Kyuubi Spark Ranger AuthZ plugin denies with `user [XX] does not have [write] privilege on [s3a://XXX]

[sujitrect]

Hi,
I am just experimenting on Ranger and Kyuubi Spark Ranger plugin.
I have setup all components on docker namely HMS (standalone), Minio (for s3), and Ranger docker containers (as in https://hub.docker.com/r/apache/ranger)
I have setup a allow policy on dev-hive service in Ranger and mapped to my user-role.
I am then trying to create a table through Spark running in my local mac after placing ranger shaded jar and required config as instructed at https://kyuubi.readthedocs.io/en/v1.7.3/security/authorization/spark/install.html

I am using below to get spark session

val spark = SparkSession
      .builder()
      .appName("SparkHiveTest")
      .config("hive.metastore.uris", "thrift://localhost:19083")
      .config("spark.sql.warehouse.dir", warehouseLocation)
      .config("spark.hadoop.fs.s3a.aws.credentials.provider", "org.apache.hadoop.fs.s3a.SimpleAWSCredentialsProvider")
      .config("spark.sql.extensions","org.apache.kyuubi.plugin.spark.authz.ranger.RangerSparkExtension")
      .enableHiveSupport()
      .getOrCreate()

Below code is failing:

spark.sql("CREATE DATABASE IF NOT EXISTS spark_tests")
spark.sql("CREATE EXTERNAL TABLE IF NOT EXISTS spark_tests.s3_table_1 (key INT, value STRING) STORED AS PARQUET LOCATION 's3a://spark/s3_table_1'")

Below is the exception

Exception in thread "main" org.apache.kyuubi.plugin.spark.authz.AccessControlException: Permission denied: user [sujit_mahapatra] does not have [write] privilege on [[s3a://spark/s3_table_1, s3a://spark/s3_table_1/]]
	at org.apache.kyuubi.plugin.spark.authz.ranger.SparkRangerAdminPlugin$.verify(SparkRangerAdminPlugin.scala:167)
	at org.apache.kyuubi.plugin.spark.authz.ranger.RuleAuthorization.checkPrivileges(RuleAuthorization.scala:73)
	at org.apache.kyuubi.plugin.spark.authz.rule.Authorization.apply(Authorization.scala:34)
	at org.apache.kyuubi.plugin.spark.authz.rule.Authorization.apply(Authorization.scala:29)
	at org.apache.spark.sql.catalyst.rules.RuleExecutor.$anonfun$execute$2(RuleExecutor.scala:222)
	at scala.collection.LinearSeqOptimized.foldLeft(LinearSeqOptimized.scala:126)
	at scala.collection.LinearSeqOptimized.foldLeft$(LinearSeqOptimized.scala:122)

I am able to execute the code and create tables without kyuubi (and thus ranger) i.e without .config("spark.sql.extensions","org.apache.kyuubi.plugin.spark.authz.ranger.RangerSparkExtension")
I also noted that Ranger policy defined for hive is taking effect i.e. table level auth are passing through by spark-kyuubi-ranger trio (tested separately by removing role mapping, which showed create table perms error in addition to s3 write perms)

Essentially, what I am asking is where to define policy for granting permissions to the s3 location and make spark-kyuubi recognise that as per policy.

Versions:
Spark: 3.4.4 local
kyuubi-spark-authz-shaded: 2.12-1.9.0
HMS standalone:3.0.0 (Used this tute)
Ranger: 2.4.0

[sujitrect]

On further tries, the conclusion I am drawing is any statement mentioning a path or accessing a path using Spark DF API is not going through with similar error as per the title.
I was able to for example get a table created and populated as below with ranger policies in place:

val table = "spark_tests5.s3_table_5"
val db = table.split("\\.")(0)
    
spark.sql(s"CREATE DATABASE IF NOT EXISTS $db")
spark.sql(s"CREATE TABLE IF NOT EXISTS $table (key INT, value STRING) USING PARQUET")
spark.sql(s"INSERT INTO $table(key, value) values(1, 'val1')")
spark.sql(s"select count(*) from $table").show(false)

I came across #5166 (comment)
and thinking my issue is related to this. Is this still not supported?