
Example 1 with TransactionManager

Use of io.prestosql.transaction.TransactionManager in project hetu-core by openlookeng.

In class TestAccessControlManager, method testReadOnlySystemAccessControl.

@Test
public void testReadOnlySystemAccessControl() {
    Identity identity = new Identity(USER_NAME, Optional.of(PRINCIPAL));
    QualifiedObjectName tableName = new QualifiedObjectName("catalog", "schema", "table");
    TransactionManager transactionManager = createTestTransactionManager();
    AccessControlManager accessControlManager = new AccessControlManager(transactionManager);
    accessControlManager.setSystemAccessControl(ReadOnlySystemAccessControl.NAME, ImmutableMap.of());
    accessControlManager.checkCanSetUser(Optional.of(PRINCIPAL), USER_NAME);
    accessControlManager.checkCanSetSystemSessionProperty(identity, "property");
    transaction(transactionManager, accessControlManager).execute(transactionId -> {
        accessControlManager.checkCanSetCatalogSessionProperty(transactionId, identity, "catalog", "property");
        accessControlManager.checkCanShowSchemas(transactionId, identity, "catalog");
        accessControlManager.checkCanShowTablesMetadata(transactionId, identity, new CatalogSchemaName("catalog", "schema"));
        accessControlManager.checkCanSelectFromColumns(transactionId, identity, tableName, ImmutableSet.of("column"));
        accessControlManager.checkCanCreateViewWithSelectFromColumns(transactionId, identity, tableName, ImmutableSet.of("column"));
        Set<String> catalogs = ImmutableSet.of("catalog");
        assertEquals(accessControlManager.filterCatalogs(identity, catalogs), catalogs);
        Set<String> schemas = ImmutableSet.of("schema");
        assertEquals(accessControlManager.filterSchemas(transactionId, identity, "catalog", schemas), schemas);
        Set<SchemaTableName> tableNames = ImmutableSet.of(new SchemaTableName("schema", "table"));
        assertEquals(accessControlManager.filterTables(transactionId, identity, "catalog", tableNames), tableNames);
    });
    try {
        transaction(transactionManager, accessControlManager).execute(transactionId -> {
            accessControlManager.checkCanInsertIntoTable(transactionId, identity, tableName);
        });
        fail();
    } catch (AccessDeniedException expected) {
        // Expected: the read-only system access control denies inserts.
    }
}
Also used : AccessDeniedException(io.prestosql.spi.security.AccessDeniedException) TransactionManager(io.prestosql.transaction.TransactionManager) InMemoryTransactionManager.createTestTransactionManager(io.prestosql.transaction.InMemoryTransactionManager.createTestTransactionManager) CatalogSchemaName(io.prestosql.spi.connector.CatalogSchemaName) ConnectorIdentity(io.prestosql.spi.security.ConnectorIdentity) Identity(io.prestosql.spi.security.Identity) SchemaTableName(io.prestosql.spi.connector.SchemaTableName) CatalogSchemaTableName(io.prestosql.spi.connector.CatalogSchemaTableName) QualifiedObjectName(io.prestosql.spi.connector.QualifiedObjectName) Test(org.testng.annotations.Test)

Example 2 with TransactionManager

Use of io.prestosql.transaction.TransactionManager in project hetu-core by openlookeng.

In class TestAccessControlManager, method testDenyCatalogAccessControl.

@Test(expectedExceptions = PrestoException.class, expectedExceptionsMessageRegExp = "Access Denied: Cannot select from columns \\[column\\] in table or view schema.table")
public void testDenyCatalogAccessControl() {
    CatalogManager catalogManager = new CatalogManager();
    TransactionManager transactionManager = createTestTransactionManager(catalogManager);
    AccessControlManager accessControlManager = new AccessControlManager(transactionManager);
    TestSystemAccessControlFactory accessControlFactory = new TestSystemAccessControlFactory("test");
    accessControlManager.addSystemAccessControlFactory(accessControlFactory);
    accessControlManager.setSystemAccessControl("test", ImmutableMap.of());
    CatalogName catalogName = registerBogusConnector(catalogManager, transactionManager, accessControlManager, "catalog");
    accessControlManager.addCatalogAccessControl(catalogName, new DenyConnectorAccessControl());
    transaction(transactionManager, accessControlManager).execute(transactionId -> {
        accessControlManager.checkCanSelectFromColumns(transactionId, new Identity(USER_NAME, Optional.of(PRINCIPAL)), new QualifiedObjectName("catalog", "schema", "table"), ImmutableSet.of("column"));
    });
}
Also used : TransactionManager(io.prestosql.transaction.TransactionManager) InMemoryTransactionManager.createTestTransactionManager(io.prestosql.transaction.InMemoryTransactionManager.createTestTransactionManager) CatalogName.createSystemTablesCatalogName(io.prestosql.spi.connector.CatalogName.createSystemTablesCatalogName) CatalogName.createInformationSchemaCatalogName(io.prestosql.spi.connector.CatalogName.createInformationSchemaCatalogName) CatalogName(io.prestosql.spi.connector.CatalogName) ConnectorIdentity(io.prestosql.spi.security.ConnectorIdentity) Identity(io.prestosql.spi.security.Identity) CatalogManager(io.prestosql.metadata.CatalogManager) QualifiedObjectName(io.prestosql.spi.connector.QualifiedObjectName) Test(org.testng.annotations.Test)

