Search in sources :

Example 1 with AccessDeniedException

use of io.trino.spi.security.AccessDeniedException in project trino by trinodb.

the class PasswordAuthenticator method authenticate.

@Override
public Identity authenticate(ContainerRequestContext request) throws AuthenticationException {
    BasicAuthCredentials basicAuthCredentials = extractBasicAuthCredentials(request).orElseThrow(() -> needAuthentication(null));
    String user = basicAuthCredentials.getUser();
    String password = basicAuthCredentials.getPassword().orElseThrow(() -> new AuthenticationException("Malformed credentials: password is empty"));
    AuthenticationException exception = null;
    for (io.trino.spi.security.PasswordAuthenticator authenticator : authenticatorManager.getAuthenticators()) {
        try {
            Principal principal = authenticator.createAuthenticatedPrincipal(user, password);
            String authenticatedUser = userMapping.mapUser(principal.toString());
            // rewrite the original "unmapped" user header to the mapped user (see method Javadoc for more details)
            rewriteUserHeaderToMappedUser(basicAuthCredentials, request.getHeaders(), authenticatedUser);
            return Identity.forUser(authenticatedUser).withPrincipal(principal).build();
        } catch (UserMappingException | AccessDeniedException e) {
            if (exception == null) {
                exception = needAuthentication(e.getMessage());
            } else {
                exception.addSuppressed(needAuthentication(e.getMessage()));
            }
        } catch (RuntimeException e) {
            throw new RuntimeException("Authentication error", e);
        }
    }
    verify(exception != null, "exception not set");
    throw exception;
}
Also used : AccessDeniedException(io.trino.spi.security.AccessDeniedException) BasicAuthCredentials.extractBasicAuthCredentials(io.trino.server.security.BasicAuthCredentials.extractBasicAuthCredentials) Principal(java.security.Principal)

Example 2 with AccessDeniedException

use of io.trino.spi.security.AccessDeniedException in project trino by trinodb.

the class WorkerResource method getThreads.

@ResourceSecurity(WEB_UI)
@GET
@Path("{nodeId}/task/{taskId}")
public Response getThreads(@PathParam("taskId") TaskId task, @PathParam("nodeId") String nodeId, @Context HttpServletRequest servletRequest, @Context HttpHeaders httpHeaders) {
    QueryId queryId = task.getQueryId();
    Optional<QueryInfo> queryInfo = dispatchManager.getFullQueryInfo(queryId);
    if (queryInfo.isPresent()) {
        try {
            checkCanViewQueryOwnedBy(sessionContextFactory.extractAuthorizedIdentity(servletRequest, httpHeaders, alternateHeaderName), queryInfo.get().getSession().toIdentity(), accessControl);
            return proxyJsonResponse(nodeId, "v1/task/" + task);
        } catch (AccessDeniedException e) {
            throw new ForbiddenException();
        }
    }
    return Response.status(Status.GONE).build();
}
Also used : AccessDeniedException(io.trino.spi.security.AccessDeniedException) ForbiddenException(javax.ws.rs.ForbiddenException) QueryId(io.trino.spi.QueryId) QueryInfo(io.trino.execution.QueryInfo) Path(javax.ws.rs.Path) GET(javax.ws.rs.GET) ResourceSecurity(io.trino.server.security.ResourceSecurity)

Example 3 with AccessDeniedException

use of io.trino.spi.security.AccessDeniedException in project trino by trinodb.

the class QueryResource method getQueryInfo.

@ResourceSecurity(AUTHENTICATED_USER)
@GET
@Path("{queryId}")
public Response getQueryInfo(@PathParam("queryId") QueryId queryId, @Context HttpServletRequest servletRequest, @Context HttpHeaders httpHeaders) {
    requireNonNull(queryId, "queryId is null");
    Optional<QueryInfo> queryInfo = dispatchManager.getFullQueryInfo(queryId);
    if (queryInfo.isEmpty()) {
        return Response.status(Status.GONE).build();
    }
    try {
        checkCanViewQueryOwnedBy(sessionContextFactory.extractAuthorizedIdentity(servletRequest, httpHeaders, alternateHeaderName), queryInfo.get().getSession().toIdentity(), accessControl);
        return Response.ok(queryInfo.get()).build();
    } catch (AccessDeniedException e) {
        throw new ForbiddenException();
    }
}
Also used : AccessDeniedException(io.trino.spi.security.AccessDeniedException) ForbiddenException(javax.ws.rs.ForbiddenException) QueryInfo(io.trino.execution.QueryInfo) Path(javax.ws.rs.Path) GET(javax.ws.rs.GET) ResourceSecurity(io.trino.server.security.ResourceSecurity)

Example 4 with AccessDeniedException

use of io.trino.spi.security.AccessDeniedException in project trino by trinodb.

the class QueryStateInfoResource method getQueryStateInfo.

