
Example 1 with ConnectorSecurityContext

use of io.trino.spi.connector.ConnectorSecurityContext in project trino by trinodb.

From the Hive connector class SqlStandardAccessControl, private helper isDatabaseOwner (ownership check used by schema-level authorization decisions).

/**
 * Decides whether the caller counts as the owner of the Hive database {@code databaseName}.
 *
 * The checks run in order of cost: the default database (everyone owns it, by Hive
 * convention), then admin status, then the owner recorded in the metastore, matched
 * either by user name or by a role the caller currently has enabled. A database the
 * metastore cannot find yields {@code false} so the caller denies instead of failing open;
 * a database with no recorded owner is owned by nobody but admins.
 *
 * @param context      security context carrying the caller's identity
 * @param databaseName Hive database (schema) name to check
 * @return true if the caller should be treated as the database owner
 */
private boolean isDatabaseOwner(ConnectorSecurityContext context, String databaseName) {
    // Hive convention: every user is an owner of the default database, so skip the lookup.
    if (DEFAULT_DATABASE_NAME.equalsIgnoreCase(databaseName)) {
        return true;
    }
    // Admins own everything; decide before touching the metastore.
    if (isAdmin(context)) {
        return true;
    }
    Optional<Database> maybeDatabase = metastore.getDatabase(context, databaseName);
    if (maybeDatabase.isEmpty()) {
        // Unknown database: deny rather than throw; the caller produces the denial message.
        return false;
    }
    Database database = maybeDatabase.get();
    Optional<String> ownerName = database.getOwnerName();
    if (ownerName.isEmpty()) {
        return false;
    }
    String owner = ownerName.get();
    ConnectorIdentity identity = context.getIdentity();
    boolean ownedByUser = database.getOwnerType().orElse(null) == USER;
    boolean ownedByRole = database.getOwnerType().orElse(null) == ROLE;
    if (ownedByUser) {
        return identity.getUser().equals(owner);
    }
    if (ownedByRole) {
        // Only a role the caller has *enabled* counts, not every role ever granted.
        return isRoleEnabled(identity, hivePrincipal -> metastore.listRoleGrants(context, hivePrincipal), owner);
    }
    // Owner type missing or unrecognised: no ownership.
    return false;
}

Example 2 with ConnectorSecurityContext

use of io.trino.spi.connector.ConnectorSecurityContext in project trino by trinodb.

From the class FileBasedAccessControl (rule-driven connector access control), method checkCanSelectFromColumns.

/**
 * Allows a SELECT over {@code columnNames} in {@code tableName} only when the first table
 * rule matching the caller's user, enabled system roles and groups permits every requested
 * column. With no matching rule the access is denied (default deny). Tables in
 * information_schema are always readable.
 *
 * @param context     security context carrying the caller's identity
 * @param tableName   schema-qualified table being read
 * @param columnNames columns the query references
 * @throws AccessDeniedException when the caller may not select from the table
 */
@Override
public void checkCanSelectFromColumns(ConnectorSecurityContext context, SchemaTableName tableName, Set<String> columnNames) {
    // information_schema is metadata every authenticated user may read.
    if (INFORMATION_SCHEMA_NAME.equals(tableName.getSchemaName())) {
        return;
    }
    ConnectorIdentity identity = context.getIdentity();
    // Rules are ordered: only the first match decides; later rules are never consulted.
    Optional<TableAccessControlRule> matchingRule = tableRules.stream()
            .filter(rule -> rule.matches(identity.getUser(), identity.getEnabledSystemRoles(), identity.getGroups(), tableName))
            .findFirst();
    boolean permitted = matchingRule.isPresent() && matchingRule.get().canSelectColumns(columnNames);
    if (!permitted) {
        denySelectTable(tableName.toString());
    }
}

Example 3 with ConnectorSecurityContext

use of io.trino.spi.connector.ConnectorSecurityContext in project trino by trinodb.

From the class FileBasedAccessControl, method filterColumns (column-level visibility filtering that complements checkCanSelectFromColumns).

