use of io.trino.spi.security.Identity in project trino by trinodb.
the class FileBasedSystemAccessControl method checkCanCreateViewWithSelectFromColumns.
/**
 * Authorizes creating a view that selects {@code columns} from {@code table}.
 *
 * <p>Access is denied when the catalog is not accessible with the {@code ALL} mode, when no
 * table rule matches the caller or the first matching rule does not allow selecting the
 * requested columns, or when that rule does not carry {@code GRANT_SELECT}. Tables in the
 * information schema are accepted as soon as the catalog check has passed.
 *
 * @param context security context carrying the caller's identity
 * @param table fully qualified table the view would read from
 * @param columns columns the view would select
 */
@Override
public void checkCanCreateViewWithSelectFromColumns(SystemSecurityContext context, CatalogSchemaTableName table, Set<String> columns) {
    // Catalog-level gate comes first; nothing below is consulted without it.
    boolean catalogAccessible = canAccessCatalog(context, table.getCatalogName(), ALL);
    if (!catalogAccessible) {
        denySelectTable(table.toString());
    }

    // information_schema tables are not matched against the table rules.
    String schemaName = table.getSchemaTableName().getSchemaName();
    if (INFORMATION_SCHEMA_NAME.equals(schemaName)) {
        return;
    }

    Identity identity = context.getIdentity();
    // First match wins: only the first rule matching user, enabled roles, groups and table
    // is evaluated, so rule order in the configuration decides the outcome.
    CatalogTableAccessControlRule matchedRule = tableRules.stream()
            .filter(candidate -> candidate.matches(identity.getUser(), identity.getEnabledRoles(), identity.getGroups(), table))
            .findFirst()
            .orElse(null);

    // Default deny: no matching rule is treated the same as a rule that forbids the columns.
    boolean columnsSelectable = matchedRule != null && matchedRule.canSelectColumns(columns);
    if (!columnsSelectable) {
        denySelectTable(table.toString());
    }

    // NOTE(review): matchedRule may be null at this point unless denySelectTable always
    // throws; the dereference below depends on that - confirm.
    // Plain SELECT is not enough for a view: the rule must also grant GRANT_SELECT.
    boolean mayGrantSelect = matchedRule.getPrivileges().contains(GRANT_SELECT);
    if (!mayGrantSelect) {
        denyCreateViewWithSelect(table.toString(), identity);
    }
}
use of io.trino.spi.security.Identity in project trino by trinodb.
the class FileBasedSystemAccessControl method filterColumns.
/**
 * Returns the subset of {@code columns} of {@code tableName} that the caller may see.
 *
 * <p>Nothing is returned when the caller has no permission on the table, when no table rule
 * matches, or when the first matching rule has an empty privilege set. All columns are
 * returned for information-schema tables and for rules holding any privilege other than
 * {@code SELECT} / {@code GRANT_SELECT}; otherwise the rule's restricted columns are removed.
 *
 * @param context security context carrying the caller's identity
 * @param tableName fully qualified table whose columns are being listed
 * @param columns candidate column names
 * @return the columns visible to the caller
 */
@Override
public Set<String> filterColumns(SystemSecurityContext context, CatalogSchemaTableName tableName, Set<String> columns) {
    // No permission of any kind on the table: expose no column names at all.
    if (!checkAnyTablePermission(context, tableName)) {
        return ImmutableSet.of();
    }

    // information_schema tables are returned unfiltered once the table check has passed.
    String schemaName = tableName.getSchemaTableName().getSchemaName();
    if (INFORMATION_SCHEMA_NAME.equals(schemaName)) {
        return columns;
    }

    Identity identity = context.getIdentity();
    // First match wins: later rules are never consulted once one rule matches.
    Optional<CatalogTableAccessControlRule> firstMatch = tableRules.stream()
            .filter(candidate -> candidate.matches(identity.getUser(), identity.getEnabledRoles(), identity.getGroups(), tableName))
            .findFirst();

    // Default deny: a missing rule and a rule without privileges both hide every column.
    if (!firstMatch.isPresent() || firstMatch.get().getPrivileges().isEmpty()) {
        return ImmutableSet.of();
    }
    CatalogTableAccessControlRule matchedRule = firstMatch.get();

