test RuleFunctionAuthorization in RangerSparkExtensionSuite.

Author: ygjia

extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RuleFunctionAuthorization.scala

@@ -50,12 +50,7 @@ case class RuleFunctionAuthorization(spark: SparkSession) extends (LogicalPlan =
     }
 
     addAccessRequest(inputs, isInput = true)
-    checkPrivileges(requests, auditHandler)
-  }
 
-  def checkPrivileges(
-      requests: mutable.ArrayBuffer[AccessRequest],
-      auditHandler: SparkRangerAuditHandler): Unit = {
     val requestArrays = requests.map(Seq(_))
     if (authorizeInSingleCall) {
       verify(requestArrays.flatten, auditHandler)

extensions/spark/kyuubi-spark-authz/src/test/gen/scala/org/apache/kyuubi/plugin/spark/authz/gen/PolicyJsonFileGenerator.scala

@@ -110,6 +110,7 @@ class PolicyJsonFileGenerator extends AnyFunSuite {
       policyAccessForPermViewAccessOnly,
       policyAccessForTable2AccessOnly,
       policyAccessForPaimonNsTable1SelectOnly,
+      policyAccessForDefaultDbUDF,
       // row filter
       policyFilterForSrcTableKeyLessThan20,
       policyFilterForPermViewKeyLessThan20,
@@ -371,4 +372,20 @@ class PolicyJsonFileGenerator extends AnyFunSuite {
         users = List(table1OnlyUserForNs),
         accesses = allowTypes(select),
         delegateAdmin = true)))
+
+  private val policyAccessForDefaultDbUDF = KRangerPolicy(
+    name = "defaultdb_udf",
+    description = "Policy for default db udf",
+    resources = Map(
+      databaseRes(defaultDb),
+      "udf" -> KRangerPolicyResource(values = List("kyuubi_func*"))),
+    policyItems = List(
+      KRangerPolicyItem(
+        users = List(bob),
+        accesses = allowTypes(select, update, create, drop, alter, index, lock, all, read, write),
+        delegateAdmin = true),
+      KRangerPolicyItem(
+        users = List(kent),
+        accesses = allowTypes(select),
+        delegateAdmin = true)))
 }

extensions/spark/kyuubi-spark-authz/src/test/resources/sparkSql_hive_jenkins.json

@@ -510,6 +510,72 @@
     "isEnabled" : true,
     "version" : 1,
     "service" : "hive_jenkins",
+    "name" : "defaultdb_udf",
+    "policyType" : 0,
+    "policyPriority" : 0,
+    "description" : "Policy for default db udf",
+    "isAuditEnabled" : true,
+    "resources" : {
+      "database" : {
+        "values" : [ "default" ],
+        "isExcludes" : false,
+        "isRecursive" : false
+      },
+      "udf" : {
+        "values" : [ "kyuubi_func*" ],
+        "isExcludes" : false,
+        "isRecursive" : false
+      }
+    },
+    "policyItems" : [ {
+      "accesses" : [ {
+        "type" : "select",
+        "isAllowed" : true
+      }, {
+        "type" : "update",
+        "isAllowed" : true
+      }, {
+        "type" : "create",
+        "isAllowed" : true
+      }, {
+        "type" : "drop",
+        "isAllowed" : true
+      }, {
+        "type" : "alter",
+        "isAllowed" : true
+      }, {
+        "type" : "index",
+        "isAllowed" : true
+      }, {
+        "type" : "lock",
+        "isAllowed" : true
+      }, {
+        "type" : "all",
+        "isAllowed" : true
+      }, {
+        "type" : "read",
+        "isAllowed" : true
+      }, {
+        "type" : "write",
+        "isAllowed" : true
+      } ],
+      "users" : [ "bob" ],
+      "delegateAdmin" : true
+    }, {
+      "accesses" : [ {
+        "type" : "select",
+        "isAllowed" : true
+      } ],
+      "users" : [ "kent" ],
+      "delegateAdmin" : true
+    } ],
+    "isDenyAllElse" : false
+  }, {
+    "id" : 11,
+    "guid" : "6512bd43-d9ca-36e0-ac99-0b0a82652dca",
+    "isEnabled" : true,
+    "version" : 1,
+    "service" : "hive_jenkins",
     "name" : "src_key_less_than_20",
     "policyType" : 2,
     "policyPriority" : 0,
@@ -539,8 +605,8 @@
     } ],
     "isDenyAllElse" : false
   }, {
-    "id" : 11,
-    "guid" : "6512bd43-d9ca-36e0-ac99-0b0a82652dca",
+    "id" : 12,
+    "guid" : "c20ad4d7-6fe9-3759-aa27-a0c99bff6710",
     "isEnabled" : true,
     "version" : 1,
     "service" : "hive_jenkins",
@@ -573,8 +639,8 @@
     } ],
     "isDenyAllElse" : false
   }, {
-    "id" : 12,
-    "guid" : "c20ad4d7-6fe9-3759-aa27-a0c99bff6710",
+    "id" : 13,
+    "guid" : "c51ce410-c124-310e-8db5-e4b97fc2af39",
     "isEnabled" : true,
     "version" : 1,
     "service" : "hive_jenkins",
@@ -612,8 +678,8 @@
     } ],
     "isDenyAllElse" : false
   }, {
-    "id" : 13,
-    "guid" : "c51ce410-c124-310e-8db5-e4b97fc2af39",
+    "id" : 14,
+    "guid" : "aab32389-22bc-325a-af60-6eb525ffdc56",
     "isEnabled" : true,
     "version" : 1,
     "service" : "hive_jenkins",
@@ -651,8 +717,8 @@
     } ],
     "isDenyAllElse" : false
   }, {
-    "id" : 14,
-    "guid" : "aab32389-22bc-325a-af60-6eb525ffdc56",
+    "id" : 15,
+    "guid" : "9bf31c7f-f062-336a-96d3-c8bd1f8f2ff3",
     "isEnabled" : true,
     "version" : 1,
     "service" : "hive_jenkins",
@@ -690,8 +756,8 @@
     } ],
     "isDenyAllElse" : false
   }, {
-    "id" : 15,
-    "guid" : "9bf31c7f-f062-336a-96d3-c8bd1f8f2ff3",
+    "id" : 16,
+    "guid" : "c74d97b0-1eae-357e-84aa-9d5bade97baf",
     "isEnabled" : true,
     "version" : 1,
     "service" : "hive_jenkins",
@@ -729,8 +795,8 @@
     } ],
     "isDenyAllElse" : false
   }, {
-    "id" : 16,
-    "guid" : "c74d97b0-1eae-357e-84aa-9d5bade97baf",
+    "id" : 17,
+    "guid" : "70efdf2e-c9b0-3607-9795-c442636b55fb",
     "isEnabled" : true,
     "version" : 1,
     "service" : "hive_jenkins",
@@ -768,8 +834,8 @@
     } ],
     "isDenyAllElse" : false
   }, {
-    "id" : 17,
-    "guid" : "70efdf2e-c9b0-3607-9795-c442636b55fb",
+    "id" : 18,
+    "guid" : "6f4922f4-5568-361a-8cdf-4ad2299f6d23",
     "isEnabled" : true,
     "version" : 1,
     "service" : "hive_jenkins",

extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/FunctionPrivilegesBuilderSuite.scala

@@ -17,19 +17,13 @@
 
 package org.apache.kyuubi.plugin.spark.authz
 
-import scala.collection.mutable
-
 import org.apache.spark.sql.catalyst.plans.logical.LogicalPlan
-import org.mockito.ArgumentMatchers.any
-import org.mockito.Mockito
-import org.mockito.invocation.InvocationOnMock
-import org.mockito.stubbing.Answer
 import org.scalatest.{BeforeAndAfterAll, BeforeAndAfterEach}
 // scalastyle:off
 import org.scalatest.funsuite.AnyFunSuite
 
 import org.apache.kyuubi.plugin.spark.authz.OperationType.QUERY
-import org.apache.kyuubi.plugin.spark.authz.ranger.{AccessRequest, AccessResource, AccessType, RuleFunctionAuthorization, SparkRangerAuditHandler}
+import org.apache.kyuubi.plugin.spark.authz.ranger.AccessType
 
 abstract class FunctionPrivilegesBuilderSuite extends AnyFunSuite
   with SparkSessionProvider with BeforeAndAfterAll with BeforeAndAfterEach {
@@ -200,13 +194,15 @@ class HiveFunctionPrivilegesBuilderSuite extends FunctionPrivilegesBuilderSuite
   }
 
   test("Built in and UDF Function Call Query") {
-    val plan = sql(s"SELECT kyuubi_fun_0('TESTSTRING'), " +
-      s"kyuubi_fun_0(value)," +
-      s"abs(key)," +
-      s"abs(-100)," +
-      s"lower(value)," +
-      s"lower('TESTSTRING') " +
-      s"FROM $reusedTable").queryExecution.analyzed
+    val plan = sql(
+      s"""
+         |SELECT
+         |  kyuubi_fun_0('TESTSTRING') AS col1,
+         |  kyuubi_fun_0(value) AS col2,
+         |  abs(key) AS col3, abs(-100) AS col4,
+         |  lower(value) AS col5,lower('TESTSTRING') AS col6
+         |FROM $reusedTable
+         |""".stripMargin).queryExecution.analyzed
     val (inputs, _, _) = PrivilegesBuilder.buildFunctions(plan, spark)
     assert(inputs.size === 2)
     inputs.foreach { po =>
@@ -219,36 +215,67 @@ class HiveFunctionPrivilegesBuilderSuite extends FunctionPrivilegesBuilderSuite
     }
   }
 
