Search in sources :

Example 1 with Identity

use of io.trino.spi.security.Identity in project trino by trinodb.

the class MetadataManager method getMaterializedView.

@Override
public Optional<MaterializedViewDefinition> getMaterializedView(Session session, QualifiedObjectName viewName) {
    Optional<ConnectorMaterializedViewDefinition> connectorView = getMaterializedViewInternal(session, viewName);
    if (connectorView.isEmpty() || isCatalogManagedSecurity(session, viewName.getCatalogName())) {
        return connectorView.map(view -> {
            String runAsUser = view.getOwner().orElseThrow(() -> new TrinoException(INVALID_VIEW, "Owner not set for a run-as invoker view: " + viewName));
            return new MaterializedViewDefinition(view, Identity.ofUser(runAsUser));
        });
    }
    Identity runAsIdentity = systemSecurityMetadata.getViewRunAsIdentity(session, viewName.asCatalogSchemaTableName()).or(() -> connectorView.get().getOwner().map(Identity::ofUser)).orElseThrow(() -> new TrinoException(NOT_SUPPORTED, "Materialized view does not have an owner: " + viewName));
    return Optional.of(new MaterializedViewDefinition(connectorView.get(), runAsIdentity));
}
Also used : ConnectorMaterializedViewDefinition(io.trino.spi.connector.ConnectorMaterializedViewDefinition) ConnectorMaterializedViewDefinition(io.trino.spi.connector.ConnectorMaterializedViewDefinition) TrinoException(io.trino.spi.TrinoException) Identity(io.trino.spi.security.Identity)

Example 2 with Identity

use of io.trino.spi.security.Identity in project trino by trinodb.

the class OAuth2Authenticator method createIdentity.

@Override
protected Optional<Identity> createIdentity(String token) throws UserMappingException {
    try {
        Optional<Map<String, Object>> claims = service.convertTokenToClaims(token);
        if (claims.isEmpty()) {
            return Optional.empty();
        }
        String principal = (String) claims.get().get(principalField);
        Identity.Builder builder = Identity.forUser(userMapping.mapUser(principal));
        builder.withPrincipal(new BasicPrincipal(principal));
        groupsField.flatMap(field -> Optional.ofNullable((List<String>) claims.get().get(field))).ifPresent(groups -> builder.withGroups(ImmutableSet.copyOf(groups)));
        return Optional.of(builder.build());
    } catch (ChallengeFailedException e) {
        return Optional.empty();
    }
}
Also used : ImmutableSet(com.google.common.collect.ImmutableSet) UserMapping(io.trino.server.security.UserMapping) UUID(java.util.UUID) UserMapping.createUserMapping(io.trino.server.security.UserMapping.createUserMapping) BasicPrincipal(io.trino.spi.security.BasicPrincipal) String.format(java.lang.String.format) ContainerRequestContext(javax.ws.rs.container.ContainerRequestContext) Inject(javax.inject.Inject) OAuth2TokenExchangeResource.getInitiateUri(io.trino.server.security.oauth2.OAuth2TokenExchangeResource.getInitiateUri) List(java.util.List) AbstractBearerAuthenticator(io.trino.server.security.AbstractBearerAuthenticator) Identity(io.trino.spi.security.Identity) Map(java.util.Map) Objects.requireNonNull(java.util.Objects.requireNonNull) AuthenticationException(io.trino.server.security.AuthenticationException) Optional(java.util.Optional) OAuth2TokenExchangeResource.getTokenUri(io.trino.server.security.oauth2.OAuth2TokenExchangeResource.getTokenUri) URI(java.net.URI) UserMappingException(io.trino.server.security.UserMappingException) BasicPrincipal(io.trino.spi.security.BasicPrincipal) Identity(io.trino.spi.security.Identity) Map(java.util.Map)

Example 3 with Identity

use of io.trino.spi.security.Identity in project trino by trinodb.

the class FormWebUiAuthenticationFilter method handleProtocolLoginRequest.

