[KYUUBI #6592] Add uploadWorkDir into local dir allow list and do not skip check for resource uploaded use case

# 🔍 Description ## Issue References 🔗 As title, for security concern. Before, it skips to check the local dir access for resource upload use case, which is not expected. ## Describe Your Solution 🔧 Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change. ## Types of changes 🔖 - [ ] Bugfix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Breaking change (fix or feature that would cause existing functionality to change) ## Test Plan 🧪 #### Behavior Without This Pull Request ⚰️ #### Behavior With This Pull Request 🎉 #### Related Unit Tests --- # Checklist 📝 - [x] This patch was not authored or co-authored using [Generative Tooling](https://www.apache.org/legal/generative-tooling.html) **Be nice. Be informative.** Closes #6592 from turboFei/check_batch_access. Closes #6592 80cbc7414 [Wang, Fei] do not check if is empty a82fe8e87 [Wang, Fei] check batch access Authored-by: Wang, Fei <fwang12@ebay.com> Signed-off-by: Cheng Pan <chengpan@apache.org> (cherry picked from commit d643e35310) Signed-off-by: Cheng Pan <chengpan@apache.org>
2024-08-07 18:00:48 +08:00 · 2024-08-07 18:00:48 +08:00 · 4043525df8
commit 4043525df8
parent 1e38f97480
2 changed files with 3 additions and 2 deletions
--- a/kyuubi-server/src/main/scala/org/apache/kyuubi/engine/KyuubiApplicationManager.scala
+++ b/kyuubi-server/src/main/scala/org/apache/kyuubi/engine/KyuubiApplicationManager.scala
@ -123,8 +123,9 @@ object KyuubiApplicationManager {
  }

  private[kyuubi] def checkApplicationAccessPath(path: String, conf: KyuubiConf): Unit = {
-    val localDirAllowList = conf.get(KyuubiConf.SESSION_LOCAL_DIR_ALLOW_LIST)
+    var localDirAllowList: Set[String] = conf.get(KyuubiConf.SESSION_LOCAL_DIR_ALLOW_LIST)
    if (localDirAllowList.nonEmpty) {
+      localDirAllowList ++= Set(uploadWorkDir.toUri.getPath)
      val uri =
        try {
          new URI(path)
--- a/kyuubi-server/src/main/scala/org/apache/kyuubi/session/KyuubiBatchSession.scala
+++ b/kyuubi-server/src/main/scala/org/apache/kyuubi/session/KyuubiBatchSession.scala
@ -145,7 +145,7 @@ class KyuubiBatchSession(
      batchType,
      optimizedConf,
      sessionManager.getConf)
-    if (resource != SparkProcessBuilder.INTERNAL_RESOURCE && !isResourceUploaded) {
+    if (resource != SparkProcessBuilder.INTERNAL_RESOURCE) {
      KyuubiApplicationManager.checkApplicationAccessPath(resource, sessionManager.getConf)
    }
  }