Example 3 with TransactionManager

Use of io.prestosql.transaction.TransactionManager in project hetu-core by openlookeng.

In class TestAccessControlManager, method testColumnMaskOrdering.

@Test
public void testColumnMaskOrdering() {
    CatalogManager catalogManager = new CatalogManager();
    TransactionManager transactionManager = createTestTransactionManager(catalogManager);
    AccessControlManager accessControlManager = new AccessControlManager(transactionManager);
    accessControlManager.addSystemAccessControlFactory(new SystemAccessControlFactory() {

        @Override
        public String getName() {
            return "test";
        }

        @Override
        public SystemAccessControl create(Map<String, String> config) {
            return new SystemAccessControl() {

                @Override
                public void checkCanSetUser(Optional<Principal> principal, String userName) {
                }

                @Override
                public void checkCanImpersonateUser(Identity identity, String propertyName) {
                }

                @Override
                public void checkCanSetSystemSessionProperty(Identity identity, String propertyName) {
                }

                @Override
                public Optional<ViewExpression> getColumnMask(Identity identity, CatalogSchemaTableName tableName, String columnName, Type type) {
                    return Optional.of(new ViewExpression("user", Optional.empty(), Optional.empty(), "system mask"));
                }
            };
        }
    });
    accessControlManager.setSystemAccessControl("test", ImmutableMap.of());
    CatalogName catalogName = registerBogusConnector(catalogManager, transactionManager, accessControlManager, "catalog");
    accessControlManager.addCatalogAccessControl(catalogName, new ConnectorAccessControl() {

        @Override
        public Optional<ViewExpression> getColumnMask(ConnectorTransactionHandle transactionHandle, Identity identity, SchemaTableName tableName, String columnName, Type type) {
            return Optional.of(new ViewExpression("user", Optional.empty(), Optional.empty(), "connector mask"));
        }
    });
    transaction(transactionManager, accessControlManager).execute(transactionId -> {
        List<ViewExpression> masks = accessControlManager.getColumnMasks(transactionId, new Identity(USER_NAME, Optional.of(PRINCIPAL)), new QualifiedObjectName("catalog", "schema", "table"), "column", BIGINT);
        // The connector-level mask is returned before the system-level mask.
        assertEquals(masks.get(0).getExpression(), "connector mask");
        assertEquals(masks.get(1).getExpression(), "system mask");
    });
}
Also used : Optional(java.util.Optional) ConnectorAccessControl(io.prestosql.spi.connector.ConnectorAccessControl) SystemAccessControl(io.prestosql.spi.security.SystemAccessControl) ConnectorTransactionHandle(io.prestosql.spi.connector.ConnectorTransactionHandle) SchemaTableName(io.prestosql.spi.connector.SchemaTableName) CatalogSchemaTableName(io.prestosql.spi.connector.CatalogSchemaTableName) CatalogManager(io.prestosql.metadata.CatalogManager) QualifiedObjectName(io.prestosql.spi.connector.QualifiedObjectName) ViewExpression(io.prestosql.spi.security.ViewExpression) SystemAccessControlFactory(io.prestosql.spi.security.SystemAccessControlFactory) Type(io.prestosql.spi.type.Type) TransactionManager(io.prestosql.transaction.TransactionManager) InMemoryTransactionManager.createTestTransactionManager(io.prestosql.transaction.InMemoryTransactionManager.createTestTransactionManager) CatalogName.createSystemTablesCatalogName(io.prestosql.spi.connector.CatalogName.createSystemTablesCatalogName) CatalogName.createInformationSchemaCatalogName(io.prestosql.spi.connector.CatalogName.createInformationSchemaCatalogName) CatalogName(io.prestosql.spi.connector.CatalogName) ConnectorIdentity(io.prestosql.spi.security.ConnectorIdentity) Identity(io.prestosql.spi.security.Identity) BasicPrincipal(io.prestosql.spi.security.BasicPrincipal) Principal(java.security.Principal) PrestoPrincipal(io.prestosql.spi.security.PrestoPrincipal) Test(org.testng.annotations.Test)

Example 4 with TransactionManager

Use of io.prestosql.transaction.TransactionManager in project hetu-core by openlookeng.