/**
 * Returns the subset of {@code columns} the caller may see in {@code tableName}.
 *
 * information_schema is fully visible. Otherwise the first matching table rule decides:
 * no rule, or a rule granting no privileges, hides every column; a rule whose privileges
 * are SELECT only hides its restricted columns; a rule granting anything beyond SELECT
 * (INSERT, DELETE, OWNERSHIP, ...) exposes all columns.
 * NOTE(review): that last branch means a rule with e.g. only INSERT still reveals the
 * restricted columns' names; confirm this matches the intended policy semantics.
 *
 * @param context   security context carrying the caller's identity
 * @param tableName schema-qualified table whose columns are listed
 * @param columns   candidate column names
 * @return the visible subset of {@code columns}, possibly the same instance
 */
@Override
public Set<String> filterColumns(ConnectorSecurityContext context, SchemaTableName tableName, Set<String> columns) {
    if (INFORMATION_SCHEMA_NAME.equals(tableName.getSchemaName())) {
        return columns;
    }
    ConnectorIdentity identity = context.getIdentity();
    Optional<TableAccessControlRule> matchingRule = tableRules.stream()
            .filter(candidate -> candidate.matches(identity.getUser(), identity.getEnabledSystemRoles(), identity.getGroups(), tableName))
            .findFirst();
    if (matchingRule.isEmpty()) {
        return ImmutableSet.of();
    }
    TableAccessControlRule rule = matchingRule.get();
    if (rule.getPrivileges().isEmpty()) {
        return ImmutableSet.of();
    }
    // Restricted columns only apply when SELECT is the sole privilege the rule grants.
    boolean selectOnly = rule.getPrivileges().stream().allMatch(privilege -> privilege == SELECT);
    if (!selectOnly) {
        return columns;
    }
    Set<String> hidden = rule.getRestrictedColumns();
    return columns.stream()
            .filter(column -> !hidden.contains(column))
            .collect(toImmutableSet());
}

Example 4 with ConnectorSecurityContext

use of io.trino.spi.connector.ConnectorSecurityContext in project trino by trinodb.

From the test class TestAccessControlManager, method testColumnMaskOrdering (asserts the order in which connector and system column masks are applied).

/**
 * Verifies the order of column masks returned by AccessControlManager.getColumnMasks:
 * the connector-level mask is listed first and the system-level mask second. Both access
 * controls are stubs that return a fixed mask for every column; the other overridden
 * methods are empty so the stubs never deny anything the setup needs.
 */
@Test
public void testColumnMaskOrdering() {
    try (LocalQueryRunner queryRunner = LocalQueryRunner.create(TEST_SESSION)) {
        TransactionManager transactionManager = queryRunner.getTransactionManager();
        AccessControlManager accessControlManager = createAccessControlManager(transactionManager);

        // System-level stub: always masks with "system mask".
        SystemAccessControl systemStub = new SystemAccessControl() {
            @Override
            public Optional<ViewExpression> getColumnMask(SystemSecurityContext context, CatalogSchemaTableName tableName, String column, Type type) {
                return Optional.of(new ViewExpression("user", Optional.empty(), Optional.empty(), "system mask"));
            }

            @Override
            public void checkCanSetSystemSessionProperty(SystemSecurityContext context, String propertyName) {
            }
        };
        accessControlManager.addSystemAccessControlFactory(new SystemAccessControlFactory() {
            @Override
            public String getName() {
                return "test";
            }

            @Override
            public SystemAccessControl create(Map<String, String> config) {
                return systemStub;
            }
        });
        accessControlManager.setSystemAccessControl("test", ImmutableMap.of());

        // Connector-level stub for catalog "catalog": always masks with "connector mask".
        ConnectorAccessControl connectorStub = new ConnectorAccessControl() {
            @Override
            public Optional<ViewExpression> getColumnMask(ConnectorSecurityContext context, SchemaTableName tableName, String column, Type type) {
                return Optional.of(new ViewExpression("user", Optional.empty(), Optional.empty(), "connector mask"));
            }

            @Override
            public void checkCanShowCreateTable(ConnectorSecurityContext context, SchemaTableName tableName) {
            }
        };
        queryRunner.createCatalog("catalog", MockConnectorFactory.create(), ImmutableMap.of());
        accessControlManager.addCatalogAccessControl(new CatalogName("catalog"), connectorStub);

        QualifiedObjectName table = new QualifiedObjectName("catalog", "schema", "table");
        transaction(transactionManager, accessControlManager).execute(transactionId -> {
            List<ViewExpression> masks = accessControlManager.getColumnMasks(context(transactionId), table, "column", BIGINT);
            // Connector mask is applied before the system mask.
            assertEquals(masks.get(0).getExpression(), "connector mask");
            assertEquals(masks.get(1).getExpression(), "system mask");
        });
    }
}

Example 5 with ConnectorSecurityContext

use of io.trino.spi.connector.ConnectorSecurityContext in project trino by trinodb.

