use of io.prestosql.transaction.TransactionManager in project hetu-core by openlookeng.
the class GrantRolesTask method execute.
/**
 * Runs a GRANT ROLES statement: resolves the roles, grantees, optional grantor and
 * catalog from the statement, verifies that every referenced role exists in that
 * catalog, asks access control whether the session identity may perform the grant,
 * and then applies the grant through {@code metadata}.
 *
 * <p>{@code transactionManager}, {@code parameters} and {@code heuristicIndexerManager}
 * are not used by this method.
 *
 * <p>NOTE(review): role existence is validated against {@code metadata.listRoles}
 * before {@code checkCanGrantRoles} runs, so a caller who would be denied the grant
 * still gets "Role '...' does not exist" for unknown names and an access-control
 * failure for known ones. Confirm that revealing role existence to callers without
 * grant privileges is acceptable for the deployment's threat model.
 *
 * @return an already-completed future; the grant is applied synchronously
 * @throws SemanticException with {@code MISSING_ROLE} if a granted role, a grantee of
 *         type ROLE, or a grantor of type ROLE is not listed for the catalog
 */
@Override
public ListenableFuture<?> execute(
        GrantRoles statement,
        TransactionManager transactionManager,
        Metadata metadata,
        AccessControl accessControl,
        QueryStateMachine stateMachine,
        List<Expression> parameters,
        HeuristicIndexerManager heuristicIndexerManager) {
    Session session = stateMachine.getSession();

    // Granted role names are lower-cased with a fixed locale before any lookup.
    Set<String> roles = statement.getRoles().stream()
            .map(role -> role.getValue().toLowerCase(Locale.ENGLISH))
            .collect(toImmutableSet());
    Set<PrestoPrincipal> grantees = statement.getGrantees().stream()
            .map(MetadataUtil::createPrincipal)
            .collect(toImmutableSet());
    boolean withAdminOption = statement.isWithAdminOption();
    Optional<PrestoPrincipal> grantor = statement.getGrantor()
            .map(specification -> createPrincipal(session, specification));
    String catalog = createCatalogName(session, statement);

    Set<String> knownRoles = metadata.listRoles(session, catalog);

    // Every role mentioned anywhere in the statement must exist: the roles being
    // granted, role-typed grantees, and a role-typed grantor. Insertion order is kept
    // so the first missing role reported is deterministic.
    Set<String> referencedRoles = new LinkedHashSet<>(roles);
    for (PrestoPrincipal grantee : grantees) {
        if (grantee.getType() == ROLE) {
            referencedRoles.add(grantee.getName());
        }
    }
    grantor.filter(principal -> principal.getType() == ROLE)
            .ifPresent(principal -> referencedRoles.add(principal.getName()));

    for (String referenced : referencedRoles) {
        if (knownRoles.contains(referenced)) {
            continue;
        }
        throw new SemanticException(MISSING_ROLE, statement, "Role '%s' does not exist", referenced);
    }

    // Authorization is checked immediately before the state change and with the same
    // arguments that are passed to grantRoles.
    accessControl.checkCanGrantRoles(
            session.getRequiredTransactionId(),
            session.getIdentity(),
            roles,
            grantees,
            withAdminOption,
            grantor,
            catalog);
    metadata.grantRoles(session, roles, grantees, withAdminOption, grantor, catalog);

    return immediateFuture(null);
}
use of io.prestosql.transaction.TransactionManager in project hetu-core by openlookeng.
the class CallTask method execute.
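/**
 * Runs a CALL statement: resolves the procedure in its catalog, binds the call's
 * arguments (all named or all positional) to the procedure's declared arguments,
 * evaluates each argument as a constant expression of the declared type, and invokes
 * the procedure's method handle.
 *
 * <p>NOTE(review): the {@code accessControl} parameter is not referenced anywhere in
 * this method, so the procedure is resolved and invoked for any caller that reaches
 * this task. Confirm that authorization for procedure execution is enforced elsewhere
 * (for example inside the procedure implementation or its connector).
 *
 * <p>{@code heuristicIndexerManager} is also unused here.
 *
 * @return an already-completed future; the procedure runs synchronously
 * @throws PrestoException with {@code NOT_SUPPORTED} when the session transaction is
 *         not in autocommit mode, {@code INVALID_PROCEDURE_DEFINITION} when a declared
 *         argument type cannot be resolved, {@code INVALID_PROCEDURE_ARGUMENT} when a
 *         null value is bound to a primitive parameter, or {@code PROCEDURE_CALL_FAILED}
 *         wrapping any non-PrestoException thrown by the procedure
 * @throws SemanticException when the catalog does not exist or the argument list is
 *         malformed (mixed styles, duplicates, unknown names, wrong count)
 */
@Override
public ListenableFuture<?> execute(Call call, TransactionManager transactionManager, Metadata metadata, AccessControl accessControl, QueryStateMachine stateMachine, List<Expression> parameters, HeuristicIndexerManager heuristicIndexerManager) {
    if (!transactionManager.isAutoCommit(stateMachine.getSession().getRequiredTransactionId())) {
        throw new PrestoException(NOT_SUPPORTED, "Procedures cannot be called within a transaction (use autocommit mode)");
    }
    Session session = stateMachine.getSession();
    QualifiedObjectName procedureName = createQualifiedObjectName(session, call, call.getName());
    CatalogName catalogName = metadata.getCatalogHandle(stateMachine.getSession(), procedureName.getCatalogName())
            .orElseThrow(() -> new SemanticException(MISSING_CATALOG, call, "Catalog %s does not exist", procedureName.getCatalogName()));
    Procedure procedure = metadata.getProcedureRegistry().resolve(catalogName, toSchemaTableName(procedureName));

    // map declared argument names to positions
    Map<String, Integer> positions = new HashMap<>();
    for (int i = 0; i < procedure.getArguments().size(); i++) {
        positions.put(procedure.getArguments().get(i).getName(), i);
    }

    // per specification, do not allow mixing argument types
    Predicate<CallArgument> hasName = argument -> argument.getName().isPresent();
    boolean anyNamed = call.getArguments().stream().anyMatch(hasName);
    boolean allNamed = call.getArguments().stream().allMatch(hasName);
    if (anyNamed && !allNamed) {
        throw new SemanticException(INVALID_PROCEDURE_ARGUMENTS, call, "Named and positional arguments cannot be mixed");
    }

    // get the argument names in call order
    Map<String, CallArgument> names = new LinkedHashMap<>();
    for (int i = 0; i < call.getArguments().size(); i++) {
        CallArgument argument = call.getArguments().get(i);
        if (argument.getName().isPresent()) {
            String name = argument.getName().get();
            // put() returning non-null means this name was already supplied
            if (names.put(name, argument) != null) {
                throw new SemanticException(INVALID_PROCEDURE_ARGUMENTS, argument, "Duplicate procedure argument: %s", name);
            }
            if (!positions.containsKey(name)) {
                throw new SemanticException(INVALID_PROCEDURE_ARGUMENTS, argument, "Unknown argument name: %s", name);
            }
        } else if (i < procedure.getArguments().size()) {
            // positional argument: take the declared name at the same index
            names.put(procedure.getArguments().get(i).getName(), argument);
        } else {
            throw new SemanticException(INVALID_PROCEDURE_ARGUMENTS, call, "Too many arguments for procedure");
        }
    }

    // verify argument count
    if (names.size() < positions.size()) {
        throw new SemanticException(INVALID_PROCEDURE_ARGUMENTS, call, "Too few arguments for procedure");
    }

    // get argument values
    Object[] values = new Object[procedure.getArguments().size()];
    for (Entry<String, CallArgument> entry : names.entrySet()) {
        CallArgument callArgument = entry.getValue();
        int index = positions.get(entry.getKey());
        Argument argument = procedure.getArguments().get(index);
        // substitute prepared-statement parameters before evaluating the expression
        Expression expression = ExpressionTreeRewriter.rewriteWith(new ParameterRewriter(parameters), callArgument.getValue());
        Type type;
        try {
            type = metadata.getType(argument.getType());
        } catch (TypeNotFoundException e) {
            // keep the lookup failure as the cause so the broken definition can be diagnosed
            throw new PrestoException(INVALID_PROCEDURE_DEFINITION, "Unknown procedure argument type: " + argument.getType(), e);
        }
        // each argument is evaluated as a constant expression of the declared type
        Object value = evaluateConstantExpression(expression, type, metadata, session, parameters);
        values[index] = toTypeObjectValue(session, type, value);
    }

    // validate arguments
    MethodType methodType = procedure.getMethodHandle().type();
    for (int i = 0; i < procedure.getArguments().size(); i++) {
        if ((values[i] == null) && methodType.parameterType(i).isPrimitive()) {
            String name = procedure.getArguments().get(i).getName();
            throw new PrestoException(INVALID_PROCEDURE_ARGUMENT, "Procedure argument cannot be null: " + name);
        }
    }

    // insert session argument
    List<Object> arguments = new ArrayList<>();
    Iterator<Object> valuesIterator = asList(values).iterator();
    for (Class<?> type : methodType.parameterList()) {
        if (ConnectorSession.class.isAssignableFrom(type)) {
            arguments.add(session.toConnectorSession(catalogName));
        } else {
            arguments.add(valuesIterator.next());
        }
    }

    try {
        procedure.getMethodHandle().invokeWithArguments(arguments);
    } catch (Throwable t) {
        // restore the interrupt flag before translating the failure
        if (t instanceof InterruptedException) {
            Thread.currentThread().interrupt();
        }
        // PrestoException from the procedure is rethrown as-is; anything else is wrapped
        throwIfInstanceOf(t, PrestoException.class);
        throw new PrestoException(PROCEDURE_CALL_FAILED, t);
    }
    return immediateFuture(null);
}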
use of io.prestosql.transaction.TransactionManager in project hetu-core by openlookeng.
the class TestAccessControlManager method testNoCatalogAccessControl.
/**
 * Checks that a column SELECT check completes without throwing when a system access
 * control named "test" is configured and no catalog access control has been added
 * for the queried catalog.
 */
@Test
public void testNoCatalogAccessControl() {
    TransactionManager transactions = createTestTransactionManager();
    AccessControlManager accessControl = new AccessControlManager(transactions);

    // Install and activate the "test" system access control with an empty config.
    accessControl.addSystemAccessControlFactory(new TestSystemAccessControlFactory("test"));
    accessControl.setSystemAccessControl("test", ImmutableMap.of());

    // The test passes as long as the check below does not throw.
    transaction(transactions, accessControl).execute(transactionId -> {
        Identity identity = new Identity(USER_NAME, Optional.of(PRINCIPAL));
        QualifiedObjectName table = new QualifiedObjectName("catalog", "schema", "table");
        accessControl.checkCanSelectFromColumns(transactionId, identity, table, ImmutableSet.of("column"));
    });
}
use of io.prestosql.transaction.TransactionManager in project hetu-core by openlookeng.
the class TestAccessControlManager method testDenySystemAccessControl.
/**
 * Expects a column SELECT check on {@code secured_catalog.schema.table} to fail with
 * a {@code PrestoException} whose message matches the "Access Denied" pattern in the
 * annotation.
 *
 * <p>NOTE(review): the connector and its {@code DenyConnectorAccessControl} are
 * registered under the name "connector", while the checked table is in
 * "secured_catalog". The denial therefore presumably comes from the "test" system
 * access control rather than from the catalog-level one; confirm against
 * {@code TestSystemAccessControlFactory}.
 *
 * <p>NOTE(review): the dots in the expected-message pattern are unescaped regex
 * wildcards, so the match is slightly looser than the literal table name.
 */
@Test(expectedExceptions = PrestoException.class, expectedExceptionsMessageRegExp = "Access Denied: Cannot select from table secured_catalog.schema.table")
public void testDenySystemAccessControl() {
    CatalogManager catalogs = new CatalogManager();
    TransactionManager transactions = createTestTransactionManager(catalogs);
    AccessControlManager accessControl = new AccessControlManager(transactions);

    // Install and activate the "test" system access control with an empty config.
    accessControl.addSystemAccessControlFactory(new TestSystemAccessControlFactory("test"));
    accessControl.setSystemAccessControl("test", ImmutableMap.of());

    // Register a connector and attach a catalog-level access control to it.
    registerBogusConnector(catalogs, transactions, accessControl, "connector");
    accessControl.addCatalogAccessControl(new CatalogName("connector"), new DenyConnectorAccessControl());

    transaction(transactions, accessControl).execute(transactionId -> {
        Identity identity = new Identity(USER_NAME, Optional.of(PRINCIPAL));
        QualifiedObjectName table = new QualifiedObjectName("secured_catalog", "schema", "table");
        accessControl.checkCanSelectFromColumns(transactionId, identity, table, ImmutableSet.of("column"));
    });
}
use of io.prestosql.transaction.TransactionManager in project hetu-core by openlookeng.
the class TestFileBasedSystemAccessControl method testCanImpersonateUserOperations.
/**
 * Exercises {@code checkCanImpersonateUser} against the rules loaded from
 * {@code catalog_impersonation.json} and then {@code catalog_principal.json}.
 *
 * <p>The rule files are not shown here; the expectations below are the contract this
 * test pins. Allowed calls must return normally. Denied calls must throw
 * {@code AccessDeniedException}, and each is followed by an {@code AssertionError}
 * so that a silently permitted impersonation fails the test.
 */
@Test
public void testCanImpersonateUserOperations() {
    TransactionManager transactions = createTestTransactionManager();
    AccessControlManager impersonationRules = newAccessControlManager(transactions, "catalog_impersonation.json");

    Identity alice = new Identity("alice", Optional.empty());
    Identity admin = new Identity("admin", Optional.empty());

    // alice may act as bob and charlie, but not as admin.
    impersonationRules.checkCanImpersonateUser(alice, "bob");
    impersonationRules.checkCanImpersonateUser(alice, "charlie");
    try {
        impersonationRules.checkCanImpersonateUser(alice, "admin");
        throw new AssertionError("expected AccessDeniedException");
    } catch (AccessDeniedException ignored) {
        // denial is the expected outcome
    }

    // admin and admin-other may act as arbitrary users.
    impersonationRules.checkCanImpersonateUser(admin, "alice");
    impersonationRules.checkCanImpersonateUser(admin, "bob");
    impersonationRules.checkCanImpersonateUser(admin, "anything");
    impersonationRules.checkCanImpersonateUser(new Identity("admin-other", Optional.empty()), "anything");

    // admin-test and invalid must not be able to act as alice.
    try {
        impersonationRules.checkCanImpersonateUser(new Identity("admin-test", Optional.empty()), "alice");
        throw new AssertionError("expected AccessDeniedException");
    } catch (AccessDeniedException ignored) {
        // denial is the expected outcome
    }
    try {
        impersonationRules.checkCanImpersonateUser(new Identity("invalid", Optional.empty()), "alice");
        throw new AssertionError("expected AccessDeniedException");
    } catch (AccessDeniedException ignored) {
        // denial is the expected outcome
    }

    // "test" may be impersonated by "anything" but not by "invalid-other".
    impersonationRules.checkCanImpersonateUser(new Identity("anything", Optional.empty()), "test");
    try {
        impersonationRules.checkCanImpersonateUser(new Identity("invalid-other", Optional.empty()), "test");
        throw new AssertionError("expected AccessDeniedException");
    } catch (AccessDeniedException ignored) {
        // denial is the expected outcome
    }

    // With catalog_principal.json loaded instead, this impersonation is permitted.
    AccessControlManager principalRules = newAccessControlManager(transactions, "catalog_principal.json");
    principalRules.checkCanImpersonateUser(new Identity("anything", Optional.empty()), "anythingElse");
}