
Example 1 with RoleGrant

use of com.facebook.presto.spi.security.RoleGrant in project presto by prestodb.

the class FileHiveMetastore method listRoleGrants.

/**
 * Lists the role grants whose grantee is exactly {@code principal}.
 *
 * <p>Two grants are synthesized here for USER principals instead of being read from the
 * sanitized grant set: a non-grantable PUBLIC_ROLE_NAME grant for every user, and a grantable
 * ADMIN_ROLE_NAME grant for users whose name is in ADMIN_USERS.
 *
 * <p>NOTE(review): the admin grant depends only on the principal name being in ADMIN_USERS, so
 * it is only as trustworthy as whatever authenticated that name. Presumably this is enforced
 * upstream; confirm for the deployment.
 *
 * @param metastoreContext context passed through to the sanitized grant lookup
 * @param principal the grantee to look up
 * @return an immutable set of the synthesized grants plus the matching stored grants
 */
@Override
public synchronized Set<RoleGrant> listRoleGrants(MetastoreContext metastoreContext, PrestoPrincipal principal) {
    ImmutableSet.Builder<RoleGrant> grants = ImmutableSet.builder();
    boolean isUser = principal.getType() == USER;
    if (isUser) {
        // Every user implicitly holds the public role, without the admin option.
        grants.add(new RoleGrant(principal, PUBLIC_ROLE_NAME, false));
    }
    if (isUser && ADMIN_USERS.contains(principal.getName())) {
        // Built-in administrators hold the admin role with the admin option.
        grants.add(new RoleGrant(principal, ADMIN_ROLE_NAME, true));
    }
    // Only grants made directly to this principal are returned; nothing here follows role-to-role grants.
    Set<RoleGrant> directGrants = listRoleGrantsSanitized(metastoreContext)
            .stream()
            .filter(grant -> grant.getGrantee().equals(principal))
            .collect(toSet());
    grants.addAll(directGrants);
    return grants.build();
}
Also used : RoleGrant(com.facebook.presto.spi.security.RoleGrant) ImmutableSet(com.google.common.collect.ImmutableSet)

Example 2 with RoleGrant

use of com.facebook.presto.spi.security.RoleGrant in project presto by prestodb.

the class FileHiveMetastore method revokeRoles.

/**
 * Revokes {@code roles} from {@code grantees}, or only their admin option.
 *
 * <p>With {@code adminOptionFor} set, an existing grant is replaced by the same grant without
 * the admin option; otherwise the grant is removed in both forms. Pairs with no existing grant
 * are left untouched. The grants file is rewritten only when the resulting set differs from
 * the set that was read.
 *
 * <p>NOTE(review): {@code grantor} is not used and no authorization check is made in this
 * method. The caller is presumably responsible for verifying that the grantor holds the admin
 * option on each role; confirm.
 *
 * @param metastoreContext context passed through to the sanitized grant lookup
 * @param roles names of the roles to revoke
 * @param grantees principals losing the roles (or the admin option)
 * @param adminOptionFor when true, revoke only the admin option and keep the role
 * @param grantor principal issuing the revoke; unused here
 */
@Override
public synchronized void revokeRoles(MetastoreContext metastoreContext, Set<String> roles, Set<PrestoPrincipal> grantees, boolean adminOptionFor, PrestoPrincipal grantor) {
    Set<RoleGrant> existingGrants = listRoleGrantsSanitized(metastoreContext);
    Set<RoleGrant> workingGrants = new HashSet<>(existingGrants);
    for (PrestoPrincipal grantee : grantees) {
        for (String role : roles) {
            RoleGrant grantable = new RoleGrant(grantee, role, true);
            RoleGrant plain = new RoleGrant(grantee, role, false);
            boolean currentlyGranted = workingGrants.contains(grantable) || workingGrants.contains(plain);
            if (!currentlyGranted) {
                // Nothing to revoke; in particular, do not create a plain grant below.
                continue;
            }
            // The grantable form goes away in both modes.
            workingGrants.remove(grantable);
            if (adminOptionFor) {
                // Keep the role itself, minus the admin option.
                workingGrants.add(plain);
            } else {
                workingGrants.remove(plain);
            }
        }
    }
    Set<RoleGrant> deduplicated = removeDuplicatedEntries(workingGrants);
    if (existingGrants.equals(deduplicated)) {
        return;
    }
    writeRoleGrantsFile(deduplicated);
}
Also used : RoleGrant(com.facebook.presto.spi.security.RoleGrant) PrestoPrincipal(com.facebook.presto.spi.security.PrestoPrincipal) HashSet(java.util.HashSet) LinkedHashSet(java.util.LinkedHashSet)

Example 3 with RoleGrant

use of com.facebook.presto.spi.security.RoleGrant in project presto by prestodb.

the class FileHiveMetastore method grantRoles.

