[KYUUBI #7230][AUTHZ] Support skipping privilege check for DataSourceV2Relation without catalog and identifier#7557
Open
j1wonpark wants to merge 1 commit into
Conversation
…SourceV2Relation without catalog and identifier Signed-off-by: Jiwon Park <jpark92@outlook.kr>
4 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why are the changes needed?
DSv2
TableProviders that do not implementSupportsCatalogOptions(the MongoDB connector, the ClickHouse native connector, etc.), when used directly viaformat(...).load()/.save(), produce aDataSourceV2Relationwith neithercatalognoridentifier— Spark's non-catalog fallback inDataSourceV2Utils.loadV2Source/DataFrameWriterpasses(None, None), and the read-side fallback carries Spark's own TODO note that "Non-catalog paths for DSV2 are currently not well defined".For such relations
DataSourceV2RelationTableExtractorfalls back totable.name(), which is connector-defined and usually synthetic (e.g.MongoTable()). The resulting Ranger resource has nodatabaseelement, and a resource missing a parent level of thedatabase → table → columnhierarchy matches no policy at all — not evendatabase=* / table=*(RangerDefaultPolicyResourceMatcher.isHierarchyValidForResources, Ranger 2.6.0). So the current behavior is an unconditional deny that operators cannot lift with any policy, reported in #7230. Meanwhile the v1 path is already skipped: aLogicalRelationwithoutcatalogTableproduces no privilege object.This PR adds an operator-level opt-out, default
falseso default behavior is unchanged:spark.kyuubi.authz.skip.catalogless.v2.relation.enabled(defaultfalse): when enabled, the extractor returnsNonefor aDataSourceV2Relationwhose catalog and identifier are both empty, restoring parity with the v1 path.AuthzConfigurationChecker's built-in restricted list (likespark.sql.runSQLOnFiles), so end users cannot flip it withSET. Operators should also consider listing it inkyuubi.session.conf.restrict.list.Note: whether skipping is safe is deployment-specific — fine when credentials for the external system are supplied per query by the end user, risky when the shared Spark principal holds ambient credentials. Hence opt-in rather than unconditional. Skipped relations produce no Ranger audit events.
How was this patch tested?
DataSourceV2RelationTableExtractorSuite:table.name()is still extracted verbatim when the conf is off;AuthzConfigurationCheckerSuite:SETon the new key throwsAccessControlException.Was this patch authored or co-authored using generative AI tooling?
Assisted-by: Claude Opus 4.8