use of io.prestosql.spi.security.Identity in project boostkit-bigdata by kunpengcompute.
the class TestHiveRoles method testSetRole.
@Test
public void testSetRole() {
executeFromAdmin("CREATE ROLE set_role_1");
executeFromAdmin("CREATE ROLE set_role_2");
executeFromAdmin("CREATE ROLE set_role_3");
executeFromAdmin("CREATE ROLE set_role_4");
executeFromAdmin("GRANT set_role_1 TO USER set_user_1");
executeFromAdmin("GRANT set_role_2 TO ROLE set_role_1");
executeFromAdmin("GRANT set_role_3 TO ROLE set_role_2");
Session unsetRole = Session.builder(getQueryRunner().getDefaultSession()).setIdentity(new Identity("set_user_1", Optional.empty())).build();
Session setRoleAll = Session.builder(getQueryRunner().getDefaultSession()).setIdentity(new Identity("set_user_1", Optional.empty(), ImmutableMap.of("hive", new SelectedRole(SelectedRole.Type.ALL, Optional.empty())))).build();
Session setRoleNone = Session.builder(getQueryRunner().getDefaultSession()).setIdentity(new Identity("set_user_1", Optional.empty(), ImmutableMap.of("hive", new SelectedRole(SelectedRole.Type.NONE, Optional.empty())))).build();
Session setRole1 = Session.builder(getQueryRunner().getDefaultSession()).setIdentity(new Identity("set_user_1", Optional.empty(), ImmutableMap.of("hive", new SelectedRole(SelectedRole.Type.ROLE, Optional.of("set_role_1"))))).build();
Session setRole2 = Session.builder(getQueryRunner().getDefaultSession()).setIdentity(new Identity("set_user_1", Optional.empty(), ImmutableMap.of("hive", new SelectedRole(SelectedRole.Type.ROLE, Optional.of("set_role_2"))))).build();
Session setRole3 = Session.builder(getQueryRunner().getDefaultSession()).setIdentity(new Identity("set_user_1", Optional.empty(), ImmutableMap.of("hive", new SelectedRole(SelectedRole.Type.ROLE, Optional.of("set_role_3"))))).build();
Session setRole4 = Session.builder(getQueryRunner().getDefaultSession()).setIdentity(new Identity("set_user_1", Optional.empty(), ImmutableMap.of("hive", new SelectedRole(SelectedRole.Type.ROLE, Optional.of("set_role_4"))))).build();
MaterializedResult actual = getQueryRunner().execute(unsetRole, "SELECT * FROM hive.information_schema.applicable_roles");
MaterializedResult expected = MaterializedResult.resultBuilder(unsetRole, createUnboundedVarcharType(), createUnboundedVarcharType(), createUnboundedVarcharType(), createUnboundedVarcharType()).row("set_user_1", "USER", "public", "NO").row("set_user_1", "USER", "set_role_1", "NO").row("set_role_1", "ROLE", "set_role_2", "NO").row("set_role_2", "ROLE", "set_role_3", "NO").build();
assertEqualsIgnoreOrder(actual, expected);
actual = getQueryRunner().execute(unsetRole, "SELECT * FROM hive.information_schema.enabled_roles");
expected = MaterializedResult.resultBuilder(unsetRole, createUnboundedVarcharType()).row("public").row("set_role_1").row("set_role_2").row("set_role_3").build();
assertEqualsIgnoreOrder(actual, expected);
actual = getQueryRunner().execute(setRoleAll, "SELECT * FROM hive.information_schema.enabled_roles");
expected = MaterializedResult.resultBuilder(setRoleAll, createUnboundedVarcharType()).row("public").row("set_role_1").row("set_role_2").row("set_role_3").build();
assertEqualsIgnoreOrder(actual, expected);
actual = getQueryRunner().execute(setRoleNone, "SELECT * FROM hive.information_schema.enabled_roles");
expected = MaterializedResult.resultBuilder(setRoleNone, createUnboundedVarcharType()).row("public").build();
assertEqualsIgnoreOrder(actual, expected);
actual = getQueryRunner().execute(setRole1, "SELECT * FROM hive.information_schema.enabled_roles");
expected = MaterializedResult.resultBuilder(setRole1, createUnboundedVarcharType()).row("public").row("set_role_1").row("set_role_2").row("set_role_3").build();
assertEqualsIgnoreOrder(actual, expected);
actual = getQueryRunner().execute(setRole2, "SELECT * FROM hive.information_schema.enabled_roles");
expected = MaterializedResult.resultBuilder(setRole2, createUnboundedVarcharType()).row("public").row("set_role_2").row("set_role_3").build();
assertEqualsIgnoreOrder(actual, expected);
actual = getQueryRunner().execute(setRole3, "SELECT * FROM hive.information_schema.enabled_roles");
expected = MaterializedResult.resultBuilder(setRole3, createUnboundedVarcharType()).row("public").row("set_role_3").build();
assertEqualsIgnoreOrder(actual, expected);
assertQueryFails(setRole4, "SELECT * FROM hive.information_schema.enabled_roles", ".*?Cannot set role set_role_4");
executeFromAdmin("DROP ROLE set_role_1");
executeFromAdmin("DROP ROLE set_role_2");
executeFromAdmin("DROP ROLE set_role_3");
executeFromAdmin("DROP ROLE set_role_4");
}
use of io.prestosql.spi.security.Identity in project boostkit-bigdata by kunpengcompute.
