Example 36 with QualifiedObjectName
use of io.trino.metadata.QualifiedObjectName in project trino by trinodb.
the class TestColumnMask method testLimitedScope.
@Test
public void testLimitedScope() {
accessControl.reset();
accessControl.columnMask(new QualifiedObjectName(CATALOG, "tiny", "customer"), "custkey", USER, new ViewExpression(USER, Optional.of(CATALOG), Optional.of("tiny"), "orderkey"));
assertThatThrownBy(() -> assertions.query("SELECT (SELECT min(custkey) FROM customer WHERE customer.custkey = orders.custkey) FROM orders")).hasMessage("line 1:34: Invalid column mask for 'local.tiny.customer.custkey': Column 'orderkey' cannot be resolved");
}
Also used :
QualifiedObjectName(io.trino.metadata.QualifiedObjectName)
ViewExpression(io.trino.spi.security.ViewExpression)
Test(org.junit.jupiter.api.Test)
Example 37 with QualifiedObjectName
use of io.trino.metadata.QualifiedObjectName in project trino by trinodb.
the class TestColumnMask method testColumnMaskWithHiddenColumns.
@Test
public void testColumnMaskWithHiddenColumns() {
accessControl.reset();
accessControl.columnMask(new QualifiedObjectName(MOCK_CATALOG, "tiny", "nation_with_hidden_column"), "name", USER, new ViewExpression(USER, Optional.empty(), Optional.empty(), "'POLAND'"));
assertions.query("SELECT * FROM mock.tiny.nation_with_hidden_column WHERE nationkey = 1").assertThat().skippingTypesCheck().matches("VALUES (BIGINT '1', 'POLAND', BIGINT '1', 'al foxes promise slyly according to the regular accounts. bold requests alon')");
assertions.query("SELECT DISTINCT name FROM mock.tiny.nation_with_hidden_column WHERE nationkey = 1").assertThat().skippingTypesCheck().matches("VALUES 'POLAND'");
assertThatThrownBy(() -> assertions.query("INSERT INTO mock.tiny.nation_with_hidden_column SELECT * FROM mock.tiny.nation_with_hidden_column")).hasMessage("Insert into table with column masks is not supported");
assertThatThrownBy(() -> assertions.query("DELETE FROM mock.tiny.nation_with_hidden_column")).hasMessage("line 1:1: Delete from table with column mask");
assertThatThrownBy(() -> assertions.query("UPDATE mock.tiny.nation_with_hidden_column SET name = 'X'")).hasMessage("line 1:1: Updating a table with column masks is not supported");
}
Also used :
QualifiedObjectName(io.trino.metadata.QualifiedObjectName)
ViewExpression(io.trino.spi.security.ViewExpression)
Test(org.junit.jupiter.api.Test)
Example 38 with QualifiedObjectName
use of io.trino.metadata.QualifiedObjectName in project trino by trinodb.
the class TestColumnMask method testView.
@Test
public void testView() {
// mask on the underlying table for view owner when running query as different user
accessControl.reset();
accessControl.columnMask(new QualifiedObjectName(CATALOG, "tiny", "nation"), "name", VIEW_OWNER, new ViewExpression(VIEW_OWNER, Optional.empty(), Optional.empty(), "reverse(name)"));
assertThat(assertions.query(Session.builder(SESSION).setIdentity(Identity.forUser(RUN_AS_USER).build()).build(), "SELECT name FROM mock.default.nation_view WHERE nationkey = 1")).matches("VALUES CAST('ANITNEGRA' AS VARCHAR(25))");
// mask on the underlying table for view owner when running as themselves
accessControl.reset();
accessControl.columnMask(new QualifiedObjectName(CATALOG, "tiny", "nation"), "name", VIEW_OWNER, new ViewExpression(VIEW_OWNER, Optional.of(CATALOG), Optional.of("tiny"), "reverse(name)"));
assertThat(assertions.query(Session.builder(SESSION).setIdentity(Identity.forUser(VIEW_OWNER).build()).build(), "SELECT name FROM mock.default.nation_view WHERE nationkey = 1")).matches("VALUES CAST('ANITNEGRA' AS VARCHAR(25))");
// mask on the underlying table for user running the query (different from view owner) should not be applied
accessControl.reset();
accessControl.columnMask(new QualifiedObjectName(CATALOG, "tiny", "nation"), "name", RUN_AS_USER, new ViewExpression(RUN_AS_USER, Optional.of(CATALOG), Optional.of("tiny"), "reverse(name)"));
assertThat(assertions.query(Session.builder(SESSION).setIdentity(Identity.forUser(RUN_AS_USER).build()).build(), "SELECT name FROM mock.default.nation_view WHERE nationkey = 1")).matches("VALUES CAST('ARGENTINA' AS VARCHAR(25))");
// mask on the view
accessControl.reset();
accessControl.columnMask(new QualifiedObjectName(MOCK_CATALOG, "default", "nation_view"), "name", USER, new ViewExpression(USER, Optional.of(CATALOG), Optional.of("tiny"), "reverse(name)"));
assertThat(assertions.query("SELECT name FROM mock.default.nation_view WHERE nationkey = 1")).matches("VALUES CAST('ANITNEGRA' AS VARCHAR(25))");
}
Also used :
QualifiedObjectName(io.trino.metadata.QualifiedObjectName)
ViewExpression(io.trino.spi.security.ViewExpression)
Test(org.junit.jupiter.api.Test)
Example 39 with QualifiedObjectName
use of io.trino.metadata.QualifiedObjectName in project trino by trinodb.
the class TestColumnMask method testRecursion.
