provide serverless SQL on data warehouses and lakehouses.

https://kyuubi.apache.org/

Apache License 2.0

2.09k stars 913 forks source link

[Bug][Authz] `CREATE OR REPLACE` operation requires `ALTER` table privilege instead of `CREATE` table privilege when table exists #3845

Open wang-zhun opened 1 year ago

wang-zhun commented 1 year ago

Code of Conduct

[X] I agree to follow this project's Code of Conduct

Search before asking

[X] I have searched in the issues and found no similar issues.

Describe the bug

role A

CREATE VIEW default.view_tst(a, b) AS SELECT 1, 2;

DESC default.view_tst;

+---------+---------+----------+
| col_name|data_type|   comment|
+---------+---------+----------+
|        a|      int|      null|
|        b|      int|      null|
+---------+---------+----------+

role B

CREATE OR REPLACE VIEW default.view_tst(c, d) AS SELECT 1, 2;

role A

DESC default.view_tst;

+---------+---------+----------+
| col_name|data_type|   comment|
+---------+---------+----------+
|        c|      int|      null|
|        d|      int|      null|
+---------+---------+----------+

B has the permission to create tables in the default database, but does not have the permission to modify default.view_tst. In fact, B can be modified successfully, indicating that there is a permission leak in the table of A

Affects Version(s)

master

github-actions[bot] commented 1 year ago

Hello @wang-zhun, Thanks for finding the time to report the issue! We really appreciate the community's efforts to improve Apache Kyuubi (Incubating).

pan3793 commented 1 year ago

cc @bowenliang123 @zhouyifan279

bowenliang123 commented 1 year ago

Currently the opType for privilege check, soly relies on the node name of the plan, which lacks of detail of plan. 1.see calling RuleAuthorization https://github.com/apache/incubator-kyuubi/blob/master/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RuleAuthorization.scala#L50 2.see mapping CreateViewCommand to CREATEVIEW in OperationType https://github.com/apache/incubator-kyuubi/blob/master/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/OperationType.scala#L73

In order to satisfy determining the opType of command , we have to,

modify OperationType.apply to make it accept plan detail
use the detail of the plan to determine opType, in this case, we may rely on the allowExisting attribute of CreateViewCommand to check whether the view existed. https://github.com/apache/spark/blob/v3.3.1/sql/core/src/main/scala/org/apache/spark/sql/execution/command/views.scala#L53

wang-zhun commented 1 year ago

@bowenliang123 ReplaceTable and ReplaceTableAsSelect also require r.catalog.tableExists(r.tableName)

bowenliang123 commented 1 year ago

The opType (as operationType) is now hardcoded string value in spec json as in CommandSpec. We may need to find a way to decouple opType with classname in the spec, and allow it to be changed in extractor in runtime. cc @yaooqinn