the class TestHiveIntegrationSmokeTest method testCurrentUserInView.
@Test
public void testCurrentUserInView() {
checkState(getSession().getCatalog().isPresent(), "catalog is not set");
checkState(getSession().getSchema().isPresent(), "schema is not set");
String testAccountsUnqualifiedName = "test_accounts";
String testAccountsViewUnqualifiedName = "test_accounts_view";
String testAccountsViewFullyQualifiedName = format("%s.%s.%s", getSession().getCatalog().get(), getSession().getSchema().get(), testAccountsViewUnqualifiedName);
assertUpdate(format("CREATE TABLE %s AS SELECT user_name, account_name" + " FROM (VALUES ('user1', 'account1'), ('user2', 'account2'))" + " t (user_name, account_name)", testAccountsUnqualifiedName), 2);
assertUpdate(format("CREATE VIEW %s AS SELECT account_name FROM test_accounts WHERE user_name = CURRENT_USER", testAccountsViewUnqualifiedName));
assertUpdate(format("GRANT SELECT ON %s TO user1", testAccountsViewFullyQualifiedName));
assertUpdate(format("GRANT SELECT ON %s TO user2", testAccountsViewFullyQualifiedName));
Session user1 = testSessionBuilder().setCatalog(getSession().getCatalog().get()).setSchema(getSession().getSchema().get()).setIdentity(new Identity("user1", getSession().getIdentity().getPrincipal())).build();
Session user2 = testSessionBuilder().setCatalog(getSession().getCatalog().get()).setSchema(getSession().getSchema().get()).setIdentity(new Identity("user2", getSession().getIdentity().getPrincipal())).build();
assertQuery(user1, "SELECT account_name FROM test_accounts_view", "VALUES 'account1'");
assertQuery(user2, "SELECT account_name FROM test_accounts_view", "VALUES 'account2'");
assertUpdate("DROP VIEW test_accounts_view");
assertUpdate("DROP TABLE test_accounts");
}
use of io.prestosql.spi.security.Identity in project hetu-core by openlookeng.
the class AccessControlUtil method checkCanImpersonateUser.
public static void checkCanImpersonateUser(AccessControl accessControl, SessionContext sessionContext) {
Identity identity = sessionContext.getIdentity();
// authenticated identity is not present for HTTP or authentication is not setup
sessionContext.getAuthenticatedIdentity().ifPresent(authenticatedIdentity -> {
// only check impersonation is authenticated user is not the same as the explicitly set user
if (!authenticatedIdentity.getUser().equals(identity.getUser())) {
accessControl.checkCanImpersonateUser(authenticatedIdentity, identity.getUser());
}
});
}
use of io.prestosql.spi.security.Identity in project hetu-core by openlookeng.
the class TestHiveIntegrationSmokeTest method testShowColumnMetadata.
