Use of io.trino.spi.security.Identity in project trino by trinodb.
Class MetadataManager, method getMaterializedView.
/**
 * Resolves the materialized view {@code viewName} together with the identity its definition runs as.
 * <p>
 * When {@code isCatalogManagedSecurity} reports catalog-managed security the run-as identity is the
 * connector-reported owner, and a missing owner is an {@code INVALID_VIEW} error. Otherwise the system
 * security metadata is consulted first and the connector owner is only a fallback; with neither
 * available the view is rejected as {@code NOT_SUPPORTED}.
 *
 * @return the definition, or empty when the connector does not know the view
 */
@Override
public Optional<MaterializedViewDefinition> getMaterializedView(Session session, QualifiedObjectName viewName)
{
    Optional<ConnectorMaterializedViewDefinition> connectorView = getMaterializedViewInternal(session, viewName);
    if (connectorView.isEmpty()) {
        // nothing to resolve, so the security lookups below are not performed
        return Optional.empty();
    }
    ConnectorMaterializedViewDefinition view = connectorView.get();

    if (isCatalogManagedSecurity(session, viewName.getCatalogName())) {
        String runAsUser = view.getOwner()
                .orElseThrow(() -> new TrinoException(INVALID_VIEW, "Owner not set for a run-as invoker view: " + viewName));
        return Optional.of(new MaterializedViewDefinition(view, Identity.ofUser(runAsUser)));
    }

    // system security metadata wins; the connector owner is only the fallback
    Identity runAsIdentity = systemSecurityMetadata.getViewRunAsIdentity(session, viewName.asCatalogSchemaTableName())
            .or(() -> view.getOwner().map(Identity::ofUser))
            .orElseThrow(() -> new TrinoException(NOT_SUPPORTED, "Materialized view does not have an owner: " + viewName));
    return Optional.of(new MaterializedViewDefinition(view, runAsIdentity));
}
Use of io.trino.spi.security.Identity in project trino by trinodb.
Class OAuth2Authenticator, method createIdentity.
/**
 * Builds the identity for a bearer token, or returns empty when the token yields no claims or the
 * challenge fails.
 * <p>
 * The user is derived from the {@code principalField} claim through the user mapping; the
 * {@code groupsField} claim, when configured and present, supplies the identity's groups.
 *
 * @throws UserMappingException if the principal claim cannot be mapped to a user
 */
@Override
protected Optional<Identity> createIdentity(String token)
        throws UserMappingException
{
    try {
        Optional<Map<String, Object>> claims = service.convertTokenToClaims(token);
        if (claims.isEmpty()) {
            return Optional.empty();
        }
        Map<String, Object> tokenClaims = claims.get();

        // NOTE(review): the principal claim is cast and forwarded without a null or type check; a missing
        // claim reaches userMapping.mapUser as null — confirm the mapping rejects it
        String principal = (String) tokenClaims.get(principalField);
        Identity.Builder identityBuilder = Identity.forUser(userMapping.mapUser(principal));
        identityBuilder.withPrincipal(new BasicPrincipal(principal));

        // map() yields empty for an absent claim; the element type of the claim list is not verified here
        @SuppressWarnings("unchecked")
        Optional<List<String>> groups = groupsField.map(field -> (List<String>) tokenClaims.get(field));
        groups.ifPresent(groupNames -> identityBuilder.withGroups(ImmutableSet.copyOf(groupNames)));

        return Optional.of(identityBuilder.build());
    }
    catch (ChallengeFailedException e) {
        // a failed challenge produces no identity rather than an error for the caller
        return Optional.empty();
    }
}
Use of io.trino.spi.security.Identity in project trino by trinodb.
Class FormWebUiAuthenticationFilter, method handleProtocolLoginRequest.
/**
 * Authenticates a protocol (non-form) login request and records the resulting identity on the request.
 * <p>
 * On an authentication failure a WWW-Authenticate challenge is sent and the request is left
 * unauthenticated. When {@code redirectFormLoginToUi} handles the request, the identity is not recorded.
 */
private static void handleProtocolLoginRequest(Authenticator authenticator, ContainerRequestContext request)
{
    Identity identity;
    try {
        identity = authenticator.authenticate(request);
    }
    catch (AuthenticationException e) {
        // challenge the client instead of failing the request outright
        String message = firstNonNull(e.getMessage(), "Unauthorized");
        sendWwwAuthenticate(request, message, e.getAuthenticateHeader().map(ImmutableSet::of).orElse(ImmutableSet.of()));
        return;
    }

    if (!redirectFormLoginToUi(request)) {
        setAuthenticatedIdentity(request, identity);
    }
}
Use of io.trino.spi.security.Identity in project trino by trinodb.
Class QuerySessionSupplier, method createSession.
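/**
 * Builds the {@link Session} for a query from the request's {@link SessionContext}.
 * <p>
 * Access control runs before anything is assembled: the requested user must be settable for the
 * principal, and when an authenticated identity differs from the requested user, that identity (with
 * its enabled roles applied) must be allowed to impersonate the requested user. Both checks presumably
 * throw on denial, so no session is built for a rejected identity. The remaining builder configuration
 * is split into helpers by concern (catalog/schema, time zone, properties).
 *
 * @param queryId the id assigned to the query
 * @param context the request-scoped session inputs
 * @return the fully configured session
 */
@Override
public Session createSession(QueryId queryId, SessionContext context)
{
    Identity identity = context.getIdentity();
    accessControl.checkCanSetUser(identity.getPrincipal(), identity.getUser());

    // authenticated identity is not present for HTTP or if authentication is not setup
    if (context.getAuthenticatedIdentity().isPresent()) {
        Identity authenticatedIdentity = context.getAuthenticatedIdentity().get();
        // only check impersonation if authenticated user is not the same as the explicitly set user
        if (!authenticatedIdentity.getUser().equals(identity.getUser())) {
            // add enabled roles for authenticated identity, so impersonation permissions can be assigned to roles
            authenticatedIdentity = addEnabledRoles(authenticatedIdentity, context.getSelectedRole(), metadata);
            accessControl.checkCanImpersonateUser(authenticatedIdentity, identity.getUser());
        }
    }

    // add the enabled roles
    identity = addEnabledRoles(identity, context.getSelectedRole(), metadata);

    SessionBuilder sessionBuilder = Session.builder(sessionPropertyManager)
            .setQueryId(queryId)
            .setIdentity(identity)
            .setPath(context.getPath().or(() -> defaultPath).map(SqlPath::new))
            .setSource(context.getSource())
            .setRemoteUserAddress(context.getRemoteUserAddress())
            .setUserAgent(context.getUserAgent())
            .setClientInfo(context.getClientInfo())
            .setClientTags(context.getClientTags())
            .setClientCapabilities(context.getClientCapabilities())
            .setTraceToken(context.getTraceToken())
            .setResourceEstimates(context.getResourceEstimates())
            .setProtocolHeaders(context.getProtocolHeaders());

    applyCatalogAndSchema(sessionBuilder, context);
    applyTimeZone(sessionBuilder, context);
    context.getLanguage().ifPresent(language -> sessionBuilder.setLocale(Locale.forLanguageTag(language)));
    applySessionProperties(sessionBuilder, context);

    if (context.supportClientTransaction()) {
        sessionBuilder.setClientTransactionSupport();
    }
    return sessionBuilder.build();
}

// Uses the request's catalog (and schema) when given, otherwise falls back to the configured defaults.
private void applyCatalogAndSchema(SessionBuilder sessionBuilder, SessionContext context)
{
    if (context.getCatalog().isPresent()) {
        sessionBuilder.setCatalog(context.getCatalog());
        sessionBuilder.setSchema(context.getSchema());
    }
    else {
        defaultCatalog.ifPresent(sessionBuilder::setCatalog);
        defaultSchema.ifPresent(sessionBuilder::setSchema);
    }
}

// Time zone precedence: the forced server setting, then the TIME_ZONE_ID system property, then the
// client's time zone id (which may be absent).
private void applyTimeZone(SessionBuilder sessionBuilder, SessionContext context)
{
    if (forcedSessionTimeZone.isPresent()) {
        sessionBuilder.setTimeZoneKey(forcedSessionTimeZone.get());
        return;
    }
    String sessionTimeZoneId = context.getSystemProperties().get(TIME_ZONE_ID);
    if (sessionTimeZoneId != null) {
        sessionBuilder.setTimeZoneKey(getTimeZoneKey(sessionTimeZoneId));
    }
    else {
        sessionBuilder.setTimeZoneKey(context.getTimeZoneId().map(TimeZoneKey::getTimeZoneKey));
    }
}

// Copies system properties, per-catalog session properties and prepared statements onto the builder.
private static void applySessionProperties(SessionBuilder sessionBuilder, SessionContext context)
{
    for (Entry<String, String> entry : context.getSystemProperties().entrySet()) {
        sessionBuilder.setSystemProperty(entry.getKey(), entry.getValue());
    }
    for (Entry<String, Map<String, String>> catalogProperties : context.getCatalogSessionProperties().entrySet()) {
        String catalog = catalogProperties.getKey();
        for (Entry<String, String> entry : catalogProperties.getValue().entrySet()) {
            sessionBuilder.setCatalogSessionProperty(catalog, entry.getKey(), entry.getValue());
        }
    }
    for (Entry<String, String> preparedStatement : context.getPreparedStatements().entrySet()) {
        sessionBuilder.addPreparedStatement(preparedStatement.getKey(), preparedStatement.getValue());
    }
}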
Use of io.trino.spi.security.Identity in project trino by trinodb.
Class FileBasedSystemAccessControl, method getColumnMask.
/**
 * Returns the column mask for {@code columnName} from the first table rule that matches the caller's
 * user, enabled roles and groups for {@code table}; columns in the {@code INFORMATION_SCHEMA_NAME}
 * schema are never masked. Because the first matching rule wins, the order of the configured table
 * rules is significant.
 */
@Override
public Optional<ViewExpression> getColumnMask(SystemSecurityContext context, CatalogSchemaTableName table, String columnName, Type type)
{
    SchemaTableName tableName = table.getSchemaTableName();
    if (INFORMATION_SCHEMA_NAME.equals(tableName.getSchemaName())) {
        return Optional.empty();
    }

    Identity identity = context.getIdentity();
    String user = identity.getUser();
    // the mask of the first matching rule; that rule may itself define no mask
    Optional<Optional<ViewExpression>> firstMatch = tableRules.stream()
            .filter(rule -> rule.matches(user, identity.getEnabledRoles(), identity.getGroups(), table))
            .map(rule -> rule.getColumnMask(user, table.getCatalogName(), tableName.getSchemaName(), columnName))
            .findFirst();
    return firstMatch.orElse(Optional.empty());
}