Use of io.trino.spi.security.Identity in the trino project by trinodb.
Class TestWebUi, method testCustomPrincipalField.
@Test
public void testCustomPrincipalField()
        throws Exception
{
    // The token subject is deliberately not the expected user: the principal must be taken
    // from the "preferred_username" claim (configured as the principal field below), and the
    // user-mapping pattern "(.*)@.*" reduces that e-mail address to its local part.
    String token = createTokenBuilder()
            .setSubject("unknown")
            .addClaims(ImmutableMap.of("preferred_username", "test-user@email.com"))
            .compact();

    TestingHttpServer jwkServer = createTestingJwkServer();
    jwkServer.start();
    try {
        ImmutableMap<String, String> properties = ImmutableMap.<String, String>builder()
                .putAll(OAUTH2_PROPERTIES)
                .put("http-server.authentication.oauth2.jwks-url", jwkServer.getBaseUrl().toString())
                .put("http-server.authentication.oauth2.principal-field", "preferred_username")
                .put("http-server.authentication.oauth2.user-mapping.pattern", "(.*)@.*")
                .buildOrThrow();
        try (TestingTrinoServer server = TestingTrinoServer.builder()
                .setProperties(properties)
                .setAdditionalModule(binder -> {
                    newOptionalBinder(binder, OAuth2Client.class).setBinding().toInstance(new OAuth2ClientStub(token));
                    jaxrsBinder(binder).bind(AuthenticatedIdentityCapturingFilter.class);
                })
                .build()) {
            HttpServerInfo httpServerInfo = server.getInstance(Key.get(HttpServerInfo.class));
            assertAuth2Authentication(httpServerInfo, token);

            // The captured identity carries the mapped user and the unmapped principal.
            Identity identity = server.getInstance(Key.get(AuthenticatedIdentityCapturingFilter.class)).getAuthenticatedIdentity();
            assertThat(identity.getUser()).isEqualTo("test-user");
            assertThat(identity.getPrincipal()).isEqualTo(Optional.of(new BasicPrincipal("test-user@email.com")));
        }
    }
    finally {
        // The JWK server is started outside the resource block, so it is stopped here regardless of outcome.
        jwkServer.stop();
    }
}
Use of io.trino.spi.security.Identity in the trino project by trinodb.
Class TestSessionFunctions, method testCurrentGroups.
@Test
public void testCurrentGroups()
{
    // An identity without groups: current_groups() yields an empty VARCHAR array.
    Identity noGroups = Identity.ofUser("test_current_user");
    Session sessionWithoutGroups = testSessionBuilder().setIdentity(noGroups).build();
    try (QueryAssertions assertions = new QueryAssertions(sessionWithoutGroups)) {
        assertThat(assertions.query("SELECT current_groups()"))
                .matches("SELECT CAST(ARRAY[] AS ARRAY(VARCHAR))");
    }

    // The same user with groups: the sorted result lists exactly those groups.
    Set<String> groups = ImmutableSet.of("group_a", "group_b");
    Identity withGroups = new Identity.Builder("test_current_user").withGroups(groups).build();
    Session sessionWithGroups = testSessionBuilder().setIdentity(withGroups).build();
    // Each group name is rendered as a quoted SQL literal, joined by commas.
    String quotedGroups = groups.stream()
            .map(group -> format("'%s'", group))
            .collect(joining(","));
    try (QueryAssertions assertions = new QueryAssertions(sessionWithGroups)) {
        assertThat(assertions.query("SELECT array_sort(current_groups())"))
                .matches(format("SELECT CAST(ARRAY[%s] AS ARRAY(VARCHAR))", quotedGroups));
    }
}
Use of io.trino.spi.security.Identity in the trino project by trinodb.
Class TestFileBasedSystemAccessControl, method testQuery.
@Test
public void testQuery()
{
    SystemAccessControl accessControl = newFileBasedSystemAccessControl("query.json");
    ImmutableSet<String> twoQueries = ImmutableSet.of("a", "b");

    // admin: may execute, view and kill any query; the view filter keeps everything.
    SystemSecurityContext adminContext = new SystemSecurityContext(admin, queryId);
    accessControl.checkCanExecuteQuery(adminContext);
    accessControl.checkCanViewQueryOwnedBy(adminContext, any);
    assertEquals(accessControl.filterViewQueryOwnedBy(adminContext, twoQueries), twoQueries);
    accessControl.checkCanKillQueryOwnedBy(adminContext, any);

