[#5146] fix(core): Support to rename and delete metadata object in the authorization plugin #5321
Conversation
jerqi
changed the title
jerqi
force-pushed
the
ISSUE-5146
branch
6 times, most recently
from
699500c to
243f4a2
Compare
| @@ -588,6 +798,67 @@ void testAllowUseSchemaPrivilege() throws InterruptedException { | |||
| metalake.deleteRole(roleName); | |||
| } | |||
|
|
|||
| @Test | |||
| void testDenyPrivileges() throws InterruptedException { | |||
jerqi
force-pushed
the
ISSUE-5146
branch
2 times, most recently
from
85ae637 to
63355f9
Compare
… in the authorization plugin
| @@ -527,6 +536,208 @@ void testDeleteAndRecreateRole() throws InterruptedException { | |||
| metalake.deleteRole(roleName); | |||
| } | |||
|
|
|||
| @Test | |||
| void testDeleteAndRecreateMetadataObject() throws InterruptedException { | |||
| // Create a role with CREATE_SCHEMA privilege | |||
There was a problem hiding this comment.
I think need to add sparkSession.sql(SQL_CREATE_SCHEMA); in the here to throw doesn't have permission.
|
|
||
| // Clean up | ||
| catalog.asSchemas().dropSchema(schemaName, true); | ||
| metalake.deleteRole(roleName); |
There was a problem hiding this comment.
I think need to add these tests in the here to throw doesn't have permission.
- SQL_CREATE_SCHEMA
- SQL_DROP_SCHEMA
| waitForUpdatingPolicies(); | ||
|
|
||
| // Create a schema | ||
| sparkSession.sql(SQL_CREATE_SCHEMA); |
There was a problem hiding this comment.
I think need to add sparkSession.sql(SQL_CREATA_TABLE); in the here to throw doesn't have permission.
| // Create a schema | ||
| sparkSession.sql(SQL_CREATE_SCHEMA); | ||
|
|
||
| // Set owner |
There was a problem hiding this comment.
I think need to add sparkSession.sql(SQL_DROP_SCHEMA); in the here to throw doesn't have permission.
| // Create a schema and a table | ||
| sparkSession.sql(SQL_CREATE_SCHEMA); | ||
| sparkSession.sql(SQL_USE_SCHEMA); | ||
| sparkSession.sql(SQL_CREATE_TABLE); |
There was a problem hiding this comment.
I think need to add these tests in the here
- SQL_INSERT_TABLE
There was a problem hiding this comment.
I added another test case.
| // Schema doesn't support to rename operation now. So we don't need to change | ||
| // authorization plugin privileges, too. |
There was a problem hiding this comment.
I think need call authorization plugin interface in the here.
There was a problem hiding this comment.
Schema doesn't support to rename.
| } | ||
|
|
||
| @Override | ||
| public boolean dropTable(NameIdentifier ident) { | ||
| return dispatcher.dropTable(ident); | ||
| boolean dropped = dispatcher.dropTable(ident); | ||
| AuthorizationUtils.removeAuthorizationPluginPrivileges(ident, Entity.EntityType.TABLE); |
There was a problem hiding this comment.
removeAuthorizationPluginPrivileges look like remove AuthorizationPlugin's Privileges, maybe can change to authorizationPluginRemovePrivileges or removePrivilegesInAuthorizationPlugin?
| AuthorizationUtils.authorizationPluginRemovePrivileges(ident, Entity.EntityType.CATALOG); | ||
| return dispatcher.dropCatalog(ident); |
There was a problem hiding this comment.
I think maybe we can call dropCatalog(ident, /*default value*/) in there, to avoid duplicate call return dispatcher.dropCatalog(ident); ?
| } | ||
|
|
||
| @Override | ||
| public boolean dropTable(NameIdentifier ident) { | ||
| return dispatcher.dropTable(ident); | ||
| boolean dropped = dispatcher.dropTable(ident); | ||
| AuthorizationUtils.authorizationPluginRemovePrivileges(ident, Entity.EntityType.TABLE); |
There was a problem hiding this comment.
Maybe we needs add judgement in here
if (dropped) {
AuthorizationUtils.authorizationPluginRemovePrivileges(ident, Entity.EntityType.TABLE);
}
Also other place have same problem.
There was a problem hiding this comment.
If we succeed to delete the table but fail to delete the policy in the authorization plugin. We can repeat to execute the operation to delete the policy but dispatcher may return zero.
| waitForUpdatingPolicies(); | ||
| Assertions.assertThrows(AccessControlException.class, () -> sparkSession.sql(SQL_INSERT_TABLE)); | ||
| Assertions.assertThrows( | ||
| AccessControlException.class, () -> sparkSession.sql(SQL_SELECT_TABLE).collectAsList()); |
There was a problem hiding this comment.
I think better to check all SQL operations.
- SQL_CREATE_SCHEMA
- SQL_USE_SCHEMA
- SQL_CREATE_TABLE
- SQL_INSERT_TABLE
- SQL_SELECT_TABLE
- SQL_UPDATE_TABLE
- SQL_DELETE_TABLE
- SQL_DROP_TABLE
| Assertions.assertThrows(AccessControlException.class, () -> sparkSession.sql(SQL_INSERT_TABLE)); | ||
| Assertions.assertThrows( | ||
| AccessControlException.class, () -> sparkSession.sql(SQL_SELECT_TABLE).collectAsList()); | ||
|
|
There was a problem hiding this comment.
I think better to check all SQL operations.
- SQL_CREATE_SCHEMA
- SQL_USE_SCHEMA
- SQL_CREATE_TABLE
- SQL_INSERT_TABLE
- SQL_SELECT_TABLE
- SQL_UPDATE_TABLE
- SQL_DELETE_TABLE
- SQL_DROP_TABLE
| // Delete the role and fail to create schema | ||
| metalake.deleteRole(roleName); | ||
| waitForUpdatingPolicies(); | ||
| ; |
…e authorization plugin (#5321) ### What changes were proposed in this pull request? Support to rename and delete metadata object in the authorization plugin ### Why are the changes needed? Fix: #5146 ### Does this PR introduce _any_ user-facing change? No. ### How was this patch tested? add new IT and UT
… in the authorization plugin (apache#5321) ### What changes were proposed in this pull request? Support to rename and delete metadata object in the authorization plugin ### Why are the changes needed? Fix: apache#5146 ### Does this PR introduce _any_ user-facing change? No. ### How was this patch tested? add new IT and UT
What changes were proposed in this pull request?
Support to rename and delete metadata object in the authorization plugin
Why are the changes needed?
Fix: #5146
Does this PR introduce any user-facing change?
No.
How was this patch tested?
add new IT and UT