[KYUUBI #7458] Add server-side statement interceptor SPI#7530
[KYUUBI #7458] Add server-side statement interceptor SPI#7530wangzhigang1999 wants to merge 7 commits into
Conversation
Add a user-facing English doc for the statement interceptor SPI under docs/extensions/server and register it in the server extensions toctree.
…ptor Pre-allocate the operation handle before interception and reuse it for the operation instead of letting the operation self-generate one, and add StatementInterceptContext#statementId so an interceptor can correlate the intercepted statement with its later operation and result set. The id equals the operation handle the client receives.
…cted statements Expose StatementInterceptContext#realUser, the authenticated user before any impersonation, alongside user() which is documented as the effective (proxy) user the statement runs as, so an interceptor can authorize and audit both the effective and the real identity. Throw the REJECT error with SQLState 42000 (access rule violation) so JDBC and BI clients can tell a policy rejection from a syntax error programmatically rather than by parsing the message text. Claude-Session: https://claude.ai/code/session_01Mco2CEWmiF95hJFVy77usj
|
Design note —
Also manually verified on a Kubernetes deployment: REWRITE/REJECT over Beeline (reject surfaces SQLState |
…ommon unchanged Inject the pre-allocated operation handle through KyuubiOperation's `override protected val handle` constructor param and revert the AbstractOperation constructor in kyuubi-common to its original single-arg form. The handle stays a constructor paramaccessor so AbstractOperation's statementId reads it during superclass initialization. Other refinements: - Reduce StatementInterceptContextImpl to `override val` constructor params. - Drop the redundant defensive copies of the already read-only confOverlay and server conf maps; normalize null ipAddress/engineType with Option. - Mark statementInterceptors @volatile. - Document that engineType() returns the upper-cased kyuubi.engine.type enum names such as SPARK_SQL, and that batch and Data Agent REST paths are not intercepted.
Why are the changes needed?
First half of #7458 (the statement hook; the result-set hook is a follow-up PR). Kyuubi lacks a gateway-level, per-statement hook before a statement is routed to the engine (Spark AuthZ is Spark-specific). This adds a server-side
StatementInterceptorSPI, invoked for each interactive statement before operation creation and routing, that can inspect / rewrite / reject — one stable hook for authorization, risky-SQL interception, and rewriting.kyuubi-server-pluginmodule, JDK types only; does not expose session conf/credentials.kyuubi.operation.statement.interceptorsisserverOnly(no session bypass); fail-closed on throw/null; eager init at startup.statementId()(the client's operation handle id) to correlate a statement with its later operation/result set.Interactive path only.
How was this patch tested?
Unit (
StatementInterceptionSuite,PluginLoaderSuite) and end-to-end JDBC→server→engine (StatementInterceptorSuite) covering proceed/rewrite/reject, the executeOnServer path, fail-closed, concurrency, andstatementId.spotless/scalastyle/AllKyuubiConfigurationpass.Was this patch authored or co-authored using generative AI tooling?
Assisted-by: Claude Opus 4.8