[KYUUBI #5965] [AUTHZ] Supports check hoodie procedures show_commits …

…resource privileges # 🔍 Description ## Issue References 🔗 This pull request aims to make AuthZ supports check [hoodie procedures show_commits](https://hudi.apache.org/docs/procedures#show_commits) resource privileges ## Describe Your Solution 🔧 Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change. ## Types of changes 🔖 - [x] Bugfix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Breaking change (fix or feature that would cause existing functionality to change) ## Test Plan 🧪 #### Behavior Without This Pull Request ⚰️ `CALL show_commits` passes permission checks whether they have permission or not #### Behavior With This Pull Request 🎉 `CALL show_commits` will not pass without permission #### Related Unit Tests New test added, extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/HudiCatalogRangerSparkExtensionSuite.scala#ShowCommitsProcedure --- # Checklist 📝 - [x] This patch was not authored or co-authored using [Generative Tooling](https://www.apache.org/legal/generative-tooling.html) **Be nice. Be informative.** Closes #5965 from Yikf/hudi-showcommits. Closes #5965 4e609b0 [yikaifei] Supports check hoodie procedures show_commits resource privileges Authored-by: yikaifei <[email protected]> Signed-off-by: yikaifei <[email protected]>
apache · Jan 14, 2024 · 3af7551 · 3af7551
1 parent b9ce95b
commit 3af7551
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 0 deletions.
diff --git a/...ark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/serde/tableExtractors.scala b/...ark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/serde/tableExtractors.scala
@@ -438,6 +438,9 @@ abstract class HudiCallProcedureTableExtractor extends TableExtractor {
     (
       s"$PROCEDURE_CLASS_PATH.ShowClusteringProcedure",
       ProcedureArgsInputOutputPair(input = Some("table"))),
+    (
+      s"$PROCEDURE_CLASS_PATH.ShowCommitsProcedure",
+      ProcedureArgsInputOutputPair(input = Some("table"))),
     (
       s"$PROCEDURE_CLASS_PATH.ShowCommitExtraMetadataProcedure",
       ProcedureArgsInputOutputPair(input = Some("table"))),

diff --git a/...la/org/apache/kyuubi/plugin/spark/authz/ranger/HudiCatalogRangerSparkExtensionSuite.scala b/...la/org/apache/kyuubi/plugin/spark/authz/ranger/HudiCatalogRangerSparkExtensionSuite.scala
@@ -618,4 +618,30 @@ class HudiCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite {
       doAs(admin, sql(dropIndex))
     }
   }
+
+  test("ShowCommitsProcedure") {
+    withCleanTmpResources(Seq((s"$namespace1.$table1", "table"), (namespace1, "database"))) {
+      doAs(admin, sql(s"CREATE DATABASE IF NOT EXISTS $namespace1"))
+      doAs(
+        admin,
+        sql(
+          s"""
+             |CREATE TABLE IF NOT EXISTS $namespace1.$table1(id int, name string, city string)
+             |USING HUDI
+             |OPTIONS (
+             | type = 'mor',
+             | primaryKey = 'id',
+             | 'hoodie.datasource.hive_sync.enable' = 'false'
+             |)
+             |PARTITIONED BY(city)
+             |TBLPROPERTIES ('hoodie.datasource.write.precombine.field' = 'id')
+             |""".stripMargin))
+
+      val showCommitsSql = s"CALL SHOW_COMMITS(table => '$namespace1.$table1', limit => 10)"
+      interceptEndsWith[AccessControlException] {
+        doAs(someone, sql(showCommitsSql))
+      }(s"does not have [select] privilege on [$namespace1/$table1]")
+      doAs(admin, sql(showCommitsSql))
+    }
+  }
 }