
Example 6 with Identity

use of io.prestosql.spi.security.Identity in project hetu-core by openlookeng.

the class TestHiveIntegrationSmokeTest method testSchemaOperations.

/**
 * Exercises schema creation and removal as user {@code hive} with the {@code admin} role
 * selected for the {@code hive} catalog.
 *
 * <p>The sequence also pins the guard that refuses to drop a schema which still contains a
 * table: the first {@code DROP SCHEMA} must fail with "Schema not empty".
 */
@Test
public void testSchemaOperations() {
    // The role travels inside the Identity: user "hive", no principal, and the ROLE "admin"
    // selected for catalog "hive".
    // NOTE(review): presumably the schema DDL below is only authorized with this role under
    // the test's Hive access-control setup — confirm against the query runner configuration.
    SelectedRole adminRole = new SelectedRole(SelectedRole.Type.ROLE, Optional.of("admin"));
    Identity hiveAdmin = new Identity("hive", Optional.empty(), ImmutableMap.of("hive", adminRole));
    Session admin = Session.builder(getQueryRunner().getDefaultSession())
            .setIdentity(hiveAdmin)
            .build();

    assertUpdate(admin, "CREATE SCHEMA new_schema");
    assertUpdate(admin, "CREATE TABLE new_schema.test (x bigint)");

    // A non-empty schema must not be droppable, even by the admin role.
    assertQueryFails(admin, "DROP SCHEMA new_schema", "Schema not empty: new_schema");

    // Remove the table first; only then does the schema drop succeed.
    assertUpdate(admin, "DROP TABLE new_schema.test");
    assertUpdate(admin, "DROP SCHEMA new_schema");
}
Also used : SelectedRole(io.prestosql.spi.security.SelectedRole) Identity(io.prestosql.spi.security.Identity) Session(io.prestosql.Session) ConnectorSession(io.prestosql.spi.connector.ConnectorSession) Test(org.testng.annotations.Test) AbstractTestIntegrationSmokeTest(io.prestosql.tests.AbstractTestIntegrationSmokeTest)

Example 7 with Identity

use of io.prestosql.spi.security.Identity in project hetu-core by openlookeng.

the class TestHiveIntegrationSmokeTest method testCurrentUserInView.

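/**
 * Verifies that {@code CURRENT_USER} inside a view is resolved for the session that queries
 * the view: {@code user1} and {@code user2} read the same view and each gets back only the
 * row whose {@code user_name} matches their own session user.
 *
 * <p>The table and view names are declared once and used for every statement, and cleanup
 * runs in a {@code finally} block so a failed assertion does not leave {@code test_accounts}
 * or its view behind for later tests sharing the same catalog and schema.
 */
@Test
public void testCurrentUserInView() {
    checkState(getSession().getCatalog().isPresent(), "catalog is not set");
    checkState(getSession().getSchema().isPresent(), "schema is not set");
    String catalog = getSession().getCatalog().get();
    String schema = getSession().getSchema().get();
    String testAccountsUnqualifiedName = "test_accounts";
    String testAccountsViewUnqualifiedName = "test_accounts_view";
    String testAccountsViewFullyQualifiedName = format("%s.%s.%s", catalog, schema, testAccountsViewUnqualifiedName);
    try {
        assertUpdate(format("CREATE TABLE %s AS SELECT user_name, account_name" + "  FROM (VALUES ('user1', 'account1'), ('user2', 'account2'))" + "  t (user_name, account_name)", testAccountsUnqualifiedName), 2);
        // The view filters on CURRENT_USER, so the row a reader sees depends on who is asking.
        assertUpdate(format("CREATE VIEW %s AS SELECT account_name FROM %s WHERE user_name = CURRENT_USER", testAccountsViewUnqualifiedName, testAccountsUnqualifiedName));
        // Only the view is granted; neither user receives SELECT on the underlying table here.
        assertUpdate(format("GRANT SELECT ON %s TO user1", testAccountsViewFullyQualifiedName));
        assertUpdate(format("GRANT SELECT ON %s TO user2", testAccountsViewFullyQualifiedName));

        // Both sessions reuse the default session's principal; only the user name differs,
        // so any difference in the results comes from the user name alone.
        Session user1 = testSessionBuilder().setCatalog(catalog).setSchema(schema).setIdentity(new Identity("user1", getSession().getIdentity().getPrincipal())).build();
        Session user2 = testSessionBuilder().setCatalog(catalog).setSchema(schema).setIdentity(new Identity("user2", getSession().getIdentity().getPrincipal())).build();

        assertQuery(user1, format("SELECT account_name FROM %s", testAccountsViewUnqualifiedName), "VALUES 'account1'");
        assertQuery(user2, format("SELECT account_name FROM %s", testAccountsViewUnqualifiedName), "VALUES 'account2'");
    } finally {
        // IF EXISTS keeps cleanup from failing when setup stopped before the object was created.
        assertUpdate(format("DROP VIEW IF EXISTS %s", testAccountsViewUnqualifiedName));
        assertUpdate(format("DROP TABLE IF EXISTS %s", testAccountsUnqualifiedName));
    }
}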
Also used : Identity(io.prestosql.spi.security.Identity) Session(io.prestosql.Session) ConnectorSession(io.prestosql.spi.connector.ConnectorSession) Test(org.testng.annotations.Test) AbstractTestIntegrationSmokeTest(io.prestosql.tests.AbstractTestIntegrationSmokeTest)

Example 8 with Identity

use of io.prestosql.spi.security.Identity in project hetu-core by openlookeng.

the class TestAccessControlManager method testReadOnlySystemAccessControl.

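/**
 * Checks the read-only system access control through {@code AccessControlManager}: the
 * set-user, session-property, show, select and create-view checks return without throwing,
 * the catalog/schema/table filters hand back their input unchanged, and an insert check is
 * rejected with {@code AccessDeniedException}.
 *
 * <p>NOTE(review): insert is the only write operation whose denial is asserted here; other
 * write checks are not exercised by this method.
 */
@Test
public void testReadOnlySystemAccessControl() {
    Identity identity = new Identity(USER_NAME, Optional.of(PRINCIPAL));
    QualifiedObjectName tableName = new QualifiedObjectName("catalog", "schema", "table");
    TransactionManager transactionManager = createTestTransactionManager();
    AccessControlManager accessControlManager = new AccessControlManager(transactionManager);
    accessControlManager.setSystemAccessControl(ReadOnlySystemAccessControl.NAME, ImmutableMap.of());

    // Each check below signals denial by throwing, so returning normally means "allowed".
    accessControlManager.checkCanSetUser(Optional.of(PRINCIPAL), USER_NAME);
    accessControlManager.checkCanSetSystemSessionProperty(identity, "property");
    transaction(transactionManager, accessControlManager).execute(transactionId -> {
        accessControlManager.checkCanSetCatalogSessionProperty(transactionId, identity, "catalog", "property");
        accessControlManager.checkCanShowSchemas(transactionId, identity, "catalog");
        accessControlManager.checkCanShowTablesMetadata(transactionId, identity, new CatalogSchemaName("catalog", "schema"));
        accessControlManager.checkCanSelectFromColumns(transactionId, identity, tableName, ImmutableSet.of("column"));
        accessControlManager.checkCanCreateViewWithSelectFromColumns(transactionId, identity, tableName, ImmutableSet.of("column"));

        // The filters must not hide anything: output equals input for every level.
        Set<String> catalogs = ImmutableSet.of("catalog");
        assertEquals(accessControlManager.filterCatalogs(identity, catalogs), catalogs);
        Set<String> schemas = ImmutableSet.of("schema");
        assertEquals(accessControlManager.filterSchemas(transactionId, identity, "catalog", schemas), schemas);
        Set<SchemaTableName> tableNames = ImmutableSet.of(new SchemaTableName("schema", "table"));
        assertEquals(accessControlManager.filterTables(transactionId, identity, "catalog", tableNames), tableNames);
    });
    try {
        transaction(transactionManager, accessControlManager).execute(transactionId -> {
            accessControlManager.checkCanInsertIntoTable(transactionId, identity, tableName);
        });
        // Reaching this line means a write was permitted; say so instead of failing silently.
        fail("read-only system access control allowed an insert into " + tableName);
    } catch (AccessDeniedException expected) {
        // Denial is the behaviour under test; there is nothing further to verify.
    }
}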
Also used : AccessDeniedException(io.prestosql.spi.security.AccessDeniedException) TransactionManager(io.prestosql.transaction.TransactionManager) InMemoryTransactionManager.createTestTransactionManager(io.prestosql.transaction.InMemoryTransactionManager.createTestTransactionManager) CatalogSchemaName(io.prestosql.spi.connector.CatalogSchemaName) ConnectorIdentity(io.prestosql.spi.security.ConnectorIdentity) Identity(io.prestosql.spi.security.Identity) SchemaTableName(io.prestosql.spi.connector.SchemaTableName) CatalogSchemaTableName(io.prestosql.spi.connector.CatalogSchemaTableName) QualifiedObjectName(io.prestosql.spi.connector.QualifiedObjectName) Test(org.testng.annotations.Test)

Example 9 with Identity

use of io.prestosql.spi.security.Identity in project hetu-core by openlookeng.

the class TestAccessControlManager method testDenyCatalogAccessControl.

/**
 * Expects a column select to be rejected once a {@code DenyConnectorAccessControl} is attached
 * to the catalog. The test passes only when a {@code PrestoException} with the
 * "Access Denied: Cannot select from columns [column] ..." message escapes the transaction.
 *
 * <p>NOTE(review): the system-level control comes from {@code TestSystemAccessControlFactory},
 * defined outside this listing; presumably it allows the select so that the denial is
 * attributable to the catalog-level control — confirm.
 */
@Test(expectedExceptions = PrestoException.class, expectedExceptionsMessageRegExp = "Access Denied: Cannot select from columns \\[column\\] in table or view schema.table")
public void testDenyCatalogAccessControl() {
    CatalogManager catalogs = new CatalogManager();
    TransactionManager transactions = createTestTransactionManager(catalogs);
    AccessControlManager accessControl = new AccessControlManager(transactions);

    // System-level control: register the "test" factory, then activate it by name.
    TestSystemAccessControlFactory systemFactory = new TestSystemAccessControlFactory("test");
    accessControl.addSystemAccessControlFactory(systemFactory);
    accessControl.setSystemAccessControl("test", ImmutableMap.of());

    // Catalog-level control: a connector access control that denies.
    CatalogName deniedCatalog = registerBogusConnector(catalogs, transactions, accessControl, "catalog");
    accessControl.addCatalogAccessControl(deniedCatalog, new DenyConnectorAccessControl());

    transaction(transactions, accessControl).execute(txId -> {
        Identity caller = new Identity(USER_NAME, Optional.of(PRINCIPAL));
        QualifiedObjectName table = new QualifiedObjectName("catalog", "schema", "table");
        // Expected to throw; the annotation above asserts the exception type and message.
        accessControl.checkCanSelectFromColumns(txId, caller, table, ImmutableSet.of("column"));
    });
}
Also used : TransactionManager(io.prestosql.transaction.TransactionManager) InMemoryTransactionManager.createTestTransactionManager(io.prestosql.transaction.InMemoryTransactionManager.createTestTransactionManager) CatalogName.createSystemTablesCatalogName(io.prestosql.spi.connector.CatalogName.createSystemTablesCatalogName) CatalogName.createInformationSchemaCatalogName(io.prestosql.spi.connector.CatalogName.createInformationSchemaCatalogName) CatalogName(io.prestosql.spi.connector.CatalogName) ConnectorIdentity(io.prestosql.spi.security.ConnectorIdentity) Identity(io.prestosql.spi.security.Identity) CatalogManager(io.prestosql.metadata.CatalogManager) QualifiedObjectName(io.prestosql.spi.connector.QualifiedObjectName) Test(org.testng.annotations.Test)

Example 10 with Identity

use of io.prestosql.spi.security.Identity in project hetu-core by openlookeng.

the class TestAccessControlManager method testColumnMaskOrdering.

/**
 * Pins the order of the column masks returned when both a catalog-level and a system-level
 * access control supply one: the connector's mask is at index 0 and the system mask at
 * index 1.
 *
 * <p>NOTE(review): presumably the list order is the order in which the masks are applied to
 * the column — confirm against the consumer of {@code getColumnMasks}.
 */
@Test
public void testColumnMaskOrdering() {
    CatalogManager catalogs = new CatalogManager();
    TransactionManager transactions = createTestTransactionManager(catalogs);
    AccessControlManager accessControl = new AccessControlManager(transactions);

    // System-level control, registered under the name "test".
    SystemAccessControlFactory systemFactory = new SystemAccessControlFactory() {
        @Override
        public String getName() {
            return "test";
        }

        @Override
        public SystemAccessControl create(Map<String, String> config) {
            return new SystemAccessControl() {
                // The three checks below have empty bodies: they never throw, so they never deny.
                @Override
                public void checkCanSetUser(Optional<Principal> principal, String userName) {
                }

                @Override
                public void checkCanImpersonateUser(Identity identity, String propertyName) {
                }

                @Override
                public void checkCanSetSystemSessionProperty(Identity identity, String propertyName) {
                }

                // Same mask for every identity, table, column and type.
                @Override
                public Optional<ViewExpression> getColumnMask(Identity identity, CatalogSchemaTableName tableName, String columnName, Type type) {
                    return Optional.of(new ViewExpression("user", Optional.empty(), Optional.empty(), "system mask"));
                }
            };
        }
    };
    accessControl.addSystemAccessControlFactory(systemFactory);
    accessControl.setSystemAccessControl("test", ImmutableMap.of());

    // Catalog-level control that contributes its own, distinguishable mask.
    CatalogName maskedCatalog = registerBogusConnector(catalogs, transactions, accessControl, "catalog");
    ConnectorAccessControl connectorControl = new ConnectorAccessControl() {
        @Override
        public Optional<ViewExpression> getColumnMask(ConnectorTransactionHandle transactionHandle, Identity identity, SchemaTableName tableName, String columnName, Type type) {
            return Optional.of(new ViewExpression("user", Optional.empty(), Optional.empty(), "connector mask"));
        }
    };
    accessControl.addCatalogAccessControl(maskedCatalog, connectorControl);

    transaction(transactions, accessControl).execute(txId -> {
        Identity caller = new Identity(USER_NAME, Optional.of(PRINCIPAL));
        QualifiedObjectName table = new QualifiedObjectName("catalog", "schema", "table");
        List<ViewExpression> masks = accessControl.getColumnMasks(txId, caller, table, "column", BIGINT);
        // Connector mask first, system mask second.
        assertEquals(masks.get(0).getExpression(), "connector mask");
        assertEquals(masks.get(1).getExpression(), "system mask");
    });
}
Also used : Optional(java.util.Optional) ConnectorAccessControl(io.prestosql.spi.connector.ConnectorAccessControl) SystemAccessControl(io.prestosql.spi.security.SystemAccessControl) ConnectorTransactionHandle(io.prestosql.spi.connector.ConnectorTransactionHandle) SchemaTableName(io.prestosql.spi.connector.SchemaTableName) CatalogSchemaTableName(io.prestosql.spi.connector.CatalogSchemaTableName) CatalogManager(io.prestosql.metadata.CatalogManager) CatalogSchemaTableName(io.prestosql.spi.connector.CatalogSchemaTableName) QualifiedObjectName(io.prestosql.spi.connector.QualifiedObjectName) ViewExpression(io.prestosql.spi.security.ViewExpression) SystemAccessControlFactory(io.prestosql.spi.security.SystemAccessControlFactory) Type(io.prestosql.spi.type.Type) TransactionManager(io.prestosql.transaction.TransactionManager) InMemoryTransactionManager.createTestTransactionManager(io.prestosql.transaction.InMemoryTransactionManager.createTestTransactionManager) CatalogName.createSystemTablesCatalogName(io.prestosql.spi.connector.CatalogName.createSystemTablesCatalogName) CatalogName.createInformationSchemaCatalogName(io.prestosql.spi.connector.CatalogName.createInformationSchemaCatalogName) CatalogName(io.prestosql.spi.connector.CatalogName) ConnectorIdentity(io.prestosql.spi.security.ConnectorIdentity) Identity(io.prestosql.spi.security.Identity) BasicPrincipal(io.prestosql.spi.security.BasicPrincipal) Principal(java.security.Principal) PrestoPrincipal(io.prestosql.spi.security.PrestoPrincipal) Test(org.testng.annotations.Test)

Aggregations

Identity (io.prestosql.spi.security.Identity)24 Test (org.testng.annotations.Test)19 Session (io.prestosql.Session)14 ConnectorSession (io.prestosql.spi.connector.ConnectorSession)7 QualifiedObjectName (io.prestosql.spi.connector.QualifiedObjectName)7 ConnectorIdentity (io.prestosql.spi.security.ConnectorIdentity)6 SelectedRole (io.prestosql.spi.security.SelectedRole)6 AbstractTestIntegrationSmokeTest (io.prestosql.tests.AbstractTestIntegrationSmokeTest)6 InMemoryTransactionManager.createTestTransactionManager (io.prestosql.transaction.InMemoryTransactionManager.createTestTransactionManager)6 TransactionManager (io.prestosql.transaction.TransactionManager)6 CatalogManager (io.prestosql.metadata.CatalogManager)4 CatalogName (io.prestosql.spi.connector.CatalogName)4 CatalogName.createInformationSchemaCatalogName (io.prestosql.spi.connector.CatalogName.createInformationSchemaCatalogName)4 CatalogName.createSystemTablesCatalogName (io.prestosql.spi.connector.CatalogName.createSystemTablesCatalogName)4 SessionPropertyManager (io.prestosql.metadata.SessionPropertyManager)3 ViewExpression (io.prestosql.spi.security.ViewExpression)3 QueryId (io.prestosql.spi.QueryId)2 CatalogSchemaTableName (io.prestosql.spi.connector.CatalogSchemaTableName)2 SchemaTableName (io.prestosql.spi.connector.SchemaTableName)2 SqlPath (io.prestosql.sql.SqlPath)2