-  test("[KYUUBI #7186] Introduce RuleFunctionAuthorization") {
-
-    val ruleFunc = Mockito.spy[RuleFunctionAuthorization](RuleFunctionAuthorization(spark))
-    Mockito.doAnswer(new Answer[Unit] {
-      override def answer(invocation: InvocationOnMock): Unit = {
-        val requests = invocation.getArgument[mutable.ArrayBuffer[AccessRequest]](0)
-        requests.foreach { request =>
-          // deny udf `reusedDb.kyuubi_fun_0`
-          var database: String = request.getResource.asInstanceOf[AccessResource].getDatabase
-          var udf: String = request.getResource.asInstanceOf[AccessResource].getUdf
-          if (database.equalsIgnoreCase(reusedDb) && udf.equalsIgnoreCase("kyuubi_fun_0")) {
-            throw new AccessControlException("Access denied")
-          }
-        }
-      }
-    }).when(ruleFunc).checkPrivileges(
-      any[mutable.ArrayBuffer[AccessRequest]](),
-      any[SparkRangerAuditHandler]())
-
-    val query1 = sql(s"SELECT " +
-      s"${reusedDb}.kyuubi_fun_0('KYUUBI_STRING')," +
-      s"${reusedDb}.kyuubi_fun_1('KYUUBI_STRING') ").queryExecution.analyzed
-    intercept[AccessControlException] { ruleFunc.apply(query1) }
-
-    val query2 = sql(s"SELECT " +
-      s"${reusedDb}.kyuubi_fun_0('KYUUBI_STRING')").queryExecution.analyzed
-    intercept[AccessControlException] { ruleFunc.apply(query2) }
-
-    val query3 = sql(s"SELECT " +
-      s"${reusedDb}.kyuubi_fun_1('KYUUBI_STRING')").queryExecution.analyzed
-    ruleFunc.apply(query3)
+  test("Function Call in Crate Table/View") {
+    val plan1 = sql(
+      s"""
+         |CREATE TABLE table1 AS
+         |SELECT
+         |  kyuubi_fun_0('KYUUBI_TESTSTRING'),
+         |  kyuubi_fun_0(value)
+         |FROM $reusedTable
+         |""".stripMargin).queryExecution.analyzed
+    val (inputs1, _, _) = PrivilegesBuilder.buildFunctions(plan1, spark)
+    assert(inputs1.size === 2)
+    inputs1.foreach { po =>
+      assert(po.actionType === PrivilegeObjectActionType.OTHER)
+      assert(po.privilegeObjectType === PrivilegeObjectType.FUNCTION)
+      assert(po.dbname startsWith reusedDb.toLowerCase)
+      assert(po.objectName startsWith functionNamePrefix.toLowerCase)
+      val accessType = ranger.AccessType(po, QUERY, isInput = true)
+      assert(accessType === AccessType.SELECT)
+    }
+    val plan2 = sql("DROP TABLE IF EXISTS table1").queryExecution.analyzed
+    val (inputs2, _, _) = PrivilegesBuilder.buildFunctions(plan2, spark)
+    assert(inputs2.size === 0)
+
+    val plan3 = sql(
+      s"""
+         |CREATE VIEW view1 AS SELECT
+         |  kyuubi_fun_0('KYUUBI_TESTSTRING') AS fun1,
+         |  kyuubi_fun_0(value) AS fun2
+         |FROM $reusedTable
+         |""".stripMargin).queryExecution.analyzed
+    val (inputs3, _, _) = PrivilegesBuilder.buildFunctions(plan3, spark)
+    assert(inputs3.size === 2)
+    inputs3.foreach { po =>
+      assert(po.actionType === PrivilegeObjectActionType.OTHER)
+      assert(po.privilegeObjectType === PrivilegeObjectType.FUNCTION)
+      assert(po.dbname startsWith reusedDb.toLowerCase)
+      assert(po.objectName startsWith functionNamePrefix.toLowerCase)
+      val accessType = ranger.AccessType(po, QUERY, isInput = true)
+      assert(accessType === AccessType.SELECT)
+    }
+    val plan4 = sql("DROP VIEW IF EXISTS view1").queryExecution.analyzed
+    val (inputs4, _, _) = PrivilegesBuilder.buildFunctions(plan4, spark)
+    assert(inputs4.size === 0)
+  }
+
+  test("Function Call in INSERT OVERWRITE") {
+    val plan = sql(
+      s"""
+         |INSERT OVERWRITE TABLE $reusedTable
+         |SELECT key, kyuubi_fun_0(value)
+         |FROM $reusedPartTable
+         |""".stripMargin).queryExecution.analyzed
+    val (inputsUpdate, _, _) = PrivilegesBuilder.buildFunctions(plan, spark)
+    assert(inputsUpdate.size === 1)
+    inputsUpdate.foreach { po =>
+      assert(po.actionType === PrivilegeObjectActionType.OTHER)
+      assert(po.privilegeObjectType === PrivilegeObjectType.FUNCTION)
+      assert(po.dbname startsWith reusedDb.toLowerCase)
+      assert(po.objectName startsWith functionNamePrefix.toLowerCase)
+      val accessType = ranger.AccessType(po, QUERY, isInput = true)
+      assert(accessType === AccessType.SELECT)
+    }
   }
 }