    // alice: may execute and view any query, but is denied kill.
    SystemSecurityContext aliceContext = new SystemSecurityContext(alice, queryId);
    accessControl.checkCanExecuteQuery(aliceContext);
    accessControl.checkCanViewQueryOwnedBy(aliceContext, any);
    assertEquals(accessControl.filterViewQueryOwnedBy(aliceContext, twoQueries), twoQueries);
    assertThatThrownBy(() -> accessControl.checkCanKillQueryOwnedBy(aliceContext, any))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage("Access Denied: Cannot view query");

    // bob: denied execute and view (the filter drops everything), yet allowed to kill.
    // Every denial here, including the kill denials below, carries the "Cannot view query" text.
    SystemSecurityContext bobContext = new SystemSecurityContext(bob, queryId);
    assertThatThrownBy(() -> accessControl.checkCanExecuteQuery(bobContext))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage("Access Denied: Cannot view query");
    assertThatThrownBy(() -> accessControl.checkCanViewQueryOwnedBy(bobContext, any))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage("Access Denied: Cannot view query");
    assertEquals(accessControl.filterViewQueryOwnedBy(bobContext, twoQueries), ImmutableSet.of());
    accessControl.checkCanKillQueryOwnedBy(bobContext, any);

    // dave: may view alice's and his own queries only, and may not kill alice's or bob's.
    SystemSecurityContext daveContext = new SystemSecurityContext(dave, queryId);
    accessControl.checkCanExecuteQuery(daveContext);
    accessControl.checkCanViewQueryOwnedBy(daveContext, alice);
    accessControl.checkCanViewQueryOwnedBy(daveContext, dave);
    assertEquals(
            accessControl.filterViewQueryOwnedBy(daveContext, ImmutableSet.of("alice", "bob", "dave", "admin")),
            ImmutableSet.of("alice", "dave"));
    assertThatThrownBy(() -> accessControl.checkCanKillQueryOwnedBy(daveContext, alice))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage("Access Denied: Cannot view query");
    assertThatThrownBy(() -> accessControl.checkCanKillQueryOwnedBy(daveContext, bob))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage("Access Denied: Cannot view query");
    assertThatThrownBy(() -> accessControl.checkCanViewQueryOwnedBy(daveContext, bob))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage("Access Denied: Cannot view query");
    assertThatThrownBy(() -> accessControl.checkCanViewQueryOwnedBy(daveContext, admin))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage("Access Denied: Cannot view query");

    // A user matched only through the "contractors" group: may execute and view dave's
    // queries, but not kill them.
    Identity contractor = Identity.forUser("some-other-contractor")
            .withGroups(ImmutableSet.of("contractors"))
            .build();
    SystemSecurityContext contractorContext = new SystemSecurityContext(contractor, queryId);
    accessControl.checkCanExecuteQuery(contractorContext);
    accessControl.checkCanViewQueryOwnedBy(contractorContext, dave);
    assertThatThrownBy(() -> accessControl.checkCanKillQueryOwnedBy(contractorContext, dave))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage("Access Denied: Cannot view query");

    // A user with a non-ASCII name passes the same checks as admin.
    SystemSecurityContext nonAsciiContext = new SystemSecurityContext(nonAsciiUser, queryId);
    accessControl.checkCanExecuteQuery(nonAsciiContext);
    accessControl.checkCanViewQueryOwnedBy(nonAsciiContext, any);
    assertEquals(accessControl.filterViewQueryOwnedBy(nonAsciiContext, twoQueries), twoQueries);
    accessControl.checkCanKillQueryOwnedBy(nonAsciiContext, any);
}
Use of io.trino.spi.security.Identity in the trino project by trinodb.
Class TestResourceSecurity, method testPasswordAuthenticatorUserMapping.
@Test
public void testPasswordAuthenticatorUserMapping()
        throws Exception
{
    // Password authentication with a user-mapping pattern applied to the login name.
    ImmutableMap<String, String> properties = ImmutableMap.<String, String>builder()
            .putAll(SECURE_PROPERTIES)
            .put("password-authenticator.config-files", passwordConfigDummy.toString())
            .put("http-server.authentication.type", "password")
            .put("http-server.authentication.password.user-mapping.pattern", ALLOWED_USER_MAPPING_PATTERN)
            .buildOrThrow();
    try (TestingTrinoServer server = TestingTrinoServer.builder()
            .setProperties(properties)
            .setAdditionalModule(binder -> jaxrsBinder(binder).bind(TestResource.class))
            .build()) {
        server.getInstance(Key.get(PasswordAuthenticatorManager.class)).setAuthenticators(TestResourceSecurity::authenticate);
        server.getInstance(Key.get(AccessControlManager.class)).addSystemAccessControl(TestSystemAccessControl.WITH_IMPERSONATION);
        HttpServerInfo httpServerInfo = server.getInstance(Key.get(HttpServerInfo.class));

