use of io.prestosql.transaction.TransactionManager in project hetu-core by openlookeng.
the class TestAccessControlManager method testReadOnlySystemAccessControl.
/**
 * Exercises an {@code AccessControlManager} configured with
 * {@code ReadOnlySystemAccessControl}.
 *
 * <p>The set-user, session-property, show, select and view-over-select checks
 * must return without throwing, the {@code filter*} calls must hand back their
 * input unchanged, and {@code checkCanInsertIntoTable} must be rejected with
 * {@code AccessDeniedException}.
 *
 * <p>NOTE(review): insert is the only write operation probed for denial in this
 * method; other mutating checks are not exercised here.
 */
@Test
public void testReadOnlySystemAccessControl() {
    Identity user = new Identity(USER_NAME, Optional.of(PRINCIPAL));
    QualifiedObjectName table = new QualifiedObjectName("catalog", "schema", "table");

    TransactionManager txManager = createTestTransactionManager();
    AccessControlManager accessControl = new AccessControlManager(txManager);
    accessControl.setSystemAccessControl(ReadOnlySystemAccessControl.NAME, ImmutableMap.of());

    // Checks that need no transaction.
    accessControl.checkCanSetUser(Optional.of(PRINCIPAL), USER_NAME);
    accessControl.checkCanSetSystemSessionProperty(user, "property");

    // Read-side checks: none of these may throw.
    transaction(txManager, accessControl).execute(txId -> {
        accessControl.checkCanSetCatalogSessionProperty(txId, user, "catalog", "property");
        accessControl.checkCanShowSchemas(txId, user, "catalog");
        accessControl.checkCanShowTablesMetadata(txId, user, new CatalogSchemaName("catalog", "schema"));
        accessControl.checkCanSelectFromColumns(txId, user, table, ImmutableSet.of("column"));
        accessControl.checkCanCreateViewWithSelectFromColumns(txId, user, table, ImmutableSet.of("column"));

        // Filtering must not hide anything from the caller.
        Set<String> catalogs = ImmutableSet.of("catalog");
        assertEquals(accessControl.filterCatalogs(user, catalogs), catalogs);

        Set<String> schemas = ImmutableSet.of("schema");
        assertEquals(accessControl.filterSchemas(txId, user, "catalog", schemas), schemas);

        Set<SchemaTableName> tableNames = ImmutableSet.of(new SchemaTableName("schema", "table"));
        assertEquals(accessControl.filterTables(txId, user, "catalog", tableNames), tableNames);
    });

    // Write-side check: the insert must be denied.
    try {
        transaction(txManager, accessControl).execute(txId -> {
            accessControl.checkCanInsertIntoTable(txId, user, table);
        });
        // Reaching this line means the insert was allowed, which is the failure case.
        fail();
    } catch (AccessDeniedException expected) {
        // Denial is the outcome under test; nothing further to verify.
    }
}
use of io.prestosql.transaction.TransactionManager in project hetu-core by openlookeng.
the class TestAccessControlManager method testDenyCatalogAccessControl.
/**
 * Registers a {@code DenyConnectorAccessControl} for the catalog and expects the
 * column select to fail with the "Access Denied" message given in the annotation.
 *
 * <p>NOTE(review): {@code expectedExceptions} applies to the whole method body, so a
 * matching {@code PrestoException} from any statement would satisfy it; the message
 * pattern is what ties the expectation to the select check.
 */
@Test(
        expectedExceptions = PrestoException.class,
        expectedExceptionsMessageRegExp = "Access Denied: Cannot select from columns \\[column\\] in table or view schema.table")
public void testDenyCatalogAccessControl() {
    CatalogManager catalogs = new CatalogManager();
    TransactionManager txManager = createTestTransactionManager(catalogs);
    AccessControlManager accessControl = new AccessControlManager(txManager);

    // System-level control comes from the test factory registered under the name "test".
    TestSystemAccessControlFactory systemFactory = new TestSystemAccessControlFactory("test");
    accessControl.addSystemAccessControlFactory(systemFactory);
    accessControl.setSystemAccessControl("test", ImmutableMap.of());

