Examples with CatalogSchemaName io.trino.spi.connector.CatalogSchemaName used on opensource projects
Example 6 with CatalogSchemaName
use of io.trino.spi.connector.CatalogSchemaName in project trino by trinodb.
the class TestFileBasedSystemAccessControl method testSchemaRulesForCheckCanCreateSchema.
@Test
public void testSchemaRulesForCheckCanCreateSchema() {
SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-access-schema.json");
accessControl.checkCanCreateSchema(ADMIN, new CatalogSchemaName("some-catalog", "bob"));
accessControl.checkCanCreateSchema(ADMIN, new CatalogSchemaName("some-catalog", "staff"));
accessControl.checkCanCreateSchema(ADMIN, new CatalogSchemaName("some-catalog", "authenticated"));
accessControl.checkCanCreateSchema(ADMIN, new CatalogSchemaName("some-catalog", "test"));
accessControl.checkCanCreateSchema(BOB, new CatalogSchemaName("some-catalog", "bob"));
accessControl.checkCanCreateSchema(BOB, new CatalogSchemaName("some-catalog", "staff"));
accessControl.checkCanCreateSchema(BOB, new CatalogSchemaName("some-catalog", "authenticated"));
assertAccessDenied(() -> accessControl.checkCanCreateSchema(BOB, new CatalogSchemaName("some-catalog", "test")), CREATE_SCHEMA_ACCESS_DENIED_MESSAGE);
accessControl.checkCanCreateSchema(CHARLIE, new CatalogSchemaName("some-catalog", "authenticated"));
assertAccessDenied(() -> accessControl.checkCanCreateSchema(CHARLIE, new CatalogSchemaName("some-catalog", "bob")), CREATE_SCHEMA_ACCESS_DENIED_MESSAGE);
assertAccessDenied(() -> accessControl.checkCanCreateSchema(CHARLIE, new CatalogSchemaName("some-catalog", "staff")), CREATE_SCHEMA_ACCESS_DENIED_MESSAGE);
assertAccessDenied(() -> accessControl.checkCanCreateSchema(CHARLIE, new CatalogSchemaName("some-catalog", "test")), CREATE_SCHEMA_ACCESS_DENIED_MESSAGE);
}
Also used :
SystemAccessControl(io.trino.spi.security.SystemAccessControl)
CatalogSchemaName(io.trino.spi.connector.CatalogSchemaName)
Test(org.testng.annotations.Test)
Example 7 with CatalogSchemaName
use of io.trino.spi.connector.CatalogSchemaName in project trino by trinodb.
the class TestFileBasedSystemAccessControl method testSchemaRulesForCheckCanSetSchemaAuthorization.
@Test
public void testSchemaRulesForCheckCanSetSchemaAuthorization() {
SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-access-schema.json");
accessControl.checkCanSetSchemaAuthorization(ADMIN, new CatalogSchemaName("some-catalog", "test"), new TrinoPrincipal(PrincipalType.ROLE, "some_role"));
accessControl.checkCanSetSchemaAuthorization(ADMIN, new CatalogSchemaName("some-catalog", "test"), new TrinoPrincipal(PrincipalType.USER, "some_user"));
accessControl.checkCanSetSchemaAuthorization(BOB, new CatalogSchemaName("some-catalog", "bob"), new TrinoPrincipal(PrincipalType.ROLE, "some_role"));
accessControl.checkCanSetSchemaAuthorization(BOB, new CatalogSchemaName("some-catalog", "bob"), new TrinoPrincipal(PrincipalType.USER, "some_user"));
assertAccessDenied(() -> accessControl.checkCanSetSchemaAuthorization(BOB, new CatalogSchemaName("some-catalog", "test"), new TrinoPrincipal(PrincipalType.ROLE, "some_role")), AUTH_SCHEMA_ACCESS_DENIED_MESSAGE);
assertAccessDenied(() -> accessControl.checkCanSetSchemaAuthorization(BOB, new CatalogSchemaName("some-catalog", "test"), new TrinoPrincipal(PrincipalType.USER, "some_user")), AUTH_SCHEMA_ACCESS_DENIED_MESSAGE);
}
Also used :
SystemAccessControl(io.trino.spi.security.SystemAccessControl)
CatalogSchemaName(io.trino.spi.connector.CatalogSchemaName)
TrinoPrincipal(io.trino.spi.security.TrinoPrincipal)
Test(org.testng.annotations.Test)
Example 8 with CatalogSchemaName
use of io.trino.spi.connector.CatalogSchemaName in project trino by trinodb.
the class TestFileBasedSystemAccessControl method testGrantSchemaPrivilege.
