Example 1 with AccessDeniedException

Use of com.facebook.presto.spi.security.AccessDeniedException in project presto by prestodb.

Class TestFileBasedAccessControl, method testSessionPropertyRules.

@Test
public void testSessionPropertyRules() throws IOException {
    ConnectorAccessControl accessControl = createAccessControl("session_property.json");
    accessControl.checkCanSetCatalogSessionProperty(user("admin"), "dangerous");
    accessControl.checkCanSetCatalogSessionProperty(user("alice"), "safe");
    accessControl.checkCanSetCatalogSessionProperty(user("alice"), "unsafe");
    accessControl.checkCanSetCatalogSessionProperty(user("bob"), "safe");
    try {
        accessControl.checkCanSetCatalogSessionProperty(user("bob"), "unsafe");
        fail();
    } catch (AccessDeniedException e) {
        // expected: bob may not set "unsafe"
    }
    try {
        accessControl.checkCanSetCatalogSessionProperty(user("alice"), "dangerous");
        fail();
    } catch (AccessDeniedException e) {
        // expected: alice may not set "dangerous"
    }
    try {
        accessControl.checkCanSetCatalogSessionProperty(user("charlie"), "safe");
        fail();
    } catch (AccessDeniedException e) {
        // expected: charlie is denied even for "safe"
    }
}
Also used: AccessDeniedException (com.facebook.presto.spi.security.AccessDeniedException), ConnectorAccessControl (com.facebook.presto.spi.connector.ConnectorAccessControl), Test (org.testng.annotations.Test)

Example 2 with AccessDeniedException

Use of com.facebook.presto.spi.security.AccessDeniedException in project presto by prestodb.

Class TestFileBasedAccessControl, method testTableRules.

@Test
public void testTableRules() throws IOException {
    ConnectorAccessControl accessControl = createAccessControl("table.json");
    accessControl.checkCanSelectFromTable(TRANSACTION_HANDLE, user("alice"), SchemaTableName.valueOf("test.test"));
    accessControl.checkCanSelectFromTable(TRANSACTION_HANDLE, user("alice"), SchemaTableName.valueOf("bobschema.bobtable"));
    accessControl.checkCanSelectFromTable(TRANSACTION_HANDLE, user("bob"), SchemaTableName.valueOf("bobschema.bobtable"));
    accessControl.checkCanInsertIntoTable(TRANSACTION_HANDLE, user("bob"), SchemaTableName.valueOf("bobschema.bobtable"));
    accessControl.checkCanDeleteFromTable(TRANSACTION_HANDLE, user("bob"), SchemaTableName.valueOf("bobschema.bobtable"));
    accessControl.checkCanCreateViewWithSelectFromTable(TRANSACTION_HANDLE, user("bob"), SchemaTableName.valueOf("bobschema.bobtable"));
    accessControl.checkCanDropTable(TRANSACTION_HANDLE, user("admin"), SchemaTableName.valueOf("bobschema.bobtable"));
    try {
        accessControl.checkCanInsertIntoTable(TRANSACTION_HANDLE, user("alice"), SchemaTableName.valueOf("bobschema.bobtable"));
        fail();
    } catch (AccessDeniedException e) {
        // expected: alice may select from bobschema.bobtable but not insert into it
    }
    try {
        accessControl.checkCanDropTable(TRANSACTION_HANDLE, user("bob"), SchemaTableName.valueOf("bobschema.bobtable"));
        fail();
    } catch (AccessDeniedException e) {
        // expected: bob may not drop bobschema.bobtable
    }
    try {
        accessControl.checkCanInsertIntoTable(TRANSACTION_HANDLE, user("bob"), SchemaTableName.valueOf("test.test"));
        fail();
    } catch (AccessDeniedException e) {
        // expected: bob may not insert into test.test
    }
    try {
        accessControl.checkCanSelectFromTable(TRANSACTION_HANDLE, user("admin"), SchemaTableName.valueOf("secret.secret"));
        fail();
    } catch (AccessDeniedException e) {
        // expected: admin may not select from secret.secret
    }
}
Also used: AccessDeniedException (com.facebook.presto.spi.security.AccessDeniedException), ConnectorAccessControl (com.facebook.presto.spi.connector.ConnectorAccessControl), Test (org.testng.annotations.Test)

Example 3 with AccessDeniedException

Use of com.facebook.presto.spi.security.AccessDeniedException in project presto by prestodb.

Class TestFileBasedAccessControl, method testSchemaRules.

