Support checks for Iceberg system procedures in Authz #5406

Open
6 of 10 tasks
bowenliang123 opened this issue Oct 12, 2023 · 6 comments
@bowenliang123
Contributor

bowenliang123 commented Oct 12, 2023

Code of Conduct

Search before creating

  • I have searched in the task list and found no similar tasks.

Mentor

  • I have sufficient knowledge and experience of this task, and I volunteer to be the mentor of this task to guide contributors to complete the task.

Skill requirements

  • Familiarity with the Authz plugin, Ranger and the Iceberg Spark plugin
  • Familiarity with Authz testing

Background and Goals

Iceberg provides a series of system procedures for lifecycle management, which are essential for the lakehouse's administrators and users. Multiple plans may be executed in a single procedure.
Now the Authz plugin supports checking privileges for DMLs and DDLs on Iceberg tables, but system procedures are not in the range. This leaves a permission leak in Iceberg table management.

Doc reference: https://iceberg.apache.org/docs/latest/spark-procedures/
This task is targeted to ensure privilege checking on the Spark system procedures of Iceberg, including:

  • Snapshot management (tracked in #5407: [TASK][EASY] Authz Tests for Iceberg system procedures of snapshot management)
    • rollback_to_snapshot
    • rollback_to_timestamp
    • set_current_snapshot
    • cherrypick_snapshot
    • fast_forward
  • Metadata management
    • expire_snapshots
    • remove_orphan_files
    • rewrite_data_files
    • rewrite_manifests
    • rewrite_position_delete_files
  • Table migration
    • snapshot
    • migrate
    • add_files
    • register_table
  • Metadata information (Optional)
    • ancestors_of
    • Change Data Capture
    • create_changelog_view

Implementation steps

  1. Create e-2-e tests for Iceberg in Authz tests for each procedure
  2. Prepare and provide proper test cases for positive and negative conditions in each procedure
  3. Solve the unsupported logical plans of the procedures, which may have multiple plans in a single procedure

Additional context

No response

@bowenliang123 bowenliang123 converted this from a draft issue Oct 12, 2023
@bowenliang123 bowenliang123 changed the title from "[TASK][EASY] Support and cover the Authz privilege check for Iceberg system procedures" to "[TASK][EASY] Support checks for Iceberg system procedures in Authz" Oct 12, 2023
@bowenliang123
Contributor Author

cc @yabola @AngersZhuuuu

@bowenliang123
Contributor Author

Hi @pan3793 , it fails to assign this issue to @yabola on the right sidebar. How to achieve it?

@pan3793
Member

pan3793 commented Oct 12, 2023

it requires the contributor to leave some comments under the issue before assigning

@bowenliang123
Contributor Author

> it requires the contributor to leave some comments under the issue before assigning

Hi @yabola , would you like to accept this issue and leave a comment here ?

@yabola
Contributor

yabola commented Oct 13, 2023

I can take this task~

@bowenliang123
Contributor Author

bowenliang123 commented Oct 13, 2023

> I can take this task~

Thank you @yabola . Look forward to your following pull requests.

@pan3793 pan3793 changed the title from "[TASK][EASY] Support checks for Iceberg system procedures in Authz" to "Support checks for Iceberg system procedures in Authz" Nov 10, 2023