In class TestFileBasedSystemAccessControl, method testRefreshing.

@Test
public void testRefreshing() throws Exception {
    TransactionManager transactionManager = createTestTransactionManager();
    AccessControlManager accessControlManager = new AccessControlManager(transactionManager);
    File configFile = newTemporaryFile();
    configFile.deleteOnExit();
    copy(new File(getResourcePath("catalog.json")), configFile);
    accessControlManager.setSystemAccessControl(FileBasedSystemAccessControl.NAME, ImmutableMap.of(SECURITY_CONFIG_FILE, configFile.getCanonicalPath(), SECURITY_REFRESH_PERIOD, "1ms"));
    transaction(transactionManager, accessControlManager).execute(transactionId -> {
        accessControlManager.checkCanCreateView(transactionId, alice, aliceView);
        accessControlManager.checkCanCreateView(transactionId, alice, aliceView);
        accessControlManager.checkCanCreateView(transactionId, alice, aliceView);
    });
    // Replace the rules with an invalid file and wait past the 1ms refresh period.
    copy(new File(getResourcePath("security-config-file-with-unknown-rules.json")), configFile);
    sleep(2);
    assertThatThrownBy(() -> transaction(transactionManager, accessControlManager).execute(transactionId -> {
        accessControlManager.checkCanCreateView(transactionId, alice, aliceView);
    })).isInstanceOf(IllegalArgumentException.class).hasMessageStartingWith("Invalid JSON file");
    // Check again to verify that the file-based access control was not cached somewhere.
    assertThatThrownBy(() -> transaction(transactionManager, accessControlManager).execute(transactionId -> {
        accessControlManager.checkCanCreateView(transactionId, alice, aliceView);
    })).isInstanceOf(IllegalArgumentException.class).hasMessageStartingWith("Invalid JSON file");
    copy(new File(getResourcePath("catalog.json")), configFile);
    sleep(2);
    transaction(transactionManager, accessControlManager).execute(transactionId -> {
        accessControlManager.checkCanCreateView(transactionId, alice, aliceView);
    });
}
Also used : SECURITY_CONFIG_FILE(io.prestosql.plugin.base.security.FileBasedAccessControlConfig.SECURITY_CONFIG_FILE) TransactionManager(io.prestosql.transaction.TransactionManager) InterfaceTestUtils.assertAllMethodsOverridden(io.prestosql.spi.testing.InterfaceTestUtils.assertAllMethodsOverridden) Assert.assertEquals(org.testng.Assert.assertEquals) Test(org.testng.annotations.Test) QualifiedObjectName(io.prestosql.spi.connector.QualifiedObjectName) AccessDeniedException(io.prestosql.spi.security.AccessDeniedException) SchemaTableName(io.prestosql.spi.connector.SchemaTableName) Assertions.assertThatThrownBy(org.assertj.core.api.Assertions.assertThatThrownBy) Assert.assertThrows(org.testng.Assert.assertThrows) Thread.sleep(java.lang.Thread.sleep) TransactionBuilder.transaction(io.prestosql.transaction.TransactionBuilder.transaction) CatalogSchemaName(io.prestosql.spi.connector.CatalogSchemaName) InMemoryTransactionManager.createTestTransactionManager(io.prestosql.transaction.InMemoryTransactionManager.createTestTransactionManager) Files.newTemporaryFile(org.assertj.core.util.Files.newTemporaryFile) ImmutableSet(com.google.common.collect.ImmutableSet) ImmutableMap(com.google.common.collect.ImmutableMap) KerberosPrincipal(javax.security.auth.kerberos.KerberosPrincipal) Set(java.util.Set) Identity(io.prestosql.spi.security.Identity) USER(io.prestosql.spi.security.PrincipalType.USER) File(java.io.File) SystemAccessControl(io.prestosql.spi.security.SystemAccessControl) SECURITY_REFRESH_PERIOD(io.prestosql.plugin.base.security.FileBasedAccessControlConfig.SECURITY_REFRESH_PERIOD) Files.copy(com.google.common.io.Files.copy) Optional(java.util.Optional) PrestoPrincipal(io.prestosql.spi.security.PrestoPrincipal) SELECT(io.prestosql.spi.security.Privilege.SELECT)

Example 5 with TransactionManager

Use of io.prestosql.transaction.TransactionManager in project hetu-core by openlookeng.

In class TestFileBasedSystemAccessControl, method testCatalogOperations.