@ResourceSecurity(AUTHENTICATED_USER)
@GET
@Path("{queryId}")
@Produces(MediaType.APPLICATION_JSON)
public QueryStateInfo getQueryStateInfo(@PathParam("queryId") String queryId, @Context HttpServletRequest servletRequest, @Context HttpHeaders httpHeaders) throws WebApplicationException {
    try {
        BasicQueryInfo queryInfo = dispatchManager.getQueryInfo(new QueryId(queryId));
        checkCanViewQueryOwnedBy(sessionContextFactory.extractAuthorizedIdentity(servletRequest, httpHeaders, alternateHeaderName), queryInfo.getSession().toIdentity(), accessControl);
        return getQueryStateInfo(queryInfo);
    } catch (AccessDeniedException e) {
        throw new ForbiddenException();
    } catch (NoSuchElementException e) {
        throw new WebApplicationException(NOT_FOUND);
    }
}
Also used : AccessDeniedException(io.trino.spi.security.AccessDeniedException) ForbiddenException(javax.ws.rs.ForbiddenException) WebApplicationException(javax.ws.rs.WebApplicationException) QueryId(io.trino.spi.QueryId) NoSuchElementException(java.util.NoSuchElementException) Path(javax.ws.rs.Path) Produces(javax.ws.rs.Produces) GET(javax.ws.rs.GET) ResourceSecurity(io.trino.server.security.ResourceSecurity)

Example 5 with AccessDeniedException

use of io.trino.spi.security.AccessDeniedException in project trino by trinodb.

the class CreateTableTask method internalExecute.

