[KYUUBI #7068] Iceberg ranger support check branch and tag ddl

### Why are the changes needed?

Iceberg ranger check support branch and tag ddl

### How was this patch tested?

- [x] create branch
- [x] replace branch
- [x] drop branch
- [x] create tag
- [x] replace tag
- [x] drop tag

issue #7068
### Was this patch authored or co-authored using generative AI tooling?

Closes #7069 from davidyuan1223/iceberg_branch_check.

Closes #7068

d060a24 [davidyuan] update
1e05018 [davidyuan] Merge branch 'master' into iceberg_branch_check
be26846 [davidyuan] update
231ed33 [davidyuan] sort spi file
6d2a5bf [davidyuan] sort spi file
bc21310 [davidyuan] update
52ca367 [davidyuan] update

Authored-by: davidyuan <[email protected]>
Signed-off-by: Cheng Pan <[email protected]>

Author: davidyuan1223

extensions/spark/kyuubi-spark-authz/src/main/resources/table_command_spec.json

@@ -1841,6 +1841,38 @@
   "opType" : "ALTERTABLE_PROPERTIES",
   "queryDescs" : [ ],
   "uriDescs" : [ ]
+}, {
+  "classname" : "org.apache.spark.sql.catalyst.plans.logical.CreateOrReplaceBranch",
+  "tableDescs" : [ {
+    "fieldName" : "table",
+    "fieldExtractor" : "ArrayBufferTableExtractor",
+    "columnDesc" : null,
+    "actionTypeDesc" : null,
+    "tableTypeDesc" : null,
+    "catalogDesc" : null,
+    "isInput" : false,
+    "setCurrentDatabaseIfMissing" : false,
+    "comment" : "Iceberg"
+  } ],
+  "opType" : "ALTERTABLE_PROPERTIES",
+  "queryDescs" : [ ],
+  "uriDescs" : [ ]
+}, {
+  "classname" : "org.apache.spark.sql.catalyst.plans.logical.CreateOrReplaceTag",
+  "tableDescs" : [ {
+    "fieldName" : "table",
+    "fieldExtractor" : "ArrayBufferTableExtractor",
+    "columnDesc" : null,
+    "actionTypeDesc" : null,
+    "tableTypeDesc" : null,
+    "catalogDesc" : null,
+    "isInput" : false,
+    "setCurrentDatabaseIfMissing" : false,
+    "comment" : "Iceberg"
+  } ],
+  "opType" : "ALTERTABLE_PROPERTIES",
+  "queryDescs" : [ ],
+  "uriDescs" : [ ]
 }, {
   "classname" : "org.apache.spark.sql.catalyst.plans.logical.DeleteFromIcebergTable",
   "tableDescs" : [ {
@@ -1862,6 +1894,22 @@
   "opType" : "QUERY",
   "queryDescs" : [ ],
   "uriDescs" : [ ]
+}, {
+  "classname" : "org.apache.spark.sql.catalyst.plans.logical.DropBranch",
+  "tableDescs" : [ {
+    "fieldName" : "table",
+    "fieldExtractor" : "ArrayBufferTableExtractor",
+    "columnDesc" : null,
+    "actionTypeDesc" : null,
+    "tableTypeDesc" : null,
+    "catalogDesc" : null,
+    "isInput" : false,
+    "setCurrentDatabaseIfMissing" : false,
+    "comment" : "Iceberg"
+  } ],
+  "opType" : "ALTERTABLE_PROPERTIES",
+  "queryDescs" : [ ],
+  "uriDescs" : [ ]
 }, {
   "classname" : "org.apache.spark.sql.catalyst.plans.logical.DropIdentifierFields",
   "tableDescs" : [ {
@@ -1894,6 +1942,22 @@
   "opType" : "ALTERTABLE_PROPERTIES",
   "queryDescs" : [ ],
   "uriDescs" : [ ]
+}, {
+  "classname" : "org.apache.spark.sql.catalyst.plans.logical.DropTag",
+  "tableDescs" : [ {
+    "fieldName" : "table",
+    "fieldExtractor" : "ArrayBufferTableExtractor",
+    "columnDesc" : null,
+    "actionTypeDesc" : null,
+    "tableTypeDesc" : null,
+    "catalogDesc" : null,
+    "isInput" : false,
+    "setCurrentDatabaseIfMissing" : false,
+    "comment" : "Iceberg"
+  } ],
+  "opType" : "ALTERTABLE_PROPERTIES",
+  "queryDescs" : [ ],
+  "uriDescs" : [ ]
 }, {
   "classname" : "org.apache.spark.sql.catalyst.plans.logical.MergeIntoIcebergTable",
   "tableDescs" : [ {

extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/gen/IcebergCommands.scala

@@ -93,6 +93,26 @@ object IcebergCommands extends CommandSpecs[TableCommandSpec] {
     AddPartitionFiled.copy(cmd)
   }
 
+  val CreateOrReplaceBranch = {
+    val cmd = "org.apache.spark.sql.catalyst.plans.logical.CreateOrReplaceBranch"
+    AddPartitionFiled.copy(cmd)
+  }
+
+  val CreateOrReplaceTag = {
+    val cmd = "org.apache.spark.sql.catalyst.plans.logical.CreateOrReplaceTag"
+    AddPartitionFiled.copy(cmd)
+  }
+
+  val DropBranch = {
+    val cmd = "org.apache.spark.sql.catalyst.plans.logical.DropBranch"
+    AddPartitionFiled.copy(cmd)
+  }
+
+  val DropTag = {
+    val cmd = "org.apache.spark.sql.catalyst.plans.logical.DropTag"
+    AddPartitionFiled.copy(cmd)
+  }
+
   override def specs: Seq[TableCommandSpec] = Seq(
     CallProcedure,
     DeleteFromIcebergTable,
@@ -104,6 +124,10 @@ object IcebergCommands extends CommandSpecs[TableCommandSpec] {
     WriteDistributionAndOrdering,
     SetIdentifierFields,
     DropIdentifierFields,
+    CreateOrReplaceBranch,
+    CreateOrReplaceTag,
+    DropBranch,
+    DropTag,
     MergeIntoIcebergTable.copy(classname =
       "org.apache.spark.sql.catalyst.plans.logical.UnresolvedMergeIntoIcebergTable"))
 }

extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/IcebergCatalogRangerSparkExtensionSuite.scala