@Test
public void testShowColumnMetadata() {
String tableName = "test_show_column_table";
@Language("SQL") String createTable = "CREATE TABLE " + tableName + " (a bigint, b varchar, c double)";
Session testSession = testSessionBuilder().setIdentity(new Identity("test_access_owner", Optional.empty())).setCatalog(getSession().getCatalog().get()).setSchema(getSession().getSchema().get()).build();
assertUpdate(createTable);
// verify showing columns over a table requires SELECT privileges for the table
assertAccessAllowed("SHOW COLUMNS FROM " + tableName);
assertAccessDenied(testSession, "SHOW COLUMNS FROM " + tableName, "Cannot show columns of table .*." + tableName + ".*", privilege(tableName, SELECT_COLUMN));
@Language("SQL") String getColumnsSql = "" + "SELECT lower(column_name) " + "FROM information_schema.columns " + "WHERE table_name = '" + tableName + "'";
assertEquals(computeActual(getColumnsSql).getOnlyColumnAsSet(), ImmutableSet.of("a", "b", "c"));
// verify with no SELECT privileges on table, querying information_schema will return empty columns
executeExclusively(() -> {
try {
getQueryRunner().getAccessControl().deny(privilege(tableName, SELECT_COLUMN));
assertQueryReturnsEmptyResult(testSession, getColumnsSql);
} finally {
getQueryRunner().getAccessControl().reset();
}
});
assertUpdate("DROP TABLE " + tableName);
}
use of io.prestosql.spi.security.Identity in project hetu-core by openlookeng.
the class Session method beginTransactionId.
public Session beginTransactionId(TransactionId transactionId, TransactionManager transactionManager, AccessControl accessControl) {
requireNonNull(transactionId, "transactionId is null");
checkArgument(!this.transactionId.isPresent(), "Session already has an active transaction");
requireNonNull(transactionManager, "transactionManager is null");
requireNonNull(accessControl, "accessControl is null");
for (Entry<String, String> property : systemProperties.entrySet()) {
// verify permissions
accessControl.checkCanSetSystemSessionProperty(identity, property.getKey());
// validate session property value
sessionPropertyManager.validateSystemSessionProperty(property.getKey(), property.getValue());
}
// Now that there is a transaction, the catalog name can be resolved to a connector, and the catalog properties can be validated
ImmutableMap.Builder<CatalogName, Map<String, String>> connProperties = ImmutableMap.builder();
for (Entry<String, Map<String, String>> catalogEntry : unprocessedCatalogProperties.entrySet()) {
String catalogName = catalogEntry.getKey();
Map<String, String> catalogProperties = catalogEntry.getValue();
if (catalogProperties.isEmpty()) {
continue;
}
CatalogName tmpCatalog = transactionManager.getOptionalCatalogMetadata(transactionId, catalogName).orElseThrow(() -> new PrestoException(NOT_FOUND, "Session property catalog does not exist: " + catalogName)).getCatalogName();
for (Entry<String, String> property : catalogProperties.entrySet()) {
// verify permissions
accessControl.checkCanSetCatalogSessionProperty(transactionId, identity, catalogName, property.getKey());
// validate session property value
sessionPropertyManager.validateCatalogSessionProperty(tmpCatalog, catalogName, property.getKey(), property.getValue());
}
connProperties.put(tmpCatalog, catalogProperties);
}
ImmutableMap.Builder<String, SelectedRole> roles = ImmutableMap.builder();
for (Entry<String, SelectedRole> entry : identity.getRoles().entrySet()) {
String catalogName = entry.getKey();
SelectedRole role = entry.getValue();
CatalogName tmpCatalog = transactionManager.getOptionalCatalogMetadata(transactionId, catalogName).orElseThrow(() -> new PrestoException(NOT_FOUND, "Catalog does not exist: " + catalogName)).getCatalogName();
if (role.getType() == SelectedRole.Type.ROLE) {
accessControl.checkCanSetRole(transactionId, identity, role.getRole().get(), catalogName);
}
roles.put(tmpCatalog.getCatalogName(), role);
String informationSchemaCatalogName = createInformationSchemaCatalogName(tmpCatalog).getCatalogName();
if (transactionManager.getCatalogNames(transactionId).containsKey(informationSchemaCatalogName)) {
roles.put(informationSchemaCatalogName, role);
}
String systemTablesCatalogName = createSystemTablesCatalogName(tmpCatalog).getCatalogName();
if (transactionManager.getCatalogNames(transactionId).containsKey(systemTablesCatalogName)) {
roles.put(systemTablesCatalogName, role);
}
}
return new Session(queryId, Optional.of(transactionId), clientTransactionSupport, new Identity(identity.getUser(), identity.getGroups(), identity.getPrincipal(), roles.build(), identity.getExtraCredentials()), source, catalog, schema, path, traceToken, timeZoneKey, locale, remoteUserAddress, userAgent, clientInfo, clientTags, clientCapabilities, resourceEstimates, startTime, systemProperties, connProperties.build(), ImmutableMap.of(), sessionPropertyManager, preparedStatements, pageMetadataEnabled);
}
Aggregations