@Test(dataProvider = "privilegeGrantOption")
public void testGrantSchemaPrivilege(Privilege privilege, boolean grantOption) {
SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-access-schema.json");
TrinoPrincipal grantee = new TrinoPrincipal(PrincipalType.USER, "alice");
accessControl.checkCanGrantSchemaPrivilege(ADMIN, privilege, new CatalogSchemaName("some-catalog", "bob"), grantee, grantOption);
accessControl.checkCanGrantSchemaPrivilege(ADMIN, privilege, new CatalogSchemaName("some-catalog", "staff"), grantee, grantOption);
accessControl.checkCanGrantSchemaPrivilege(ADMIN, privilege, new CatalogSchemaName("some-catalog", "authenticated"), grantee, grantOption);
accessControl.checkCanGrantSchemaPrivilege(ADMIN, privilege, new CatalogSchemaName("some-catalog", "test"), grantee, grantOption);
accessControl.checkCanGrantSchemaPrivilege(BOB, privilege, new CatalogSchemaName("some-catalog", "bob"), grantee, grantOption);
accessControl.checkCanGrantSchemaPrivilege(BOB, privilege, new CatalogSchemaName("some-catalog", "staff"), grantee, grantOption);
accessControl.checkCanGrantSchemaPrivilege(BOB, privilege, new CatalogSchemaName("some-catalog", "authenticated"), grantee, grantOption);
assertAccessDenied(() -> accessControl.checkCanGrantSchemaPrivilege(BOB, privilege, new CatalogSchemaName("some-catalog", "test"), grantee, grantOption), format(GRANT_SCHEMA_ACCESS_DENIED_MESSAGE, privilege, "some-catalog.test", ""));
assertAccessDenied(() -> accessControl.checkCanGrantSchemaPrivilege(CHARLIE, privilege, new CatalogSchemaName("some-catalog", "bob"), grantee, grantOption), format(GRANT_SCHEMA_ACCESS_DENIED_MESSAGE, privilege, "some-catalog.bob", ""));
assertAccessDenied(() -> accessControl.checkCanGrantSchemaPrivilege(CHARLIE, privilege, new CatalogSchemaName("some-catalog", "staff"), grantee, grantOption), format(GRANT_SCHEMA_ACCESS_DENIED_MESSAGE, privilege, "some-catalog.staff", ""));
accessControl.checkCanGrantSchemaPrivilege(CHARLIE, privilege, new CatalogSchemaName("some-catalog", "authenticated"), grantee, grantOption);
assertAccessDenied(() -> accessControl.checkCanGrantSchemaPrivilege(CHARLIE, privilege, new CatalogSchemaName("some-catalog", "test"), grantee, grantOption), format(GRANT_SCHEMA_ACCESS_DENIED_MESSAGE, privilege, "some-catalog.test", ""));
}
Also used :
SystemAccessControl(io.trino.spi.security.SystemAccessControl)
CatalogSchemaName(io.trino.spi.connector.CatalogSchemaName)
TrinoPrincipal(io.trino.spi.security.TrinoPrincipal)
Test(org.testng.annotations.Test)
Example 9 with CatalogSchemaName
use of io.trino.spi.connector.CatalogSchemaName in project trino by trinodb.
the class TestFileBasedSystemAccessControl method testSchemaOperations.
@Test
public void testSchemaOperations() {
SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-catalog.json");
TrinoPrincipal user = new TrinoPrincipal(PrincipalType.USER, "some_user");
TrinoPrincipal role = new TrinoPrincipal(PrincipalType.ROLE, "some_user");
accessControl.checkCanSetSchemaAuthorization(new SystemSecurityContext(admin, queryId), new CatalogSchemaName("alice-catalog", "some_schema"), user);
accessControl.checkCanSetSchemaAuthorization(new SystemSecurityContext(admin, queryId), new CatalogSchemaName("alice-catalog", "some_schema"), role);
accessControl.checkCanSetSchemaAuthorization(new SystemSecurityContext(alice, queryId), new CatalogSchemaName("alice-catalog", "some_schema"), user);
accessControl.checkCanSetSchemaAuthorization(new SystemSecurityContext(alice, queryId), new CatalogSchemaName("alice-catalog", "some_schema"), role);
assertThatThrownBy(() -> accessControl.checkCanSetSchemaAuthorization(new SystemSecurityContext(bob, queryId), new CatalogSchemaName("alice-catalog", "some_schema"), user)).isInstanceOf(AccessDeniedException.class).hasMessageStartingWith("Access Denied: Cannot set authorization for schema alice-catalog.some_schema");
assertThatThrownBy(() -> accessControl.checkCanSetSchemaAuthorization(new SystemSecurityContext(bob, queryId), new CatalogSchemaName("alice-catalog", "some_schema"), role)).isInstanceOf(AccessDeniedException.class).hasMessageStartingWith("Access Denied: Cannot set authorization for schema alice-catalog.some_schema");
assertThatThrownBy(() -> accessControl.checkCanSetSchemaAuthorization(new SystemSecurityContext(alice, queryId), new CatalogSchemaName("secret", "some_schema"), user)).isInstanceOf(AccessDeniedException.class).hasMessageStartingWith("Access Denied: Cannot set authorization for schema secret.some_schema");
assertThatThrownBy(() -> accessControl.checkCanSetSchemaAuthorization(new SystemSecurityContext(alice, queryId), new CatalogSchemaName("secret", "some_schema"), role)).isInstanceOf(AccessDeniedException.class).hasMessageStartingWith("Access Denied: Cannot set authorization for schema secret.some_schema");
}
Also used :
SystemSecurityContext(io.trino.spi.security.SystemSecurityContext)
AccessDeniedException(io.trino.spi.security.AccessDeniedException)
SystemAccessControl(io.trino.spi.security.SystemAccessControl)
CatalogSchemaName(io.trino.spi.connector.CatalogSchemaName)
TrinoPrincipal(io.trino.spi.security.TrinoPrincipal)
Test(org.testng.annotations.Test)
Example 10 with CatalogSchemaName
use of io.trino.spi.connector.CatalogSchemaName in project trino by trinodb.
