use of io.trino.spi.connector.ConnectorAccessControl in project trino by trinodb.
Class InternalHiveConnectorFactory, method createConnector.
/**
 * Assembles the Hive {@link Connector} for one catalog.
 * <p>
 * A Guice injector is bootstrapped from the modules listed below, the SPI services are pulled
 * out of it, and each one that the engine will call is wrapped in a {@code ClassLoaderSafe*}
 * decorator bound to this plugin's class loader before being handed to {@link HiveConnector}.
 *
 * @param catalogName name of the catalog being created; passed to {@link CatalogNameModule}
 *        and {@link ConnectorObjectNameGeneratorModule}
 * @param config catalog configuration properties, installed as required configuration on the
 *        bootstrap; must not be null
 * @param context engine-provided services (type manager, node manager, version embedder,
 *        metadata provider, page indexer factory, page sorter) that are bound for injection
 * @param module additional module installed after all the built-in ones
 * @param metastore optional pre-built metastore handed to {@link HiveMetastoreModule}
 * @param cachingDirectoryLister optional pre-built lister handed to {@link CachingDirectoryListerModule}
 * @return the fully wired connector
 * @throws NullPointerException if {@code config} is null
 */
public static Connector createConnector(String catalogName, Map<String, String> config, ConnectorContext context, Module module, Optional<HiveMetastore> metastore, Optional<CachingDirectoryLister> cachingDirectoryLister) {
    requireNonNull(config, "config is null");
    ClassLoader classLoader = InternalHiveConnectorFactory.class.getClassLoader();
    // Everything below runs with the plugin's class loader installed as the thread context class loader.
    try (ThreadContextClassLoader ignored = new ThreadContextClassLoader(classLoader)) {
        Bootstrap app = new Bootstrap(
                new CatalogNameModule(catalogName),
                new EventModule(),
                new MBeanModule(),
                new ConnectorObjectNameGeneratorModule(catalogName, "io.trino.plugin.hive", "trino.plugin.hive"),
                new JsonModule(),
                new TypeDeserializerModule(context.getTypeManager()),
                new HiveModule(),
                new CachingDirectoryListerModule(cachingDirectoryLister),
                new HiveHdfsModule(),
                new HiveS3Module(),
                new HiveGcsModule(),
                new HiveAzureModule(),
                // Rubix caching is only installed when RubixEnabledConfig reports it enabled.
                conditionalModule(RubixEnabledConfig.class, RubixEnabledConfig::isCacheEnabled, new RubixModule()),
                new HiveMetastoreModule(metastore),
                new HiveSecurityModule(),
                new HdfsAuthenticationModule(),
                new HiveProcedureModule(),
                new MBeanServerModule(),
                binder -> {
                    // Engine-provided services made available to the connector's own bindings.
                    binder.bind(NodeVersion.class).toInstance(new NodeVersion(context.getNodeManager().getCurrentNode().getVersion()));
                    binder.bind(NodeManager.class).toInstance(context.getNodeManager());
                    binder.bind(VersionEmbedder.class).toInstance(context.getVersionEmbedder());
                    binder.bind(MetadataProvider.class).toInstance(context.getMetadataProvider());
                    binder.bind(PageIndexerFactory.class).toInstance(context.getPageIndexerFactory());
                    binder.bind(PageSorter.class).toInstance(context.getPageSorter());
                },
                // Ensures the EventListener multibinding exists even if no module contributes one.
                binder -> newSetBinder(binder, EventListener.class),
                binder -> bindSessionPropertiesProvider(binder, HiveSessionProperties.class),
                // Caller-supplied module, installed last.
                module);
        // Logging is deliberately not initialized here; config is marked required for the bootstrap.
        Injector injector = app.doNotInitializeLogging().setRequiredConfigurationProperties(config).initialize();
        LifeCycleManager lifeCycleManager = injector.getInstance(LifeCycleManager.class);
        HiveTransactionManager transactionManager = injector.getInstance(HiveTransactionManager.class);
        ConnectorSplitManager splitManager = injector.getInstance(ConnectorSplitManager.class);
        ConnectorPageSourceProvider connectorPageSource = injector.getInstance(ConnectorPageSourceProvider.class);