    // Column restrictions apply only to callers whose privileges are limited to select;
    // any other privilege on the rule shows all columns.
    boolean selectOnly = matchedRule.getPrivileges().stream()
            .allMatch(privilege -> SELECT == privilege || GRANT_SELECT == privilege);
    if (!selectOnly) {
        return columns;
    }

    Set<String> hiddenColumns = matchedRule.getRestrictedColumns();
    return columns.stream()
            .filter(name -> !hiddenColumns.contains(name))
            .collect(toImmutableSet());
}
use of io.trino.spi.security.Identity in project trino by trinodb.
the class FileBasedSystemAccessControl method checkCanSetSystemSessionProperty.
/**
 * Authorizes setting the system session property {@code propertyName}.
 *
 * <p>The session-property rules are evaluated in order and the first rule that yields a
 * decision for the caller's user, enabled roles and groups is final. If no rule yields a
 * decision, the request is denied.
 *
 * @param context security context carrying the caller's identity
 * @param propertyName name of the system session property being set
 */
@Override
public void checkCanSetSystemSessionProperty(SystemSecurityContext context, String propertyName) {
    Identity identity = context.getIdentity();

    // A rule that does not apply returns an empty Optional and is skipped; the first
    // present value (allow or deny) ends the search.
    Optional<Boolean> firstDecision = sessionPropertyRules.stream()
            .map(rule -> rule.match(identity.getUser(), identity.getEnabledRoles(), identity.getGroups(), propertyName))
            .filter(Optional::isPresent)
            .map(Optional::get)
            .findFirst();

    // Default deny when nothing matched.
    if (!firstDecision.orElse(false)) {
        denySetSystemSessionProperty(propertyName);
    }
}
use of io.trino.spi.security.Identity in project trino by trinodb.
the class TestFileBasedSystemAccessControl method testQueryDocsExample.
/**
 * Runs the query-access rules example shipped with the documentation through the file-based
 * access control and checks the execute / view / kill outcome for each identity used there.
 */
@Test
public void testQueryDocsExample() {
    // The rules file is the documentation's own example, resolved relative to the working directory.
    File docsExample = new File("../../docs/src/main/sphinx/security/query-access.json");
    String rulesFile = docsExample.getAbsolutePath();
    SystemAccessControl accessControlManager = newFileBasedSystemAccessControl(ImmutableMap.of("security.config-file", rulesFile));

    // NOTE(review): every kill denial below is asserted with the "Cannot view query" message;
    // confirm that a kill denial is meant to reuse the view message rather than a kill-specific one.

    // admin: may execute, view and kill queries of any owner.
    SystemSecurityContext adminContext = new SystemSecurityContext(admin, queryId);
    accessControlManager.checkCanExecuteQuery(adminContext);
    accessControlManager.checkCanViewQueryOwnedBy(adminContext, any);
    assertEquals(accessControlManager.filterViewQueryOwnedBy(adminContext, ImmutableSet.of("a", "b")), ImmutableSet.of("a", "b"));
    accessControlManager.checkCanKillQueryOwnedBy(adminContext, any);

    // alice: may execute and kill, but may not view.
    SystemSecurityContext aliceContext = new SystemSecurityContext(alice, queryId);
    accessControlManager.checkCanExecuteQuery(aliceContext);
    assertThatThrownBy(() -> accessControlManager.checkCanViewQueryOwnedBy(aliceContext, any))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage("Access Denied: Cannot view query");
    assertEquals(accessControlManager.filterViewQueryOwnedBy(aliceContext, ImmutableSet.of("a", "b")), ImmutableSet.of());
    accessControlManager.checkCanKillQueryOwnedBy(aliceContext, any);

    // bob: may execute only.
    SystemSecurityContext bobContext = new SystemSecurityContext(bob, queryId);
    accessControlManager.checkCanExecuteQuery(bobContext);
    assertThatThrownBy(() -> accessControlManager.checkCanViewQueryOwnedBy(bobContext, any))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage("Access Denied: Cannot view query");
    assertEquals(accessControlManager.filterViewQueryOwnedBy(bobContext, ImmutableSet.of("a", "b")), ImmutableSet.of());
    assertThatThrownBy(() -> accessControlManager.checkCanKillQueryOwnedBy(bobContext, any))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage("Access Denied: Cannot view query");

