address review comments

Author: ygjia

extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtension.scala

@@ -45,6 +45,9 @@ class RangerSparkExtension extends (SparkSessionExtensions => Unit) {
 
   override def apply(v1: SparkSessionExtensions): Unit = {
     v1.injectCheckRule(AuthzConfigurationChecker)
+    // RuleFunctionAuthorization should use injectCheckRule instead of injectOptimizerRule,
+    // because ConstantFolding will optimize deterministic UDFs with foldable
+    // inputs (e.g., literals), replacing them with their results and bypassing permission checks.
     v1.injectCheckRule(RuleFunctionAuthorization)
     v1.injectResolutionRule(_ => RuleReplaceShowObjectCommands)
     v1.injectResolutionRule(_ => RuleApplyPermanentViewMarker)

extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala

@@ -220,16 +220,8 @@ abstract class RangerSparkExtensionSuite extends AnyFunSuite
     val e = intercept[AccessControlException](sql(create))
     assert(e.getMessage === errorMessage("create", "mydb"))
     withCleanTmpResources(Seq((testDb, "database"))) {
-      doAs(
-        admin,
-        assert(Try {
-          sql(create)
-        }.isSuccess))
-      doAs(
-        admin,
-        assert(Try {
-          sql(alter)
-        }.isSuccess))
+      doAs(admin, assert(Try { sql(create) }.isSuccess))
+      doAs(admin, assert(Try { sql(alter) }.isSuccess))
       val e1 = intercept[AccessControlException](sql(alter))
       assert(e1.getMessage === errorMessage("alter", "mydb"))
       val e2 = intercept[AccessControlException](sql(drop))
@@ -251,34 +243,14 @@ abstract class RangerSparkExtensionSuite extends AnyFunSuite
     assert(e.getMessage === errorMessage("create"))
 
     withCleanTmpResources(Seq((s"$db.$table", "table"))) {
-      doAs(
-        bob,
-        assert(Try {
-          sql(create0)
-        }.isSuccess))
-      doAs(
-        bob,
-        assert(Try {
-          sql(alter0)
-        }.isSuccess))
+      doAs(bob, assert(Try { sql(create0) }.isSuccess))
+      doAs(bob, assert(Try { sql(alter0) }.isSuccess))
 
       val e1 = intercept[AccessControlException](sql(drop0))
       assert(e1.getMessage === errorMessage("drop"))
-      doAs(
-        bob,
-        assert(Try {
-          sql(alter0)
-        }.isSuccess))
-      doAs(
-        bob,
-        assert(Try {
-          sql(select).collect()
-        }.isSuccess))
-      doAs(
-        kent,
-        assert(Try {
-          sql(s"SELECT key FROM $db.$table").collect()
-        }.isSuccess))
+      doAs(bob, assert(Try { sql(alter0) }.isSuccess))
+      doAs(bob, assert(Try { sql(select).collect() }.isSuccess))
+      doAs(kent, assert(Try { sql(s"SELECT key FROM $db.$table").collect() }.isSuccess))
 
       Seq(
         select,
@@ -669,18 +641,12 @@ class HiveCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite {
       // query all columns of the permanent view
       // with access privileges to the permanent view but no privilege to the source table
       val sql1 = s"SELECT * FROM $db1.$permView"
-      doAs(
-        userPermViewOnly, {
-          sql(sql1).collect()
-        })
+      doAs(userPermViewOnly, { sql(sql1).collect() })
 
       // query the second column of permanent view with multiple columns
       // with access privileges to the permanent view but no privilege to the source table
       val sql2 = s"SELECT name FROM $db1.$permView"
-      doAs(
-        userPermViewOnly, {
-          sql(sql2).collect()
-        })
+      doAs(userPermViewOnly, { sql(sql2).collect() })
     }
   }