@Test
public void testRecursion() {
accessControl.reset();
accessControl.columnMask(new QualifiedObjectName(CATALOG, "tiny", "orders"), "orderkey", USER, new ViewExpression(USER, Optional.of(CATALOG), Optional.of("tiny"), "(SELECT orderkey FROM orders)"));
assertThatThrownBy(() -> assertions.query("SELECT orderkey FROM orders")).hasMessageMatching(".*\\QColumn mask for 'local.tiny.orders.orderkey' is recursive\\E.*");
// different reference style to same table
accessControl.reset();
accessControl.columnMask(new QualifiedObjectName(CATALOG, "tiny", "orders"), "orderkey", USER, new ViewExpression(USER, Optional.of(CATALOG), Optional.of("tiny"), "(SELECT orderkey FROM local.tiny.orders)"));
assertThatThrownBy(() -> assertions.query("SELECT orderkey FROM orders")).hasMessageMatching(".*\\QColumn mask for 'local.tiny.orders.orderkey' is recursive\\E.*");
// mutual recursion
accessControl.reset();
accessControl.columnMask(new QualifiedObjectName(CATALOG, "tiny", "orders"), "orderkey", RUN_AS_USER, new ViewExpression(RUN_AS_USER, Optional.of(CATALOG), Optional.of("tiny"), "(SELECT orderkey FROM orders)"));
accessControl.columnMask(new QualifiedObjectName(CATALOG, "tiny", "orders"), "orderkey", USER, new ViewExpression(RUN_AS_USER, Optional.of(CATALOG), Optional.of("tiny"), "(SELECT orderkey FROM orders)"));
assertThatThrownBy(() -> assertions.query("SELECT orderkey FROM orders")).hasMessageMatching(".*\\QColumn mask for 'local.tiny.orders.orderkey' is recursive\\E.*");
}
Also used :
QualifiedObjectName(io.trino.metadata.QualifiedObjectName)
ViewExpression(io.trino.spi.security.ViewExpression)
Test(org.junit.jupiter.api.Test)
Example 40 with QualifiedObjectName
use of io.trino.metadata.QualifiedObjectName in project trino by trinodb.
the class TestColumnMask method testUpdateWithColumnMasking.
@Test
public void testUpdateWithColumnMasking() {
accessControl.reset();
accessControl.columnMask(new QualifiedObjectName(CATALOG, "tiny", "orders"), "clerk", USER, new ViewExpression(USER, Optional.empty(), Optional.empty(), "clerk"));
assertThatThrownBy(() -> assertions.query("UPDATE orders SET clerk = 'X'")).hasMessage("line 1:1: Updating a table with column masks is not supported");
assertThatThrownBy(() -> assertions.query("UPDATE orders SET orderkey = -orderkey")).hasMessage("line 1:1: Updating a table with column masks is not supported");
assertThatThrownBy(() -> assertions.query("UPDATE orders SET clerk = 'X', orderkey = -orderkey")).hasMessage("line 1:1: Updating a table with column masks is not supported");
}
Also used :
QualifiedObjectName(io.trino.metadata.QualifiedObjectName)
ViewExpression(io.trino.spi.security.ViewExpression)
Test(org.junit.jupiter.api.Test)
Aggregations
QualifiedObjectName (io.trino.metadata.QualifiedObjectName)142
ViewExpression (io.trino.spi.security.ViewExpression)51
Test (org.testng.annotations.Test)51
Test (org.junit.jupiter.api.Test)41
Session (io.trino.Session)40
TableHandle (io.trino.metadata.TableHandle)33
MetadataUtil.createQualifiedObjectName (io.trino.metadata.MetadataUtil.createQualifiedObjectName)24
Optional (java.util.Optional)20
Metadata (io.trino.metadata.Metadata)17
Map (java.util.Map)17
Objects.requireNonNull (java.util.Objects.requireNonNull)16
ImmutableList (com.google.common.collect.ImmutableList)15
List (java.util.List)15
ImmutableMap (com.google.common.collect.ImmutableMap)14
TrinoException (io.trino.spi.TrinoException)14
ImmutableSet (com.google.common.collect.ImmutableSet)13
ColumnHandle (io.trino.spi.connector.ColumnHandle)13
Type (io.trino.spi.type.Type)11
Set (java.util.Set)11
CatalogName (io.trino.connector.CatalogName)10