        // The request sends both basic-auth credentials and X-Trino-User while the authenticator
        // performs user mapping. Normally that would trigger an impersonation check against the
        // X-Trino-User value, but the password authenticator has a hack that clears X-Trino-User
        // in this case.
        Request request = new Request.Builder()
                .url(getLocation(httpServerInfo.getHttpsUri(), "/protocol/identity"))
                .addHeader("Authorization", Credentials.basic(TEST_USER_LOGIN, TEST_PASSWORD))
                .addHeader("X-Trino-User", TEST_USER_LOGIN)
                .build();
        try (Response response = client.newCall(request).execute()) {
            assertEquals(response.code(), SC_OK);
            // The reported user is the mapped name; the principal stays the original login.
            assertEquals(response.header("user"), TEST_USER);
            assertEquals(response.header("principal"), TEST_USER_LOGIN);
        }
    }
}
Use of io.trino.spi.security.Identity in the trino project by trinodb.
Class TestAccessControlManager, method testReadOnlySystemAccessControl.
@Test
public void testReadOnlySystemAccessControl()
{
    Identity identity = Identity.forUser(USER_NAME).withPrincipal(PRINCIPAL).build();
    QualifiedObjectName table = new QualifiedObjectName("catalog", "schema", "table");
    TransactionManager transactionManager = createTestTransactionManager();
    AccessControlManager accessControl = createAccessControlManager(transactionManager);
    accessControl.setSystemAccessControl(ReadOnlySystemAccessControl.NAME, ImmutableMap.of());

    // Session-level checks outside a transaction are allowed.
    accessControl.checkCanSetUser(Optional.of(PRINCIPAL), USER_NAME);
    accessControl.checkCanSetSystemSessionProperty(identity, "property");

    // Read-only checks inside a transaction are allowed, and the filters pass input through.
    transaction(transactionManager, accessControl).execute(transactionId -> {
        SecurityContext context = new SecurityContext(transactionId, identity, queryId);
        accessControl.checkCanSetCatalogSessionProperty(context, "catalog", "property");
        accessControl.checkCanShowSchemas(context, "catalog");
        accessControl.checkCanShowTables(context, new CatalogSchemaName("catalog", "schema"));
        accessControl.checkCanSelectFromColumns(context, table, ImmutableSet.of("column"));
        accessControl.checkCanCreateViewWithSelectFromColumns(context, table, ImmutableSet.of("column"));
        accessControl.checkCanGrantExecuteFunctionPrivilege(context, "function", Identity.ofUser("bob"), false);
        accessControl.checkCanGrantExecuteFunctionPrivilege(context, "function", Identity.ofUser("bob"), true);

        Set<String> catalogs = ImmutableSet.of("catalog");
        assertEquals(accessControl.filterCatalogs(context, catalogs), catalogs);
        Set<String> schemas = ImmutableSet.of("schema");
        assertEquals(accessControl.filterSchemas(context, "catalog", schemas), schemas);
        Set<SchemaTableName> tables = ImmutableSet.of(new SchemaTableName("schema", "table"));
        assertEquals(accessControl.filterTables(context, "catalog", tables), tables);
    });

    // A write (insert) is denied by the read-only control.
    assertThatThrownBy(() -> transaction(transactionManager, accessControl).execute(transactionId -> {
        SecurityContext context = new SecurityContext(transactionId, identity, queryId);
        accessControl.checkCanInsertIntoTable(context, table);
    }))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage("Access Denied: Cannot insert into table catalog.schema.table");
}