Search in sources :

Example 6 with CatalogSchemaName

use of io.trino.spi.connector.CatalogSchemaName in project trino by trinodb.

the class TestFileBasedSystemAccessControl method testSchemaRulesForCheckCanCreateSchema.

@Test
public void testSchemaRulesForCheckCanCreateSchema() {
    SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-access-schema.json");
    accessControl.checkCanCreateSchema(ADMIN, new CatalogSchemaName("some-catalog", "bob"));
    accessControl.checkCanCreateSchema(ADMIN, new CatalogSchemaName("some-catalog", "staff"));
    accessControl.checkCanCreateSchema(ADMIN, new CatalogSchemaName("some-catalog", "authenticated"));
    accessControl.checkCanCreateSchema(ADMIN, new CatalogSchemaName("some-catalog", "test"));
    accessControl.checkCanCreateSchema(BOB, new CatalogSchemaName("some-catalog", "bob"));
    accessControl.checkCanCreateSchema(BOB, new CatalogSchemaName("some-catalog", "staff"));
    accessControl.checkCanCreateSchema(BOB, new CatalogSchemaName("some-catalog", "authenticated"));
    assertAccessDenied(() -> accessControl.checkCanCreateSchema(BOB, new CatalogSchemaName("some-catalog", "test")), CREATE_SCHEMA_ACCESS_DENIED_MESSAGE);
    accessControl.checkCanCreateSchema(CHARLIE, new CatalogSchemaName("some-catalog", "authenticated"));
    assertAccessDenied(() -> accessControl.checkCanCreateSchema(CHARLIE, new CatalogSchemaName("some-catalog", "bob")), CREATE_SCHEMA_ACCESS_DENIED_MESSAGE);
    assertAccessDenied(() -> accessControl.checkCanCreateSchema(CHARLIE, new CatalogSchemaName("some-catalog", "staff")), CREATE_SCHEMA_ACCESS_DENIED_MESSAGE);
    assertAccessDenied(() -> accessControl.checkCanCreateSchema(CHARLIE, new CatalogSchemaName("some-catalog", "test")), CREATE_SCHEMA_ACCESS_DENIED_MESSAGE);
}
Also used : SystemAccessControl(io.trino.spi.security.SystemAccessControl) CatalogSchemaName(io.trino.spi.connector.CatalogSchemaName) Test(org.testng.annotations.Test)

Example 7 with CatalogSchemaName

use of io.trino.spi.connector.CatalogSchemaName in project trino by trinodb.

the class TestFileBasedSystemAccessControl method testSchemaRulesForCheckCanSetSchemaAuthorization.

@Test
public void testSchemaRulesForCheckCanSetSchemaAuthorization() {
    SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-access-schema.json");
    accessControl.checkCanSetSchemaAuthorization(ADMIN, new CatalogSchemaName("some-catalog", "test"), new TrinoPrincipal(PrincipalType.ROLE, "some_role"));
    accessControl.checkCanSetSchemaAuthorization(ADMIN, new CatalogSchemaName("some-catalog", "test"), new TrinoPrincipal(PrincipalType.USER, "some_user"));
    accessControl.checkCanSetSchemaAuthorization(BOB, new CatalogSchemaName("some-catalog", "bob"), new TrinoPrincipal(PrincipalType.ROLE, "some_role"));
    accessControl.checkCanSetSchemaAuthorization(BOB, new CatalogSchemaName("some-catalog", "bob"), new TrinoPrincipal(PrincipalType.USER, "some_user"));
    assertAccessDenied(() -> accessControl.checkCanSetSchemaAuthorization(BOB, new CatalogSchemaName("some-catalog", "test"), new TrinoPrincipal(PrincipalType.ROLE, "some_role")), AUTH_SCHEMA_ACCESS_DENIED_MESSAGE);
    assertAccessDenied(() -> accessControl.checkCanSetSchemaAuthorization(BOB, new CatalogSchemaName("some-catalog", "test"), new TrinoPrincipal(PrincipalType.USER, "some_user")), AUTH_SCHEMA_ACCESS_DENIED_MESSAGE);
}
Also used : SystemAccessControl(io.trino.spi.security.SystemAccessControl) CatalogSchemaName(io.trino.spi.connector.CatalogSchemaName) TrinoPrincipal(io.trino.spi.security.TrinoPrincipal) Test(org.testng.annotations.Test)

Example 8 with CatalogSchemaName

use of io.trino.spi.connector.CatalogSchemaName in project trino by trinodb.

the class TestFileBasedSystemAccessControl method testGrantSchemaPrivilege.