private static void handleProtocolLoginRequest(Authenticator authenticator, ContainerRequestContext request) {
    Identity authenticatedIdentity;
    try {
        authenticatedIdentity = authenticator.authenticate(request);
    } catch (AuthenticationException e) {
        // authentication failed
        sendWwwAuthenticate(request, firstNonNull(e.getMessage(), "Unauthorized"), e.getAuthenticateHeader().map(ImmutableSet::of).orElse(ImmutableSet.of()));
        return;
    }
    if (redirectFormLoginToUi(request)) {
        return;
    }
    setAuthenticatedIdentity(request, authenticatedIdentity);
}
Also used : AuthenticationException(io.trino.server.security.AuthenticationException) ServletSecurityUtils.setAuthenticatedIdentity(io.trino.server.ServletSecurityUtils.setAuthenticatedIdentity) Identity(io.trino.spi.security.Identity)

Example 4 with Identity

use of io.trino.spi.security.Identity in project trino by trinodb.

the class QuerySessionSupplier method createSession.

@Override
public Session createSession(QueryId queryId, SessionContext context) {
    Identity identity = context.getIdentity();
    accessControl.checkCanSetUser(identity.getPrincipal(), identity.getUser());
    // authenticated identity is not present for HTTP or if authentication is not setup
    if (context.getAuthenticatedIdentity().isPresent()) {
        Identity authenticatedIdentity = context.getAuthenticatedIdentity().get();
        // only check impersonation if authenticated user is not the same as the explicitly set user
        if (!authenticatedIdentity.getUser().equals(identity.getUser())) {
            // add enabled roles for authenticated identity, so impersonation permissions can be assigned to roles
            authenticatedIdentity = addEnabledRoles(authenticatedIdentity, context.getSelectedRole(), metadata);
            accessControl.checkCanImpersonateUser(authenticatedIdentity, identity.getUser());
        }
    }
    // add the enabled roles
    identity = addEnabledRoles(identity, context.getSelectedRole(), metadata);
    SessionBuilder sessionBuilder = Session.builder(sessionPropertyManager).setQueryId(queryId).setIdentity(identity).setPath(context.getPath().or(() -> defaultPath).map(SqlPath::new)).setSource(context.getSource()).setRemoteUserAddress(context.getRemoteUserAddress()).setUserAgent(context.getUserAgent()).setClientInfo(context.getClientInfo()).setClientTags(context.getClientTags()).setClientCapabilities(context.getClientCapabilities()).setTraceToken(context.getTraceToken()).setResourceEstimates(context.getResourceEstimates()).setProtocolHeaders(context.getProtocolHeaders());
    if (context.getCatalog().isPresent()) {
        sessionBuilder.setCatalog(context.getCatalog());
        sessionBuilder.setSchema(context.getSchema());
    } else {
        defaultCatalog.ifPresent(sessionBuilder::setCatalog);
        defaultSchema.ifPresent(sessionBuilder::setSchema);
    }
    if (forcedSessionTimeZone.isPresent()) {
        sessionBuilder.setTimeZoneKey(forcedSessionTimeZone.get());
    } else {
        String sessionTimeZoneId = context.getSystemProperties().get(TIME_ZONE_ID);
        if (sessionTimeZoneId != null) {
            sessionBuilder.setTimeZoneKey(getTimeZoneKey(sessionTimeZoneId));
        } else {
            sessionBuilder.setTimeZoneKey(context.getTimeZoneId().map(TimeZoneKey::getTimeZoneKey));
        }
    }
    context.getLanguage().ifPresent(s -> sessionBuilder.setLocale(Locale.forLanguageTag(s)));
    for (Entry<String, String> entry : context.getSystemProperties().entrySet()) {
        sessionBuilder.setSystemProperty(entry.getKey(), entry.getValue());
    }
    for (Entry<String, Map<String, String>> catalogProperties : context.getCatalogSessionProperties().entrySet()) {
        String catalog = catalogProperties.getKey();
        for (Entry<String, String> entry : catalogProperties.getValue().entrySet()) {
            sessionBuilder.setCatalogSessionProperty(catalog, entry.getKey(), entry.getValue());
        }
    }
    for (Entry<String, String> preparedStatement : context.getPreparedStatements().entrySet()) {
        sessionBuilder.addPreparedStatement(preparedStatement.getKey(), preparedStatement.getValue());
    }
    if (context.supportClientTransaction()) {
        sessionBuilder.setClientTransactionSupport();
    }
    return sessionBuilder.build();
}
Also used : SqlPath(io.trino.sql.SqlPath) SessionBuilder(io.trino.Session.SessionBuilder) Identity(io.trino.spi.security.Identity) Map(java.util.Map)

Example 5 with Identity

use of io.trino.spi.security.Identity in project trino by trinodb.

the class FileBasedSystemAccessControl method getColumnMask.

@Override
public Optional<ViewExpression> getColumnMask(SystemSecurityContext context, CatalogSchemaTableName table, String columnName, Type type) {
    SchemaTableName tableName = table.getSchemaTableName();
    if (INFORMATION_SCHEMA_NAME.equals(tableName.getSchemaName())) {
        return Optional.empty();
    }
    Identity identity = context.getIdentity();
    return tableRules.stream().filter(rule -> rule.matches(identity.getUser(), identity.getEnabledRoles(), identity.getGroups(), table)).map(rule -> rule.getColumnMask(identity.getUser(), table.getCatalogName(), table.getSchemaTableName().getSchemaName(), columnName)).findFirst().flatMap(Function.identity());
}
Also used : AccessDeniedException.denyReadSystemInformationAccess(io.trino.spi.security.AccessDeniedException.denyReadSystemInformationAccess) AccessDeniedException.denyDropTable(io.trino.spi.security.AccessDeniedException.denyDropTable) AccessDeniedException.denyGrantSchemaPrivilege(io.trino.spi.security.AccessDeniedException.denyGrantSchemaPrivilege) AccessDeniedException.denySetMaterializedViewProperties(io.trino.spi.security.AccessDeniedException.denySetMaterializedViewProperties) Suppliers.memoizeWithExpiration(com.google.common.base.Suppliers.memoizeWithExpiration) AccessDeniedException.denyInsertTable(io.trino.spi.security.AccessDeniedException.denyInsertTable) AccessDeniedException.denyShowCreateTable(io.trino.spi.security.AccessDeniedException.denyShowCreateTable) SystemSecurityContext(io.trino.spi.security.SystemSecurityContext) ALL(io.trino.plugin.base.security.CatalogAccessControlRule.AccessMode.ALL) AccessDeniedException.denySetSystemSessionProperty(io.trino.spi.security.AccessDeniedException.denySetSystemSessionProperty) AccessDeniedException.denyUpdateTableColumns(io.trino.spi.security.AccessDeniedException.denyUpdateTableColumns) Map(java.util.Map) AccessDeniedException.denyCreateTable(io.trino.spi.security.AccessDeniedException.denyCreateTable) AccessDeniedException.denyDeleteTable(io.trino.spi.security.AccessDeniedException.denyDeleteTable) AccessDeniedException.denyRenameSchema(io.trino.spi.security.AccessDeniedException.denyRenameSchema) AccessDeniedException.denyShowColumns(io.trino.spi.security.AccessDeniedException.denyShowColumns) AccessDeniedException.denyRenameMaterializedView(io.trino.spi.security.AccessDeniedException.denyRenameMaterializedView) OWNERSHIP(io.trino.plugin.base.security.TableAccessControlRule.TablePrivilege.OWNERSHIP) AccessDeniedException.denyDropSchema(io.trino.spi.security.AccessDeniedException.denyDropSchema) Set(java.util.Set) MILLISECONDS(java.util.concurrent.TimeUnit.MILLISECONDS) SchemaTableName(io.trino.spi.connector.SchemaTableName) AccessDeniedException.denyShowCreateSchema(io.trino.spi.security.AccessDeniedException.denyShowCreateSchema) TablePrivilege(io.trino.plugin.base.security.TableAccessControlRule.TablePrivilege) TrinoPrincipal(io.trino.spi.security.TrinoPrincipal) AccessDeniedException.denyRefreshMaterializedView(io.trino.spi.security.AccessDeniedException.denyRefreshMaterializedView) CatalogSchemaTableName(io.trino.spi.connector.CatalogSchemaTableName) AccessDeniedException.denyCreateRole(io.trino.spi.security.AccessDeniedException.denyCreateRole) Bootstrap(io.airlift.bootstrap.Bootstrap) ConfigBinder.configBinder(io.airlift.configuration.ConfigBinder.configBinder) AccessDeniedException.denyDenySchemaPrivilege(io.trino.spi.security.AccessDeniedException.denyDenySchemaPrivilege) AccessDeniedException.denySetUser(io.trino.spi.security.AccessDeniedException.denySetUser) AccessDeniedException.denyDenyTablePrivilege(io.trino.spi.security.AccessDeniedException.denyDenyTablePrivilege) AccessDeniedException.denyDropColumn(io.trino.spi.security.AccessDeniedException.denyDropColumn) SystemAccessControl(io.trino.spi.security.SystemAccessControl) AccessDeniedException.denySetViewAuthorization(io.trino.spi.security.AccessDeniedException.denySetViewAuthorization) AccessDeniedException.denySetSchemaAuthorization(io.trino.spi.security.AccessDeniedException.denySetSchemaAuthorization) AccessDeniedException.denyDropMaterializedView(io.trino.spi.security.AccessDeniedException.denyDropMaterializedView) Identity(io.trino.spi.security.Identity) ImmutableSet.toImmutableSet(com.google.common.collect.ImmutableSet.toImmutableSet) AccessDeniedException.denyViewQuery(io.trino.spi.security.AccessDeniedException.denyViewQuery) AccessDeniedException.denySelectTable(io.trino.spi.security.AccessDeniedException.denySelectTable) AccessDeniedException.denyCreateView(io.trino.spi.security.AccessDeniedException.denyCreateView) AccessDeniedException.denyCommentTable(io.trino.spi.security.AccessDeniedException.denyCommentTable) READ_ONLY(io.trino.plugin.base.security.CatalogAccessControlRule.AccessMode.READ_ONLY) UPDATE(io.trino.plugin.base.security.TableAccessControlRule.TablePrivilege.UPDATE) AccessDeniedException.denyRenameColumn(io.trino.spi.security.AccessDeniedException.denyRenameColumn) Paths(java.nio.file.Paths) AccessDeniedException.denyCatalogAccess(io.trino.spi.security.AccessDeniedException.denyCatalogAccess) AccessDeniedException.denyRenameView(io.trino.spi.security.AccessDeniedException.denyRenameView) AccessMode(io.trino.plugin.base.security.CatalogAccessControlRule.AccessMode) EventListener(io.trino.spi.eventlistener.EventListener) AccessDeniedException.denyAddColumn(io.trino.spi.security.AccessDeniedException.denyAddColumn) AccessDeniedException.denySetCatalogSessionProperty(io.trino.spi.security.AccessDeniedException.denySetCatalogSessionProperty) AccessDeniedException.denySetTableProperties(io.trino.spi.security.AccessDeniedException.denySetTableProperties) Duration(io.airlift.units.Duration) AccessDeniedException.denyRevokeTablePrivilege(io.trino.spi.security.AccessDeniedException.denyRevokeTablePrivilege) INSERT(io.trino.plugin.base.security.TableAccessControlRule.TablePrivilege.INSERT) DELETE(io.trino.plugin.base.security.TableAccessControlRule.TablePrivilege.DELETE) JsonUtils.parseJson(io.trino.plugin.base.util.JsonUtils.parseJson) AccessDeniedException.denyCreateSchema(io.trino.spi.security.AccessDeniedException.denyCreateSchema) CatalogSchemaName(io.trino.spi.connector.CatalogSchemaName) CatalogSchemaRoutineName(io.trino.spi.connector.CatalogSchemaRoutineName) AccessDeniedException.denyCreateMaterializedView(io.trino.spi.security.AccessDeniedException.denyCreateMaterializedView) AccessDeniedException.denyDropView(io.trino.spi.security.AccessDeniedException.denyDropView) AccessDeniedException.denyShowSchemas(io.trino.spi.security.AccessDeniedException.denyShowSchemas) ImmutableSet(com.google.common.collect.ImmutableSet) AccessDeniedException.denySetTableAuthorization(io.trino.spi.security.AccessDeniedException.denySetTableAuthorization) Predicate(java.util.function.Predicate) AccessDeniedException.denyTruncateTable(io.trino.spi.security.AccessDeniedException.denyTruncateTable) ViewExpression(io.trino.spi.security.ViewExpression) TrinoException(io.trino.spi.TrinoException) String.format(java.lang.String.format) List(java.util.List) Principal(java.security.Principal) Optional(java.util.Optional) SystemAccessControlFactory(io.trino.spi.security.SystemAccessControlFactory) Pattern(java.util.regex.Pattern) SELECT(io.trino.plugin.base.security.TableAccessControlRule.TablePrivilege.SELECT) GRANT_SELECT(io.trino.plugin.base.security.TableAccessControlRule.TablePrivilege.GRANT_SELECT) Logger(io.airlift.log.Logger) AccessDeniedException.denyRevokeSchemaPrivilege(io.trino.spi.security.AccessDeniedException.denyRevokeSchemaPrivilege) AccessDeniedException.denyWriteSystemInformationAccess(io.trino.spi.security.AccessDeniedException.denyWriteSystemInformationAccess) Type(io.trino.spi.type.Type) AccessDeniedException.denyDropRole(io.trino.spi.security.AccessDeniedException.denyDropRole) Function(java.util.function.Function) AccessDeniedException.denyCommentColumn(io.trino.spi.security.AccessDeniedException.denyCommentColumn) AccessDeniedException.denyCreateViewWithSelect(io.trino.spi.security.AccessDeniedException.denyCreateViewWithSelect) CONFIGURATION_INVALID(io.trino.spi.StandardErrorCode.CONFIGURATION_INVALID) ImmutableList(com.google.common.collect.ImmutableList) AccessDeniedException.denyShowTables(io.trino.spi.security.AccessDeniedException.denyShowTables) Objects.requireNonNull(java.util.Objects.requireNonNull) AccessDeniedException.denyRevokeRoles(io.trino.spi.security.AccessDeniedException.denyRevokeRoles) Privilege(io.trino.spi.security.Privilege) AccessDeniedException.denyRenameTable(io.trino.spi.security.AccessDeniedException.denyRenameTable) AccessDeniedException.denyShowRoleAuthorizationDescriptors(io.trino.spi.security.AccessDeniedException.denyShowRoleAuthorizationDescriptors) AccessDeniedException.denyImpersonateUser(io.trino.spi.security.AccessDeniedException.denyImpersonateUser) Injector(com.google.inject.Injector) AccessDeniedException.denyGrantRoles(io.trino.spi.security.AccessDeniedException.denyGrantRoles) SECURITY_REFRESH_PERIOD(io.trino.plugin.base.security.FileBasedAccessControlConfig.SECURITY_REFRESH_PERIOD) AccessDeniedException.denyGrantTablePrivilege(io.trino.spi.security.AccessDeniedException.denyGrantTablePrivilege) Identity(io.trino.spi.security.Identity) SchemaTableName(io.trino.spi.connector.SchemaTableName) CatalogSchemaTableName(io.trino.spi.connector.CatalogSchemaTableName)

Aggregations

Identity (io.trino.spi.security.Identity)28 Objects.requireNonNull (java.util.Objects.requireNonNull)13 ImmutableSet (com.google.common.collect.ImmutableSet)12 List (java.util.List)12 Map (java.util.Map)12 Optional (java.util.Optional)12 SystemSecurityContext (io.trino.spi.security.SystemSecurityContext)10 Principal (java.security.Principal)10 Set (java.util.Set)10 ImmutableList (com.google.common.collect.ImmutableList)9 String.format (java.lang.String.format)9 TrinoException (io.trino.spi.TrinoException)8 SystemAccessControl (io.trino.spi.security.SystemAccessControl)8 Paths (java.nio.file.Paths)8 AccessDeniedException.denyImpersonateUser (io.trino.spi.security.AccessDeniedException.denyImpersonateUser)7 AccessDeniedException.denyReadSystemInformationAccess (io.trino.spi.security.AccessDeniedException.denyReadSystemInformationAccess)7 Pattern (java.util.regex.Pattern)7 CatalogSchemaName (io.trino.spi.connector.CatalogSchemaName)6 CatalogSchemaTableName (io.trino.spi.connector.CatalogSchemaTableName)6 Suppliers.memoizeWithExpiration (com.google.common.base.Suppliers.memoizeWithExpiration)5