From the Hive connector class SqlStandardAccessControl, private helper listApplicableTablePrivileges (collects the caller's direct and role-derived table privileges).

/**
 * Lists the Hive table privileges held by {@code identity} on {@code databaseName.tableName},
 * either directly as a user or through a role.
 *
 * The principal set is the user itself followed by every role returned by
 * {@code listApplicableRoles}, resolved through the metastore's role grants. Note that this is
 * the "applicable" role set, not the enabled one ({@code listEnabledPrincipals} is the other
 * helper imported in this file) — presumably every role granted to the user, transitively,
 * regardless of SET ROLE; callers that need only currently-enabled roles should confirm which
 * helper they want. {@code identity} is taken as a parameter rather than read from
 * {@code context}; callers are expected to pass a matching identity (NOTE(review): confirm).
 *
 * @param context      connector security context used for metastore calls
 * @param databaseName Hive database (schema) name
 * @param tableName    table name within the database
 * @param identity     the identity whose privileges are being resolved
 * @return stream of privilege records for the user and its applicable roles
 */
private Stream<HivePrivilegeInfo> listApplicableTablePrivileges(ConnectorSecurityContext context, String databaseName, String tableName, ConnectorIdentity identity) {
    // The user principal comes first; role principals are appended after it.
    HivePrincipal userPrincipal = new HivePrincipal(USER, identity.getUser());
    Stream<HivePrincipal> rolePrincipals = listApplicableRoles(userPrincipal, grantee -> metastore.listRoleGrants(context, grantee))
            .map(roleGrant -> new HivePrincipal(ROLE, roleGrant.getRoleName()));
    Stream<HivePrincipal> principals = Stream.concat(Stream.of(userPrincipal), rolePrincipals);
    return listTablePrivileges(context, databaseName, tableName, principals);
}
Also used : AccessDeniedException.denyAddColumn(io.trino.spi.security.AccessDeniedException.denyAddColumn) DEFAULT_DATABASE_NAME(io.trino.plugin.hive.metastore.Database.DEFAULT_DATABASE_NAME) SchemaRoutineName(io.trino.spi.connector.SchemaRoutineName) AccessDeniedException.denySetCatalogSessionProperty(io.trino.spi.security.AccessDeniedException.denySetCatalogSessionProperty) AccessDeniedException.denyDropTable(io.trino.spi.security.AccessDeniedException.denyDropTable) AccessDeniedException.denySetTableProperties(io.trino.spi.security.AccessDeniedException.denySetTableProperties) USER(io.trino.spi.security.PrincipalType.USER) AccessDeniedException.denySetMaterializedViewProperties(io.trino.spi.security.AccessDeniedException.denySetMaterializedViewProperties) Database(io.trino.plugin.hive.metastore.Database) AccessDeniedException.denyInsertTable(io.trino.spi.security.AccessDeniedException.denyInsertTable) ThriftMetastoreUtil.listEnabledPrincipals(io.trino.plugin.hive.metastore.thrift.ThriftMetastoreUtil.listEnabledPrincipals) AccessDeniedException.denyExecuteTableProcedure(io.trino.spi.security.AccessDeniedException.denyExecuteTableProcedure) AccessDeniedException.denyShowCreateTable(io.trino.spi.security.AccessDeniedException.denyShowCreateTable) AccessDeniedException.denyRevokeTablePrivilege(io.trino.spi.security.AccessDeniedException.denyRevokeTablePrivilege) NOT_SUPPORTED(io.trino.spi.StandardErrorCode.NOT_SUPPORTED) AccessDeniedException.denyUpdateTableColumns(io.trino.spi.security.AccessDeniedException.denyUpdateTableColumns) Map(java.util.Map) AccessDeniedException.denyCreateSchema(io.trino.spi.security.AccessDeniedException.denyCreateSchema) AccessDeniedException.denyCreateMaterializedView(io.trino.spi.security.AccessDeniedException.denyCreateMaterializedView) AccessDeniedException.denyCreateTable(io.trino.spi.security.AccessDeniedException.denyCreateTable) AccessDeniedException.denyDeleteTable(io.trino.spi.security.AccessDeniedException.denyDeleteTable) 
