
Example 11 with CatalogSchemaName

Use of io.trino.spi.connector.CatalogSchemaName in the trino project (trinodb).

From class TestFileBasedSystemAccessControl, method testTableRulesForCheckCanShowColumnsWithNoAccess:

@Test
public void testTableRulesForCheckCanShowColumnsWithNoAccess() {
    // Negative test for the "no access" rule set: metadata discovery must be denied as
    // well as data access. If SHOW COLUMNS or SHOW TABLES were allowed, a principal with
    // no privileges could still enumerate the schema layout of the catalog.
    SystemAccessControl control = newFileBasedSystemAccessControl("file-based-system-no-access.json");
    CatalogSchemaName schema = new CatalogSchemaName("some-catalog", "bobschema");
    CatalogSchemaTableName table = new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable");

    assertAccessDenied(() -> control.checkCanShowColumns(BOB, table), SHOW_COLUMNS_ACCESS_DENIED_MESSAGE);
    assertAccessDenied(() -> control.checkCanShowTables(BOB, schema), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
}

Example 12 with CatalogSchemaName

Use of io.trino.spi.connector.CatalogSchemaName in the trino project (trinodb).

From class TestFileBasedSystemAccessControl, method testSchemaRulesForCheckCanShowTables:

@Test
public void testSchemaRulesForCheckCanShowTables() {
    SystemAccessControl control = newFileBasedSystemAccessControl("file-based-system-access-visibility.json");

    // Schema coordinates exercised below. The expected outcomes encode the rule set in
    // file-based-system-access-visibility.json (not shown here). What the assertions pin
    // down: SHOW TABLES visibility is decided per (catalog, schema) pair, so a user can be
    // allowed one schema of a catalog and denied a sibling schema in the same catalog.
    CatalogSchemaName specificSchema = new CatalogSchemaName("specific-catalog", "specific-schema");
    CatalogSchemaName bobSchema = new CatalogSchemaName("bob-catalog", "bob-schema");
    CatalogSchemaName anyInBobCatalog = new CatalogSchemaName("bob-catalog", "any");
    CatalogSchemaName aliceSchema = new CatalogSchemaName("alice-catalog", "alice-schema");
    CatalogSchemaName anyInAliceCatalog = new CatalogSchemaName("alice-catalog", "any");
    CatalogSchemaName bobSchemaInAliceCatalog = new CatalogSchemaName("alice-catalog", "bob-schema");
    CatalogSchemaName secretSchema = new CatalogSchemaName("secret", "secret");
    CatalogSchemaName anyInHidden = new CatalogSchemaName("hidden", "any");
    CatalogSchemaName anyInOpenToAll = new CatalogSchemaName("open-to-all", "any");
    CatalogSchemaName anyInBlocked = new CatalogSchemaName("blocked-catalog", "any");
    CatalogSchemaName anyInUnknown = new CatalogSchemaName("unknown", "any");

    // ADMIN: everything is visible except the explicitly blocked catalog. Note that a
    // catalog with no rule at all ("unknown") is visible to admin, while the same catalog
    // is denied to every other user below.
    control.checkCanShowTables(ADMIN, specificSchema);
    control.checkCanShowTables(ADMIN, bobSchema);
    control.checkCanShowTables(ADMIN, anyInBobCatalog);
    control.checkCanShowTables(ADMIN, aliceSchema);
    control.checkCanShowTables(ADMIN, anyInAliceCatalog);
    control.checkCanShowTables(ADMIN, secretSchema);
    control.checkCanShowTables(ADMIN, anyInHidden);
    control.checkCanShowTables(ADMIN, anyInOpenToAll);
    assertAccessDenied(() -> control.checkCanShowTables(ADMIN, anyInBlocked), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
    control.checkCanShowTables(ADMIN, anyInUnknown);

    // ALICE: only the shared "specific" schema and her own schema. Despite its name,
    // "open-to-all" is not visible to her under this rule set.
    control.checkCanShowTables(ALICE, specificSchema);
    control.checkCanShowTables(ALICE, aliceSchema);
    assertAccessDenied(() -> control.checkCanShowTables(ALICE, bobSchema), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
    assertAccessDenied(() -> control.checkCanShowTables(ALICE, secretSchema), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
    assertAccessDenied(() -> control.checkCanShowTables(ALICE, anyInHidden), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
    assertAccessDenied(() -> control.checkCanShowTables(ALICE, anyInOpenToAll), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
    assertAccessDenied(() -> control.checkCanShowTables(ALICE, anyInBlocked), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
    assertAccessDenied(() -> control.checkCanShowTables(ALICE, anyInUnknown), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);

    // BOB: visibility follows the schema name, not the catalog - "bob-schema" is visible
    // even inside alice-catalog, while "any" inside bob-catalog is denied.
    control.checkCanShowTables(BOB, specificSchema);
    control.checkCanShowTables(BOB, bobSchema);
    control.checkCanShowTables(BOB, bobSchemaInAliceCatalog);
    assertAccessDenied(() -> control.checkCanShowTables(BOB, anyInBobCatalog), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
    assertAccessDenied(() -> control.checkCanShowTables(BOB, aliceSchema), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
    assertAccessDenied(() -> control.checkCanShowTables(BOB, anyInAliceCatalog), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
    assertAccessDenied(() -> control.checkCanShowTables(BOB, secretSchema), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
    assertAccessDenied(() -> control.checkCanShowTables(BOB, anyInHidden), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
    assertAccessDenied(() -> control.checkCanShowTables(BOB, anyInOpenToAll), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
    assertAccessDenied(() -> control.checkCanShowTables(BOB, anyInBlocked), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
    assertAccessDenied(() -> control.checkCanShowTables(BOB, anyInUnknown), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);

    // CHARLIE: nothing beyond the shared "specific" schema - the default is deny.
    control.checkCanShowTables(CHARLIE, specificSchema);
    assertAccessDenied(() -> control.checkCanShowTables(CHARLIE, bobSchema), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
    assertAccessDenied(() -> control.checkCanShowTables(CHARLIE, anyInBobCatalog), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
    assertAccessDenied(() -> control.checkCanShowTables(CHARLIE, aliceSchema), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
    assertAccessDenied(() -> control.checkCanShowTables(CHARLIE, anyInAliceCatalog), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
    assertAccessDenied(() -> control.checkCanShowTables(CHARLIE, secretSchema), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
    assertAccessDenied(() -> control.checkCanShowTables(CHARLIE, anyInHidden), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
    assertAccessDenied(() -> control.checkCanShowTables(CHARLIE, anyInOpenToAll), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
    assertAccessDenied(() -> control.checkCanShowTables(CHARLIE, anyInBlocked), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
    assertAccessDenied(() -> control.checkCanShowTables(CHARLIE, anyInUnknown), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
}

Example 13 with CatalogSchemaName

Use of io.trino.spi.connector.CatalogSchemaName in the trino project (trinodb).

From class UseTask, method execute:

@Override
public ListenableFuture<Void> execute(Use statement, QueryStateMachine stateMachine, List<Expression> parameters, WarningCollector warningCollector) {
    Session session = stateMachine.getSession();

    // Resolve the target catalog. An explicit `USE catalog.schema` wins; otherwise the
    // session catalog is used. Neither being present is a semantic error
    // (MISSING_CATALOG_NAME), distinct from the NOT_FOUND errors raised below.
    boolean catalogGiven = statement.getCatalog().isPresent();
    String catalog;
    if (catalogGiven) {
        catalog = statement.getCatalog().get().getValue().toLowerCase(ENGLISH);
    }
    else {
        catalog = session.getCatalog().orElseThrow(() -> semanticException(MISSING_CATALOG_NAME, statement, "Catalog must be specified when session catalog is not set"));
    }
    if (metadata.getCatalogHandle(session, catalog).isEmpty()) {
        throw new TrinoException(NOT_FOUND, "Catalog does not exist: " + catalog);
    }

    String schema = statement.getSchema().getValue().toLowerCase(ENGLISH);
    CatalogSchemaName target = new CatalogSchemaName(catalog, schema);
    // NOTE(review): only existence is verified here; this method performs no
    // access-control (visibility) check, so the NOT_FOUND outcome tells any caller
    // whether a catalog/schema exists. Whether a visibility check runs before this task
    // is not visible from this method - confirm before relying on it.
    if (!metadata.schemaExists(session, target)) {
        throw new TrinoException(NOT_FOUND, "Schema does not exist: " + target);
    }

    // The session catalog is only changed when the statement named one explicitly; the
    // schema is always updated.
    if (catalogGiven) {
        stateMachine.setSetCatalog(catalog);
    }
    stateMachine.setSetSchema(schema);
    return immediateVoidFuture();
}

Example 14 with CatalogSchemaName

Use of io.trino.spi.connector.CatalogSchemaName in the trino project (trinodb).

From class TestAccessControlManager, method testReadOnlySystemAccessControl:

@Test
public void testReadOnlySystemAccessControl() {
    // With ReadOnlySystemAccessControl installed, a principal must be able to discover
    // metadata and read (session properties, SHOW SCHEMAS/TABLES, SELECT, CREATE VIEW
    // ... SELECT, and the filter* methods pass everything through), while a write is
    // rejected. INSERT is the only write exercised here; other write paths
    // (CREATE/DROP/DELETE/GRANT on tables) are not covered by this test.
    Identity user = Identity.forUser(USER_NAME).withPrincipal(PRINCIPAL).build();
    QualifiedObjectName table = new QualifiedObjectName("catalog", "schema", "table");
    Set<String> columns = ImmutableSet.of("column");

    TransactionManager transactionManager = createTestTransactionManager();
    AccessControlManager manager = createAccessControlManager(transactionManager);
    manager.setSystemAccessControl(ReadOnlySystemAccessControl.NAME, ImmutableMap.of());

    // Checks that do not need a transaction.
    manager.checkCanSetUser(Optional.of(PRINCIPAL), USER_NAME);
    manager.checkCanSetSystemSessionProperty(user, "property");

    transaction(transactionManager, manager).execute(transactionId -> {
        SecurityContext context = new SecurityContext(transactionId, user, queryId);

        manager.checkCanSetCatalogSessionProperty(context, "catalog", "property");
        manager.checkCanShowSchemas(context, "catalog");
        manager.checkCanShowTables(context, new CatalogSchemaName("catalog", "schema"));
        manager.checkCanSelectFromColumns(context, table, columns);
        manager.checkCanCreateViewWithSelectFromColumns(context, table, columns);
        // Granting EXECUTE on a function is permitted under the read-only policy, both
        // with and without grant option.
        manager.checkCanGrantExecuteFunctionPrivilege(context, "function", Identity.ofUser("bob"), false);
        manager.checkCanGrantExecuteFunctionPrivilege(context, "function", Identity.ofUser("bob"), true);

        // The filter methods must not hide anything.
        Set<String> catalogs = ImmutableSet.of("catalog");
        assertEquals(manager.filterCatalogs(context, catalogs), catalogs);
        Set<String> schemas = ImmutableSet.of("schema");
        assertEquals(manager.filterSchemas(context, "catalog", schemas), schemas);
        Set<SchemaTableName> tables = ImmutableSet.of(new SchemaTableName("schema", "table"));
        assertEquals(manager.filterTables(context, "catalog", tables), tables);
    });

    // The one write exercised: INSERT is denied with the standard access-denied message.
    assertThatThrownBy(() -> transaction(transactionManager, manager).execute(transactionId -> {
        manager.checkCanInsertIntoTable(new SecurityContext(transactionId, user, queryId), table);
    }))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage("Access Denied: Cannot insert into table catalog.schema.table");
}

Example 15 with CatalogSchemaName

Use of io.trino.spi.connector.CatalogSchemaName in the trino project (trinodb).

From class TestFileBasedSystemAccessControl, method testSchemaRulesForCheckCanRenameSchema:

@Test
public void testSchemaRulesForCheckCanRenameSchema() {
    SystemAccessControl control = newFileBasedSystemAccessControl("file-based-system-access-schema.json");

    // The four schemas covered by file-based-system-access-schema.json (rules not shown
    // here); the expectations below are what the rule set must produce.
    CatalogSchemaName bobSchema = new CatalogSchemaName("some-catalog", "bob");
    CatalogSchemaName staffSchema = new CatalogSchemaName("some-catalog", "staff");
    CatalogSchemaName authenticatedSchema = new CatalogSchemaName("some-catalog", "authenticated");
    CatalogSchemaName testSchema = new CatalogSchemaName("some-catalog", "test");

    // ADMIN may rename any schema to any new name.
    control.checkCanRenameSchema(ADMIN, bobSchema, "new_schema");
    control.checkCanRenameSchema(ADMIN, staffSchema, "new_schema");
    control.checkCanRenameSchema(ADMIN, authenticatedSchema, "new_schema");
    control.checkCanRenameSchema(ADMIN, testSchema, "new_schema");

    // BOB may rename among bob/staff/authenticated in either direction, but neither from
    // nor to "test". The bob -> test denial is the important one: the target name is
    // checked too, so a user cannot move a schema into a name outside his own rules.
    control.checkCanRenameSchema(BOB, bobSchema, "staff");
    control.checkCanRenameSchema(BOB, staffSchema, "authenticated");
    control.checkCanRenameSchema(BOB, authenticatedSchema, "bob");
    assertAccessDenied(() -> control.checkCanRenameSchema(BOB, testSchema, "bob"), RENAME_SCHEMA_ACCESS_DENIED_MESSAGE);
    assertAccessDenied(() -> control.checkCanRenameSchema(BOB, bobSchema, "test"), RENAME_SCHEMA_ACCESS_DENIED_MESSAGE);

    // CHARLIE: the only rename that passes is "authenticated" onto its own name; every
    // rename of bob/staff/test to a fresh name is denied.
    assertAccessDenied(() -> control.checkCanRenameSchema(CHARLIE, bobSchema, "new_schema"), RENAME_SCHEMA_ACCESS_DENIED_MESSAGE);
    assertAccessDenied(() -> control.checkCanRenameSchema(CHARLIE, staffSchema, "new_schema"), RENAME_SCHEMA_ACCESS_DENIED_MESSAGE);
    control.checkCanRenameSchema(CHARLIE, authenticatedSchema, "authenticated");
    assertAccessDenied(() -> control.checkCanRenameSchema(CHARLIE, testSchema, "new_schema"), RENAME_SCHEMA_ACCESS_DENIED_MESSAGE);
}