    // Catalog-level control: attach the denying connector access control to "catalog".
    CatalogName deniedCatalog = registerBogusConnector(catalogs, txManager, accessControl, "catalog");
    accessControl.addCatalogAccessControl(deniedCatalog, new DenyConnectorAccessControl());

    transaction(txManager, accessControl).execute(txId -> {
        Identity user = new Identity(USER_NAME, Optional.of(PRINCIPAL));
        QualifiedObjectName table = new QualifiedObjectName("catalog", "schema", "table");
        accessControl.checkCanSelectFromColumns(txId, user, table, ImmutableSet.of("column"));
    });
}
use of io.prestosql.transaction.TransactionManager in project hetu-core by openlookeng.
the class TestAccessControlManager method testColumnMaskOrdering.
/**
 * Checks the order in which column masks are returned when both a system access
 * control and a catalog (connector) access control supply one: the connector mask
 * is expected at index 0 and the system mask at index 1.
 *
 * <p>NOTE(review): the size of the returned list is not asserted, so an extra
 * trailing mask would go unnoticed by this test.
 */
@Test
public void testColumnMaskOrdering() {
    CatalogManager catalogs = new CatalogManager();
    TransactionManager txManager = createTestTransactionManager(catalogs);
    AccessControlManager accessControl = new AccessControlManager(txManager);

    // System access control "test": permissive stubs plus a fixed "system mask".
    SystemAccessControlFactory systemFactory = new SystemAccessControlFactory() {
        @Override
        public String getName() {
            return "test";
        }

        @Override
        public SystemAccessControl create(Map<String, String> config) {
            return new SystemAccessControl() {
                @Override
                public void checkCanSetUser(Optional<Principal> principal, String userName) {
                    // empty body: never throws
                }

                @Override
                public void checkCanImpersonateUser(Identity identity, String propertyName) {
                    // empty body: never throws
                }

                @Override
                public void checkCanSetSystemSessionProperty(Identity identity, String propertyName) {
                    // empty body: never throws
                }

                @Override
                public Optional<ViewExpression> getColumnMask(Identity identity, CatalogSchemaTableName tableName, String columnName, Type type) {
                    return Optional.of(new ViewExpression("user", Optional.empty(), Optional.empty(), "system mask"));
                }
            };
        }
    };
    accessControl.addSystemAccessControlFactory(systemFactory);
    accessControl.setSystemAccessControl("test", ImmutableMap.of());

    // Connector access control for "catalog": supplies a fixed "connector mask".
    CatalogName maskedCatalog = registerBogusConnector(catalogs, txManager, accessControl, "catalog");
    ConnectorAccessControl connectorControl = new ConnectorAccessControl() {
        @Override
        public Optional<ViewExpression> getColumnMask(ConnectorTransactionHandle transactionHandle, Identity identity, SchemaTableName tableName, String columnName, Type type) {
            return Optional.of(new ViewExpression("user", Optional.empty(), Optional.empty(), "connector mask"));
        }
    };
    accessControl.addCatalogAccessControl(maskedCatalog, connectorControl);

    transaction(txManager, accessControl).execute(txId -> {
        Identity user = new Identity(USER_NAME, Optional.of(PRINCIPAL));
        QualifiedObjectName table = new QualifiedObjectName("catalog", "schema", "table");
        List<ViewExpression> masks = accessControl.getColumnMasks(txId, user, table, "column", BIGINT);

        // Connector-provided mask first, system-provided mask second.
        assertEquals(masks.get(0).getExpression(), "connector mask");
        assertEquals(masks.get(1).getExpression(), "system mask");
    });
}
use of io.prestosql.transaction.TransactionManager in project hetu-core by openlookeng.
the class TestFileBasedSystemAccessControl method testRefreshing.
/**
 * Verifies that the file-based system access control re-reads its rules file.
 *
 * <p>Sequence: start with {@code catalog.json} (create-view allowed for alice),
 * overwrite the file with {@code security-config-file-with-unknown-rules.json}
 * (every check must now fail with "Invalid JSON file" instead of falling back to
 * the previously loaded rules), then restore {@code catalog.json} and confirm the
 * check passes again.
 *
 * <p>NOTE(review): the test depends on the 2 ms sleeps outlasting the configured
 * "1ms" refresh period, so it is timing-sensitive.
 */
@Test
public void testRefreshing() throws Exception {
    TransactionManager txManager = createTestTransactionManager();
    AccessControlManager accessControl = new AccessControlManager(txManager);

    // Working copy of the rules file that the test overwrites in place.
    File rulesFile = newTemporaryFile();
    rulesFile.deleteOnExit();
    File initialRules = new File(getResourcePath("catalog.json"));
    copy(initialRules, rulesFile);

    String rulesPath = rulesFile.getCanonicalPath();
    accessControl.setSystemAccessControl(
            FileBasedSystemAccessControl.NAME,
            ImmutableMap.of(SECURITY_CONFIG_FILE, rulesPath, SECURITY_REFRESH_PERIOD, "1ms"));

