Use of io.trino.spi.security.Identity in the trino project (trinodb): class FileBasedSystemAccessControl, method checkCanSelectFromColumns.
@Override
public void checkCanSelectFromColumns(SystemSecurityContext context, CatalogSchemaTableName table, Set<String> columns) {
    // Catalog-level gate comes first and applies to every schema, including
    // information_schema: without at least READ_ONLY access to the catalog the
    // select is denied before any table rule is consulted.
    if (!canAccessCatalog(context, table.getCatalogName(), READ_ONLY)) {
        denySelectTable(table.toString());
    }
    // information_schema is exempt from table/column rules once the catalog is readable.
    String schemaName = table.getSchemaTableName().getSchemaName();
    if (INFORMATION_SCHEMA_NAME.equals(schemaName)) {
        return;
    }
    // First rule matching (user, enabled roles, groups, table) decides; later rules are
    // never consulted. No matching rule means default deny.
    Identity identity = context.getIdentity();
    boolean permitted = tableRules.stream()
            .filter(rule -> rule.matches(identity.getUser(), identity.getEnabledRoles(), identity.getGroups(), table))
            .findFirst()
            .map(rule -> rule.canSelectColumns(columns))
            .orElse(false);
    if (!permitted) {
        denySelectTable(table.toString());
    }
}
Use of io.trino.spi.security.Identity in the trino project (trinodb): class FileBasedSystemAccessControl, method checkCanImpersonateUser.
@Override
public void checkCanImpersonateUser(SystemSecurityContext context, String userName) {
    Identity identity = context.getIdentity();
    String requester = identity.getUser();

    if (impersonationRules.isEmpty()) {
        // No impersonation rules configured. If principal-user match rules exist the
        // check is assumed to be handled by them and impersonation is allowed here;
        // with neither kind of rule present, impersonation is denied.
        if (principalUserMatchRules.isEmpty()) {
            denyImpersonateUser(requester, userName);
        }
        return;
    }

    // First rule that matches (requester, enabled roles, target user) decides the outcome;
    // rules that return an empty decision are skipped.
    for (ImpersonationRule rule : impersonationRules.get()) {
        Optional<Boolean> decision = rule.match(requester, identity.getEnabledRoles(), userName);
        if (!decision.isPresent()) {
            continue;
        }
        if (decision.get()) {
            return;
        }
        denyImpersonateUser(requester, userName);
    }

    // Default deny: impersonation rules exist but none of them matched.
    denyImpersonateUser(requester, userName);
}
Use of io.trino.spi.security.Identity in the trino project (trinodb): class FileBasedSystemAccessControl, method getRowFilter.
@Override
public Optional<ViewExpression> getRowFilter(SystemSecurityContext context, CatalogSchemaTableName table) {
    SchemaTableName schemaTable = table.getSchemaTableName();
    String schemaName = schemaTable.getSchemaName();

    // Rows of information_schema are never filtered.
    if (INFORMATION_SCHEMA_NAME.equals(schemaName)) {
        return Optional.empty();
    }

    // Only the first rule matching (user, enabled roles, groups, table) is asked for a
    // filter; if no rule matches, or the matching rule has no filter, the result is empty
    // (i.e. no row filtering is applied).
    Identity identity = context.getIdentity();
    String user = identity.getUser();
    return tableRules.stream()
            .filter(rule -> rule.matches(user, identity.getEnabledRoles(), identity.getGroups(), table))
            .findFirst()
            .flatMap(rule -> rule.getFilter(user, table.getCatalogName(), schemaName));
}
Use of io.trino.spi.security.Identity in the trino project (trinodb): class QueuedStatementResource, method registerQuery.
private Query registerQuery(String statement, HttpServletRequest servletRequest, HttpHeaders httpHeaders) {
    // The identity is read from the request attribute set by the authentication layer;
    // a missing attribute yields an empty Optional rather than a failure here.
    Identity authenticatedIdentity = (Identity) servletRequest.getAttribute(AUTHENTICATED_IDENTITY);
    Optional<String> clientAddress = Optional.ofNullable(servletRequest.getRemoteAddr());

    SessionContext sessionContext = sessionContextFactory.createSessionContext(
            httpHeaders.getRequestHeaders(),
            alternateHeaderName,
            clientAddress,
            Optional.ofNullable(authenticatedIdentity));

