[KYUUBI #5172] [AUTHZ] Check USE permissions for DESCRIBE FUNCTION

### _Why are the changes needed?_ Fix a bug, The `DESCRIBE FUNCTION` syntax should also be checked for USE permissions. However, prior to this PR, the syntax was not checked for any permissions ### _How was this patch tested?_ - [x] Add some test cases that check the changes thoroughly including negative and positive cases if possible - [ ] Add screenshots for manual tests if appropriate - [x] [Run test](https://kyuubi.readthedocs.io/en/master/contributing/code/testing.html#running-tests) locally before make a pull request ### _Was this patch authored or co-authored using generative AI tooling?_ No Closes #5172 from Yikf/auth-desc-function. Closes #5172 112f4f20b [yikaifei] The DESCRIBE FUNCTION syntax should also be checked for USE permissions Authored-by: yikaifei <yikaifei@apache.org> Signed-off-by: liangbowen <liangbowen@gf.com.cn>
2023-08-16 18:31:58 +08:00 · 2023-08-16 18:31:58 +08:00 · b57bc1cab6
commit b57bc1cab6
parent d513f1f1e6
2 changed files with 17 additions and 1 deletions
--- a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/AccessType.scala
+++ b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/AccessType.scala
@ -58,7 +58,12 @@ object AccessType extends Enumeration {
              SHOWPARTITIONS |
              ANALYZE_TABLE => SELECT
          case SHOWCOLUMNS | DESCTABLE => SELECT
-          case SHOWDATABASES | SWITCHDATABASE | DESCDATABASE | SHOWTABLES | SHOWFUNCTIONS => USE
+          case SHOWDATABASES |
+              SWITCHDATABASE |
+              DESCDATABASE |
+              SHOWTABLES |
+              SHOWFUNCTIONS |
+              DESCFUNCTION => USE
          case TRUNCATETABLE => UPDATE
          case _ => NONE
        }
--- a/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
+++ b/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
@ -442,6 +442,17 @@ abstract class RangerSparkExtensionSuite extends AnyFunSuite
    }
    doAs(admin, assert(sql("show tables from global_temp").collect().length == 0))
  }
+
+  test("[KYUUBI #5172] Check USE permissions for DESCRIBE FUNCTION") {
+    val fun = s"$defaultDb.function1"
+
+    withCleanTmpResources(Seq((s"$fun", "function"))) {
+      doAs(admin, sql(s"CREATE FUNCTION $fun AS 'Function1'"))
+      doAs(admin, sql(s"DESC FUNCTION $fun").collect().length == 1)
+      val e = intercept[AccessControlException](doAs(denyUser, sql(s"DESC FUNCTION $fun")))
+      assert(e.getMessage === errorMessage("_any", "default/function1", denyUser))
+    }
+  }
 }

 class InMemoryCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite {