Examples with CatalogSchemaName io.trino.spi.connector.CatalogSchemaName used on opensource projects
Example 11 with CatalogSchemaName
use of io.trino.spi.connector.CatalogSchemaName in project trino by trinodb.
the class TestFileBasedSystemAccessControl method testTableRulesForCheckCanShowColumnsWithNoAccess.
@Test
public void testTableRulesForCheckCanShowColumnsWithNoAccess() {
SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-no-access.json");
assertAccessDenied(() -> accessControl.checkCanShowColumns(BOB, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable")), SHOW_COLUMNS_ACCESS_DENIED_MESSAGE);
assertAccessDenied(() -> accessControl.checkCanShowTables(BOB, new CatalogSchemaName("some-catalog", "bobschema")), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
}
Also used :
SystemAccessControl(io.trino.spi.security.SystemAccessControl)
CatalogSchemaName(io.trino.spi.connector.CatalogSchemaName)
CatalogSchemaTableName(io.trino.spi.connector.CatalogSchemaTableName)
Test(org.testng.annotations.Test)
Example 12 with CatalogSchemaName
use of io.trino.spi.connector.CatalogSchemaName in project trino by trinodb.
the class TestFileBasedSystemAccessControl method testSchemaRulesForCheckCanShowTables.
@Test
public void testSchemaRulesForCheckCanShowTables() {
SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-access-visibility.json");
accessControl.checkCanShowTables(ADMIN, new CatalogSchemaName("specific-catalog", "specific-schema"));
accessControl.checkCanShowTables(ADMIN, new CatalogSchemaName("bob-catalog", "bob-schema"));
accessControl.checkCanShowTables(ADMIN, new CatalogSchemaName("bob-catalog", "any"));
accessControl.checkCanShowTables(ADMIN, new CatalogSchemaName("alice-catalog", "alice-schema"));
accessControl.checkCanShowTables(ADMIN, new CatalogSchemaName("alice-catalog", "any"));
accessControl.checkCanShowTables(ADMIN, new CatalogSchemaName("secret", "secret"));
accessControl.checkCanShowTables(ADMIN, new CatalogSchemaName("hidden", "any"));
accessControl.checkCanShowTables(ADMIN, new CatalogSchemaName("open-to-all", "any"));
assertAccessDenied(() -> accessControl.checkCanShowTables(ADMIN, new CatalogSchemaName("blocked-catalog", "any")), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
accessControl.checkCanShowTables(ADMIN, new CatalogSchemaName("unknown", "any"));
accessControl.checkCanShowTables(ALICE, new CatalogSchemaName("specific-catalog", "specific-schema"));
accessControl.checkCanShowTables(ALICE, new CatalogSchemaName("alice-catalog", "alice-schema"));
assertAccessDenied(() -> accessControl.checkCanShowTables(ALICE, new CatalogSchemaName("bob-catalog", "bob-schema")), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
assertAccessDenied(() -> accessControl.checkCanShowTables(ALICE, new CatalogSchemaName("secret", "secret")), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
assertAccessDenied(() -> accessControl.checkCanShowTables(ALICE, new CatalogSchemaName("hidden", "any")), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
assertAccessDenied(() -> accessControl.checkCanShowTables(ALICE, new CatalogSchemaName("open-to-all", "any")), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
assertAccessDenied(() -> accessControl.checkCanShowTables(ALICE, new CatalogSchemaName("blocked-catalog", "any")), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
assertAccessDenied(() -> accessControl.checkCanShowTables(ALICE, new CatalogSchemaName("unknown", "any")), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
accessControl.checkCanShowTables(BOB, new CatalogSchemaName("specific-catalog", "specific-schema"));
accessControl.checkCanShowTables(BOB, new CatalogSchemaName("bob-catalog", "bob-schema"));
accessControl.checkCanShowTables(BOB, new CatalogSchemaName("alice-catalog", "bob-schema"));
assertAccessDenied(() -> accessControl.checkCanShowTables(BOB, new CatalogSchemaName("bob-catalog", "any")), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
assertAccessDenied(() -> accessControl.checkCanShowTables(BOB, new CatalogSchemaName("alice-catalog", "alice-schema")), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
assertAccessDenied(() -> accessControl.checkCanShowTables(BOB, new CatalogSchemaName("alice-catalog", "any")), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
assertAccessDenied(() -> accessControl.checkCanShowTables(BOB, new CatalogSchemaName("secret", "secret")), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
assertAccessDenied(() -> accessControl.checkCanShowTables(BOB, new CatalogSchemaName("hidden", "any")), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
assertAccessDenied(() -> accessControl.checkCanShowTables(BOB, new CatalogSchemaName("open-to-all", "any")), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
assertAccessDenied(() -> accessControl.checkCanShowTables(BOB, new CatalogSchemaName("blocked-catalog", "any")), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
assertAccessDenied(() -> accessControl.checkCanShowTables(BOB, new CatalogSchemaName("unknown", "any")), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
accessControl.checkCanShowTables(CHARLIE, new CatalogSchemaName("specific-catalog", "specific-schema"));
assertAccessDenied(() -> accessControl.checkCanShowTables(CHARLIE, new CatalogSchemaName("bob-catalog", "bob-schema")), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
assertAccessDenied(() -> accessControl.checkCanShowTables(CHARLIE, new CatalogSchemaName("bob-catalog", "any")), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
assertAccessDenied(() -> accessControl.checkCanShowTables(CHARLIE, new CatalogSchemaName("alice-catalog", "alice-schema")), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
assertAccessDenied(() -> accessControl.checkCanShowTables(CHARLIE, new CatalogSchemaName("alice-catalog", "any")), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
assertAccessDenied(() -> accessControl.checkCanShowTables(CHARLIE, new CatalogSchemaName("secret", "secret")), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
assertAccessDenied(() -> accessControl.checkCanShowTables(CHARLIE, new CatalogSchemaName("hidden", "any")), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
assertAccessDenied(() -> accessControl.checkCanShowTables(CHARLIE, new CatalogSchemaName("open-to-all", "any")), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
assertAccessDenied(() -> accessControl.checkCanShowTables(CHARLIE, new CatalogSchemaName("blocked-catalog", "any")), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
assertAccessDenied(() -> accessControl.checkCanShowTables(CHARLIE, new CatalogSchemaName("unknown", "any")), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
}
Also used :
SystemAccessControl(io.trino.spi.security.SystemAccessControl)
CatalogSchemaName(io.trino.spi.connector.CatalogSchemaName)
Test(org.testng.annotations.Test)
Example 13 with CatalogSchemaName
use of io.trino.spi.connector.CatalogSchemaName in project trino by trinodb.
the class UseTask method execute.
@Override
public ListenableFuture<Void> execute(Use statement, QueryStateMachine stateMachine, List<Expression> parameters, WarningCollector warningCollector) {
Session session = stateMachine.getSession();
String catalog = statement.getCatalog().map(identifier -> identifier.getValue().toLowerCase(ENGLISH)).orElseGet(() -> session.getCatalog().orElseThrow(() -> semanticException(MISSING_CATALOG_NAME, statement, "Catalog must be specified when session catalog is not set")));
if (metadata.getCatalogHandle(session, catalog).isEmpty()) {
throw new TrinoException(NOT_FOUND, "Catalog does not exist: " + catalog);
}
String schema = statement.getSchema().getValue().toLowerCase(ENGLISH);
CatalogSchemaName name = new CatalogSchemaName(catalog, schema);
if (!metadata.schemaExists(session, name)) {
throw new TrinoException(NOT_FOUND, "Schema does not exist: " + name);
}
if (statement.getCatalog().isPresent()) {
stateMachine.setSetCatalog(catalog);
}
stateMachine.setSetSchema(schema);
return immediateVoidFuture();
}
Also used :
NOT_FOUND(io.trino.spi.StandardErrorCode.NOT_FOUND)
Futures.immediateVoidFuture(com.google.common.util.concurrent.Futures.immediateVoidFuture)
ListenableFuture(com.google.common.util.concurrent.ListenableFuture)
TrinoException(io.trino.spi.TrinoException)
MISSING_CATALOG_NAME(io.trino.spi.StandardErrorCode.MISSING_CATALOG_NAME)
Use(io.trino.sql.tree.Use)
Inject(javax.inject.Inject)
List(java.util.List)
Objects.requireNonNull(java.util.Objects.requireNonNull)
WarningCollector(io.trino.execution.warnings.WarningCollector)
CatalogSchemaName(io.trino.spi.connector.CatalogSchemaName)
Metadata(io.trino.metadata.Metadata)
Expression(io.trino.sql.tree.Expression)
SemanticExceptions.semanticException(io.trino.sql.analyzer.SemanticExceptions.semanticException)
ENGLISH(java.util.Locale.ENGLISH)
Session(io.trino.Session)
CatalogSchemaName(io.trino.spi.connector.CatalogSchemaName)
TrinoException(io.trino.spi.TrinoException)
Session(io.trino.Session)
Example 14 with CatalogSchemaName
use of io.trino.spi.connector.CatalogSchemaName in project trino by trinodb.