@Test(dataProvider = "privilegeGrantOption")
public void testGrantSchemaPrivilege(Privilege privilege, boolean grantOption) {
    SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-access-schema.json");
    TrinoPrincipal grantee = new TrinoPrincipal(PrincipalType.USER, "alice");
    accessControl.checkCanGrantSchemaPrivilege(ADMIN, privilege, new CatalogSchemaName("some-catalog", "bob"), grantee, grantOption);
    accessControl.checkCanGrantSchemaPrivilege(ADMIN, privilege, new CatalogSchemaName("some-catalog", "staff"), grantee, grantOption);
    accessControl.checkCanGrantSchemaPrivilege(ADMIN, privilege, new CatalogSchemaName("some-catalog", "authenticated"), grantee, grantOption);
    accessControl.checkCanGrantSchemaPrivilege(ADMIN, privilege, new CatalogSchemaName("some-catalog", "test"), grantee, grantOption);
    accessControl.checkCanGrantSchemaPrivilege(BOB, privilege, new CatalogSchemaName("some-catalog", "bob"), grantee, grantOption);
    accessControl.checkCanGrantSchemaPrivilege(BOB, privilege, new CatalogSchemaName("some-catalog", "staff"), grantee, grantOption);
    accessControl.checkCanGrantSchemaPrivilege(BOB, privilege, new CatalogSchemaName("some-catalog", "authenticated"), grantee, grantOption);
    assertAccessDenied(() -> accessControl.checkCanGrantSchemaPrivilege(BOB, privilege, new CatalogSchemaName("some-catalog", "test"), grantee, grantOption), format(GRANT_SCHEMA_ACCESS_DENIED_MESSAGE, privilege, "some-catalog.test", ""));
    assertAccessDenied(() -> accessControl.checkCanGrantSchemaPrivilege(CHARLIE, privilege, new CatalogSchemaName("some-catalog", "bob"), grantee, grantOption), format(GRANT_SCHEMA_ACCESS_DENIED_MESSAGE, privilege, "some-catalog.bob", ""));
    assertAccessDenied(() -> accessControl.checkCanGrantSchemaPrivilege(CHARLIE, privilege, new CatalogSchemaName("some-catalog", "staff"), grantee, grantOption), format(GRANT_SCHEMA_ACCESS_DENIED_MESSAGE, privilege, "some-catalog.staff", ""));
    accessControl.checkCanGrantSchemaPrivilege(CHARLIE, privilege, new CatalogSchemaName("some-catalog", "authenticated"), grantee, grantOption);
    assertAccessDenied(() -> accessControl.checkCanGrantSchemaPrivilege(CHARLIE, privilege, new CatalogSchemaName("some-catalog", "test"), grantee, grantOption), format(GRANT_SCHEMA_ACCESS_DENIED_MESSAGE, privilege, "some-catalog.test", ""));
}
Also used : SystemAccessControl(io.trino.spi.security.SystemAccessControl) CatalogSchemaName(io.trino.spi.connector.CatalogSchemaName) TrinoPrincipal(io.trino.spi.security.TrinoPrincipal) Test(org.testng.annotations.Test)

Example 9 with CatalogSchemaName

use of io.trino.spi.connector.CatalogSchemaName in project trino by trinodb.

the class TestFileBasedSystemAccessControl method testSchemaOperations.

@Test
public void testSchemaOperations() {
    SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-catalog.json");
    TrinoPrincipal user = new TrinoPrincipal(PrincipalType.USER, "some_user");
    TrinoPrincipal role = new TrinoPrincipal(PrincipalType.ROLE, "some_user");
    accessControl.checkCanSetSchemaAuthorization(new SystemSecurityContext(admin, queryId), new CatalogSchemaName("alice-catalog", "some_schema"), user);
    accessControl.checkCanSetSchemaAuthorization(new SystemSecurityContext(admin, queryId), new CatalogSchemaName("alice-catalog", "some_schema"), role);
    accessControl.checkCanSetSchemaAuthorization(new SystemSecurityContext(alice, queryId), new CatalogSchemaName("alice-catalog", "some_schema"), user);
    accessControl.checkCanSetSchemaAuthorization(new SystemSecurityContext(alice, queryId), new CatalogSchemaName("alice-catalog", "some_schema"), role);
    assertThatThrownBy(() -> accessControl.checkCanSetSchemaAuthorization(new SystemSecurityContext(bob, queryId), new CatalogSchemaName("alice-catalog", "some_schema"), user)).isInstanceOf(AccessDeniedException.class).hasMessageStartingWith("Access Denied: Cannot set authorization for schema alice-catalog.some_schema");
    assertThatThrownBy(() -> accessControl.checkCanSetSchemaAuthorization(new SystemSecurityContext(bob, queryId), new CatalogSchemaName("alice-catalog", "some_schema"), role)).isInstanceOf(AccessDeniedException.class).hasMessageStartingWith("Access Denied: Cannot set authorization for schema alice-catalog.some_schema");
    assertThatThrownBy(() -> accessControl.checkCanSetSchemaAuthorization(new SystemSecurityContext(alice, queryId), new CatalogSchemaName("secret", "some_schema"), user)).isInstanceOf(AccessDeniedException.class).hasMessageStartingWith("Access Denied: Cannot set authorization for schema secret.some_schema");
    assertThatThrownBy(() -> accessControl.checkCanSetSchemaAuthorization(new SystemSecurityContext(alice, queryId), new CatalogSchemaName("secret", "some_schema"), role)).isInstanceOf(AccessDeniedException.class).hasMessageStartingWith("Access Denied: Cannot set authorization for schema secret.some_schema");
}
Also used : SystemSecurityContext(io.trino.spi.security.SystemSecurityContext) AccessDeniedException(io.trino.spi.security.AccessDeniedException) SystemAccessControl(io.trino.spi.security.SystemAccessControl) CatalogSchemaName(io.trino.spi.connector.CatalogSchemaName) TrinoPrincipal(io.trino.spi.security.TrinoPrincipal) Test(org.testng.annotations.Test)