    // With the valid rules in place the same check passes three times in a row.
    transaction(txManager, accessControl).execute(txId -> {
        for (int attempt = 0; attempt < 3; attempt++) {
            accessControl.checkCanCreateView(txId, alice, aliceView);
        }
    });

    // Swap in a rules file that the loader is expected to reject.
    File rejectedRules = new File(getResourcePath("security-config-file-with-unknown-rules.json"));
    copy(rejectedRules, rulesFile);
    sleep(2);

    assertThatThrownBy(() -> transaction(txManager, accessControl).execute(txId -> {
        accessControl.checkCanCreateView(txId, alice, aliceView);
    }))
            .isInstanceOf(IllegalArgumentException.class)
            .hasMessageStartingWith("Invalid JSON file");

    // Repeat the check: the failure must persist, i.e. the earlier valid rule set
    // must not have been cached somewhere and served again.
    assertThatThrownBy(() -> transaction(txManager, accessControl).execute(txId -> {
        accessControl.checkCanCreateView(txId, alice, aliceView);
    }))
            .isInstanceOf(IllegalArgumentException.class)
            .hasMessageStartingWith("Invalid JSON file");

    // Restore the valid rules; after the next refresh the check passes again.
    File restoredRules = new File(getResourcePath("catalog.json"));
    copy(restoredRules, rulesFile);
    sleep(2);

    transaction(txManager, accessControl).execute(txId -> {
        accessControl.checkCanCreateView(txId, alice, aliceView);
    });
}
use of io.prestosql.transaction.TransactionManager in project hetu-core by openlookeng.
the class TestFileBasedSystemAccessControl method testCatalogOperations.
/**
 * Checks catalog visibility and catalog-level operations under the rules loaded
 * from {@code catalog.json}.
 *
 * <p>Positive part: {@code filterCatalogs} returns the expected subset per user,
 * and alice may create, drop, update and access {@code alice-catalog}; admin may
 * list catalogs. Negative part: each of the same operations on
 * {@code alice-catalog}, plus {@code checkCanAccessCatalogs}, must raise
 * {@code AccessDeniedException} for bob.
 */
@Test
public void testCatalogOperations() {
    TransactionManager txManager = createTestTransactionManager();
    AccessControlManager accessControl = newAccessControlManager(txManager, "catalog.json");

    transaction(txManager, accessControl).execute(txId -> {
        // Visibility: admin sees everything, other users a restricted subset.
        assertEquals(accessControl.filterCatalogs(admin, allCatalogs), allCatalogs);

        Set<String> visibleToAlice = ImmutableSet.of("open-to-all", "alice-catalog", "all-allowed", "staff-catalog");
        assertEquals(accessControl.filterCatalogs(alice, allCatalogs), visibleToAlice);

        Set<String> visibleToBob = ImmutableSet.of("open-to-all", "all-allowed", "staff-catalog");
        assertEquals(accessControl.filterCatalogs(bob, allCatalogs), visibleToBob);

        Set<String> visibleToNonAsciiUser = ImmutableSet.of("open-to-all", "all-allowed", "\u0200\u0200\u0200");
        assertEquals(accessControl.filterCatalogs(nonAsciiUser, allCatalogs), visibleToNonAsciiUser);

        // Operations that must be allowed.
        accessControl.checkCanCreateCatalog(alice, "alice-catalog");
        accessControl.checkCanDropCatalog(alice, "alice-catalog");
        accessControl.checkCanUpdateCatalog(alice, "alice-catalog");
        accessControl.checkCanAccessCatalog(alice, "alice-catalog");
        accessControl.checkCanAccessCatalogs(admin);
    });

    // Operations that must be denied for bob, each in its own transaction.
    assertThrows(
            AccessDeniedException.class,
            () -> transaction(txManager, accessControl).execute(txId -> {
                accessControl.checkCanCreateCatalog(bob, "alice-catalog");
            }));
    assertThrows(
            AccessDeniedException.class,
            () -> transaction(txManager, accessControl).execute(txId -> {
                accessControl.checkCanDropCatalog(bob, "alice-catalog");
            }));
    assertThrows(
            AccessDeniedException.class,
            () -> transaction(txManager, accessControl).execute(txId -> {
                accessControl.checkCanUpdateCatalog(bob, "alice-catalog");
            }));
    assertThrows(
            AccessDeniedException.class,
            () -> transaction(txManager, accessControl).execute(txId -> {
                accessControl.checkCanAccessCatalog(bob, "alice-catalog");
            }));
    assertThrows(
            AccessDeniedException.class,
            () -> transaction(txManager, accessControl).execute(txId -> {
                accessControl.checkCanAccessCatalogs(bob);
            }));
}
Aggregations