AccessDeniedException.denyDropView(io.trino.spi.security.AccessDeniedException.denyDropView) AccessDeniedException.denyRenameSchema(io.trino.spi.security.AccessDeniedException.denyRenameSchema) AccessDeniedException.denyShowRoles(io.trino.spi.security.AccessDeniedException.denyShowRoles) Collectors.toSet(java.util.stream.Collectors.toSet) AccessDeniedException.denyShowColumns(io.trino.spi.security.AccessDeniedException.denyShowColumns) UPDATE(io.trino.plugin.hive.metastore.HivePrivilegeInfo.HivePrivilege.UPDATE) INSERT(io.trino.plugin.hive.metastore.HivePrivilegeInfo.HivePrivilege.INSERT) AccessDeniedException.denyRenameMaterializedView(io.trino.spi.security.AccessDeniedException.denyRenameMaterializedView) ImmutableSet(com.google.common.collect.ImmutableSet) ConnectorIdentity(io.trino.spi.security.ConnectorIdentity) AccessDeniedException.denySetTableAuthorization(io.trino.spi.security.AccessDeniedException.denySetTableAuthorization) AccessDeniedException.denyDropSchema(io.trino.spi.security.AccessDeniedException.denyDropSchema) AccessDeniedException.denyTruncateTable(io.trino.spi.security.AccessDeniedException.denyTruncateTable) ViewExpression(io.trino.spi.security.ViewExpression) ConnectorAccessControl(io.trino.spi.connector.ConnectorAccessControl) Set(java.util.Set) TrinoException(io.trino.spi.TrinoException) SchemaTableName(io.trino.spi.connector.SchemaTableName) AccessDeniedException.denySetRole(io.trino.spi.security.AccessDeniedException.denySetRole) AccessDeniedException.denyShowCreateSchema(io.trino.spi.security.AccessDeniedException.denyShowCreateSchema) Stream(java.util.stream.Stream) TrinoPrincipal(io.trino.spi.security.TrinoPrincipal) OWNERSHIP(io.trino.plugin.hive.metastore.HivePrivilegeInfo.HivePrivilege.OWNERSHIP) AccessDeniedException.denyRefreshMaterializedView(io.trino.spi.security.AccessDeniedException.denyRefreshMaterializedView) AccessDeniedException.denyCreateRole(io.trino.spi.security.AccessDeniedException.denyCreateRole) 
Optional(java.util.Optional) HivePrivilegeInfo(io.trino.plugin.hive.metastore.HivePrivilegeInfo) HivePrincipal(io.trino.plugin.hive.metastore.HivePrincipal) AccessDeniedException(io.trino.spi.security.AccessDeniedException) HivePrivilegeInfo.toHivePrivilege(io.trino.plugin.hive.metastore.HivePrivilegeInfo.toHivePrivilege) AccessDeniedException.denyDropColumn(io.trino.spi.security.AccessDeniedException.denyDropColumn) Type(io.trino.spi.type.Type) ThriftMetastoreUtil.isRoleApplicable(io.trino.plugin.hive.metastore.thrift.ThriftMetastoreUtil.isRoleApplicable) AccessDeniedException.denyDropRole(io.trino.spi.security.AccessDeniedException.denyDropRole) AccessDeniedException.denySetViewAuthorization(io.trino.spi.security.AccessDeniedException.denySetViewAuthorization) Inject(javax.inject.Inject) AccessDeniedException.denyCommentColumn(io.trino.spi.security.AccessDeniedException.denyCommentColumn) AccessDeniedException.denySetSchemaAuthorization(io.trino.spi.security.AccessDeniedException.denySetSchemaAuthorization) AccessDeniedException.denyCreateViewWithSelect(io.trino.spi.security.AccessDeniedException.denyCreateViewWithSelect) AccessDeniedException.denyDropMaterializedView(io.trino.spi.security.AccessDeniedException.denyDropMaterializedView) Objects.requireNonNull(java.util.Objects.requireNonNull) ImmutableSet.toImmutableSet(com.google.common.collect.ImmutableSet.toImmutableSet) AccessDeniedException.denyRevokeRoles(io.trino.spi.security.AccessDeniedException.denyRevokeRoles) Privilege(io.trino.spi.security.Privilege) AccessDeniedException.denyRenameTable(io.trino.spi.security.AccessDeniedException.denyRenameTable) AccessDeniedException.denyShowRoleAuthorizationDescriptors(io.trino.spi.security.AccessDeniedException.denyShowRoleAuthorizationDescriptors) ConnectorSecurityContext(io.trino.spi.connector.ConnectorSecurityContext) AccessDeniedException.denySelectTable(io.trino.spi.security.AccessDeniedException.denySelectTable) 
AccessDeniedException.denyCreateView(io.trino.spi.security.AccessDeniedException.denyCreateView) DELETE(io.trino.plugin.hive.metastore.HivePrivilegeInfo.HivePrivilege.DELETE) AccessDeniedException.denyCommentTable(io.trino.spi.security.AccessDeniedException.denyCommentTable) CatalogName(io.trino.plugin.base.CatalogName) ROLE(io.trino.spi.security.PrincipalType.ROLE) RoleGrant(io.trino.spi.security.RoleGrant) SELECT(io.trino.plugin.hive.metastore.HivePrivilegeInfo.HivePrivilege.SELECT) AccessDeniedException.denyRenameColumn(io.trino.spi.security.AccessDeniedException.denyRenameColumn) AccessDeniedException.denyGrantRoles(io.trino.spi.security.AccessDeniedException.denyGrantRoles) ThriftMetastoreUtil.listApplicableRoles(io.trino.plugin.hive.metastore.thrift.ThriftMetastoreUtil.listApplicableRoles) ThriftMetastoreUtil.isRoleEnabled(io.trino.plugin.hive.metastore.thrift.ThriftMetastoreUtil.isRoleEnabled) AccessDeniedException.denyRenameView(io.trino.spi.security.AccessDeniedException.denyRenameView) AccessDeniedException.denyGrantTablePrivilege(io.trino.spi.security.AccessDeniedException.denyGrantTablePrivilege) HivePrivilege(io.trino.plugin.hive.metastore.HivePrivilegeInfo.HivePrivilege) HivePrincipal(io.trino.plugin.hive.metastore.HivePrincipal)