the class TestAccessControlManager method testReadOnlySystemAccessControl.
@Test
public void testReadOnlySystemAccessControl() {
Identity identity = Identity.forUser(USER_NAME).withPrincipal(PRINCIPAL).build();
QualifiedObjectName tableName = new QualifiedObjectName("catalog", "schema", "table");
TransactionManager transactionManager = createTestTransactionManager();
AccessControlManager accessControlManager = createAccessControlManager(transactionManager);
accessControlManager.setSystemAccessControl(ReadOnlySystemAccessControl.NAME, ImmutableMap.of());
accessControlManager.checkCanSetUser(Optional.of(PRINCIPAL), USER_NAME);
accessControlManager.checkCanSetSystemSessionProperty(identity, "property");
transaction(transactionManager, accessControlManager).execute(transactionId -> {
SecurityContext context = new SecurityContext(transactionId, identity, queryId);
accessControlManager.checkCanSetCatalogSessionProperty(context, "catalog", "property");
accessControlManager.checkCanShowSchemas(context, "catalog");
accessControlManager.checkCanShowTables(context, new CatalogSchemaName("catalog", "schema"));
accessControlManager.checkCanSelectFromColumns(context, tableName, ImmutableSet.of("column"));
accessControlManager.checkCanCreateViewWithSelectFromColumns(context, tableName, ImmutableSet.of("column"));
accessControlManager.checkCanGrantExecuteFunctionPrivilege(context, "function", Identity.ofUser("bob"), false);
accessControlManager.checkCanGrantExecuteFunctionPrivilege(context, "function", Identity.ofUser("bob"), true);
Set<String> catalogs = ImmutableSet.of("catalog");
assertEquals(accessControlManager.filterCatalogs(context, catalogs), catalogs);
Set<String> schemas = ImmutableSet.of("schema");
assertEquals(accessControlManager.filterSchemas(context, "catalog", schemas), schemas);
Set<SchemaTableName> tableNames = ImmutableSet.of(new SchemaTableName("schema", "table"));
assertEquals(accessControlManager.filterTables(context, "catalog", tableNames), tableNames);
});
assertThatThrownBy(() -> transaction(transactionManager, accessControlManager).execute(transactionId -> {
accessControlManager.checkCanInsertIntoTable(new SecurityContext(transactionId, identity, queryId), tableName);
})).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot insert into table catalog.schema.table");
}
Also used :
QueryId(io.trino.spi.QueryId)
TransactionBuilder.transaction(io.trino.transaction.TransactionBuilder.transaction)
TransactionManager(io.trino.transaction.TransactionManager)
Assertions.assertThat(org.assertj.core.api.Assertions.assertThat)
Test(org.testng.annotations.Test)
SystemSecurityContext(io.trino.spi.security.SystemSecurityContext)
CatalogName(io.trino.connector.CatalogName)
MockConnectorFactory(io.trino.connector.MockConnectorFactory)
Map(java.util.Map)
CatalogSchemaName(io.trino.spi.connector.CatalogSchemaName)
TEST_SESSION(io.trino.SessionTestUtils.TEST_SESSION)
Path(java.nio.file.Path)
WRITE(java.nio.file.StandardOpenOption.WRITE)
ImmutableSet(com.google.common.collect.ImmutableSet)
ImmutableMap(com.google.common.collect.ImmutableMap)
ViewExpression(io.trino.spi.security.ViewExpression)
ConnectorAccessControl(io.trino.spi.connector.ConnectorAccessControl)
