Update

apache · Oct 10, 2023 · 1ed1f3a · 1ed1f3a
1 parent 7ee3c7d
commit 1ed1f3a
Show file tree

Hide file tree

Showing 3 changed files with 73 additions and 42 deletions.
diff --git a/...i-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/AccessType.scala b/...i-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/AccessType.scala
@@ -37,6 +37,7 @@ object AccessType extends Enumeration {
             if (isInput) SELECT else CREATE
           case ALTERDATABASE |
               ALTERDATABASE_LOCATION |
+              ALTERTABLE |
               ALTERTABLE_ADDCOLS |
               ALTERTABLE_ADDPARTS |
               ALTERTABLE_DROPPARTS |

diff --git a/...ubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/util/AuthZUtils.scala b/...ubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/util/AuthZUtils.scala
@@ -87,6 +87,8 @@ private[authz] object AuthZUtils {
   lazy val isSparkV31OrGreater: Boolean = SPARK_RUNTIME_VERSION >= "3.1"
   lazy val isSparkV32OrGreater: Boolean = SPARK_RUNTIME_VERSION >= "3.2"
   lazy val isSparkV33OrGreater: Boolean = SPARK_RUNTIME_VERSION >= "3.3"
+  lazy val isSparkV34OrGreater: Boolean = SPARK_RUNTIME_VERSION >= "3.4"
+  lazy val isSparkV35OrGreater: Boolean = SPARK_RUNTIME_VERSION >= "3.5"
 
   def quoteIfNeeded(part: String): String = {
     if (part.matches("[a-zA-Z0-9_]+") && !part.matches("\\d+")) {

diff --git a/.../org/apache/kyuubi/plugin/spark/authz/ranger/HoodieCatalogRangerSparkExtensionSuite.scala b/.../org/apache/kyuubi/plugin/spark/authz/ranger/HoodieCatalogRangerSparkExtensionSuite.scala
@@ -32,9 +32,9 @@ import org.apache.kyuubi.util.AssertionUtils.interceptContains
  */
 @HoodieTest
 class HoodieCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite {
-  override protected val catalogImpl: String = "in-memory"
+  override protected val catalogImpl: String = "hive"
   override protected val sqlExtensions: String =
-    if (isSparkV31OrGreater) {
+    if (isSparkV31OrGreater && !isSparkV35OrGreater) {
       "org.apache.spark.sql.hudi.HoodieSparkSessionExtension"
     } else {
       ""
@@ -50,17 +50,16 @@ class HoodieCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite {
   val outputTable1 = "outputTable_hoodie"
 
   override def withFixture(test: NoArgTest): Outcome = {
-    assume(isSparkV31OrGreater)
+    assume(isSparkV31OrGreater && !isSparkV35OrGreater)
     test()
   }
 
   override def beforeAll(): Unit = {
-    if (isSparkV31OrGreater) {
+    if (isSparkV31OrGreater && !isSparkV35OrGreater) {
       if (isSparkV32OrGreater) {
         spark.conf.set(
           s"spark.sql.catalog.$sparkCatalog",
           "org.apache.spark.sql.hudi.catalog.HoodieCatalog")
-        spark.conf.set("hoodie.schema.on.read.enable", "true")
         spark.conf.set(s"spark.sql.catalog.$sparkCatalog.type", "hadoop")
         spark.conf.set(
           s"spark.sql.catalog.$sparkCatalog.warehouse",
@@ -71,49 +70,78 @@ class HoodieCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite {
   }
 
   override def afterAll(): Unit = {
-    if (isSparkV31OrGreater) {
+    if (isSparkV31OrGreater && !isSparkV35OrGreater) {
       super.afterAll()
       spark.sessionState.catalog.reset()
       spark.sessionState.conf.clear()
     }
   }
 
