[Bug] Kyuubi Spark Authz show databases/tables no data returned
Code of Conduct
- [X] I agree to follow this project's Code of Conduct
Search before asking
- [X] I have searched in the issues and found no similar issues.
Describe the bug
Kyuubi Spark Authz is connected to Ranger 1.2.0 and configured with the relevant policies.
This policy can be displayed normally on the spark-sql command line.
However, through access in Kyuubi, the beeline/ldap method returns empty. The select specific strategy table can query data normally.
Affects Version(s)
1.8.0
Kyuubi Server Log Output
no
Kyuubi Engine Log Output
no
Kyuubi Server Configurations
no
Kyuubi Engine Configurations
no
Additional context
no
Are you willing to submit PR?
- [ ] Yes. I would be willing to submit a PR with guidance from the Kyuubi community to fix.
- [X] No. I cannot submit a PR at this time.
Did beeline and spark-sql have the same user identity?
> Did beeline and spark-sql have the same user identity?
Yes, it has been verified that it should be a bug in Kyuubi 1.8.0. It is normal for Kyuubi to fall back to 1.7.3.
It was found that it was caused by this parameter spark.submit.deployMode=cluster
Do you know if there is any additional log for cluster mode? I guess it might be a problem for the driver to talk with the ranger admin or localize policy files
I'm worried about getting Ranger policy JSON files from the Ranger admin process to all the Spark applications. It may be a DDoS attack on the Ranger admin process, isn't it?
Also, I use both cluster and client for spark.submit.deployMode, but show databases and show tables give me an empty result.
However, select * from query works.
(HiveMetastore 3.1.3, Spark 3.2.3, Kyuubi 1.8.1)
> I'm worried about getting Ranger policy JSON files from the Ranger admin process to all the Spark applications. It may be a DDoS attack on the Ranger admin process, isn't it?
Definitely, especially when you have a lot of policies. TBH, it's a limitation of Ranger's architecture. AFAIK, there are many users who extend Ranger to support server-side policy evaluation to address such issues.
Thanks for your opinion. I think if authorization only occurs on the Kyuubi server side with Ranger and uses Spark just as an engine, like HiveServer2, the problem will be alleviated.