        ConnectorPageSinkProvider pageSinkProvider = injector.getInstance(ConnectorPageSinkProvider.class);
        ConnectorNodePartitioningProvider connectorDistributionProvider = injector.getInstance(ConnectorNodePartitioningProvider.class);
        Set<SessionPropertiesProvider> sessionPropertiesProviders = injector.getInstance(Key.get(new TypeLiteral<Set<SessionPropertiesProvider>>() {}));
        HiveTableProperties hiveTableProperties = injector.getInstance(HiveTableProperties.class);
        HiveAnalyzeProperties hiveAnalyzeProperties = injector.getInstance(HiveAnalyzeProperties.class);
        HiveMaterializedViewPropertiesProvider hiveMaterializedViewPropertiesProvider = injector.getInstance(HiveMaterializedViewPropertiesProvider.class);
        Set<Procedure> procedures = injector.getInstance(Key.get(new TypeLiteral<Set<Procedure>>() {}));
        Set<TableProcedureMetadata> tableProcedures = injector.getInstance(Key.get(new TypeLiteral<Set<TableProcedureMetadata>>() {}));
        // Every bound event listener is wrapped so it is invoked under the plugin class loader.
        Set<EventListener> eventListeners = injector.getInstance(Key.get(new TypeLiteral<Set<EventListener>>() {}))
                .stream()
                .map(listener -> new ClassLoaderSafeEventListener(listener, classLoader))
                .collect(toImmutableSet());
        Set<SystemTableProvider> systemTableProviders = injector.getInstance(Key.get(new TypeLiteral<Set<SystemTableProvider>>() {}));
        // When a ConnectorAccessControl is bound it is wrapped twice, inner to outer: first to
        // account for system tables, then to run under the plugin class loader. The outer wrapper
        // is what the engine receives, so the system-table layer is always behind it.
        Optional<ConnectorAccessControl> hiveAccessControl = injector.getInstance(Key.get(new TypeLiteral<Optional<ConnectorAccessControl>>() {}))
                .map(accessControl -> new SystemTableAwareAccessControl(accessControl, systemTableProviders))
                .map(accessControl -> new ClassLoaderSafeConnectorAccessControl(accessControl, classLoader));
        return new HiveConnector(
                lifeCycleManager,
                transactionManager,
                new ClassLoaderSafeConnectorSplitManager(splitManager, classLoader),
                new ClassLoaderSafeConnectorPageSourceProvider(connectorPageSource, classLoader),
                new ClassLoaderSafeConnectorPageSinkProvider(pageSinkProvider, classLoader),
                new ClassLoaderSafeNodePartitioningProvider(connectorDistributionProvider, classLoader),
                procedures,
                tableProcedures,
                eventListeners,
                sessionPropertiesProviders,
                HiveSchemaProperties.SCHEMA_PROPERTIES,
                hiveTableProperties.getTableProperties(),
                hiveAnalyzeProperties.getAnalyzeProperties(),
                hiveMaterializedViewPropertiesProvider.getMaterializedViewProperties(),
                hiveAccessControl,
                injector.getInstance(HiveConfig.class).isSingleStatementWritesOnly(),
                classLoader);
    }
}
use of io.trino.spi.connector.ConnectorAccessControl in project trino by trinodb.
Class SyncPartitionMetadataProcedure, method doSyncPartitionMetadata.
/**
 * Reconciles the partitions registered in the metastore with the partition directories found
 * under the table's storage location, then applies the additions and/or drops selected by
 * {@code mode}.
 *
 * @param session session the procedure runs in; its identity is used to open the metastore
 * @param accessControl connector access control consulted before any metastore change
 * @param schemaName schema of the partitioned table
 * @param tableName name of the partitioned table
 * @param mode sync mode string, converted through {@code toSyncMode}
 * @param caseSensitive whether directory names are matched case-sensitively against partition columns
 * @throws TableNotFoundException if the table or its partition names cannot be loaded
 * @throws TrinoException with {@code INVALID_PROCEDURE_ARGUMENT} if the table has no partition
 *         columns, or with {@code HIVE_FILESYSTEM_ERROR} if listing the table location fails
 */
private void doSyncPartitionMetadata(ConnectorSession session, ConnectorAccessControl accessControl, String schemaName, String tableName, String mode, boolean caseSensitive) {
    SyncMode syncMode = toSyncMode(mode);
    HdfsContext hdfsContext = new HdfsContext(session);
    SemiTransactionalHiveMetastore metastore = hiveMetadataFactory.create(session.getIdentity(), true).getMetastore();
    SchemaTableName target = new SchemaTableName(schemaName, tableName);

    Table table = metastore.getTable(schemaName, tableName)
            .orElseThrow(() -> new TableNotFoundException(target));
    if (table.getPartitionColumns().isEmpty()) {
        throw new TrinoException(INVALID_PROCEDURE_ARGUMENT, "Table is not partitioned: " + target);
    }

    // ADD requires insert permission, DROP requires delete permission, FULL requires both.
    // NOTE(review): the security-context argument is passed as null on both checks — confirm
    // that every ConnectorAccessControl implementation reachable here accepts a null context.
    boolean willAdd = syncMode == SyncMode.ADD || syncMode == SyncMode.FULL;
    boolean willDrop = syncMode == SyncMode.DROP || syncMode == SyncMode.FULL;
    if (willAdd) {
        accessControl.checkCanInsertIntoTable(null, target);
    }
    if (willDrop) {
        accessControl.checkCanDeleteFromTable(null, target);
    }

    Path tableLocation = new Path(table.getStorage().getLocation());
    Set<String> partitionsToAdd;
    Set<String> partitionsToDrop;
    try {
        FileSystem fileSystem = hdfsEnvironment.getFileSystem(hdfsContext, tableLocation);
        List<String> partitionsInMetastore = metastore.getPartitionNames(schemaName, tableName)
                .orElseThrow(() -> new TableNotFoundException(target));
        // Partition directories are reported relative to the table location.
        List<String> partitionsInFileSystem = listDirectory(fileSystem, fileSystem.getFileStatus(tableLocation), table.getPartitionColumns(), table.getPartitionColumns().size(), caseSensitive)
                .stream()
                .map(fileStatus -> tableLocation.toUri().relativize(fileStatus.getPath().toUri()).getPath())
                .collect(toImmutableList());
        // On disk but unknown to the metastore.
        partitionsToAdd = difference(partitionsInFileSystem, partitionsInMetastore);
        // Known to the metastore but missing on disk.
        partitionsToDrop = difference(partitionsInMetastore, partitionsInFileSystem);
    }
    catch (IOException e) {
        throw new TrinoException(HIVE_FILESYSTEM_ERROR, e);
    }

    syncPartitions(partitionsToAdd, partitionsToDrop, syncMode, metastore, session, table);
}
use of io.trino.spi.connector.ConnectorAccessControl in project trino by trinodb.
Class TestFileBasedAccessControl, method testNoTableRules.
/**
 * With a rules file that grants nothing, table-level checks are denied and the filter
 * methods return empty sets for every user.
 */
@Test
public void testNoTableRules() {
    ConnectorAccessControl accessControl = createAccessControl("no-access.json");
    SchemaTableName bobTable = new SchemaTableName("bobschema", "bobtable");

    assertDenied(() -> accessControl.checkCanShowColumns(BOB, bobTable));
    assertDenied(() -> accessControl.checkCanShowTables(BOB, "bobschema"));
    assertEquals(accessControl.filterColumns(BOB, bobTable, ImmutableSet.of("a")), ImmutableSet.of());

    Set<SchemaTableName> candidates = ImmutableSet.of(
            new SchemaTableName("restricted", "any"),
            new SchemaTableName("secret", "any"),
            new SchemaTableName("any", "any"));
    assertEquals(accessControl.filterTables(ALICE, candidates), ImmutableSet.of());
    assertEquals(accessControl.filterTables(BOB, candidates), ImmutableSet.of());
}
use of io.trino.spi.connector.ConnectorAccessControl in project trino by trinodb.
Class TestFileBasedAccessControl, method testEmptyFile.
/**
 * An empty rules file permits schema, table and session-property operations for an unknown
 * user and filters nothing; only the grant/role management APIs remain denied, while the
 * role-inspection APIs remain allowed.
 */
@Test
public void testEmptyFile() {
    ConnectorAccessControl accessControl = createAccessControl("empty.json");
    SchemaTableName unknownTable = new SchemaTableName("unknown", "unknown");
    SchemaTableName renamedTable = new SchemaTableName("unknown", "new_unknown");

    // Schema operations: none of these may throw.
    accessControl.checkCanCreateSchema(UNKNOWN, "unknown");
    accessControl.checkCanDropSchema(UNKNOWN, "unknown");
    accessControl.checkCanRenameSchema(UNKNOWN, "unknown", "new_unknown");
    accessControl.checkCanSetSchemaAuthorization(UNKNOWN, "unknown", new TrinoPrincipal(PrincipalType.ROLE, "some_role"));
    accessControl.checkCanShowCreateSchema(UNKNOWN, "unknown");

    // Table operations: none of these may throw.
    accessControl.checkCanSelectFromColumns(UNKNOWN, unknownTable, ImmutableSet.of());
    accessControl.checkCanShowColumns(UNKNOWN, unknownTable);
    accessControl.checkCanInsertIntoTable(UNKNOWN, unknownTable);
    accessControl.checkCanDeleteFromTable(UNKNOWN, unknownTable);
    accessControl.checkCanCreateTable(UNKNOWN, unknownTable, Map.of());
    accessControl.checkCanDropTable(UNKNOWN, unknownTable);
    accessControl.checkCanTruncateTable(UNKNOWN, unknownTable);
    accessControl.checkCanRenameTable(UNKNOWN, unknownTable, renamedTable);
    accessControl.checkCanSetCatalogSessionProperty(UNKNOWN, "anything");

    // Nothing is filtered out.
    Set<SchemaTableName> candidates = ImmutableSet.of(
            new SchemaTableName("secret", "any"),
            new SchemaTableName("any", "any"));
    assertEquals(accessControl.filterTables(UNKNOWN, candidates), candidates);

    // permissions management APIs are hard coded to deny
    SchemaTableName anyTable = new SchemaTableName("any", "any");
    TrinoPrincipal grantee = new TrinoPrincipal(PrincipalType.USER, "some_user");
    assertDenied(() -> accessControl.checkCanGrantTablePrivilege(ADMIN, Privilege.SELECT, anyTable, grantee, false));
    assertDenied(() -> accessControl.checkCanDenyTablePrivilege(ADMIN, Privilege.SELECT, anyTable, grantee));
    assertDenied(() -> accessControl.checkCanRevokeTablePrivilege(ADMIN, Privilege.SELECT, anyTable, grantee, false));
    assertDenied(() -> accessControl.checkCanCreateRole(ADMIN, "role", Optional.empty()));
    assertDenied(() -> accessControl.checkCanDropRole(ADMIN, "role"));
    assertDenied(() -> accessControl.checkCanGrantRoles(ADMIN, ImmutableSet.of("test"), ImmutableSet.of(grantee), false, Optional.empty()));
    assertDenied(() -> accessControl.checkCanRevokeRoles(ADMIN, ImmutableSet.of("test"), ImmutableSet.of(grantee), false, Optional.empty()));
    assertDenied(() -> accessControl.checkCanSetRole(ADMIN, "role"));

    // showing roles and permissions is hard coded to allow
    accessControl.checkCanShowRoleAuthorizationDescriptors(UNKNOWN);
    accessControl.checkCanShowRoles(UNKNOWN);
    accessControl.checkCanShowCurrentRoles(UNKNOWN);
    accessControl.checkCanShowRoleGrants(UNKNOWN);
}
use of io.trino.spi.connector.ConnectorAccessControl in project trino by trinodb.
Class TestFileBasedAccessControl, method testFilterSchemas.
/**
 * Schema visibility from {@code visibility.json}: admin sees every schema, each named user
 * sees the shared schema plus their own, and a user with no matching rule sees only the
 * shared schema.
 */
@Test
public void testFilterSchemas() {
    ConnectorAccessControl accessControl = createAccessControl("visibility.json");
    Set<String> everySchema = ImmutableSet.of("specific-schema", "alice-schema", "bob-schema", "unknown");

    Set<String> adminVisible = accessControl.filterSchemas(ADMIN, everySchema);
    assertEquals(adminVisible, everySchema);

    Set<String> aliceVisible = accessControl.filterSchemas(ALICE, everySchema);
    assertEquals(aliceVisible, ImmutableSet.of("specific-schema", "alice-schema"));

    Set<String> bobVisible = accessControl.filterSchemas(BOB, everySchema);
    assertEquals(bobVisible, ImmutableSet.of("specific-schema", "bob-schema"));

    Set<String> charlieVisible = accessControl.filterSchemas(CHARLIE, everySchema);
    assertEquals(charlieVisible, ImmutableSet.of("specific-schema"));
}