Use of io.trino.spi.security.Privilege in the trino project by trinodb.
Class FileBasedAccessControl, method filterColumns.
/**
 * Restricts the visible columns of {@code tableName} for the identity in {@code context}.
 * <p>
 * Columns of the information schema are always fully visible. Otherwise the first table rule
 * matching the identity (user, enabled system roles, groups) and the table decides: no matching
 * rule, or a rule granting no privileges, hides every column; a rule granting anything beyond
 * plain {@code SELECT} shows every column; a SELECT-only rule hides the rule's restricted columns.
 *
 * @param context   security context whose identity is matched against the table rules
 * @param tableName table whose columns are being filtered
 * @param columns   candidate column names
 * @return the subset of {@code columns} the identity may see (possibly {@code columns} itself)
 */
@Override
public Set<String> filterColumns(ConnectorSecurityContext context, SchemaTableName tableName, Set<String> columns)
{
    // information_schema is exempt from column-level rules
    if (INFORMATION_SCHEMA_NAME.equals(tableName.getSchemaName())) {
        return columns;
    }

    ConnectorIdentity identity = context.getIdentity();
    TableAccessControlRule matchedRule = null;
    for (TableAccessControlRule candidate : tableRules) {
        if (candidate.matches(identity.getUser(), identity.getEnabledSystemRoles(), identity.getGroups(), tableName)) {
            matchedRule = candidate;
            break;
        }
    }
    // no applicable rule, or a rule that grants nothing: deny all columns
    if (matchedRule == null || matchedRule.getPrivileges().isEmpty()) {
        return ImmutableSet.of();
    }

    // Column restrictions only apply to a rule that grants nothing but SELECT.
    // NOTE(review): the system-level FileBasedSystemAccessControl variant also treats GRANT_SELECT
    // as select-type at this point; confirm whether this connector rule set has such a privilege.
    boolean selectOnly = matchedRule.getPrivileges().stream().allMatch(privilege -> SELECT == privilege);
    if (!selectOnly) {
        return columns;
    }

    Set<String> hidden = matchedRule.getRestrictedColumns();
    ImmutableSet.Builder<String> visible = ImmutableSet.builder();
    for (String column : columns) {
        if (!hidden.contains(column)) {
            visible.add(column);
        }
    }
    return visible.build();
}
Use of io.trino.spi.security.Privilege in the trino project by trinodb.
Class GrantTask, method executeGrantOnTable.
/**
 * Executes {@code GRANT ... ON TABLE}: resolves the table, checks that the session's principal
 * may grant each requested privilege to the grantee (with or without grant option), and then
 * records the grant through {@code metadata}.
 * <p>
 * Fails with a {@code TABLE_NOT_FOUND} semantic exception when the named table does not exist;
 * any access-control rejection surfaces from {@code checkCanGrantTablePrivilege} before the
 * grant is recorded.
 *
 * @param session   session of the grantor
 * @param statement the GRANT statement being executed
 */
private void executeGrantOnTable(Session session, Grant statement)
{
    QualifiedObjectName table = createQualifiedObjectName(session, statement, statement.getName());
    if (metadata.getTableHandle(session, table).isEmpty()) {
        throw semanticException(TABLE_NOT_FOUND, statement, "Table '%s' does not exist", table);
    }

    Set<Privilege> requested = parseStatementPrivileges(statement);
    boolean withGrantOption = statement.isWithGrantOption();
    // every privilege is authorized individually before anything is persisted
    requested.forEach(privilege ->
            accessControl.checkCanGrantTablePrivilege(session.toSecurityContext(), privilege, table, createPrincipal(statement.getGrantee()), withGrantOption));

    metadata.grantTablePrivileges(session, table, requested, createPrincipal(statement.getGrantee()), withGrantOption);
}
Use of io.trino.spi.security.Privilege in the trino project by trinodb.
Class FileBasedSystemAccessControl, method filterColumns.
/**
 * Restricts the visible columns of {@code tableName} for the identity in {@code context}.
 * <p>
 * An identity that fails {@code checkAnyTablePermission} sees no columns at all. Columns of the
 * information schema are otherwise always fully visible. For any other table the first table rule
 * matching the identity (user, enabled roles, groups) and the table decides: no matching rule, or
 * a rule granting no privileges, hides every column; a rule granting anything beyond
 * {@code SELECT}/{@code GRANT_SELECT} shows every column; a select-only rule hides the rule's
 * restricted columns.
 *
 * @param context   security context whose identity is matched against the table rules
 * @param tableName catalog-qualified table whose columns are being filtered
 * @param columns   candidate column names
 * @return the subset of {@code columns} the identity may see (possibly {@code columns} itself)
 */
@Override
public Set<String> filterColumns(SystemSecurityContext context, CatalogSchemaTableName tableName, Set<String> columns)
{
    // without any table-level permission nothing about the table is exposed
    if (!checkAnyTablePermission(context, tableName)) {
        return ImmutableSet.of();
    }
    // information_schema is exempt from column-level rules
    if (INFORMATION_SCHEMA_NAME.equals(tableName.getSchemaTableName().getSchemaName())) {
        return columns;
    }

