@ygjia ygjia commented Sep 2, 2025

Why are the changes needed?

Close #7186

How was this patch tested?

Add new UTs and verified in a cluster with ranger hive spark service.

Was this patch authored or co-authored using generative AI tooling?

No

Author

ygjia commented Sep 13, 2025

Kindly ping @pan3793, I’ve added a Ranger policy to cover the RuleFunctionAuthorization tests. Ready for review~

@ygjia ygjia requested a review from pan3793 September 15, 2025 02:22
Author

ygjia commented Sep 20, 2025

Kindly ping @pan3793 @bowenliang123 @packyan
Would you mind taking a look when convenient? Thank you!

Author

ygjia commented Nov 25, 2025

Kindly ping @pan3793
Would you mind taking a look when convenient? Thank you!

@ygjia ygjia closed this Dec 1, 2025
@ygjia ygjia reopened this Dec 1, 2025
Member

pan3793 commented Dec 1, 2025

cc @bowenliang123 and @wForget, do you have time to take a look?


override def apply(v1: SparkSessionExtensions): Unit = {
v1.injectCheckRule(AuthzConfigurationChecker)
v1.injectCheckRule(RuleFunctionAuthorization)
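
Review bot: the `v1.injectCheckRule(RuleFunctionAuthorization)` line carries no comment explaining why this rule is registered as a check rule; a one-line code comment stating the reason for choosing `injectCheckRule` here would save the next reader from re-deriving it.
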
Member

Why not use injectOptimizerRule like RuleAuthorization? We should apply this rule after RuleApplyPermanentViewMarker to avoid checking functions in the view.

Author

During the injectOptimizerRule stage, some UDFs may be optimized away, which can prevent permission control. For example, in the SQL:

SELECT my_to_upper("AaaAe") AS col_upper, my_constant() AS col_constant;

Here, my_to_upper converts a string to uppercase, and my_constant returns a constant value. Using injectCheckRule, these two UDFs can be detected,

Project [HiveSimpleUDF#xxx.xxx.hive.custom.ToUpperCaseUDF(AaaAe) AS col_upper#4, HiveSimpleUDF#xxx.xxx.hive.custom.ConstantUDF() AS col_constant#5]
+- OneRowRelation

but during the injectOptimizerRule stage, they will be optimized to their resulting values.

Project [AAAAE AS col_upper#4, 10086 AS col_constant#5]
+- OneRowRelation
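
The difference described in the comment above can be reproduced with Catalyst's own plan objects. This is an added example, not part of this PR or of the Kyuubi code base. It assumes Spark is on the classpath and registers two temporary Scala UDFs as hypothetical stand-ins for the Hive UDFs in the comment, so the expression class it matches is `ScalaUDF` rather than `HiveSimpleUDF`.

```scala
import org.apache.spark.sql.SparkSession
import org.apache.spark.sql.catalyst.expressions.ScalaUDF
import org.apache.spark.sql.catalyst.plans.logical.LogicalPlan

object UdfVisibilityDemo {

  // Names of every UDF call that still exists as an expression node in the plan.
  // An authorization rule can only check functions it can find this way.
  def udfNames(plan: LogicalPlan): Seq[String] =
    plan.flatMap(_.expressions.flatMap(_.collect {
      case u: ScalaUDF => u.udfName.getOrElse("<anonymous>")
    }))

  def main(args: Array[String]): Unit = {
    val spark = SparkSession.builder()
      .master("local[1]")
      .appName("udf-visibility-demo")
      .getOrCreate()

    // Stand-ins (assumption): temporary Scala UDFs with the names used in the comment.
    spark.udf.register("my_to_upper", (s: String) => s.toUpperCase)
    spark.udf.register("my_constant", () => 10086)

    val qe = spark.sql(
      "SELECT my_to_upper('AaaAe') AS col_upper, my_constant() AS col_constant"
    ).queryExecution

    // Plan as a check rule (injectCheckRule) sees it: analysis is done,
    // no optimizer rule has run, the UDF calls are still expression nodes.
    val seenByCheckRule = udfNames(qe.analyzed)

    // Plan after the optimizer: both calls are deterministic with constant
    // arguments, so constant folding replaces them with literal values.
    val seenAfterOptimizer = udfNames(qe.optimizedPlan)

    println(s"analyzed plan:\n${qe.analyzed}")
    println(s"optimized plan:\n${qe.optimizedPlan}")
    println(s"UDF calls visible in analyzed plan:  $seenByCheckRule")
    println(s"UDF calls visible in optimized plan: $seenAfterOptimizer")

    // Any name present in the first list but absent from the second is a
    // function call that a check on the optimized plan could not authorize.
    println(s"hidden by optimization: ${seenByCheckRule.diff(seenAfterOptimizer)}")

    spark.stop()
  }
}
```
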

import org.apache.kyuubi.plugin.spark.authz.util.AuthZUtils._

case class RuleFunctionAuthorization(spark: SparkSession) extends (LogicalPlan => Unit) {
override def apply(plan: LogicalPlan): Unit = {
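
Review bot: `RuleFunctionAuthorization` is declared on the `case class` line without a Scaladoc, and its `apply(plan: LogicalPlan): Unit` signature returns nothing, so the way a denied function call is reported is not visible from the declaration; add a Scaladoc that says what the rule checks and how a denial surfaces to the caller.
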
Member

Can we make this rule configurable? It might not always be necessary.

Author

Sure, let me add a config to make this rule configurable.

Successfully merging this pull request may close these issues.

[Subtask] [Authz] Introduce RuleFunctionAuthorization for persistent function calls authorization