@@ -484,4 +484,106 @@ class IcebergCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite
       doAs(admin, sql(dropIdentifierSql))
     }
   }
+
+  test("CREATE BRANCH for Iceberg") {
+    val table = s"$catalogV2.$namespace1.partitioned_table"
+    withCleanTmpResources(Seq((table, "table"))) {
+      doAs(
+        admin,
+        sql(
+          s"CREATE TABLE $table (id int NOT NULL, name string, city string) USING iceberg"))
+      doAs(admin, sql(s"INSERT INTO $table VALUES (1, 'test', 'city')"))
+      val createBranchSql = s"ALTER TABLE $table CREATE BRANCH test_branch"
+      interceptEndsWith[AccessControlException] {
+        doAs(someone, sql(createBranchSql))
+      }(s"does not have [alter] privilege on [$namespace1/partitioned_table]")
+      doAs(admin, sql(createBranchSql))
+    }
+  }
+
+  test("CREATE TAG for Iceberg") {
+    val table = s"$catalogV2.$namespace1.partitioned_table"
+    withCleanTmpResources(Seq((table, "table"))) {
+      doAs(
+        admin,
+        sql(
+          s"CREATE TABLE $table (id int NOT NULL, name string, city string) USING iceberg"))
+      doAs(admin, sql(s"INSERT INTO $table VALUES (1, 'test', 'city')"))
+      val createTagSql = s"ALTER TABLE $table CREATE TAG test_tag"
+      interceptEndsWith[AccessControlException] {
+        doAs(someone, sql(createTagSql))
+      }(s"does not have [alter] privilege on [$namespace1/partitioned_table]")
+      doAs(admin, sql(createTagSql))
+    }
+  }
+
+  test("REPLACE BRANCH for Iceberg") {
+    val table = s"$catalogV2.$namespace1.partitioned_table"
+    withCleanTmpResources(Seq((table, "table"))) {
+      doAs(
+        admin,
+        sql(
+          s"CREATE TABLE $table (id int NOT NULL, name string, city string) USING iceberg"))
+      doAs(admin, sql(s"INSERT INTO $table VALUES (1, 'test', 'city')"))
+      doAs(admin, sql(s"ALTER TABLE $table CREATE BRANCH test_branch"))
+      doAs(admin, sql(s"INSERT INTO $table VALUES (2, 'test2', 'city2')"))
+      val replaceBranchSql = s"ALTER TABLE $table REPLACE BRANCH test_branch"
+      interceptEndsWith[AccessControlException] {
+        doAs(someone, sql(replaceBranchSql))
+      }(s"does not have [alter] privilege on [$namespace1/partitioned_table]")
+      doAs(admin, sql(replaceBranchSql))
+    }
+  }
+
+  test("REPLACE TAG for Iceberg") {
+    val table = s"$catalogV2.$namespace1.partitioned_table"
+    withCleanTmpResources(Seq((table, "table"))) {
+      doAs(
+        admin,
+        sql(
+          s"CREATE TABLE $table (id int NOT NULL, name string, city string) USING iceberg"))
+      doAs(admin, sql(s"INSERT INTO $table VALUES (1, 'test', 'city')"))
+      doAs(admin, sql(s"ALTER TABLE $table CREATE TAG test_tag"))
+      doAs(admin, sql(s"INSERT INTO $table VALUES (2, 'test2', 'city2')"))
+      val replaceTagSql = s"ALTER TABLE $table REPLACE TAG test_tag"
+      interceptEndsWith[AccessControlException] {
+        doAs(someone, sql(replaceTagSql))
+      }(s"does not have [alter] privilege on [$namespace1/partitioned_table]")
+      doAs(admin, sql(replaceTagSql))
+    }
+  }
+
+  test("DROP BRANCH for Iceberg") {
+    val table = s"$catalogV2.$namespace1.partitioned_table"
+    withCleanTmpResources(Seq((table, "table"))) {
+      doAs(
+        admin,
+        sql(
+          s"CREATE TABLE $table (id int NOT NULL, name string, city string) USING iceberg"))
+      doAs(admin, sql(s"INSERT INTO $table VALUES (1, 'test', 'city')"))
+      doAs(admin, sql(s"ALTER TABLE $table CREATE BRANCH test_branch"))
+      val dropBranchSql = s"ALTER TABLE $table DROP BRANCH test_branch"
+      interceptEndsWith[AccessControlException] {
+        doAs(someone, sql(dropBranchSql))
+      }(s"does not have [alter] privilege on [$namespace1/partitioned_table]")
+      doAs(admin, sql(dropBranchSql))
+    }
+  }
+
+  test("DROP TAG for Iceberg") {
+    val table = s"$catalogV2.$namespace1.partitioned_table"
+    withCleanTmpResources(Seq((table, "table"))) {
+      doAs(
+        admin,
+        sql(
+          s"CREATE TABLE $table (id int NOT NULL, name string, city string) USING iceberg"))
+      doAs(admin, sql(s"INSERT INTO $table VALUES (1, 'test', 'city')"))
+      doAs(admin, sql(s"ALTER TABLE $table CREATE TAG test_tag"))
+      val dropTagSql = s"ALTER TABLE $table DROP TAG test_tag"
+      interceptEndsWith[AccessControlException] {
+        doAs(someone, sql(dropTagSql))
+      }(s"does not have [alter] privilege on [$namespace1/partitioned_table]")
+      doAs(admin, sql(dropTagSql))
+    }
+  }
 }