@VisibleForTesting
ListenableFuture<Void> internalExecute(CreateTable statement, Session session, List<Expression> parameters, Consumer<Output> outputConsumer) {
    checkArgument(!statement.getElements().isEmpty(), "no columns for table");
    Map<NodeRef<Parameter>, Expression> parameterLookup = parameterExtractor(statement, parameters);
    QualifiedObjectName tableName = createQualifiedObjectName(session, statement, statement.getName());
    Optional<TableHandle> tableHandle = plannerContext.getMetadata().getTableHandle(session, tableName);
    if (tableHandle.isPresent()) {
        if (!statement.isNotExists()) {
            throw semanticException(TABLE_ALREADY_EXISTS, statement, "Table '%s' already exists", tableName);
        }
        return immediateVoidFuture();
    }
    CatalogName catalogName = getRequiredCatalogHandle(plannerContext.getMetadata(), session, statement, tableName.getCatalogName());
    LinkedHashMap<String, ColumnMetadata> columns = new LinkedHashMap<>();
    Map<String, Object> inheritedProperties = ImmutableMap.of();
    boolean includingProperties = false;
    for (TableElement element : statement.getElements()) {
        if (element instanceof ColumnDefinition) {
            ColumnDefinition column = (ColumnDefinition) element;
            String name = column.getName().getValue().toLowerCase(Locale.ENGLISH);
            Type type;
            try {
                type = plannerContext.getTypeManager().getType(toTypeSignature(column.getType()));
            } catch (TypeNotFoundException e) {
                throw semanticException(TYPE_NOT_FOUND, element, "Unknown type '%s' for column '%s'", column.getType(), column.getName());
            }
            if (type.equals(UNKNOWN)) {
                throw semanticException(COLUMN_TYPE_UNKNOWN, element, "Unknown type '%s' for column '%s'", column.getType(), column.getName());
            }
            if (columns.containsKey(name)) {
                throw semanticException(DUPLICATE_COLUMN_NAME, column, "Column name '%s' specified more than once", column.getName());
            }
            if (!column.isNullable() && !plannerContext.getMetadata().getConnectorCapabilities(session, catalogName).contains(NOT_NULL_COLUMN_CONSTRAINT)) {
                throw semanticException(NOT_SUPPORTED, column, "Catalog '%s' does not support non-null column for column name '%s'", catalogName.getCatalogName(), column.getName());
            }
            Map<String, Object> columnProperties = columnPropertyManager.getProperties(catalogName, column.getProperties(), session, plannerContext, accessControl, parameterLookup, true);
            columns.put(name, ColumnMetadata.builder().setName(name).setType(type).setNullable(column.isNullable()).setComment(column.getComment()).setProperties(columnProperties).build());
        } else if (element instanceof LikeClause) {
            LikeClause likeClause = (LikeClause) element;
            QualifiedObjectName originalLikeTableName = createQualifiedObjectName(session, statement, likeClause.getTableName());
            if (plannerContext.getMetadata().getCatalogHandle(session, originalLikeTableName.getCatalogName()).isEmpty()) {
                throw semanticException(CATALOG_NOT_FOUND, statement, "LIKE table catalog '%s' does not exist", originalLikeTableName.getCatalogName());
            }
            RedirectionAwareTableHandle redirection = plannerContext.getMetadata().getRedirectionAwareTableHandle(session, originalLikeTableName);
            TableHandle likeTable = redirection.getTableHandle().orElseThrow(() -> semanticException(TABLE_NOT_FOUND, statement, "LIKE table '%s' does not exist", originalLikeTableName));
            QualifiedObjectName likeTableName = redirection.getRedirectedTableName().orElse(originalLikeTableName);
            if (!tableName.getCatalogName().equals(likeTableName.getCatalogName())) {
                String message = "CREATE TABLE LIKE across catalogs is not supported";
                if (!originalLikeTableName.equals(likeTableName)) {
                    message += format(". LIKE table '%s' redirected to '%s'.", originalLikeTableName, likeTableName);
                }
                throw semanticException(NOT_SUPPORTED, statement, message);
            }
            TableMetadata likeTableMetadata = plannerContext.getMetadata().getTableMetadata(session, likeTable);
            Optional<LikeClause.PropertiesOption> propertiesOption = likeClause.getPropertiesOption();
            if (propertiesOption.isPresent() && propertiesOption.get() == LikeClause.PropertiesOption.INCLUDING) {
                if (includingProperties) {
                    throw semanticException(NOT_SUPPORTED, statement, "Only one LIKE clause can specify INCLUDING PROPERTIES");
                }
                includingProperties = true;
                inheritedProperties = likeTableMetadata.getMetadata().getProperties();
            }
            try {
                accessControl.checkCanSelectFromColumns(session.toSecurityContext(), likeTableName, likeTableMetadata.getColumns().stream().map(ColumnMetadata::getName).collect(toImmutableSet()));
            } catch (AccessDeniedException e) {
                throw new AccessDeniedException("Cannot reference columns of table " + likeTableName);
            }
            if (propertiesOption.orElse(EXCLUDING) == INCLUDING) {
                try {
                    accessControl.checkCanShowCreateTable(session.toSecurityContext(), likeTableName);
                } catch (AccessDeniedException e) {
                    throw new AccessDeniedException("Cannot reference properties of table " + likeTableName);
                }
            }
            likeTableMetadata.getColumns().stream().filter(column -> !column.isHidden()).forEach(column -> {
                if (columns.containsKey(column.getName().toLowerCase(Locale.ENGLISH))) {
                    throw semanticException(DUPLICATE_COLUMN_NAME, element, "Column name '%s' specified more than once", column.getName());
                }
                columns.put(column.getName().toLowerCase(Locale.ENGLISH), column);
            });
        } else {
            throw new TrinoException(GENERIC_INTERNAL_ERROR, "Invalid TableElement: " + element.getClass().getName());
        }
    }
