
Example 16 with TransactionManager

use of io.prestosql.transaction.TransactionManager in project hetu-core by openlookeng.

the class GrantRolesTask method execute.

/**
 * Handles a GRANT ROLES statement: lower-cases the requested role names, verifies that every
 * referenced role exists in the target catalog, runs the access-control check, and then records
 * the grant through {@code metadata}.
 *
 * <p>NOTE(review): role existence is validated before {@code checkCanGrantRoles} runs, so a caller
 * who is not permitted to grant roles still gets "does not exist" for unknown names and an
 * access-control outcome for known ones. Where role names are treated as sensitive, confirm that
 * this ordering is acceptable.
 *
 * @return an already-completed future; all work happens before this method returns
 * @throws SemanticException if a named role, a role-typed grantee, or a role-typed grantor is not
 *         among the roles listed for the catalog
 */
@Override
public ListenableFuture<?> execute(GrantRoles statement, TransactionManager transactionManager, Metadata metadata, AccessControl accessControl, QueryStateMachine stateMachine, List<Expression> parameters, HeuristicIndexerManager heuristicIndexerManager) {
    Session session = stateMachine.getSession();

    // Requested role names are lower-cased with a fixed locale before any lookup.
    Set<String> roles = statement.getRoles().stream()
            .map(identifier -> identifier.getValue().toLowerCase(Locale.ENGLISH))
            .collect(toImmutableSet());
    Set<PrestoPrincipal> grantees = statement.getGrantees().stream()
            .map(MetadataUtil::createPrincipal)
            .collect(toImmutableSet());
    boolean withAdminOption = statement.isWithAdminOption();
    Optional<PrestoPrincipal> grantor = statement.getGrantor().map(spec -> createPrincipal(session, spec));
    String catalog = createCatalogName(session, statement);
    Set<String> availableRoles = metadata.listRoles(session, catalog);

    // Every role mentioned anywhere in the statement must exist: the roles being granted,
    // any grantee that is itself a role, and the grantor when it is a role.
    // NOTE(review): grantee/grantor names are used as createPrincipal returns them; whether they
    // are normalized the same way as `roles` is not visible here.
    Set<String> referencedRoles = new LinkedHashSet<>(roles);
    for (PrestoPrincipal grantee : grantees) {
        if (grantee.getType() == ROLE) {
            referencedRoles.add(grantee.getName());
        }
    }
    if (grantor.isPresent()) {
        PrestoPrincipal grantorPrincipal = grantor.get();
        if (grantorPrincipal.getType() == ROLE) {
            referencedRoles.add(grantorPrincipal.getName());
        }
    }

    for (String role : referencedRoles) {
        if (availableRoles.contains(role)) {
            continue;
        }
        throw new SemanticException(MISSING_ROLE, statement, "Role '%s' does not exist", role);
    }

    // Authorization is checked immediately before the grant is written.
    accessControl.checkCanGrantRoles(session.getRequiredTransactionId(), session.getIdentity(), roles, grantees, withAdminOption, grantor, catalog);
    metadata.grantRoles(session, roles, grantees, withAdminOption, grantor, catalog);
    return immediateFuture(null);
}
Also used : HeuristicIndexerManager(io.prestosql.heuristicindex.HeuristicIndexerManager) GrantRoles(io.prestosql.sql.tree.GrantRoles) Futures.immediateFuture(com.google.common.util.concurrent.Futures.immediateFuture) AccessControl(io.prestosql.security.AccessControl) ListenableFuture(com.google.common.util.concurrent.ListenableFuture) MetadataUtil.createPrincipal(io.prestosql.metadata.MetadataUtil.createPrincipal) TransactionManager(io.prestosql.transaction.TransactionManager) Set(java.util.Set) Metadata(io.prestosql.metadata.Metadata) SemanticException(io.prestosql.sql.analyzer.SemanticException) List(java.util.List) ROLE(io.prestosql.spi.security.PrincipalType.ROLE) MetadataUtil.createCatalogName(io.prestosql.metadata.MetadataUtil.createCatalogName) Locale(java.util.Locale) MetadataUtil(io.prestosql.metadata.MetadataUtil) MISSING_ROLE(io.prestosql.sql.analyzer.SemanticErrorCode.MISSING_ROLE) Session(io.prestosql.Session) Optional(java.util.Optional) ImmutableSet.toImmutableSet(com.google.common.collect.ImmutableSet.toImmutableSet) PrestoPrincipal(io.prestosql.spi.security.PrestoPrincipal) Expression(io.prestosql.sql.tree.Expression) LinkedHashSet(java.util.LinkedHashSet) LinkedHashSet(java.util.LinkedHashSet) PrestoPrincipal(io.prestosql.spi.security.PrestoPrincipal) Session(io.prestosql.Session) SemanticException(io.prestosql.sql.analyzer.SemanticException)

Example 17 with TransactionManager

use of io.prestosql.transaction.TransactionManager in project hetu-core by openlookeng.

the class CallTask method execute.

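/**
 * Executes a CALL statement: resolves the procedure in its catalog, binds the call arguments to
 * the declared parameters, evaluates each argument as a constant expression of the declared
 * type, and invokes the procedure's method handle.
 *
 * <p>NOTE(review): {@code accessControl} is not consulted anywhere in this method, so no
 * authorization check is visible between resolving the procedure and invoking it. Confirm that
 * the procedure implementation or the connector enforces who may call it.
 *
 * @return an already-completed future; the procedure has run by the time this method returns
 * @throws PrestoException if the session is not in autocommit mode, a declared argument type is
 *         unknown, a null is bound to a primitive parameter, or the procedure itself fails
 * @throws SemanticException if the catalog is missing or the arguments do not match the
 *         procedure's declaration
 */
@Override
public ListenableFuture<?> execute(Call call, TransactionManager transactionManager, Metadata metadata, AccessControl accessControl, QueryStateMachine stateMachine, List<Expression> parameters, HeuristicIndexerManager heuristicIndexerManager) {
    Session session = stateMachine.getSession();
    // Reject calls made inside an explicit (non-autocommit) transaction.
    if (!transactionManager.isAutoCommit(session.getRequiredTransactionId())) {
        throw new PrestoException(NOT_SUPPORTED, "Procedures cannot be called within a transaction (use autocommit mode)");
    }
    QualifiedObjectName procedureName = createQualifiedObjectName(session, call, call.getName());
    CatalogName catalogName = metadata.getCatalogHandle(session, procedureName.getCatalogName()).orElseThrow(() -> new SemanticException(MISSING_CATALOG, call, "Catalog %s does not exist", procedureName.getCatalogName()));
    Procedure procedure = metadata.getProcedureRegistry().resolve(catalogName, toSchemaTableName(procedureName));
    List<Argument> declaredArguments = procedure.getArguments();
    // map declared argument names to positions
    Map<String, Integer> positions = new HashMap<>();
    for (int i = 0; i < declaredArguments.size(); i++) {
        positions.put(declaredArguments.get(i).getName(), i);
    }
    // per specification, do not allow mixing argument types
    Predicate<CallArgument> hasName = argument -> argument.getName().isPresent();
    boolean anyNamed = call.getArguments().stream().anyMatch(hasName);
    boolean allNamed = call.getArguments().stream().allMatch(hasName);
    if (anyNamed && !allNamed) {
        throw new SemanticException(INVALID_PROCEDURE_ARGUMENTS, call, "Named and positional arguments cannot be mixed");
    }
    // get the argument names in call order; positional arguments take the declared name at
    // the same index, named arguments must be unique and must match a declared name
    Map<String, CallArgument> names = new LinkedHashMap<>();
    for (int i = 0; i < call.getArguments().size(); i++) {
        CallArgument argument = call.getArguments().get(i);
        if (argument.getName().isPresent()) {
            String name = argument.getName().get();
            if (names.put(name, argument) != null) {
                throw new SemanticException(INVALID_PROCEDURE_ARGUMENTS, argument, "Duplicate procedure argument: %s", name);
            }
            if (!positions.containsKey(name)) {
                throw new SemanticException(INVALID_PROCEDURE_ARGUMENTS, argument, "Unknown argument name: %s", name);
            }
        } else if (i < declaredArguments.size()) {
            names.put(declaredArguments.get(i).getName(), argument);
        } else {
            throw new SemanticException(INVALID_PROCEDURE_ARGUMENTS, call, "Too many arguments for procedure");
        }
    }
    // verify argument count: every declared argument must have been bound
    if (names.size() < positions.size()) {
        throw new SemanticException(INVALID_PROCEDURE_ARGUMENTS, call, "Too few arguments for procedure");
    }
    // get argument values, stored at the declared position regardless of call order
    Object[] values = new Object[declaredArguments.size()];
    for (Entry<String, CallArgument> entry : names.entrySet()) {
        CallArgument callArgument = entry.getValue();
        int index = positions.get(entry.getKey());
        Argument argument = declaredArguments.get(index);
        // substitute prepared-statement parameters before evaluating the expression
        Expression expression = ExpressionTreeRewriter.rewriteWith(new ParameterRewriter(parameters), callArgument.getValue());
        Type type;
        try {
            type = metadata.getType(argument.getType());
        } catch (TypeNotFoundException e) {
            // keep the original exception as the cause so the lookup failure stays diagnosable
            throw new PrestoException(INVALID_PROCEDURE_DEFINITION, "Unknown procedure argument type: " + argument.getType(), e);
        }
        Object value = evaluateConstantExpression(expression, type, metadata, session, parameters);
        values[index] = toTypeObjectValue(session, type, value);
    }
    // validate arguments: a null cannot be passed where the method handle takes a primitive
    MethodType methodType = procedure.getMethodHandle().type();
    for (int i = 0; i < declaredArguments.size(); i++) {
        if ((values[i] == null) && methodType.parameterType(i).isPrimitive()) {
            String name = declaredArguments.get(i).getName();
            throw new PrestoException(INVALID_PROCEDURE_ARGUMENT, "Procedure argument cannot be null: " + name);
        }
    }
    // insert session argument: ConnectorSession-typed parameters are filled from the current
    // session, all other parameters consume the evaluated values in declared order
    List<Object> arguments = new ArrayList<>();
    Iterator<Object> valuesIterator = asList(values).iterator();
    for (Class<?> type : methodType.parameterList()) {
        if (ConnectorSession.class.isAssignableFrom(type)) {
            arguments.add(session.toConnectorSession(catalogName));
        } else {
            arguments.add(valuesIterator.next());
        }
    }
    try {
        procedure.getMethodHandle().invokeWithArguments(arguments);
    } catch (Throwable t) {
        // restore the interrupt flag before translating the failure
        if (t instanceof InterruptedException) {
            Thread.currentThread().interrupt();
        }
        // PrestoExceptions pass through unchanged; anything else is wrapped with its cause
        throwIfInstanceOf(t, PrestoException.class);
        throw new PrestoException(PROCEDURE_CALL_FAILED, t);
    }
    return immediateFuture(null);
}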
Also used : INVALID_PROCEDURE_DEFINITION(io.prestosql.spi.StandardErrorCode.INVALID_PROCEDURE_DEFINITION) ListenableFuture(com.google.common.util.concurrent.ListenableFuture) Argument(io.prestosql.spi.procedure.Procedure.Argument) TransactionManager(io.prestosql.transaction.TransactionManager) HashMap(java.util.HashMap) TypeNotFoundException(io.prestosql.spi.type.TypeNotFoundException) CallArgument(io.prestosql.sql.tree.CallArgument) ExpressionTreeRewriter(io.prestosql.sql.tree.ExpressionTreeRewriter) QualifiedObjectName(io.prestosql.spi.connector.QualifiedObjectName) ArrayList(java.util.ArrayList) LinkedHashMap(java.util.LinkedHashMap) SemanticException(io.prestosql.sql.analyzer.SemanticException) PROCEDURE_CALL_FAILED(io.prestosql.spi.StandardErrorCode.PROCEDURE_CALL_FAILED) Procedure(io.prestosql.spi.procedure.Procedure) ExpressionInterpreter.evaluateConstantExpression(io.prestosql.sql.planner.ExpressionInterpreter.evaluateConstantExpression) ConnectorSession(io.prestosql.spi.connector.ConnectorSession) INVALID_PROCEDURE_ARGUMENTS(io.prestosql.sql.analyzer.SemanticErrorCode.INVALID_PROCEDURE_ARGUMENTS) Arrays.asList(java.util.Arrays.asList) Map(java.util.Map) Session(io.prestosql.Session) INVALID_PROCEDURE_ARGUMENT(io.prestosql.spi.StandardErrorCode.INVALID_PROCEDURE_ARGUMENT) Type(io.prestosql.spi.type.Type) ParameterRewriter(io.prestosql.sql.planner.ParameterRewriter) HeuristicIndexerManager(io.prestosql.heuristicindex.HeuristicIndexerManager) PrestoException(io.prestosql.spi.PrestoException) Futures.immediateFuture(com.google.common.util.concurrent.Futures.immediateFuture) AccessControl(io.prestosql.security.AccessControl) Iterator(java.util.Iterator) BlockBuilder(io.prestosql.spi.block.BlockBuilder) Predicate(java.util.function.Predicate) CatalogName(io.prestosql.spi.connector.CatalogName) Throwables.throwIfInstanceOf(com.google.common.base.Throwables.throwIfInstanceOf) Metadata(io.prestosql.metadata.Metadata) 
MetadataUtil.toSchemaTableName(io.prestosql.metadata.MetadataUtil.toSchemaTableName) List(java.util.List) MethodType(java.lang.invoke.MethodType) Call(io.prestosql.sql.tree.Call) Entry(java.util.Map.Entry) NOT_SUPPORTED(io.prestosql.spi.StandardErrorCode.NOT_SUPPORTED) MetadataUtil.createQualifiedObjectName(io.prestosql.metadata.MetadataUtil.createQualifiedObjectName) Expression(io.prestosql.sql.tree.Expression) TypeUtils.writeNativeValue(io.prestosql.spi.type.TypeUtils.writeNativeValue) MISSING_CATALOG(io.prestosql.sql.analyzer.SemanticErrorCode.MISSING_CATALOG) CallArgument(io.prestosql.sql.tree.CallArgument) Argument(io.prestosql.spi.procedure.Procedure.Argument) CallArgument(io.prestosql.sql.tree.CallArgument) ParameterRewriter(io.prestosql.sql.planner.ParameterRewriter) HashMap(java.util.HashMap) LinkedHashMap(java.util.LinkedHashMap) ArrayList(java.util.ArrayList) PrestoException(io.prestosql.spi.PrestoException) LinkedHashMap(java.util.LinkedHashMap) Procedure(io.prestosql.spi.procedure.Procedure) SemanticException(io.prestosql.sql.analyzer.SemanticException) MethodType(java.lang.invoke.MethodType) QualifiedObjectName(io.prestosql.spi.connector.QualifiedObjectName) MetadataUtil.createQualifiedObjectName(io.prestosql.metadata.MetadataUtil.createQualifiedObjectName) Type(io.prestosql.spi.type.Type) MethodType(java.lang.invoke.MethodType) ExpressionInterpreter.evaluateConstantExpression(io.prestosql.sql.planner.ExpressionInterpreter.evaluateConstantExpression) Expression(io.prestosql.sql.tree.Expression) TypeNotFoundException(io.prestosql.spi.type.TypeNotFoundException) CatalogName(io.prestosql.spi.connector.CatalogName) ConnectorSession(io.prestosql.spi.connector.ConnectorSession) Session(io.prestosql.Session)

Example 18 with TransactionManager

use of io.prestosql.transaction.TransactionManager in project hetu-core by openlookeng.

the class TestAccessControlManager method testNoCatalogAccessControl.

/**
 * Checks that a column-select check completes without throwing when a system access control
 * named "test" is configured and no catalog-level access control has been added.
 */
@Test
public void testNoCatalogAccessControl() {
    TransactionManager txManager = createTestTransactionManager();
    AccessControlManager manager = new AccessControlManager(txManager);

    // Register the test factory, then activate it under the same name with no properties.
    manager.addSystemAccessControlFactory(new TestSystemAccessControlFactory("test"));
    manager.setSystemAccessControl("test", ImmutableMap.of());

    // The test passes only if the check returns normally; there is no explicit assertion.
    transaction(txManager, manager).execute(transactionId -> {
        Identity caller = new Identity(USER_NAME, Optional.of(PRINCIPAL));
        QualifiedObjectName target = new QualifiedObjectName("catalog", "schema", "table");
        manager.checkCanSelectFromColumns(transactionId, caller, target, ImmutableSet.of("column"));
    });
}
Also used : TransactionManager(io.prestosql.transaction.TransactionManager) InMemoryTransactionManager.createTestTransactionManager(io.prestosql.transaction.InMemoryTransactionManager.createTestTransactionManager) ConnectorIdentity(io.prestosql.spi.security.ConnectorIdentity) Identity(io.prestosql.spi.security.Identity) QualifiedObjectName(io.prestosql.spi.connector.QualifiedObjectName) Test(org.testng.annotations.Test)

Example 19 with TransactionManager

use of io.prestosql.transaction.TransactionManager in project hetu-core by openlookeng.

the class TestAccessControlManager method testDenySystemAccessControl.

/**
 * Expects a column-select check against {@code secured_catalog.schema.table} to fail with an
 * "Access Denied" {@code PrestoException}.
 *
 * <p>NOTE(review): the deny-all connector access control is attached to catalog "connector",
 * while the checked table lives in "secured_catalog". The expected denial therefore presumably
 * comes from the system access control built by {@code TestSystemAccessControlFactory}; confirm
 * against that factory.
 *
 * <p>NOTE(review): the dots in {@code expectedExceptionsMessageRegExp} are regex wildcards, so
 * the message match is looser than the literal table name suggests.
 */
@Test(expectedExceptions = PrestoException.class, expectedExceptionsMessageRegExp = "Access Denied: Cannot select from table secured_catalog.schema.table")
public void testDenySystemAccessControl() {
    CatalogManager catalogs = new CatalogManager();
    TransactionManager txManager = createTestTransactionManager(catalogs);
    AccessControlManager manager = new AccessControlManager(txManager);

    // System-level access control: register the test factory and activate it.
    manager.addSystemAccessControlFactory(new TestSystemAccessControlFactory("test"));
    manager.setSystemAccessControl("test", ImmutableMap.of());

    // Catalog-level access control: a connector named "connector" that denies everything.
    registerBogusConnector(catalogs, txManager, manager, "connector");
    CatalogName connectorCatalog = new CatalogName("connector");
    manager.addCatalogAccessControl(connectorCatalog, new DenyConnectorAccessControl());

    transaction(txManager, manager).execute(transactionId -> {
        Identity caller = new Identity(USER_NAME, Optional.of(PRINCIPAL));
        QualifiedObjectName target = new QualifiedObjectName("secured_catalog", "schema", "table");
        manager.checkCanSelectFromColumns(transactionId, caller, target, ImmutableSet.of("column"));
    });
}
Also used : TransactionManager(io.prestosql.transaction.TransactionManager) InMemoryTransactionManager.createTestTransactionManager(io.prestosql.transaction.InMemoryTransactionManager.createTestTransactionManager) CatalogName.createSystemTablesCatalogName(io.prestosql.spi.connector.CatalogName.createSystemTablesCatalogName) CatalogName.createInformationSchemaCatalogName(io.prestosql.spi.connector.CatalogName.createInformationSchemaCatalogName) CatalogName(io.prestosql.spi.connector.CatalogName) ConnectorIdentity(io.prestosql.spi.security.ConnectorIdentity) Identity(io.prestosql.spi.security.Identity) CatalogManager(io.prestosql.metadata.CatalogManager) QualifiedObjectName(io.prestosql.spi.connector.QualifiedObjectName) Test(org.testng.annotations.Test)

Example 20 with TransactionManager

use of io.prestosql.transaction.TransactionManager in project hetu-core by openlookeng.

the class TestFileBasedSystemAccessControl method testCanImpersonateUserOperations.

/**
 * Pins the allow and deny outcomes of {@code checkCanImpersonateUser} for the rules loaded from
 * {@code catalog_impersonation.json}, then checks one allowed impersonation under
 * {@code catalog_principal.json}.
 *
 * <p>The rule files are not shown here, so the comments below describe only the outcomes the
 * test expects, not why the rules produce them.
 */
@Test
public void testCanImpersonateUserOperations() {
    TransactionManager transactionManager = createTestTransactionManager();
    AccessControlManager impersonationRules = newAccessControlManager(transactionManager, "catalog_impersonation.json");

    // alice may act as bob and charlie, but not as admin.
    impersonationRules.checkCanImpersonateUser(new Identity("alice", Optional.empty()), "bob");
    impersonationRules.checkCanImpersonateUser(new Identity("alice", Optional.empty()), "charlie");
    expectImpersonationDenied(impersonationRules, "alice", "admin");

    // admin and admin-other may act as any of the users tried here; admin-test may not act as alice.
    impersonationRules.checkCanImpersonateUser(new Identity("admin", Optional.empty()), "alice");
    impersonationRules.checkCanImpersonateUser(new Identity("admin", Optional.empty()), "bob");
    impersonationRules.checkCanImpersonateUser(new Identity("admin", Optional.empty()), "anything");
    impersonationRules.checkCanImpersonateUser(new Identity("admin-other", Optional.empty()), "anything");
    expectImpersonationDenied(impersonationRules, "admin-test", "alice");

    // A user with no applicable allowance is denied.
    expectImpersonationDenied(impersonationRules, "invalid", "alice");

    // The "test" target is open to "anything" but still closed to "invalid-other".
    impersonationRules.checkCanImpersonateUser(new Identity("anything", Optional.empty()), "test");
    expectImpersonationDenied(impersonationRules, "invalid-other", "test");

    // Under the principal rule file this impersonation is expected to be allowed.
    AccessControlManager principalRules = newAccessControlManager(transactionManager, "catalog_principal.json");
    principalRules.checkCanImpersonateUser(new Identity("anything", Optional.empty()), "anythingElse");
}

/**
 * Fails with an {@code AssertionError} unless impersonating {@code targetUser} as {@code user}
 * is rejected with {@code AccessDeniedException}; any other exception propagates unchanged.
 */
private static void expectImpersonationDenied(AccessControlManager accessControlManager, String user, String targetUser) {
    boolean denied = false;
    try {
        accessControlManager.checkCanImpersonateUser(new Identity(user, Optional.empty()), targetUser);
    } catch (AccessDeniedException expected) {
        // the denial is the outcome under test
        denied = true;
    }
    if (!denied) {
        throw new AssertionError("expected AccessDeniedException");
    }
}
Also used : AccessDeniedException(io.prestosql.spi.security.AccessDeniedException) TransactionManager(io.prestosql.transaction.TransactionManager) InMemoryTransactionManager.createTestTransactionManager(io.prestosql.transaction.InMemoryTransactionManager.createTestTransactionManager) Identity(io.prestosql.spi.security.Identity) Test(org.testng.annotations.Test)