   test("[KYUUBI #5284] Kyuubi authz support Hoodie Alter Table Command") {
-    doAs(admin, sql(s"CREATE DATABASE IF NOT EXISTS $namespace1"))
-    doAs(
-      admin,
-      sql(
-        s"""
-           |CREATE TABLE IF NOT EXISTS $namespace1.$table1(id int, name string, city string)
-           |USING hudi
-           |OPTIONS (
-           | type = 'cow',
-           | primaryKey = 'id',
-           | 'hoodie.datasource.hive_sync.enable' = 'false'
-           |)
-           |PARTITIONED BY(city)
-           |""".stripMargin))
-
-    interceptContains[AccessControlException](
-      doAs(someone, sql(s"ALTER TABLE $namespace1.$table1 ADD COLUMNS(age int)")))(
-      s"does not have [alter] privilege on [$namespace1/$table1/age]")
-
-    interceptContains[AccessControlException](
-      doAs(someone, sql(s"ALTER TABLE $namespace1.$table1 CHANGE COLUMN id id bigint")))(
-      s"does not have [alter] privilege" +
-        s" on [$namespace1/$table1/id]")
-
-    interceptContains[AccessControlException](
-      doAs(someone, sql(s"ALTER TABLE $namespace1.$table1 DROP PARTITION (city='test')")))(
-      s"does not have [alter] privilege" +
-        s" on [$namespace1/$table1/city]")
-
-    interceptContains[AccessControlException](
-      doAs(someone, sql(s"ALTER TABLE $namespace1.$table1 RENAME TO $namespace1.$table2")))(
-      s"does not have [alter] privilege" +
-        s" on [$namespace1/$table1]")
-
-    doAs(admin, s"DROP TABLE IF EXISTS $namespace1.$table1")
-    doAs(admin, s"DROP DATABASE IF EXISTS $namespace1")
+    withCleanTmpResources(Seq((s"$namespace1.$table1", "table"), (namespace1, "database"))) {
+      doAs(admin, sql(s"CREATE DATABASE IF NOT EXISTS $namespace1"))
+      doAs(
+        admin,
+        sql(
+          s"""
+             |CREATE TABLE IF NOT EXISTS $namespace1.$table1(id int, name string, city string)
+             |USING hudi
+             |OPTIONS (
+             | type = 'cow',
+             | primaryKey = 'id',
+             | 'hoodie.datasource.hive_sync.enable' = 'false'
+             |)
+             |PARTITIONED BY(city)
+             |""".stripMargin))
+
+      if (isSparkV34OrGreater) {
+        interceptContains[AccessControlException](
+          doAs(someone,
+            sql(s"ALTER TABLE $namespace1.$table1 ADD COLUMNS(age int)")))(
+          s"does not have [alter] privilege on [$namespace1/$table1/age]")
+
+        interceptContains[AccessControlException](
+          doAs(someone,
+            sql(s"ALTER TABLE $namespace1.$table1 CHANGE COLUMN id id bigint")))(
+          s"does not have [alter] privilege" +
+            s" on [$namespace1/$table1/id]")
+
+        interceptContains[AccessControlException](
+          doAs(someone,
+            sql(s"ALTER TABLE $namespace1.$table1 DROP PARTITION (city='test')")))(
+          s"does not have [alter] privilege" +
+            s" on [$namespace1/$table1/city]")
+
+        interceptContains[AccessControlException](
+          doAs(someone,
+            sql(s"ALTER TABLE $namespace1.$table1 RENAME TO $namespace1.$table2")))(
+          s"does not have [alter] privilege" +
+            s" on [$namespace1/$table1]")
+      } else {
+        // All generate AlterTableCommand
+        interceptContains[AccessControlException](
+          doAs(someone,
+            sql(s"ALTER TABLE $namespace1.$table1 ADD COLUMNS(age int)")))(
+          s"does not have [alter] privilege on [$namespace1/$table1]")
+
+        interceptContains[AccessControlException](
+          doAs(someone,
+            sql(s"ALTER TABLE $namespace1.$table1 CHANGE COLUMN id id bigint")))(
+          s"does not have [alter] privilege" +
+            s" on [$namespace1/$table1]")
+
+        interceptContains[AccessControlException](
+          doAs(someone,
+            sql(s"ALTER TABLE $namespace1.$table1 DROP PARTITION (city='test')")))(
+          s"does not have [alter] privilege" +
+            s" on [$namespace1/$table1]")
+
+        interceptContains[AccessControlException](
+          doAs(someone,
+            sql(s"ALTER TABLE $namespace1.$table1 RENAME TO $namespace1.$table2")))(
+          s"does not have [alter] privilege" +
+            s" on [$namespace1/$table1]")
+      }
+    }
   }
 }