    Map<String, Object> properties = tablePropertyManager.getProperties(catalogName, statement.getProperties(), session, plannerContext, accessControl, parameterLookup, true);
    accessControl.checkCanCreateTable(session.toSecurityContext(), tableName, properties);
    Set<String> specifiedPropertyKeys = statement.getProperties().stream().map(property -> property.getName().getValue()).collect(toImmutableSet());
    Map<String, Object> finalProperties = combineProperties(specifiedPropertyKeys, properties, inheritedProperties);
    ConnectorTableMetadata tableMetadata = new ConnectorTableMetadata(tableName.asSchemaTableName(), ImmutableList.copyOf(columns.values()), finalProperties, statement.getComment());
    try {
        plannerContext.getMetadata().createTable(session, tableName.getCatalogName(), tableMetadata, statement.isNotExists());
    } catch (TrinoException e) {
        // connectors are not required to handle the ignoreExisting flag
        if (!e.getErrorCode().equals(ALREADY_EXISTS.toErrorCode()) || !statement.isNotExists()) {
            throw e;
        }
    }
    outputConsumer.accept(new Output(tableName.getCatalogName(), tableName.getSchemaName(), tableName.getObjectName(), Optional.of(tableMetadata.getColumns().stream().map(column -> new OutputColumn(new Column(column.getName(), column.getType().toString()), ImmutableSet.of())).collect(toImmutableList()))));
    return immediateVoidFuture();
}
Also used : LikeClause(io.trino.sql.tree.LikeClause) TYPE_NOT_FOUND(io.trino.spi.StandardErrorCode.TYPE_NOT_FOUND) TypeNotFoundException(io.trino.spi.type.TypeNotFoundException) OutputColumn(io.trino.sql.analyzer.OutputColumn) UNKNOWN(io.trino.type.UnknownType.UNKNOWN) ParameterUtils.parameterExtractor(io.trino.sql.ParameterUtils.parameterExtractor) COLUMN_TYPE_UNKNOWN(io.trino.spi.StandardErrorCode.COLUMN_TYPE_UNKNOWN) NOT_SUPPORTED(io.trino.spi.StandardErrorCode.NOT_SUPPORTED) CatalogName(io.trino.connector.CatalogName) Preconditions.checkArgument(com.google.common.base.Preconditions.checkArgument) TABLE_ALREADY_EXISTS(io.trino.spi.StandardErrorCode.TABLE_ALREADY_EXISTS) Locale(java.util.Locale) TABLE_NOT_FOUND(io.trino.spi.StandardErrorCode.TABLE_NOT_FOUND) Map(java.util.Map) ALREADY_EXISTS(io.trino.spi.StandardErrorCode.ALREADY_EXISTS) SemanticExceptions.semanticException(io.trino.sql.analyzer.SemanticExceptions.semanticException) TableElement(io.trino.sql.tree.TableElement) Futures.immediateVoidFuture(com.google.common.util.concurrent.Futures.immediateVoidFuture) ImmutableSet(com.google.common.collect.ImmutableSet) ImmutableMap(com.google.common.collect.ImmutableMap) INCLUDING(io.trino.sql.tree.LikeClause.PropertiesOption.INCLUDING) ImmutableList.toImmutableList(com.google.common.collect.ImmutableList.toImmutableList) TypeSignatureTranslator.toTypeSignature(io.trino.sql.analyzer.TypeSignatureTranslator.toTypeSignature) Set(java.util.Set) TrinoException(io.trino.spi.TrinoException) String.format(java.lang.String.format) DUPLICATE_COLUMN_NAME(io.trino.spi.StandardErrorCode.DUPLICATE_COLUMN_NAME) TableMetadata(io.trino.metadata.TableMetadata) List(java.util.List) CreateTable(io.trino.sql.tree.CreateTable) AccessControl(io.trino.security.AccessControl) Parameter(io.trino.sql.tree.Parameter) RedirectionAwareTableHandle(io.trino.metadata.RedirectionAwareTableHandle) Optional(java.util.Optional) Expression(io.trino.sql.tree.Expression) ColumnPropertyManager(io.trino.metadata.ColumnPropertyManager) Session(io.trino.Session) PlannerContext(io.trino.sql.PlannerContext) AccessDeniedException(io.trino.spi.security.AccessDeniedException) ListenableFuture(com.google.common.util.concurrent.ListenableFuture) ColumnMetadata(io.trino.spi.connector.ColumnMetadata) Type(io.trino.spi.type.Type) ConnectorTableMetadata(io.trino.spi.connector.ConnectorTableMetadata) HashMap(java.util.HashMap) Inject(javax.inject.Inject) LinkedHashMap(java.util.LinkedHashMap) EXCLUDING(io.trino.sql.tree.LikeClause.PropertiesOption.EXCLUDING) ImmutableList(com.google.common.collect.ImmutableList) MetadataUtil.createQualifiedObjectName(io.trino.metadata.MetadataUtil.createQualifiedObjectName) NodeRef(io.trino.sql.tree.NodeRef) Objects.requireNonNull(java.util.Objects.requireNonNull) ImmutableSet.toImmutableSet(com.google.common.collect.ImmutableSet.toImmutableSet) NOT_NULL_COLUMN_CONSTRAINT(io.trino.spi.connector.ConnectorCapabilities.NOT_NULL_COLUMN_CONSTRAINT) CATALOG_NOT_FOUND(io.trino.spi.StandardErrorCode.CATALOG_NOT_FOUND) MetadataUtil.getRequiredCatalogHandle(io.trino.metadata.MetadataUtil.getRequiredCatalogHandle) GENERIC_INTERNAL_ERROR(io.trino.spi.StandardErrorCode.GENERIC_INTERNAL_ERROR) Consumer(java.util.function.Consumer) LikeClause(io.trino.sql.tree.LikeClause) TableHandle(io.trino.metadata.TableHandle) QualifiedObjectName(io.trino.metadata.QualifiedObjectName) TablePropertyManager(io.trino.metadata.TablePropertyManager) WarningCollector(io.trino.execution.warnings.WarningCollector) VisibleForTesting(com.google.common.annotations.VisibleForTesting) Output(io.trino.sql.analyzer.Output) ColumnDefinition(io.trino.sql.tree.ColumnDefinition) ColumnMetadata(io.trino.spi.connector.ColumnMetadata) AccessDeniedException(io.trino.spi.security.AccessDeniedException) TableElement(io.trino.sql.tree.TableElement) LinkedHashMap(java.util.LinkedHashMap) NodeRef(io.trino.sql.tree.NodeRef) OutputColumn(io.trino.sql.analyzer.OutputColumn) Output(io.trino.sql.analyzer.Output) ConnectorTableMetadata(io.trino.spi.connector.ConnectorTableMetadata) TableMetadata(io.trino.metadata.TableMetadata) ConnectorTableMetadata(io.trino.spi.connector.ConnectorTableMetadata) Optional(java.util.Optional) MetadataUtil.createQualifiedObjectName(io.trino.metadata.MetadataUtil.createQualifiedObjectName) QualifiedObjectName(io.trino.metadata.QualifiedObjectName) ColumnDefinition(io.trino.sql.tree.ColumnDefinition) Type(io.trino.spi.type.Type) Expression(io.trino.sql.tree.Expression) TypeNotFoundException(io.trino.spi.type.TypeNotFoundException) OutputColumn(io.trino.sql.analyzer.OutputColumn) TrinoException(io.trino.spi.TrinoException) RedirectionAwareTableHandle(io.trino.metadata.RedirectionAwareTableHandle) TableHandle(io.trino.metadata.TableHandle) CatalogName(io.trino.connector.CatalogName) RedirectionAwareTableHandle(io.trino.metadata.RedirectionAwareTableHandle) VisibleForTesting(com.google.common.annotations.VisibleForTesting)