    Identity identity = context.getIdentity();
    CatalogTableAccessControlRule matchedRule = null;
    for (CatalogTableAccessControlRule candidate : tableRules) {
        if (candidate.matches(identity.getUser(), identity.getEnabledRoles(), identity.getGroups(), tableName)) {
            matchedRule = candidate;
            break;
        }
    }
    // no applicable rule, or a rule that grants nothing: deny all columns
    if (matchedRule == null || matchedRule.getPrivileges().isEmpty()) {
        return ImmutableSet.of();
    }

    // Column restrictions only apply to a rule that grants nothing but select-type privileges.
    boolean selectOnly = matchedRule.getPrivileges().stream()
            .allMatch(privilege -> SELECT == privilege || GRANT_SELECT == privilege);
    if (!selectOnly) {
        return columns;
    }

    Set<String> hidden = matchedRule.getRestrictedColumns();
    ImmutableSet.Builder<String> visible = ImmutableSet.builder();
    for (String column : columns) {
        if (!hidden.contains(column)) {
            visible.add(column);
        }
    }
    return visible.build();
}
Use of io.trino.spi.security.Privilege in the trino project by trinodb.
Class SqlStandardAccessControlMetadata, method revokeTablePrivileges.
/**
 * Revokes the given Trino privileges on a Hive table from {@code grantee}, acting as the
 * session user.
 * <p>
 * {@code CREATE} is silently dropped from the set before translation: Hive has no such table
 * privilege, and the engine expands {@code ALL PRIVILEGES} into the full enumerated set (which
 * contains CREATE) rather than passing an {@code Optional.empty}, so rejecting it would break
 * {@code REVOKE ALL PRIVILEGES}.
 *
 * @param session         session whose user becomes the revoking principal
 * @param schemaTableName table the privileges are revoked on
 * @param privileges      Trino privileges to revoke; CREATE is ignored
 * @param grantee         principal losing the privileges
 * @param grantOption     whether the grant option is revoked as well
 */
@Override
public void revokeTablePrivileges(ConnectorSession session, SchemaTableName schemaTableName, Set<Privilege> privileges, HivePrincipal grantee, boolean grantOption)
{
    HivePrincipal revoker = new HivePrincipal(USER, session.getUser());
    metastore.revokeTablePrivileges(
            schemaTableName.getSchemaName(),
            schemaTableName.getTableName(),
            grantee,
            revoker,
            // drop CREATE (unsupported by Hive) and translate the rest to Hive privileges
            privileges.stream()
                    .filter(privilege -> privilege != Privilege.CREATE)
                    .map(HivePrivilegeInfo::toHivePrivilege)
                    .collect(toSet()),
            grantOption);
}
Use of io.trino.spi.security.Privilege in the trino project by trinodb.
Class SqlStandardAccessControlMetadata, method grantTablePrivileges.
/**
 * Grants the given Trino privileges on a Hive table to {@code grantee}, acting as the
 * session user.
 * <p>
 * {@code CREATE} is silently dropped from the set before translation: Hive has no such table
 * privilege, and the engine expands {@code ALL PRIVILEGES} into the full enumerated set (which
 * contains CREATE) rather than passing an {@code Optional.empty}, so rejecting it would break
 * {@code GRANT ALL PRIVILEGES}.
 *
 * @param session         session whose user becomes the granting principal
 * @param schemaTableName table the privileges are granted on
 * @param privileges      Trino privileges to grant; CREATE is ignored
 * @param grantee         principal receiving the privileges
 * @param grantOption     whether the grantee may pass the privileges on
 */
@Override
public void grantTablePrivileges(ConnectorSession session, SchemaTableName schemaTableName, Set<Privilege> privileges, HivePrincipal grantee, boolean grantOption)
{
    HivePrincipal grantor = new HivePrincipal(USER, session.getUser());
    metastore.grantTablePrivileges(
            schemaTableName.getSchemaName(),
            schemaTableName.getTableName(),
            grantee,
            grantor,
            // drop CREATE (unsupported by Hive) and translate the rest to Hive privileges
            privileges.stream()
                    .filter(privilege -> privilege != Privilege.CREATE)
                    .map(HivePrivilegeInfo::toHivePrivilege)
                    .collect(toSet()),
            grantOption);
}