use of io.prestosql.spi.security.RoleGrant in project hetu-core by openlookeng.
the class SqlStandardAccessControl method hasAdminOptionForRoles.
/**
 * Reports whether {@code identity} holds the admin (grant) option on every role in {@code roles}.
 *
 * <p>An identity accepted by {@code isAdmin} passes unconditionally. Any other identity must hold
 * each requested role through a grant whose {@code isGrantable()} flag is set, among the grants
 * that {@code listApplicableRoles} yields for the user principal.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>An empty {@code roles} set yields {@code true} for any identity, because
 *       {@code containsAll} of an empty collection is vacuously satisfied.</li>
 *   <li>Role names are compared exactly as stored; no case folding happens in this method.</li>
 *   <li>{@code transaction} is cast to {@code HiveTransactionHandle} without a type check, so any
 *       other handle type fails with a {@code ClassCastException}.</li>
 * </ul>
 *
 * @param transaction the connector transaction used to obtain the metastore
 * @param identity the identity whose grants are inspected; only {@code getUser()} is read here
 * @param roles the role names that must all be grantable by the identity
 * @return {@code true} if the identity is an admin or holds every role with the admin option
 */
private boolean hasAdminOptionForRoles(ConnectorTransactionHandle transaction, ConnectorIdentity identity, Set<String> roles) {
    // Admins bypass the per-role check; the metastore is not consulted in this method for them.
    if (isAdmin(transaction, identity)) {
        return true;
    }

    HiveTransactionHandle hiveTransaction = (HiveTransactionHandle) transaction;
    SemiTransactionalHiveMetastore metastore = metastoreProvider.apply(hiveTransaction);
    HivePrincipal userPrincipal = new HivePrincipal(USER, identity.getUser());

    // Keep only the role names whose grant carries the admin option.
    // NOTE(review): listApplicableRoles presumably also follows role-to-role grants; confirm.
    Set<String> grantableRoleNames = listApplicableRoles(userPrincipal, metastore::listRoleGrants)
            .filter(RoleGrant::isGrantable)
            .map(RoleGrant::getRoleName)
            .collect(toSet());

    return grantableRoleNames.containsAll(roles);
}
use of io.prestosql.spi.security.RoleGrant in project hetu-core by openlookeng.
the class FileHiveMetastore method removeNonExistingRoles.
/**
 * Filters out role grants that refer to roles missing from {@code existingRoles}.
 *
 * <p>A grant is kept only when the granted role exists and, if the grantee is itself a role,
 * that grantee role exists as well. Grants to non-role grantees are not checked against any
 * principal list here.
 *
 * <p>NOTE(review): a dangling grant left in place would presumably take effect again if a role
 * with the same name were created later; confirm how the stored grants are maintained.
 *
 * @param grants the grants to filter
 * @param existingRoles the names of the roles that currently exist
 * @return an immutable set holding the grants that reference only existing roles
 */
private static Set<RoleGrant> removeNonExistingRoles(Set<RoleGrant> grants, Set<String> existingRoles) {
    ImmutableSet.Builder<RoleGrant> surviving = ImmutableSet.builder();
    for (RoleGrant candidate : grants) {
        // The grantee is inspected only once the granted role is known to exist.
        if (existingRoles.contains(candidate.getRoleName())) {
            HivePrincipal recipient = HivePrincipal.from(candidate.getGrantee());
            boolean danglingRoleRecipient = recipient.getType() == ROLE && !existingRoles.contains(recipient.getName());
            if (!danglingRoleRecipient) {
                surviving.add(candidate);
            }
        }
    }
    return surviving.build();
}
use of io.prestosql.spi.security.RoleGrant in project hetu-core by openlookeng.
the class FileHiveMetastore method grantRoles.
/**
 * Grants every role in {@code roles} to every principal in {@code grantees}.
 *
 * <p>For each grantee and role pair the grant carrying the opposite admin-option flag is removed
 * and the requested one is added. Granting without the admin option therefore downgrades an
 * existing grant that had it (this relies on {@code RoleGrant} value equality). The grants file
 * is rewritten only when the resulting set differs from the stored one.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>{@code grantor} is never read in this method, and no authorization decision is made
 *       here. Whether the caller may grant these roles is presumably enforced by the
 *       access-control layer before this is invoked; confirm at the call sites.</li>
 *   <li>All existence checks run before the single write at the end, so a failed check leaves
 *       the stored grants untouched.</li>
 * </ul>
 *
 * @param roles the role names to grant; each must already exist
 * @param grantees the principals receiving the roles; a grantee of type ROLE must already exist
 * @param withAdminOption whether the grantees may in turn grant the roles
 * @param grantor the principal issuing the grant (unused in this method)
 * @throws IllegalArgumentException from {@code checkArgument} when a role or a role-typed
 *         grantee does not exist
 */
@Override
public synchronized void grantRoles(Set<String> roles, Set<HivePrincipal> grantees, boolean withAdminOption, HivePrincipal grantor) {
    Set<String> knownRoles = listRoles();
    Set<RoleGrant> storedGrants = listRoleGrantsSanitized();
    Set<RoleGrant> updatedGrants = new HashSet<>(storedGrants);