    Query query = new Query(statement, sessionContext, dispatchManager, queryInfoUrlFactory);
    queryManager.registerQuery(query);

    // Null out the attribute: from here on the query owns the identity's lifecycle, and the
    // authentication filter is expected to treat a null attribute as "already handed off"
    // (presumably so it does not tear the identity down on its own exit — verify against the filter).
    servletRequest.setAttribute(AUTHENTICATED_IDENTITY, null);
    return query;
}
Use of io.trino.spi.security.Identity in the trino project (trinodb): class TestResourceSecurity, method testOAuth2Groups.
@Test(dataProvider = "groups")
public void testOAuth2Groups(Optional<Set<String>> groups) throws Exception {
    // Verifies that the groups claim of an OAuth2 access token is surfaced as the
    // authenticated identity's groups, both over the protocol endpoint (bearer token)
    // and over the web UI endpoint (token carried in the OAuth2 cookie).
    try (TokenServer tokenServer = new TokenServer(Optional.empty());
         TestingTrinoServer server = TestingTrinoServer.builder()
                 .setProperties(ImmutableMap.<String, String>builder()
                         .putAll(SECURE_PROPERTIES)
                         .put("web-ui.enabled", "true")
                         .put("http-server.authentication.type", "oauth2")
                         .putAll(getOAuth2Properties(tokenServer))
                         .put("http-server.authentication.oauth2.groups-field", GROUPS_CLAIM)
                         .buildOrThrow())
                 .setAdditionalModule(oauth2Module(tokenServer))
                 .build()) {
        // Impersonation is disabled so the reported identity must be exactly the token subject.
        server.getInstance(Key.get(AccessControlManager.class)).addSystemAccessControl(TestSystemAccessControl.NO_IMPERSONATION);
        HttpServerInfo serverInfo = server.getInstance(Key.get(HttpServerInfo.class));

        String accessToken = tokenServer.issueAccessToken(groups);
        String expectedGroupsHeader = groups.map(TestResource::toHeader).orElse("");

        // 1) Bearer token in the Authorization header against the protocol endpoint.
        OkHttpClient bearerClient = client.newBuilder()
                .authenticator((route, response) -> response.request()
                        .newBuilder()
                        .header(AUTHORIZATION, "Bearer " + accessToken)
                        .build())
                .build();
        assertAuthenticationAutomatic(serverInfo.getHttpsUri(), bearerClient);

        Request protocolIdentityRequest = new Request.Builder()
                .url(getLocation(serverInfo.getHttpsUri(), "/protocol/identity"))
                .build();
        try (Response response = bearerClient.newCall(protocolIdentityRequest).execute()) {
            assertEquals(response.code(), SC_OK);
            assertEquals(response.header("user"), TEST_USER);
            assertEquals(response.header("principal"), TEST_USER);
            assertEquals(response.header("groups"), expectedGroupsHeader);
        }

        // 2) Same token carried in the (HttpOnly, Secure) OAuth2 cookie against the UI endpoint.
        Cookie oauthCookie = new Cookie.Builder()
                .domain(serverInfo.getHttpsUri().getHost())
                .path(UI_LOCATION)
                .name(OAUTH2_COOKIE)
                .value(accessToken)
                .httpOnly()
                .secure()
                .build();
        OkHttpClient cookieClient = client.newBuilder()
                .cookieJar(new CookieJar() {
                    @Override
                    public void saveFromResponse(HttpUrl url, List<Cookie> cookies) {
                        // Cookies sent back by the server are intentionally ignored.
                    }

                    @Override
                    public List<Cookie> loadForRequest(HttpUrl url) {
                        return ImmutableList.of(oauthCookie);
                    }
                })
                .build();

        Request uiIdentityRequest = new Request.Builder()
                .url(getLocation(serverInfo.getHttpsUri(), "/ui/api/identity"))
                .build();
        try (Response response = cookieClient.newCall(uiIdentityRequest).execute()) {
            assertEquals(response.code(), SC_OK);
            assertEquals(response.header("user"), TEST_USER);
            assertEquals(response.header("principal"), TEST_USER);
            assertEquals(response.header("groups"), expectedGroupsHeader);
        }
    }
}