    // dave: may execute, and view only queries owned by alice or dave; may not kill.
    SystemSecurityContext daveContext = new SystemSecurityContext(dave, queryId);
    accessControlManager.checkCanExecuteQuery(daveContext);
    accessControlManager.checkCanViewQueryOwnedBy(daveContext, alice);
    accessControlManager.checkCanViewQueryOwnedBy(daveContext, dave);
    assertEquals(accessControlManager.filterViewQueryOwnedBy(daveContext, ImmutableSet.of("alice", "bob", "dave", "admin")), ImmutableSet.of("alice", "dave"));
    assertThatThrownBy(() -> accessControlManager.checkCanKillQueryOwnedBy(daveContext, alice))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage("Access Denied: Cannot view query");
    assertThatThrownBy(() -> accessControlManager.checkCanKillQueryOwnedBy(daveContext, bob))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage("Access Denied: Cannot view query");
    assertThatThrownBy(() -> accessControlManager.checkCanViewQueryOwnedBy(daveContext, bob))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage("Access Denied: Cannot view query");
    assertThatThrownBy(() -> accessControlManager.checkCanViewQueryOwnedBy(daveContext, admin))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage("Access Denied: Cannot view query");

    // A user known only through membership in the "contractors" group: may execute and
    // view dave's queries, but may not kill them.
    Identity contractor = Identity.forUser("some-other-contractor")
            .withGroups(ImmutableSet.of("contractors"))
            .build();
    SystemSecurityContext contractorContext = new SystemSecurityContext(contractor, queryId);
    accessControlManager.checkCanExecuteQuery(contractorContext);
    accessControlManager.checkCanViewQueryOwnedBy(contractorContext, dave);
    assertThatThrownBy(() -> accessControlManager.checkCanKillQueryOwnedBy(contractorContext, dave))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage("Access Denied: Cannot view query");
}
use of io.trino.spi.security.Identity in project trino by trinodb.
the class MetadataManager method getView.
/**
 * Looks up the view {@code viewName} and, for run-as DEFINER views, attaches the identity
 * the view runs as.
 *
 * <p>Views that run as invoker, and views in catalogs that manage their own security, are
 * returned without a run-as identity. For all other views the identity comes from the system
 * security metadata, falling back to the owner recorded in the connector's view definition.
 *
 * @param session session performing the lookup
 * @param viewName fully qualified view name
 * @return the view definition, or empty when the view does not exist
 * @throws TrinoException with {@code NOT_SUPPORTED} when neither source provides a run-as identity
 */
@Override
public Optional<ViewDefinition> getView(Session session, QualifiedObjectName viewName) {
    Optional<ConnectorViewDefinition> connectorView = getViewInternal(session, viewName);
    if (!connectorView.isPresent()) {
        return Optional.empty();
    }
    ConnectorViewDefinition definition = connectorView.get();

    // Invoker views and catalog-managed security need no definer identity from here.
    if (definition.isRunAsInvoker() || isCatalogManagedSecurity(session, viewName.getCatalogName())) {
        return Optional.of(new ViewDefinition(viewName, definition));
    }

    // The system security metadata takes precedence; the connector-stored owner is only a fallback.
    // NOTE(review): the fallback identity is built from the owner name alone via Identity.ofUser,
    // and the view's access checks run under it; confirm how that owner's groups and roles are
    // resolved, and that the connector's owner field cannot be set to an arbitrary user.
    Identity runAsIdentity = systemSecurityMetadata.getViewRunAsIdentity(session, viewName.asCatalogSchemaTableName())
            .or(() -> definition.getOwner().map(Identity::ofUser))
            .orElseThrow(() -> new TrinoException(NOT_SUPPORTED, "Catalog does not support run-as DEFINER views: " + viewName));
    return Optional.of(new ViewDefinition(viewName, definition, runAsIdentity));
}