    for (HivePrincipal grantee : grantees) {
        for (String role : roles) {
            checkArgument(knownRoles.contains(role), "Role does not exist: %s", role);
            if (grantee.getType() == ROLE) {
                checkArgument(knownRoles.contains(grantee.getName()), "Role does not exist: %s", grantee.getName());
            }

            // Swap the grant with the opposite flag for the requested one, so at most one
            // grant per (grantee, role) pair survives this call.
            RoleGrant requested = new RoleGrant(grantee.toPrestoPrincipal(), role, withAdminOption);
            RoleGrant superseded = new RoleGrant(grantee.toPrestoPrincipal(), role, !withAdminOption);
            updatedGrants.remove(superseded);
            updatedGrants.add(requested);
        }
    }

    updatedGrants = removeDuplicatedEntries(updatedGrants);
    // Skip the file write when nothing changed.
    if (!storedGrants.equals(updatedGrants)) {
        writeRoleGrantsFile(updatedGrants);
    }
}
use of io.prestosql.spi.security.RoleGrant in project hetu-core by openlookeng.
the class FileHiveMetastore method listRoleGrants.
/**
 * Lists the role grants held directly by {@code principal}.
 *
 * <p>The result combines implicit and stored grants:
 * <ul>
 *   <li>every USER principal receives {@code PUBLIC_ROLE_NAME}, not grantable;</li>
 *   <li>a USER principal whose name appears in {@code ADMIN_USERS} also receives
 *       {@code ADMIN_ROLE_NAME} with the admin option set;</li>
 *   <li>any stored grant from {@code listRoleGrantsSanitized()} whose grantee equals
 *       {@code principal}.</li>
 * </ul>
 *
 * <p>Security note: membership in {@code ADMIN_USERS} is matched on the principal name alone,
 * and the implicit admin grant is not read from the stored grants in this method. Only grants
 * whose grantee equals the principal are returned; role-to-role grants are not followed here.
 *
 * @param principal the user or role whose grants are requested
 * @return an immutable set of the principal's implicit and stored grants
 */
@Override
public synchronized Set<RoleGrant> listRoleGrants(HivePrincipal principal) {
    ImmutableSet.Builder<RoleGrant> grants = ImmutableSet.builder();

    boolean isUser = principal.getType() == USER;
    if (isUser) {
        grants.add(new RoleGrant(principal.toPrestoPrincipal(), PUBLIC_ROLE_NAME, false));
    }
    if (isUser && ADMIN_USERS.contains(principal.getName())) {
        grants.add(new RoleGrant(principal.toPrestoPrincipal(), ADMIN_ROLE_NAME, true));
    }

    // Stored grants are matched on full principal equality, not on the name alone.
    Set<RoleGrant> storedForPrincipal = listRoleGrantsSanitized().stream()
            .filter(stored -> HivePrincipal.from(stored.getGrantee()).equals(principal))
            .collect(toSet());
    grants.addAll(storedForPrincipal);

    return grants.build();
}
use of io.prestosql.spi.security.RoleGrant in project hetu-core by openlookeng.
the class InformationSchemaPageSourceProvider method buildApplicableRoles.
/**
 * Builds the applicable-roles information-schema table for the session user.
 *
 * <p>Each row holds the grantee name, the grantee type, the role name, and {@code "YES"} or
 * {@code "NO"} for whether the grant carries the admin option. The principal is always built
 * from {@code session.getUser()}, so this method does not query grants of any other principal.
 *
 * @param session the session whose user the roles are listed for
 * @param catalog the catalog whose role grants are queried
 * @return the populated table
 */
private InternalTable buildApplicableRoles(Session session, String catalog) {
    InternalTable.Builder rows = InternalTable.builder(informationSchemaTableColumns(TABLE_APPLICABLE_ROLES));
    PrestoPrincipal sessionUser = new PrestoPrincipal(USER, session.getUser());

    for (RoleGrant applicable : metadata.listApplicableRoles(session, sessionUser, catalog)) {
        PrestoPrincipal recipient = applicable.getGrantee();
        String grantableFlag = applicable.isGrantable() ? "YES" : "NO";
        rows.add(recipient.getName(), recipient.getType().toString(), applicable.getRoleName(), grantableFlag);
    }
    return rows.build();
}