Aggregations

AccessDeniedException (io.trino.spi.security.AccessDeniedException)19 ForbiddenException (javax.ws.rs.ForbiddenException)7 ResourceSecurity (io.trino.server.security.ResourceSecurity)5 Path (javax.ws.rs.Path)5 QueryInfo (io.trino.execution.QueryInfo)3 NoSuchElementException (java.util.NoSuchElementException)3 GET (javax.ws.rs.GET)3 Test (org.testng.annotations.Test)3 ImmutableList (com.google.common.collect.ImmutableList)2 ImmutableList.toImmutableList (com.google.common.collect.ImmutableList.toImmutableList)2 ImmutableMap (com.google.common.collect.ImmutableMap)2 BasicQueryInfo (io.trino.server.BasicQueryInfo)2 QueryId (io.trino.spi.QueryId)2 InMemoryTransactionManager.createTestTransactionManager (io.trino.transaction.InMemoryTransactionManager.createTestTransactionManager)2 TransactionManager (io.trino.transaction.TransactionManager)2 Principal (java.security.Principal)2 List (java.util.List)2 VisibleForTesting (com.google.common.annotations.VisibleForTesting)1 Preconditions.checkArgument (com.google.common.base.Preconditions.checkArgument)1 Verify.verify (com.google.common.base.Verify.verify)1