Set(java.util.Set)
TrinoException(io.trino.spi.TrinoException)
SchemaTableName(io.trino.spi.connector.SchemaTableName)
BasicPrincipal(io.trino.spi.security.BasicPrincipal)
TestingEventListenerManager.emptyEventListenerManager(io.trino.testing.TestingEventListenerManager.emptyEventListenerManager)
List(java.util.List)
Principal(java.security.Principal)
BIGINT(io.trino.spi.type.BigintType.BIGINT)
ReadOnlySystemAccessControl(io.trino.plugin.base.security.ReadOnlySystemAccessControl)
CatalogSchemaTableName(io.trino.spi.connector.CatalogSchemaTableName)
Optional(java.util.Optional)
SystemAccessControlFactory(io.trino.spi.security.SystemAccessControlFactory)
AccessDeniedException(io.trino.spi.security.AccessDeniedException)
TestingEventListenerManager(io.trino.testing.TestingEventListenerManager)
TRUNCATE_EXISTING(java.nio.file.StandardOpenOption.TRUNCATE_EXISTING)
Type(io.trino.spi.type.Type)
Assert.assertEquals(org.testng.Assert.assertEquals)
AllowAllAccessControl(io.trino.plugin.base.security.AllowAllAccessControl)
SystemAccessControl(io.trino.spi.security.SystemAccessControl)
InMemoryTransactionManager.createTestTransactionManager(io.trino.transaction.InMemoryTransactionManager.createTestTransactionManager)
ImmutableList(com.google.common.collect.ImmutableList)
Assertions.assertThatThrownBy(org.assertj.core.api.Assertions.assertThatThrownBy)
Identity(io.trino.spi.security.Identity)
LocalQueryRunner(io.trino.testing.LocalQueryRunner)
Objects.requireNonNull(java.util.Objects.requireNonNull)
ConnectorSecurityContext(io.trino.spi.connector.ConnectorSecurityContext)
Files(java.nio.file.Files)
AccessDeniedException.denySelectTable(io.trino.spi.security.AccessDeniedException.denySelectTable)
IOException(java.io.IOException)
Files.createTempFile(java.nio.file.Files.createTempFile)
QualifiedObjectName(io.trino.metadata.QualifiedObjectName)
DefaultSystemAccessControl(io.trino.plugin.base.security.DefaultSystemAccessControl)
EventListenerManager(io.trino.eventlistener.EventListenerManager)
CatalogManager(io.trino.metadata.CatalogManager)
CREATE(java.nio.file.StandardOpenOption.CREATE)
TransactionId(io.trino.transaction.TransactionId)
EventListener(io.trino.spi.eventlistener.EventListener)
AllowAllSystemAccessControl(io.trino.plugin.base.security.AllowAllSystemAccessControl)
AccessDeniedException(io.trino.spi.security.AccessDeniedException)
TransactionManager(io.trino.transaction.TransactionManager)
InMemoryTransactionManager.createTestTransactionManager(io.trino.transaction.InMemoryTransactionManager.createTestTransactionManager)
CatalogSchemaName(io.trino.spi.connector.CatalogSchemaName)
SystemSecurityContext(io.trino.spi.security.SystemSecurityContext)
ConnectorSecurityContext(io.trino.spi.connector.ConnectorSecurityContext)
Identity(io.trino.spi.security.Identity)
SchemaTableName(io.trino.spi.connector.SchemaTableName)
CatalogSchemaTableName(io.trino.spi.connector.CatalogSchemaTableName)
QualifiedObjectName(io.trino.metadata.QualifiedObjectName)
Test(org.testng.annotations.Test)
Example 15 with CatalogSchemaName
use of io.trino.spi.connector.CatalogSchemaName in project trino by trinodb.
the class TestFileBasedSystemAccessControl method testSchemaRulesForCheckCanRenameSchema.