/**
 * Grants {@code roles} to {@code grantees}, with or without the admin option.
 *
 * <p>Each role must already exist, and so must a grantee of type ROLE; otherwise
 * {@code checkArgument} rejects the call before anything is written. For every grantee/role
 * pair the grant is stored in exactly one form, the one matching {@code withAdminOption}. The
 * grants file is rewritten only when the resulting set differs from the set that was read.
 *
 * <p>NOTE(review): because the opposite form is removed, a grant issued without the admin
 * option replaces an existing grant that had it, so a GRANT can narrow a grantee's privileges.
 * Confirm that this is intended.
 *
 * <p>NOTE(review): {@code grantor} is not used and no authorization check is made in this
 * method. The caller is presumably responsible for verifying that the grantor holds the admin
 * option on each role; confirm.
 *
 * @param metastoreContext context passed through to the role and grant lookups
 * @param roles names of the roles to grant
 * @param grantees principals receiving the roles
 * @param withAdminOption whether the grantees may in turn grant the roles
 * @param grantor principal issuing the grant; unused here
 */
@Override
public synchronized void grantRoles(MetastoreContext metastoreContext, Set<String> roles, Set<PrestoPrincipal> grantees, boolean withAdminOption, PrestoPrincipal grantor) {
    Set<String> knownRoles = listRoles(metastoreContext);
    Set<RoleGrant> existingGrants = listRoleGrantsSanitized(metastoreContext);
    Set<RoleGrant> workingGrants = new HashSet<>(existingGrants);
    for (PrestoPrincipal grantee : grantees) {
        for (String role : roles) {
            checkArgument(knownRoles.contains(role), "Role does not exist: %s", role);
            if (grantee.getType() == ROLE) {
                // A role can only receive a grant if it is itself a known role.
                checkArgument(knownRoles.contains(grantee.getName()), "Role does not exist: %s", grantee.getName());
            }
            RoleGrant replaced = new RoleGrant(grantee, role, !withAdminOption);
            RoleGrant requested = new RoleGrant(grantee, role, withAdminOption);
            // Keep a single form per grantee/role pair: drop the opposite one, store the requested one.
            workingGrants.remove(replaced);
            workingGrants.add(requested);
        }
    }
    Set<RoleGrant> deduplicated = removeDuplicatedEntries(workingGrants);
    if (existingGrants.equals(deduplicated)) {
        return;
    }
    writeRoleGrantsFile(deduplicated);
}
Also used : RoleGrant(com.facebook.presto.spi.security.RoleGrant) PrestoPrincipal(com.facebook.presto.spi.security.PrestoPrincipal) HashSet(java.util.HashSet) LinkedHashSet(java.util.LinkedHashSet)

Example 4 with RoleGrant

use of com.facebook.presto.spi.security.RoleGrant in project presto by prestodb.

the class SqlStandardAccessControl method hasAdminOptionForRoles.