@Test
public void testCatalogOperations() {
    TransactionManager transactionManager = createTestTransactionManager();
    AccessControlManager accessControlManager = newAccessControlManager(transactionManager, "catalog.json");
    transaction(transactionManager, accessControlManager).execute(transactionId -> {
        assertEquals(accessControlManager.filterCatalogs(admin, allCatalogs), allCatalogs);
        Set<String> aliceCatalogs = ImmutableSet.of("open-to-all", "alice-catalog", "all-allowed", "staff-catalog");
        assertEquals(accessControlManager.filterCatalogs(alice, allCatalogs), aliceCatalogs);
        Set<String> bobCatalogs = ImmutableSet.of("open-to-all", "all-allowed", "staff-catalog");
        assertEquals(accessControlManager.filterCatalogs(bob, allCatalogs), bobCatalogs);
        Set<String> nonAsciiUserCatalogs = ImmutableSet.of("open-to-all", "all-allowed", "\u0200\u0200\u0200");
        assertEquals(accessControlManager.filterCatalogs(nonAsciiUser, allCatalogs), nonAsciiUserCatalogs);
        accessControlManager.checkCanCreateCatalog(alice, "alice-catalog");
        accessControlManager.checkCanDropCatalog(alice, "alice-catalog");
        accessControlManager.checkCanUpdateCatalog(alice, "alice-catalog");
        accessControlManager.checkCanAccessCatalog(alice, "alice-catalog");
        accessControlManager.checkCanAccessCatalogs(admin);
    });
    assertThrows(AccessDeniedException.class, () -> transaction(transactionManager, accessControlManager).execute(transactionId -> {
        accessControlManager.checkCanCreateCatalog(bob, "alice-catalog");
    }));
    assertThrows(AccessDeniedException.class, () -> transaction(transactionManager, accessControlManager).execute(transactionId -> {
        accessControlManager.checkCanDropCatalog(bob, "alice-catalog");
    }));
    assertThrows(AccessDeniedException.class, () -> transaction(transactionManager, accessControlManager).execute(transactionId -> {
        accessControlManager.checkCanUpdateCatalog(bob, "alice-catalog");
    }));
    assertThrows(AccessDeniedException.class, () -> transaction(transactionManager, accessControlManager).execute(transactionId -> {
        accessControlManager.checkCanAccessCatalog(bob, "alice-catalog");
    }));
    assertThrows(AccessDeniedException.class, () -> transaction(transactionManager, accessControlManager).execute(transactionId -> {
        accessControlManager.checkCanAccessCatalogs(bob);
    }));
}
Also used : SECURITY_CONFIG_FILE(io.prestosql.plugin.base.security.FileBasedAccessControlConfig.SECURITY_CONFIG_FILE) TransactionManager(io.prestosql.transaction.TransactionManager) InterfaceTestUtils.assertAllMethodsOverridden(io.prestosql.spi.testing.InterfaceTestUtils.assertAllMethodsOverridden) Assert.assertEquals(org.testng.Assert.assertEquals) Test(org.testng.annotations.Test) QualifiedObjectName(io.prestosql.spi.connector.QualifiedObjectName) AccessDeniedException(io.prestosql.spi.security.AccessDeniedException) SchemaTableName(io.prestosql.spi.connector.SchemaTableName) Assertions.assertThatThrownBy(org.assertj.core.api.Assertions.assertThatThrownBy) Assert.assertThrows(org.testng.Assert.assertThrows) Thread.sleep(java.lang.Thread.sleep) TransactionBuilder.transaction(io.prestosql.transaction.TransactionBuilder.transaction) CatalogSchemaName(io.prestosql.spi.connector.CatalogSchemaName) InMemoryTransactionManager.createTestTransactionManager(io.prestosql.transaction.InMemoryTransactionManager.createTestTransactionManager) Files.newTemporaryFile(org.assertj.core.util.Files.newTemporaryFile) ImmutableSet(com.google.common.collect.ImmutableSet) ImmutableMap(com.google.common.collect.ImmutableMap) KerberosPrincipal(javax.security.auth.kerberos.KerberosPrincipal) Set(java.util.Set) Identity(io.prestosql.spi.security.Identity) USER(io.prestosql.spi.security.PrincipalType.USER) File(java.io.File) SystemAccessControl(io.prestosql.spi.security.SystemAccessControl) SECURITY_REFRESH_PERIOD(io.prestosql.plugin.base.security.FileBasedAccessControlConfig.SECURITY_REFRESH_PERIOD) Files.copy(com.google.common.io.Files.copy) Optional(java.util.Optional) PrestoPrincipal(io.prestosql.spi.security.PrestoPrincipal) SELECT(io.prestosql.spi.security.Privilege.SELECT)