@Test
public void testSchemaRulesForCheckCanRenameSchema() {
SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-access-schema.json");
accessControl.checkCanRenameSchema(ADMIN, new CatalogSchemaName("some-catalog", "bob"), "new_schema");
accessControl.checkCanRenameSchema(ADMIN, new CatalogSchemaName("some-catalog", "staff"), "new_schema");
accessControl.checkCanRenameSchema(ADMIN, new CatalogSchemaName("some-catalog", "authenticated"), "new_schema");
accessControl.checkCanRenameSchema(ADMIN, new CatalogSchemaName("some-catalog", "test"), "new_schema");
accessControl.checkCanRenameSchema(BOB, new CatalogSchemaName("some-catalog", "bob"), "staff");
accessControl.checkCanRenameSchema(BOB, new CatalogSchemaName("some-catalog", "staff"), "authenticated");
accessControl.checkCanRenameSchema(BOB, new CatalogSchemaName("some-catalog", "authenticated"), "bob");
assertAccessDenied(() -> accessControl.checkCanRenameSchema(BOB, new CatalogSchemaName("some-catalog", "test"), "bob"), RENAME_SCHEMA_ACCESS_DENIED_MESSAGE);
assertAccessDenied(() -> accessControl.checkCanRenameSchema(BOB, new CatalogSchemaName("some-catalog", "bob"), "test"), RENAME_SCHEMA_ACCESS_DENIED_MESSAGE);
assertAccessDenied(() -> accessControl.checkCanRenameSchema(CHARLIE, new CatalogSchemaName("some-catalog", "bob"), "new_schema"), RENAME_SCHEMA_ACCESS_DENIED_MESSAGE);
assertAccessDenied(() -> accessControl.checkCanRenameSchema(CHARLIE, new CatalogSchemaName("some-catalog", "staff"), "new_schema"), RENAME_SCHEMA_ACCESS_DENIED_MESSAGE);
accessControl.checkCanRenameSchema(CHARLIE, new CatalogSchemaName("some-catalog", "authenticated"), "authenticated");
assertAccessDenied(() -> accessControl.checkCanRenameSchema(CHARLIE, new CatalogSchemaName("some-catalog", "test"), "new_schema"), RENAME_SCHEMA_ACCESS_DENIED_MESSAGE);
}
Also used :
SystemAccessControl(io.trino.spi.security.SystemAccessControl)
CatalogSchemaName(io.trino.spi.connector.CatalogSchemaName)
Test(org.testng.annotations.Test)
Aggregations
CatalogSchemaName (io.trino.spi.connector.CatalogSchemaName)26
Test (org.testng.annotations.Test)15
SystemAccessControl (io.trino.spi.security.SystemAccessControl)13
TrinoPrincipal (io.trino.spi.security.TrinoPrincipal)11
Session (io.trino.Session)7
MetadataUtil.createCatalogSchemaName (io.trino.metadata.MetadataUtil.createCatalogSchemaName)7
TrinoException (io.trino.spi.TrinoException)5
CatalogSchemaTableName (io.trino.spi.connector.CatalogSchemaTableName)5
List (java.util.List)5
Objects.requireNonNull (java.util.Objects.requireNonNull)5
CatalogName (io.trino.connector.CatalogName)4
SchemaTableName (io.trino.spi.connector.SchemaTableName)4
Privilege (io.trino.spi.security.Privilege)4
Set (java.util.Set)4
ImmutableMap (com.google.common.collect.ImmutableMap)3
ListenableFuture (com.google.common.util.concurrent.ListenableFuture)3
Metadata (io.trino.metadata.Metadata)3
Optional (java.util.Optional)3
Inject (javax.inject.Inject)3
VisibleForTesting (com.google.common.annotations.VisibleForTesting)2