Example 10 with CatalogSchemaName

use of io.trino.spi.connector.CatalogSchemaName in project trino by trinodb.

the class TestFileBasedSystemAccessControl method testSchemaRulesForCheckCanDropSchema.

@Test
public void testSchemaRulesForCheckCanDropSchema() {
    SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-access-schema.json");
    accessControl.checkCanDropSchema(ADMIN, new CatalogSchemaName("some-catalog", "bob"));
    accessControl.checkCanDropSchema(ADMIN, new CatalogSchemaName("some-catalog", "staff"));
    accessControl.checkCanDropSchema(ADMIN, new CatalogSchemaName("some-catalog", "authenticated"));
    accessControl.checkCanDropSchema(ADMIN, new CatalogSchemaName("some-catalog", "test"));
    accessControl.checkCanDropSchema(BOB, new CatalogSchemaName("some-catalog", "bob"));
    accessControl.checkCanDropSchema(BOB, new CatalogSchemaName("some-catalog", "staff"));
    accessControl.checkCanDropSchema(BOB, new CatalogSchemaName("some-catalog", "authenticated"));
    assertAccessDenied(() -> accessControl.checkCanDropSchema(BOB, new CatalogSchemaName("some-catalog", "test")), DROP_SCHEMA_ACCESS_DENIED_MESSAGE);
    accessControl.checkCanDropSchema(CHARLIE, new CatalogSchemaName("some-catalog", "authenticated"));
    assertAccessDenied(() -> accessControl.checkCanDropSchema(CHARLIE, new CatalogSchemaName("some-catalog", "bob")), DROP_SCHEMA_ACCESS_DENIED_MESSAGE);
    assertAccessDenied(() -> accessControl.checkCanDropSchema(CHARLIE, new CatalogSchemaName("some-catalog", "staff")), DROP_SCHEMA_ACCESS_DENIED_MESSAGE);
    assertAccessDenied(() -> accessControl.checkCanDropSchema(CHARLIE, new CatalogSchemaName("some-catalog", "test")), DROP_SCHEMA_ACCESS_DENIED_MESSAGE);
}
Also used : SystemAccessControl(io.trino.spi.security.SystemAccessControl) CatalogSchemaName(io.trino.spi.connector.CatalogSchemaName) Test(org.testng.annotations.Test)

Aggregations

CatalogSchemaName (io.trino.spi.connector.CatalogSchemaName)26 Test (org.testng.annotations.Test)15 SystemAccessControl (io.trino.spi.security.SystemAccessControl)13 TrinoPrincipal (io.trino.spi.security.TrinoPrincipal)11 Session (io.trino.Session)7 MetadataUtil.createCatalogSchemaName (io.trino.metadata.MetadataUtil.createCatalogSchemaName)7 TrinoException (io.trino.spi.TrinoException)5 CatalogSchemaTableName (io.trino.spi.connector.CatalogSchemaTableName)5 List (java.util.List)5 Objects.requireNonNull (java.util.Objects.requireNonNull)5 CatalogName (io.trino.connector.CatalogName)4 SchemaTableName (io.trino.spi.connector.SchemaTableName)4 Privilege (io.trino.spi.security.Privilege)4 Set (java.util.Set)4 ImmutableMap (com.google.common.collect.ImmutableMap)3 ListenableFuture (com.google.common.util.concurrent.ListenableFuture)3 Metadata (io.trino.metadata.Metadata)3 Optional (java.util.Optional)3 Inject (javax.inject.Inject)3 VisibleForTesting (com.google.common.annotations.VisibleForTesting)2