/**
 * Tells whether {@code identity} may grant or revoke every role in {@code roles}.
 *
 * <p>An identity for which {@code isAdmin} holds passes unconditionally. Otherwise the grants
 * applicable to the USER principal built from {@code identity.getUser()} are collected, and
 * every requested role must be among those flagged grantable.
 *
 * <p>NOTE(review): an empty {@code roles} set yields {@code true}, because {@code containsAll}
 * of an empty collection holds. Callers should not read that result as proof of any privilege.
 *
 * @param transaction transaction used to obtain the metastore
 * @param identity identity whose privileges are checked
 * @param metastoreContext context passed through to the metastore
 * @param roles role names the identity wants to grant or revoke
 * @return true when the identity is an admin or holds the admin option on all of {@code roles}
 */
private boolean hasAdminOptionForRoles(ConnectorTransactionHandle transaction, ConnectorIdentity identity, MetastoreContext metastoreContext, Set<String> roles) {
    if (!isAdmin(transaction, identity, metastoreContext)) {
        SemiTransactionalHiveMetastore metastore = getMetastore(transaction);
        PrestoPrincipal user = new PrestoPrincipal(USER, identity.getUser());
        // Keep only the applicable grants that carry the admin option.
        Set<String> grantableRoleNames = listApplicableRoles(user, (PrestoPrincipal p) -> metastore.listRoleGrants(metastoreContext, p))
                .filter(RoleGrant::isGrantable)
                .map(RoleGrant::getRoleName)
                .collect(toSet());
        return grantableRoleNames.containsAll(roles);
    }
    return true;
}
Also used : RoleGrant(com.facebook.presto.spi.security.RoleGrant) SemiTransactionalHiveMetastore(com.facebook.presto.hive.metastore.SemiTransactionalHiveMetastore) PrestoPrincipal(com.facebook.presto.spi.security.PrestoPrincipal)

Example 5 with RoleGrant

use of com.facebook.presto.spi.security.RoleGrant in project presto by prestodb.

the class ThriftMetastoreUtil method listEnabledRoles.

/**
 * Streams the names of the roles that are enabled for {@code identity}.
 *
 * <p>A selected role of type NONE enables only PUBLIC_ROLE_NAME. With no selected role, or one
 * of type ALL, roles are resolved for the USER principal; otherwise they are resolved for the
 * selected ROLE principal, whose own name is also included. ADMIN_ROLE_NAME is filtered out of
 * the roles obtained through grants, so within this method it can only appear as the name of
 * the selected role.
 *
 * <p>NOTE(review): this method does not check that the identity has been granted the selected
 * role. That is presumably validated before the identity gets here; confirm.
 *
 * @param identity identity whose enabled roles are listed
 * @param listRoleGrants lookup returning the grants held by a principal
 * @return stream of enabled role names, starting with PUBLIC_ROLE_NAME; may contain repeats
 */
public static Stream<String> listEnabledRoles(ConnectorIdentity identity, Function<PrestoPrincipal, Set<RoleGrant>> listRoleGrants) {
    Optional<SelectedRole> selected = identity.getRole();
    boolean hasSelection = selected.isPresent();
    if (hasSelection && selected.get().getType() == SelectedRole.Type.NONE) {
        return Stream.of(PUBLIC_ROLE_NAME);
    }
    boolean resolveAsUser = !hasSelection || selected.get().getType() == SelectedRole.Type.ALL;
    PrestoPrincipal principal = resolveAsUser
            ? new PrestoPrincipal(USER, identity.getUser())
            : new PrestoPrincipal(ROLE, selected.get().getRole().get());
    Stream<String> baseRoles = Stream.of(PUBLIC_ROLE_NAME);
    if (principal.getType() == ROLE) {
        // The selected role itself is enabled, in addition to whatever it has been granted.
        baseRoles = Stream.concat(baseRoles, Stream.of(principal.getName()));
    }
    // The admin role is never enabled merely because it is reachable through grants.
    Stream<String> grantedRoles = listApplicableRoles(principal, listRoleGrants)
            .map(RoleGrant::getRoleName)
            .filter(Predicate.isEqual(ADMIN_ROLE_NAME).negate());
    return Stream.concat(baseRoles, grantedRoles);
}
Also used : RoleGrant(com.facebook.presto.spi.security.RoleGrant) SelectedRole(com.facebook.presto.spi.security.SelectedRole) PrestoPrincipal(com.facebook.presto.spi.security.PrestoPrincipal)

Aggregations

RoleGrant (com.facebook.presto.spi.security.RoleGrant)8 PrestoPrincipal (com.facebook.presto.spi.security.PrestoPrincipal)6 ImmutableSet (com.google.common.collect.ImmutableSet)2 HashSet (java.util.HashSet)2 LinkedHashSet (java.util.LinkedHashSet)2 SemiTransactionalHiveMetastore (com.facebook.presto.hive.metastore.SemiTransactionalHiveMetastore)1 InternalTable (com.facebook.presto.metadata.InternalTable)1 SelectedRole (com.facebook.presto.spi.security.SelectedRole)1 HashMap (java.util.HashMap)1 LinkedHashMap (java.util.LinkedHashMap)1