[KYUUBI #7078] Make data masking and row filter configurable

wForget · wForget · commit de332de63691 · 2025-06-05T21:49:07.000+08:00
diff --git a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/rule/config/AuthzConfigurationChecker.scala b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/rule/config/AuthzConfigurationChecker.scala
@@ -17,6 +17,7 @@
 
 package org.apache.kyuubi.plugin.spark.authz.rule.config
 
+import org.apache.spark.authz.AuthzConf._
 import org.apache.spark.sql.SparkSession
 import org.apache.spark.sql.catalyst.plans.logical.LogicalPlan
 import org.apache.spark.sql.execution.command.SetCommand
@@ -28,11 +29,9 @@ import org.apache.kyuubi.plugin.spark.authz.AccessControlException
  */
 case class AuthzConfigurationChecker(spark: SparkSession) extends (LogicalPlan => Unit) {
 
-  final val RESTRICT_LIST_KEY = "spark.kyuubi.conf.restricted.list"
-
   private val restrictedConfList: Set[String] =
-    Set(RESTRICT_LIST_KEY, "spark.sql.runSQLOnFiles", "spark.sql.extensions") ++
-      spark.conf.getOption(RESTRICT_LIST_KEY).map(_.split(',').toSet).getOrElse(Set.empty)
+    Set(CONF_RESTRICTED_LIST.key, "spark.sql.runSQLOnFiles", "spark.sql.extensions") ++
+      confRestrictedList(spark.sparkContext.getConf).map(_.split(',').toSet).getOrElse(Set.empty)
 
   override def apply(plan: LogicalPlan): Unit = plan match {
     case SetCommand(Some((
diff --git a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/rule/datamasking/RuleApplyDataMaskingStage0.scala b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/rule/datamasking/RuleApplyDataMaskingStage0.scala
@@ -17,6 +17,7 @@
 
 package org.apache.kyuubi.plugin.spark.authz.rule.datamasking
 
+import org.apache.spark.authz.AuthzConf.dataMaskingEnabled
 import org.apache.spark.sql.SparkSession
 import org.apache.spark.sql.catalyst.expressions.Alias
 import org.apache.spark.sql.catalyst.plans.logical.{LogicalPlan, Project}
@@ -45,15 +46,19 @@ import org.apache.kyuubi.plugin.spark.authz.serde._
 case class RuleApplyDataMaskingStage0(spark: SparkSession) extends RuleHelper {
 
   override def apply(plan: LogicalPlan): LogicalPlan = {
-    val newPlan = mapChildren(plan) {
-      case p: DataMaskingStage0Marker => p
-      case p: DataMaskingStage1Marker => p
-      case scan if isKnownScan(scan) && scan.resolved =>
-        val tables = getScanSpec(scan).tables(scan, spark)
-        tables.headOption.map(applyMasking(scan, _)).getOrElse(scan)
-      case other => apply(other)
+    if (!dataMaskingEnabled(conf)) {
+      plan
+    } else {
+      val newPlan = mapChildren(plan) {
+        case p: DataMaskingStage0Marker => p
+        case p: DataMaskingStage1Marker => p
+        case scan if isKnownScan(scan) && scan.resolved =>
+          val tables = getScanSpec(scan).tables(scan, spark)
+          tables.headOption.map(applyMasking(scan, _)).getOrElse(scan)
+        case other => apply(other)
+      }
+      newPlan
     }
-    newPlan
   }
 
   private def applyMasking(
diff --git a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/rule/datamasking/RuleApplyDataMaskingStage1.scala b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/rule/datamasking/RuleApplyDataMaskingStage1.scala
@@ -17,6 +17,7 @@
 
 package org.apache.kyuubi.plugin.spark.authz.rule.datamasking
 
+import org.apache.spark.authz.AuthzConf.dataMaskingEnabled
 import org.apache.spark.sql.SparkSession
 import org.apache.spark.sql.catalyst.expressions.NamedExpression
 import org.apache.spark.sql.catalyst.plans.logical.{Command, LogicalPlan}
@@ -33,25 +34,28 @@ import org.apache.kyuubi.plugin.spark.authz.serde._
 case class RuleApplyDataMaskingStage1(spark: SparkSession) extends RuleHelper {
 
   override def apply(plan: LogicalPlan): LogicalPlan = {
-
-    plan match {
-      case marker0: DataMaskingStage0Marker => marker0
-      case marker1: DataMaskingStage1Marker => marker1
-      case cmd if isKnownTableCommand(cmd) =>
-        val tableCommandSpec = getTableCommandSpec(cmd)
-        val queries = tableCommandSpec.queries(cmd)
-        cmd.mapChildren {
-          case marker0: DataMaskingStage0Marker => marker0
-          case marker1: DataMaskingStage1Marker => marker1
-          case query if queries.contains(query) && query.resolved =>
-            applyDataMasking(query)
-          case o => o
-        }
-      case cmd: Command if cmd.childrenResolved =>
-        cmd.mapChildren(applyDataMasking)
-      case cmd: Command => cmd
-      case other if other.resolved => applyDataMasking(other)
-      case other => other
+    if (!dataMaskingEnabled(conf)) {
+      plan
+    } else {
+      plan match {
+        case marker0: DataMaskingStage0Marker => marker0
+        case marker1: DataMaskingStage1Marker => marker1
+        case cmd if isKnownTableCommand(cmd) =>
+          val tableCommandSpec = getTableCommandSpec(cmd)
+          val queries = tableCommandSpec.queries(cmd)
+          cmd.mapChildren {
+            case marker0: DataMaskingStage0Marker => marker0
+            case marker1: DataMaskingStage1Marker => marker1
+            case query if queries.contains(query) && query.resolved =>
+              applyDataMasking(query)
+            case o => o
+          }
+        case cmd: Command if cmd.childrenResolved =>
+          cmd.mapChildren(applyDataMasking)
+        case cmd: Command => cmd
+        case other if other.resolved => applyDataMasking(other)
+        case other => other
+      }
     }
   }
 
diff --git a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/rule/rowfilter/RuleApplyRowFilter.scala b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/rule/rowfilter/RuleApplyRowFilter.scala
@@ -17,6 +17,7 @@
 
 package org.apache.kyuubi.plugin.spark.authz.rule.rowfilter
 
+import org.apache.spark.authz.AuthzConf.rowFilterEnabled
 import org.apache.spark.sql.SparkSession
 import org.apache.spark.sql.catalyst.plans.logical.{Filter, LogicalPlan}
 
@@ -29,14 +30,18 @@ import org.apache.kyuubi.plugin.spark.authz.serde._
 case class RuleApplyRowFilter(spark: SparkSession) extends RuleHelper {
 
   override def apply(plan: LogicalPlan): LogicalPlan = {
-    val newPlan = mapChildren(plan) {
-      case p: RowFilterMarker => p
-      case scan if isKnownScan(scan) && scan.resolved =>
-        val tables = getScanSpec(scan).tables(scan, spark)
-        tables.headOption.map(applyFilter(scan, _)).getOrElse(scan)
-      case other => apply(other)
+    if (!rowFilterEnabled(conf)) {
+      plan
+    } else {
+      val newPlan = mapChildren(plan) {
+        case p: RowFilterMarker => p
+        case scan if isKnownScan(scan) && scan.resolved =>
+          val tables = getScanSpec(scan).tables(scan, spark)
+          tables.headOption.map(applyFilter(scan, _)).getOrElse(scan)
+        case other => apply(other)
+      }
+      newPlan
     }
-    newPlan
   }
 
   private def applyFilter(
diff --git a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/spark/authz/AuthzConf.scala b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/spark/authz/AuthzConf.scala
@@ -0,0 +1,58 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.spark.authz
+
+import org.apache.spark.SparkConf
+import org.apache.spark.internal.config.ConfigBuilder
+import org.apache.spark.sql.internal.SQLConf
+
+object AuthzConf {
+
+  def confRestrictedList(conf: SparkConf): Option[String] = {
+    conf.get(CONF_RESTRICTED_LIST)
+  }
+
+  def dataMaskingEnabled(conf: SQLConf): Boolean = {
+    conf.getConf(DATA_MASKING_ENABLED)
+  }
+
+  def rowFilterEnabled(conf: SQLConf): Boolean = {
+    conf.getConf(ROW_FILTER_ENABLED)
+  }
+
+  val CONF_RESTRICTED_LIST =
+    ConfigBuilder("spark.kyuubi.conf.restricted.list")
+      .doc("The config key in the restricted list cannot set dynamic configuration via SET syntax.")
+      .version("1.7.0")
+      .stringConf
+      .createOptional
+
+  val DATA_MASKING_ENABLED =
+    ConfigBuilder("spark.sql.authz.dataMasking.enabled")
+      .doc("")
+      .version("1.11.0")
+      .booleanConf
+      .createWithDefault(true)
+
+  val ROW_FILTER_ENABLED =
+    ConfigBuilder("spark.sql.authz.rowFilter.enabled")
+      .doc("")
+      .version("1.11.0")
+      .booleanConf
+      .createWithDefault(true)
+
+}