the class TestFileBasedSystemAccessControl method testSchemaRulesForCheckCanDropSchema.
@Test
public void testSchemaRulesForCheckCanDropSchema() {
SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-access-schema.json");
accessControl.checkCanDropSchema(ADMIN, new CatalogSchemaName("some-catalog", "bob"));
accessControl.checkCanDropSchema(ADMIN, new CatalogSchemaName("some-catalog", "staff"));
accessControl.checkCanDropSchema(ADMIN, new CatalogSchemaName("some-catalog", "authenticated"));
accessControl.checkCanDropSchema(ADMIN, new CatalogSchemaName("some-catalog", "test"));
accessControl.checkCanDropSchema(BOB, new CatalogSchemaName("some-catalog", "bob"));
accessControl.checkCanDropSchema(BOB, new CatalogSchemaName("some-catalog", "staff"));
accessControl.checkCanDropSchema(BOB, new CatalogSchemaName("some-catalog", "authenticated"));
assertAccessDenied(() -> accessControl.checkCanDropSchema(BOB, new CatalogSchemaName("some-catalog", "test")), DROP_SCHEMA_ACCESS_DENIED_MESSAGE);
accessControl.checkCanDropSchema(CHARLIE, new CatalogSchemaName("some-catalog", "authenticated"));
assertAccessDenied(() -> accessControl.checkCanDropSchema(CHARLIE, new CatalogSchemaName("some-catalog", "bob")), DROP_SCHEMA_ACCESS_DENIED_MESSAGE);
assertAccessDenied(() -> accessControl.checkCanDropSchema(CHARLIE, new CatalogSchemaName("some-catalog", "staff")), DROP_SCHEMA_ACCESS_DENIED_MESSAGE);
assertAccessDenied(() -> accessControl.checkCanDropSchema(CHARLIE, new CatalogSchemaName("some-catalog", "test")), DROP_SCHEMA_ACCESS_DENIED_MESSAGE);
}
Also used :
SystemAccessControl(io.trino.spi.security.SystemAccessControl)
CatalogSchemaName(io.trino.spi.connector.CatalogSchemaName)
Test(org.testng.annotations.Test)
Aggregations
CatalogSchemaName (io.trino.spi.connector.CatalogSchemaName)26
Test (org.testng.annotations.Test)15
SystemAccessControl (io.trino.spi.security.SystemAccessControl)13
TrinoPrincipal (io.trino.spi.security.TrinoPrincipal)11
Session (io.trino.Session)7
MetadataUtil.createCatalogSchemaName (io.trino.metadata.MetadataUtil.createCatalogSchemaName)7
TrinoException (io.trino.spi.TrinoException)5
CatalogSchemaTableName (io.trino.spi.connector.CatalogSchemaTableName)5
List (java.util.List)5
Objects.requireNonNull (java.util.Objects.requireNonNull)5
CatalogName (io.trino.connector.CatalogName)4
SchemaTableName (io.trino.spi.connector.SchemaTableName)4
Privilege (io.trino.spi.security.Privilege)4
Set (java.util.Set)4
ImmutableMap (com.google.common.collect.ImmutableMap)3
ListenableFuture (com.google.common.util.concurrent.ListenableFuture)3
Metadata (io.trino.metadata.Metadata)3
Optional (java.util.Optional)3
Inject (javax.inject.Inject)3
VisibleForTesting (com.google.common.annotations.VisibleForTesting)2
