apache/kyuubi

[AUTHZ][Improvement] insert into table should check the update privilege for table

liujiayi771 opened this issue · 6 comments

Search before asking

  • I have searched in the issues and found no similar issues.

What would you like to be improved?

Currently, Authz will check the update privilege for the column of the table. I think it is better to check the update privilege for the table.

insert into test values(1);
user [xxx] does not have [update] privilege on [database=testdb/table=test/column=id]

How should we improve?

Check the update privilege for the table.

Are you willing to submit PR?

  • Yes. I would be willing to submit a PR with guidance from the Kyuubi community to improve.
  • No. I cannot submit a PR at this time.

Hello @liujiayi771,
Thanks for finding the time to report the issue!
We really appreciate the community's efforts to improve Apache Kyuubi.

Hi @pan3793. What do you think?

cc @yaooqinn, thanks.

Sounds reasonable to me, but can we double-check other DBs' implementations?

@pan3793 I have tested the Hive and Trino Ranger plugins. They both check the privilege on the table when inserting into a table.

Hive:

Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [ranger] does not have [UPDATE] privilege on [database=testdb/table=test] (state=42000,code=40000)

Trino:

trino:testdb> insert into test values(1);
Query 20240729_135814_00054_g5bf9 failed: Access Denied: Cannot insert into table test

So I will submit a PR for this change.

Thanks for checking, please go ahead and submit a PR to fix it.