@Test
public void testSchemaRules() throws IOException {
    ConnectorAccessControl accessControl = createAccessControl("schema.json");
    accessControl.checkCanCreateTable(TRANSACTION_HANDLE, user("admin"), SchemaTableName.valueOf("test.test"));
    accessControl.checkCanCreateTable(TRANSACTION_HANDLE, user("bob"), SchemaTableName.valueOf("bob.test"));
    try {
        accessControl.checkCanCreateTable(TRANSACTION_HANDLE, user("bob"), SchemaTableName.valueOf("test.test"));
        fail();
    } catch (AccessDeniedException e) {
        // expected: bob may not create a table in schema "test"
    }
    try {
        accessControl.checkCanCreateTable(TRANSACTION_HANDLE, user("admin"), SchemaTableName.valueOf("secret.test"));
        fail();
    } catch (AccessDeniedException e) {
        // expected: admin may not create a table in schema "secret"
    }
}
Also used: AccessDeniedException (com.facebook.presto.spi.security.AccessDeniedException), ConnectorAccessControl (com.facebook.presto.spi.connector.ConnectorAccessControl), Test (org.testng.annotations.Test)

Example 4 with AccessDeniedException

Use of com.facebook.presto.spi.security.AccessDeniedException in project presto by prestodb.

Class TestAccessControlManager, method testReadOnlySystemAccessControl.

@Test
public void testReadOnlySystemAccessControl() throws Exception {
    Identity identity = new Identity(USER_NAME, Optional.of(PRINCIPAL));
    QualifiedObjectName tableName = new QualifiedObjectName("catalog", "schema", "table");
    TransactionManager transactionManager = createTestTransactionManager();
    AccessControlManager accessControlManager = new AccessControlManager(transactionManager);
    accessControlManager.setSystemAccessControl(ReadOnlySystemAccessControl.NAME, ImmutableMap.of());
    accessControlManager.checkCanSetUser(PRINCIPAL, USER_NAME);
    accessControlManager.checkCanSetSystemSessionProperty(identity, "property");
    transaction(transactionManager, accessControlManager).execute(transactionId -> {
        accessControlManager.checkCanSetCatalogSessionProperty(transactionId, identity, "catalog", "property");
        accessControlManager.checkCanSelectFromTable(transactionId, identity, tableName);
        accessControlManager.checkCanSelectFromView(transactionId, identity, tableName);
        accessControlManager.checkCanCreateViewWithSelectFromTable(transactionId, identity, tableName);
        accessControlManager.checkCanCreateViewWithSelectFromView(transactionId, identity, tableName);
        accessControlManager.checkCanShowSchemas(transactionId, identity, "catalog");
        accessControlManager.checkCanShowTables(transactionId, identity, new CatalogSchemaName("catalog", "schema"));
        Set<String> catalogs = ImmutableSet.of("catalog");
        assertEquals(accessControlManager.filterCatalogs(identity, catalogs), catalogs);
        Set<String> schemas = ImmutableSet.of("schema");
        assertEquals(accessControlManager.filterSchemas(transactionId, identity, "catalog", schemas), schemas);
        Set<SchemaTableName> tableNames = ImmutableSet.of(new SchemaTableName("schema", "table"));
        assertEquals(accessControlManager.filterTables(transactionId, identity, "catalog", tableNames), tableNames);
    });
    try {
        transaction(transactionManager, accessControlManager).execute(transactionId -> {
            accessControlManager.checkCanInsertIntoTable(transactionId, identity, tableName);
        });
        fail();
    } catch (AccessDeniedException expected) {
        // expected: the read-only system access control denies the insert
    }
}
Also used: AccessDeniedException (com.facebook.presto.spi.security.AccessDeniedException), TransactionManager (com.facebook.presto.transaction.TransactionManager), TransactionManager.createTestTransactionManager (com.facebook.presto.transaction.TransactionManager.createTestTransactionManager), CatalogSchemaName (com.facebook.presto.spi.CatalogSchemaName), Identity (com.facebook.presto.spi.security.Identity), SchemaTableName (com.facebook.presto.spi.SchemaTableName), CatalogSchemaTableName (com.facebook.presto.spi.CatalogSchemaTableName), QualifiedObjectName (com.facebook.presto.metadata.QualifiedObjectName), Test (org.testng.annotations.Test)

Aggregations

AccessDeniedException (com.facebook.presto.spi.security.AccessDeniedException): 4
Test (org.testng.annotations.Test): 4
ConnectorAccessControl (com.facebook.presto.spi.connector.ConnectorAccessControl): 3
QualifiedObjectName (com.facebook.presto.metadata.QualifiedObjectName): 1
CatalogSchemaName (com.facebook.presto.spi.CatalogSchemaName): 1
CatalogSchemaTableName (com.facebook.presto.spi.CatalogSchemaTableName): 1
SchemaTableName (com.facebook.presto.spi.SchemaTableName): 1
Identity (com.facebook.presto.spi.security.Identity): 1
TransactionManager (com.facebook.presto.transaction.TransactionManager): 1
TransactionManager.createTestTransactionManager (com.facebook.presto.transaction.TransactionManager.createTestTransactionManager): 1