Aggregations

ConnectorAccessControl (io.trino.spi.connector.ConnectorAccessControl)5 ConnectorSecurityContext (io.trino.spi.connector.ConnectorSecurityContext)5 SchemaTableName (io.trino.spi.connector.SchemaTableName)5 ImmutableSet (com.google.common.collect.ImmutableSet)4 ImmutableSet.toImmutableSet (com.google.common.collect.ImmutableSet.toImmutableSet)4 CatalogName (io.trino.plugin.base.CatalogName)4 SchemaRoutineName (io.trino.spi.connector.SchemaRoutineName)4 AccessDeniedException.denyAddColumn (io.trino.spi.security.AccessDeniedException.denyAddColumn)4 AccessDeniedException.denyCommentColumn (io.trino.spi.security.AccessDeniedException.denyCommentColumn)4 AccessDeniedException.denyCommentTable (io.trino.spi.security.AccessDeniedException.denyCommentTable)4 AccessDeniedException.denyCreateMaterializedView (io.trino.spi.security.AccessDeniedException.denyCreateMaterializedView)4 AccessDeniedException.denyCreateRole (io.trino.spi.security.AccessDeniedException.denyCreateRole)4 AccessDeniedException.denyCreateSchema (io.trino.spi.security.AccessDeniedException.denyCreateSchema)4 AccessDeniedException.denyCreateTable (io.trino.spi.security.AccessDeniedException.denyCreateTable)3 AccessDeniedException.denyCreateView (io.trino.spi.security.AccessDeniedException.denyCreateView)3 AccessDeniedException.denyCreateViewWithSelect (io.trino.spi.security.AccessDeniedException.denyCreateViewWithSelect)3 AccessDeniedException.denyDeleteTable (io.trino.spi.security.AccessDeniedException.denyDeleteTable)3 AccessDeniedException.denyDropColumn (io.trino.spi.security.AccessDeniedException.denyDropColumn)3 AccessDeniedException.denyDropMaterializedView (io.trino.spi.security.AccessDeniedException.denyDropMaterializedView)3 AccessDeniedException.denyDropRole (io.trino.spi.security.AccessDeniedException.denyDropRole)3