
Example 1 with Identity

use of io.prestosql.spi.security.Identity in project hetu-core by openlookeng.

the class TestColumnMask method testView.

/**
 * Verifies whose column mask is enforced when a masked table is read through a view.
 *
 * <p>The three scenarios pin the access-control contract: a mask registered for the view owner
 * is applied to the underlying table both when another user runs the query and when the owner
 * runs it, while a mask registered only for the invoking user is not applied to reads that go
 * through the view.
 */
@Test
public void testView() {
    // Scenario 1: the mask belongs to the view owner and the query is issued by another user.
    // The view still returns the masked value ('ARGENTINA' reversed).
    assertions.executeExclusively(() -> {
        accessControl.reset();
        QualifiedObjectName nation = new QualifiedObjectName(CATALOG, "tiny", "nation");
        ViewExpression ownerMask = new ViewExpression(VIEW_OWNER, Optional.empty(), Optional.empty(), "reverse(name)");
        accessControl.columnMask(nation, "name", VIEW_OWNER, ownerMask);
        Identity invoker = new Identity(RUN_AS_USER, Optional.empty());
        Session session = Session.builder(SESSION)
                .setIdentity(invoker)
                .build();
        assertions.assertQuery(
                session,
                "SELECT name FROM mock.default.nation_view WHERE nationkey = 1",
                "VALUES CAST('ANITNEGRA' AS VARCHAR(25))");
    });

    // Scenario 2: the mask belongs to the view owner and the owner issues the query.
    // The masked value is returned here as well.
    assertions.executeExclusively(() -> {
        accessControl.reset();
        QualifiedObjectName nation = new QualifiedObjectName(CATALOG, "tiny", "nation");
        ViewExpression ownerMask = new ViewExpression(VIEW_OWNER, Optional.of(CATALOG), Optional.of("tiny"), "reverse(name)");
        accessControl.columnMask(nation, "name", VIEW_OWNER, ownerMask);
        Identity owner = new Identity(VIEW_OWNER, Optional.empty());
        Session session = Session.builder(SESSION)
                .setIdentity(owner)
                .build();
        assertions.assertQuery(
                session,
                "SELECT name FROM mock.default.nation_view WHERE nationkey = 1",
                "VALUES CAST('ANITNEGRA' AS VARCHAR(25))");
    });

    // Scenario 3: the mask is registered for the invoking user, who is not the view owner.
    // It must not be applied to the table underneath the view, so the clear value comes back.
    assertions.executeExclusively(() -> {
        accessControl.reset();
        QualifiedObjectName nation = new QualifiedObjectName(CATALOG, "tiny", "nation");
        ViewExpression invokerMask = new ViewExpression(RUN_AS_USER, Optional.of(CATALOG), Optional.of("tiny"), "reverse(name)");
        accessControl.columnMask(nation, "name", RUN_AS_USER, invokerMask);
        Identity invoker = new Identity(RUN_AS_USER, Optional.empty());
        Session session = Session.builder(SESSION)
                .setIdentity(invoker)
                .build();
        assertions.assertQuery(
                session,
                "SELECT name FROM mock.default.nation_view WHERE nationkey = 1",
                "VALUES CAST('ARGENTINA' AS VARCHAR(25))");
    });
}
Also used : Identity(io.prestosql.spi.security.Identity) QualifiedObjectName(io.prestosql.spi.connector.QualifiedObjectName) ViewExpression(io.prestosql.spi.security.ViewExpression) Session(io.prestosql.Session) Test(org.testng.annotations.Test)

Example 2 with Identity

use of io.prestosql.spi.security.Identity in project hetu-core by openlookeng.

the class TestRowFilter method testView.

/**
 * Verifies whose row filter is enforced when a filtered table is read through a view.
 *
 * <p>A filter registered for the view owner restricts the rows seen through the view whether
 * the query is run by another user or by the owner; a filter registered only for the invoking
 * user is not applied to the table underneath the view.
 */
@Test
public void testView() {
    // Scenario 1: the filter belongs to the view owner and another user runs the query.
    // Only the row matching the filter is visible.
    assertions.executeExclusively(() -> {
        accessControl.reset();
        QualifiedObjectName nation = new QualifiedObjectName(CATALOG, "tiny", "nation");
        ViewExpression ownerFilter = new ViewExpression(VIEW_OWNER, Optional.empty(), Optional.empty(), "nationkey = 1");
        accessControl.rowFilter(nation, VIEW_OWNER, ownerFilter);
        Identity invoker = new Identity(RUN_AS_USER, Optional.empty());
        Session session = Session.builder(SESSION)
                .setIdentity(invoker)
                .build();
        assertions.assertQuery(
                session,
                "SELECT name FROM mock.default.nation_view",
                "VALUES CAST('ARGENTINA' AS VARCHAR(25))");
    });

    // Scenario 2: the filter belongs to the view owner and the owner runs the query.
    // The same single row is visible.
    assertions.executeExclusively(() -> {
        accessControl.reset();
        QualifiedObjectName nation = new QualifiedObjectName(CATALOG, "tiny", "nation");
        ViewExpression ownerFilter = new ViewExpression(VIEW_OWNER, Optional.of(CATALOG), Optional.of("tiny"), "nationkey = 1");
        accessControl.rowFilter(nation, VIEW_OWNER, ownerFilter);
        Identity owner = new Identity(VIEW_OWNER, Optional.empty());
        Session session = Session.builder(SESSION)
                .setIdentity(owner)
                .build();
        assertions.assertQuery(
                session,
                "SELECT name FROM mock.default.nation_view",
                "VALUES CAST('ARGENTINA' AS VARCHAR(25))");
    });

    // Scenario 3: the filter is registered for the invoking user, who is not the view owner.
    // It must not be applied, so the view exposes all 25 rows.
    assertions.executeExclusively(() -> {
        accessControl.reset();
        QualifiedObjectName nation = new QualifiedObjectName(CATALOG, "tiny", "nation");
        ViewExpression invokerFilter = new ViewExpression(RUN_AS_USER, Optional.of(CATALOG), Optional.of("tiny"), "nationkey = 1");
        accessControl.rowFilter(nation, RUN_AS_USER, invokerFilter);
        Identity invoker = new Identity(RUN_AS_USER, Optional.empty());
        Session session = Session.builder(SESSION)
                .setIdentity(invoker)
                .build();
        assertions.assertQuery(
                session,
                "SELECT count(*) FROM mock.default.nation_view",
                "VALUES BIGINT '25'");
    });
}
Also used : Identity(io.prestosql.spi.security.Identity) QualifiedObjectName(io.prestosql.spi.connector.QualifiedObjectName) ViewExpression(io.prestosql.spi.security.ViewExpression) Session(io.prestosql.Session) Test(org.testng.annotations.Test)

Example 3 with Identity

use of io.prestosql.spi.security.Identity in project hetu-core by openlookeng.

the class TestHiveRoles method testSetRole.

/**
 * Checks which roles are applicable and enabled for {@code set_user_1} under each role selection.
 *
 * <p>Grant chain built here: set_user_1 -> set_role_1 -> set_role_2 -> set_role_3.
 * set_role_4 is created but never granted, so selecting it has to be rejected.
 */
@Test
public void testSetRole() {
    executeFromAdmin("CREATE ROLE set_role_1");
    executeFromAdmin("CREATE ROLE set_role_2");
    executeFromAdmin("CREATE ROLE set_role_3");
    executeFromAdmin("CREATE ROLE set_role_4");
    executeFromAdmin("GRANT set_role_1 TO USER set_user_1");
    executeFromAdmin("GRANT set_role_2 TO ROLE set_role_1");
    executeFromAdmin("GRANT set_role_3 TO ROLE set_role_2");

    // One session per role selection; every session runs as the same user.
    Session unsetRole = Session.builder(getQueryRunner().getDefaultSession())
            .setIdentity(new Identity("set_user_1", Optional.empty()))
            .build();
    Session setRoleAll = Session.builder(getQueryRunner().getDefaultSession())
            .setIdentity(new Identity(
                    "set_user_1",
                    Optional.empty(),
                    ImmutableMap.of("hive", new SelectedRole(SelectedRole.Type.ALL, Optional.empty()))))
            .build();
    Session setRoleNone = Session.builder(getQueryRunner().getDefaultSession())
            .setIdentity(new Identity(
                    "set_user_1",
                    Optional.empty(),
                    ImmutableMap.of("hive", new SelectedRole(SelectedRole.Type.NONE, Optional.empty()))))
            .build();
    Session setRole1 = Session.builder(getQueryRunner().getDefaultSession())
            .setIdentity(new Identity(
                    "set_user_1",
                    Optional.empty(),
                    ImmutableMap.of("hive", new SelectedRole(SelectedRole.Type.ROLE, Optional.of("set_role_1")))))
            .build();
    Session setRole2 = Session.builder(getQueryRunner().getDefaultSession())
            .setIdentity(new Identity(
                    "set_user_1",
                    Optional.empty(),
                    ImmutableMap.of("hive", new SelectedRole(SelectedRole.Type.ROLE, Optional.of("set_role_2")))))
            .build();
    Session setRole3 = Session.builder(getQueryRunner().getDefaultSession())
            .setIdentity(new Identity(
                    "set_user_1",
                    Optional.empty(),
                    ImmutableMap.of("hive", new SelectedRole(SelectedRole.Type.ROLE, Optional.of("set_role_3")))))
            .build();
    Session setRole4 = Session.builder(getQueryRunner().getDefaultSession())
            .setIdentity(new Identity(
                    "set_user_1",
                    Optional.empty(),
                    ImmutableMap.of("hive", new SelectedRole(SelectedRole.Type.ROLE, Optional.of("set_role_4")))))
            .build();

    // applicable_roles lists the direct grant to the user plus every transitive role-to-role grant.
    MaterializedResult applicableRoles = getQueryRunner().execute(unsetRole, "SELECT * FROM hive.information_schema.applicable_roles");
    MaterializedResult expectedApplicable = MaterializedResult.resultBuilder(unsetRole, createUnboundedVarcharType(), createUnboundedVarcharType(), createUnboundedVarcharType(), createUnboundedVarcharType())
            .row("set_user_1", "USER", "public", "NO")
            .row("set_user_1", "USER", "set_role_1", "NO")
            .row("set_role_1", "ROLE", "set_role_2", "NO")
            .row("set_role_2", "ROLE", "set_role_3", "NO")
            .build();
    assertEqualsIgnoreOrder(applicableRoles, expectedApplicable);

    // No explicit selection: every granted role is enabled.
    MaterializedResult enabledUnset = getQueryRunner().execute(unsetRole, "SELECT * FROM hive.information_schema.enabled_roles");
    MaterializedResult expectedUnset = MaterializedResult.resultBuilder(unsetRole, createUnboundedVarcharType())
            .row("public")
            .row("set_role_1")
            .row("set_role_2")
            .row("set_role_3")
            .build();
    assertEqualsIgnoreOrder(enabledUnset, expectedUnset);

    // ALL: same set as the unset case.
    MaterializedResult enabledAll = getQueryRunner().execute(setRoleAll, "SELECT * FROM hive.information_schema.enabled_roles");
    MaterializedResult expectedAll = MaterializedResult.resultBuilder(setRoleAll, createUnboundedVarcharType())
            .row("public")
            .row("set_role_1")
            .row("set_role_2")
            .row("set_role_3")
            .build();
    assertEqualsIgnoreOrder(enabledAll, expectedAll);

    // NONE: only the implicit public role stays enabled.
    MaterializedResult enabledNone = getQueryRunner().execute(setRoleNone, "SELECT * FROM hive.information_schema.enabled_roles");
    MaterializedResult expectedNone = MaterializedResult.resultBuilder(setRoleNone, createUnboundedVarcharType())
            .row("public")
            .build();
    assertEqualsIgnoreOrder(enabledNone, expectedNone);

    // A specific role enables that role and the roles granted to it, but nothing above it in the chain.
    MaterializedResult enabledRole1 = getQueryRunner().execute(setRole1, "SELECT * FROM hive.information_schema.enabled_roles");
    MaterializedResult expectedRole1 = MaterializedResult.resultBuilder(setRole1, createUnboundedVarcharType())
            .row("public")
            .row("set_role_1")
            .row("set_role_2")
            .row("set_role_3")
            .build();
    assertEqualsIgnoreOrder(enabledRole1, expectedRole1);

    MaterializedResult enabledRole2 = getQueryRunner().execute(setRole2, "SELECT * FROM hive.information_schema.enabled_roles");
    MaterializedResult expectedRole2 = MaterializedResult.resultBuilder(setRole2, createUnboundedVarcharType())
            .row("public")
            .row("set_role_2")
            .row("set_role_3")
            .build();
    assertEqualsIgnoreOrder(enabledRole2, expectedRole2);

    MaterializedResult enabledRole3 = getQueryRunner().execute(setRole3, "SELECT * FROM hive.information_schema.enabled_roles");
    MaterializedResult expectedRole3 = MaterializedResult.resultBuilder(setRole3, createUnboundedVarcharType())
            .row("public")
            .row("set_role_3")
            .build();
    assertEqualsIgnoreOrder(enabledRole3, expectedRole3);

    // Negative case: a role that was never granted to the user cannot be selected.
    assertQueryFails(setRole4, "SELECT * FROM hive.information_schema.enabled_roles", ".*?Cannot set role set_role_4");

    // NOTE(review): cleanup is not in a finally block, so a failed assertion above leaves the roles behind.
    executeFromAdmin("DROP ROLE set_role_1");
    executeFromAdmin("DROP ROLE set_role_2");
    executeFromAdmin("DROP ROLE set_role_3");
    executeFromAdmin("DROP ROLE set_role_4");
}
Also used : SelectedRole(io.prestosql.spi.security.SelectedRole) Identity(io.prestosql.spi.security.Identity) MaterializedResult(io.prestosql.testing.MaterializedResult) Session(io.prestosql.Session) Test(org.testng.annotations.Test)

Example 4 with Identity

use of io.prestosql.spi.security.Identity in project hetu-core by openlookeng.

the class TestHttpRequestSessionContext method testSessionContext.

/**
 * Checks that {@code HttpRequestSessionContext} maps request headers onto the session fields.
 *
 * <p>User, roles and extra credentials are all read from client-supplied headers, and the groups
 * come from the group provider passed to the constructor. The test covers parsing only; it does
 * not exercise any authentication of those header values.
 */
@Test
public void testSessionContext() {
    ImmutableListMultimap<String, String> headers = ImmutableListMultimap.<String, String>builder()
            .put(PRESTO_USER, "testUser")
            .put(PRESTO_SOURCE, "testSource")
            .put(PRESTO_CATALOG, "testCatalog")
            .put(PRESTO_SCHEMA, "testSchema")
            .put(PRESTO_PATH, "testPath")
            .put(PRESTO_LANGUAGE, "zh-TW")
            .put(PRESTO_TIME_ZONE, "Asia/Taipei")
            .put(PRESTO_CLIENT_INFO, "client-info")
            // Session properties: repeated header, comma-separated pairs, %2C decodes to a literal comma.
            .put(PRESTO_SESSION, QUERY_MAX_MEMORY + "=1GB")
            .put(PRESTO_SESSION, JOIN_DISTRIBUTION_TYPE + "=partitioned," + HASH_PARTITION_COUNT + " = 43")
            .put(PRESTO_SESSION, "some_session_property=some value with %2C comma")
            .put(PRESTO_PREPARED_STATEMENT, "query1=select * from foo,query2=select * from bar")
            // One role header per catalog: ALL, NONE, or ROLE{name}.
            .put(PRESTO_ROLE, "foo_connector=ALL")
            .put(PRESTO_ROLE, "bar_connector=NONE")
            .put(PRESTO_ROLE, "foobar_connector=ROLE{role}")
            .put(PRESTO_EXTRA_CREDENTIAL, "test.token.foo=bar")
            .put(PRESTO_EXTRA_CREDENTIAL, "test.token.abc=xyz")
            .build();
    HttpServletRequest request = new MockHttpServletRequest(headers, "testRemote");

    // The group provider used here simply returns the user name as the only group.
    HttpRequestSessionContext context = new HttpRequestSessionContext(request, user -> ImmutableSet.of(user));

    assertEquals(context.getSource(), "testSource");
    assertEquals(context.getCatalog(), "testCatalog");
    assertEquals(context.getSchema(), "testSchema");
    assertEquals(context.getPath(), "testPath");
    assertEquals(context.getIdentity(), new Identity("testUser", Optional.empty()));
    assertEquals(context.getClientInfo(), "client-info");
    assertEquals(context.getLanguage(), "zh-TW");
    assertEquals(context.getTimeZoneId(), "Asia/Taipei");
    assertEquals(
            context.getSystemProperties(),
            ImmutableMap.of(
                    QUERY_MAX_MEMORY, "1GB",
                    JOIN_DISTRIBUTION_TYPE, "partitioned",
                    HASH_PARTITION_COUNT, "43",
                    "some_session_property", "some value with , comma"));
    assertEquals(
            context.getPreparedStatements(),
            ImmutableMap.of(
                    "query1", "select * from foo",
                    "query2", "select * from bar"));
    assertEquals(
            context.getIdentity().getRoles(),
            ImmutableMap.of(
                    "foo_connector", new SelectedRole(SelectedRole.Type.ALL, Optional.empty()),
                    "bar_connector", new SelectedRole(SelectedRole.Type.NONE, Optional.empty()),
                    "foobar_connector", new SelectedRole(SelectedRole.Type.ROLE, Optional.of("role"))));
    assertEquals(
            context.getIdentity().getExtraCredentials(),
            ImmutableMap.of(
                    "test.token.foo", "bar",
                    "test.token.abc", "xyz"));
    assertEquals(context.getIdentity().getGroups(), ImmutableSet.of("testUser"));
}
Also used : HttpServletRequest(javax.servlet.http.HttpServletRequest) SelectedRole(io.prestosql.spi.security.SelectedRole) Identity(io.prestosql.spi.security.Identity) Test(org.testng.annotations.Test)

Example 5 with Identity

use of io.prestosql.spi.security.Identity in project hetu-core by openlookeng.

the class AutoVacuumScanner method startVacuum.

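/**
 * Submits a {@code vacuum table} statement for one table unless a vacuum for it is already tracked.
 *
 * <p>The statement runs in a session built here with the fixed identity {@code "openLooKeng"} and
 * source {@code "auto-vacuum"}, so access checks and query logs see that user rather than any
 * end user. The table is recorded in {@code vacuumInProgressMap} before dispatch and removed
 * again when the query reaches a done state or when dispatch fails.
 *
 * @param catalog catalog whose name prefixes the table in the statement
 * @param vacuumTable table name appended after the catalog name
 * @param isFull when true, the statement is issued with the {@code full} suffix
 */
private void startVacuum(Catalog catalog, String vacuumTable, boolean isFull) {
    String catalogNameVacuumTable = catalog.getCatalogName() + "." + vacuumTable;
    // Cheap early exit; the authoritative claim is the putIfAbsent further down.
    if (vacuumInProgressMap.containsKey(catalogNameVacuumTable)) {
        log.debug("return Present in vacuumInProgressMap %s ", catalogNameVacuumTable);
        return;
    }
    long attempts = 0;
    QueryId queryId = dispatchManager.createQueryId();
    String slug = "x" + randomUUID().toString().toLowerCase(ENGLISH).replace("-", "");
    // NOTE(review): the statement is built by concatenating unquoted identifiers. This assumes
    // the catalog and table names come from trusted metadata -- confirm against the caller.
    String vacuumQuery;
    if (isFull) {
        vacuumQuery = "vacuum table " + catalogNameVacuumTable + "  full";
    } else {
        vacuumQuery = "vacuum table " + catalogNameVacuumTable;
    }
    // The vacuum runs under a fixed service identity, not under the identity of any caller.
    Session.SessionBuilder sessionBuilder = Session.builder(sessionPropertyManager).setQueryId(queryId).setIdentity(new Identity("openLooKeng", Optional.empty())).setSource("auto-vacuum");
    Session session = sessionBuilder.build();
    AutoVacuumSessionContext sessionContext = new AutoVacuumSessionContext(session);
    // Claim the table atomically: containsKey followed by put would let two concurrent callers
    // both pass the check above and submit the same vacuum twice.
    if (vacuumInProgressMap.putIfAbsent(catalogNameVacuumTable, System.currentTimeMillis()) != null) {
        log.debug("return Present in vacuumInProgressMap %s ", catalogNameVacuumTable);
        return;
    }
    log.debug("Query.create queryId %s  catalogNameVacuumTable: %s ", queryId.toString(), catalogNameVacuumTable);
    ListenableFuture<?> lf;
    try {
        lf = waitForDispatched(queryId, slug, sessionContext, vacuumQuery);
    } catch (RuntimeException | Error e) {
        // Release the claim if dispatch fails synchronously; otherwise the stale entry would
        // block every later vacuum of this table. The failure is still propagated.
        vacuumInProgressMap.remove(catalogNameVacuumTable);
        throw e;
    }
    Futures.addCallback(lf, new FutureCallback<Object>() {

        @Override
        public void onSuccess(@Nullable Object result) {
            try {
                DispatchQuery dispatchQuery = dispatchManager.getQuery(queryId);
                dispatchQuery.addStateChangeListener((state) -> {
                    Query query = getQuery(queryId, slug);
                    if ((null != query) && (!dispatchManager.getQueryInfo(queryId).getState().isDone())) {
                        query.waitForResults(attempts, Duration.valueOf("1s"), DataSize.valueOf("1MB"));
                    }
                    if (state.isDone()) {
                        log.debug("STATUS  %s QueryID %s Query %s", state.name(), queryId.toString(), vacuumQuery);
                        vacuumInProgressMap.remove(catalogNameVacuumTable);
                    }
                });
            } catch (Throwable e) {
                vacuumInProgressMap.remove(catalogNameVacuumTable);
                // The original format string had two placeholders for three arguments, so the
                // failure reason was dropped from the log line.
                log.error("Failed to execute vacuum for table %s QueryID %s: %s", catalogNameVacuumTable, queryId.toString(), e.getMessage());
            }
        }

        @Override
        public void onFailure(Throwable t) {
            vacuumInProgressMap.remove(catalogNameVacuumTable);
            log.error("Query %s request to start vacuum scan failed at queryId[%s]: %s ", vacuumQuery, queryId, t.getMessage());
        }
    }, directExecutor());
}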
Also used : ConnectorMetadata(io.prestosql.spi.connector.ConnectorMetadata) DispatchQuery(io.prestosql.dispatcher.DispatchQuery) Inject(com.google.inject.Inject) DataCenterStatementResource(io.prestosql.datacenter.DataCenterStatementResource) Duration(io.airlift.units.Duration) QueryManager(io.prestosql.execution.QueryManager) PreDestroy(javax.annotation.PreDestroy) Future(java.util.concurrent.Future) BoundedExecutor(io.airlift.concurrent.BoundedExecutor) Map(java.util.Map) SimpleLocalMemoryContext(io.prestosql.memory.context.SimpleLocalMemoryContext) ENGLISH(java.util.Locale.ENGLISH) PrestoException(io.prestosql.spi.PrestoException) Query(io.prestosql.server.protocol.Query) ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap) Identity(io.prestosql.spi.security.Identity) ThreadSafe(javax.annotation.concurrent.ThreadSafe) MILLISECONDS(java.util.concurrent.TimeUnit.MILLISECONDS) Executors(java.util.concurrent.Executors) String.format(java.lang.String.format) Preconditions.checkState(com.google.common.base.Preconditions.checkState) MoreExecutors.directExecutor(com.google.common.util.concurrent.MoreExecutors.directExecutor) DataSize(io.airlift.units.DataSize) List(java.util.List) SessionPropertyManager(io.prestosql.metadata.SessionPropertyManager) PostConstruct(javax.annotation.PostConstruct) Optional(java.util.Optional) StandardErrorCode(io.prestosql.spi.StandardErrorCode) ConnectorVacuumTableInfo(io.prestosql.spi.connector.ConnectorVacuumTableInfo) AggregatedMemoryContext.newSimpleAggregatedMemoryContext(io.prestosql.memory.context.AggregatedMemoryContext.newSimpleAggregatedMemoryContext) Connector(io.prestosql.spi.connector.Connector) ListenableFuture(com.google.common.util.concurrent.ListenableFuture) Logger(io.airlift.log.Logger) BlockEncodingSerde(io.prestosql.spi.block.BlockEncodingSerde) AtomicReference(java.util.concurrent.atomic.AtomicReference) ExchangeClient(io.prestosql.operator.ExchangeClient) Objects.requireNonNull(java.util.Objects.requireNonNull) 
Session(io.prestosql.Session) ScheduledExecutorService(java.util.concurrent.ScheduledExecutorService) QueryId(io.prestosql.spi.QueryId) NoSuchElementException(java.util.NoSuchElementException) DispatchManager(io.prestosql.dispatcher.DispatchManager) Nullable(javax.annotation.Nullable) ForStatementResource(io.prestosql.server.ForStatementResource) FutureCallback(com.google.common.util.concurrent.FutureCallback) Futures(com.google.common.util.concurrent.Futures) UUID.randomUUID(java.util.UUID.randomUUID) Catalog(io.prestosql.metadata.Catalog) ExchangeClientSupplier(io.prestosql.operator.ExchangeClientSupplier) CatalogManager(io.prestosql.metadata.CatalogManager) DispatchQuery(io.prestosql.dispatcher.DispatchQuery) Query(io.prestosql.server.protocol.Query) DispatchQuery(io.prestosql.dispatcher.DispatchQuery) QueryId(io.prestosql.spi.QueryId) Identity(io.prestosql.spi.security.Identity) Session(io.prestosql.Session)
