
Example 1 with RoleGrant

use of io.trino.spi.security.RoleGrant in project trino by trinodb.

From class FileHiveMetastore, method grantRoles.

/**
 * Grants every role in {@code roles} to every principal in {@code grantees}.
 * <p>
 * For each (grantee, role) pair the stored grants are normalised so that one entry remains and its
 * admin option equals {@code adminOption}; a previously stored entry for the same pair with the
 * opposite admin option is dropped. The role-grants file is rewritten only when the resulting set
 * differs from what is currently stored.
 *
 * @param roles       names of the roles to grant; each must already exist
 * @param grantees    principals receiving the roles; a grantee of type ROLE must itself be an existing role
 * @param adminOption whether the grantees may in turn administer the granted roles
 * @param grantor     principal performing the grant; not consulted by this implementation —
 *                    NOTE(review): the grantor's own authority is presumably enforced by a higher layer, confirm
 * @throws IllegalArgumentException via {@code checkArgument} when a role, or a ROLE-typed grantee, does not exist
 */
@Override
public synchronized void grantRoles(Set<String> roles, Set<HivePrincipal> grantees, boolean adminOption, HivePrincipal grantor) {
    Set<String> knownRoles = listRoles();
    Set<RoleGrant> currentGrants = listRoleGrantsSanitized();
    Set<RoleGrant> updatedGrants = new HashSet<>(currentGrants);
    for (HivePrincipal grantee : grantees) {
        for (String role : roles) {
            // Both existence checks run inside the inner loop, so nothing is validated when either set is empty
            checkArgument(knownRoles.contains(role), "Role does not exist: %s", role);
            if (grantee.getType() == ROLE) {
                checkArgument(knownRoles.contains(grantee.getName()), "Role does not exist: %s", grantee.getName());
            }
            // Only one admin-option variant of a (grantee, role) grant may remain
            RoleGrant desiredGrant = new RoleGrant(grantee.toTrinoPrincipal(), role, adminOption);
            RoleGrant oppositeGrant = new RoleGrant(grantee.toTrinoPrincipal(), role, !adminOption);
            updatedGrants.remove(oppositeGrant);
            updatedGrants.add(desiredGrant);
        }
    }
    // Project helper; presumably collapses entries the HashSet did not already merge — TODO confirm its contract
    updatedGrants = removeDuplicatedEntries(updatedGrants);
    if (!currentGrants.equals(updatedGrants)) {
        writeRoleGrantsFile(updatedGrants);
    }
}
Also used : RoleGrant(io.trino.spi.security.RoleGrant) HivePrincipal(io.trino.plugin.hive.metastore.HivePrincipal) LinkedHashSet(java.util.LinkedHashSet) HashSet(java.util.HashSet)

Example 2 with RoleGrant

use of io.trino.spi.security.RoleGrant in project trino by trinodb.

From class FileHiveMetastore, method revokeRoles.

/**
 * Revokes roles from principals, or only their admin option on those roles.
 * <p>
 * Only (grantee, role) pairs that currently hold a grant, with or without admin option, are
 * touched. When {@code adminOption} is true the grant is kept but downgraded to one without the
 * admin option; otherwise both variants of the grant are removed. Unlike grantRoles, no existence
 * check is made for the roles or grantees — a pair with no stored grant is silently skipped.
 * The role-grants file is rewritten only when the stored set actually changes.
 *
 * @param roles       names of the roles to revoke
 * @param grantees    principals losing the roles (or the admin option on them)
 * @param adminOption true to revoke only the admin option, false to revoke the role itself
 * @param grantor     principal performing the revoke; not consulted by this implementation —
 *                    NOTE(review): the grantor's own authority is presumably enforced by a higher layer, confirm
 */
@Override
public synchronized void revokeRoles(Set<String> roles, Set<HivePrincipal> grantees, boolean adminOption, HivePrincipal grantor) {
    Set<RoleGrant> currentGrants = listRoleGrantsSanitized();
    Set<RoleGrant> updatedGrants = new HashSet<>(currentGrants);
    for (HivePrincipal grantee : grantees) {
        for (String role : roles) {
            RoleGrant adminGrant = new RoleGrant(grantee.toTrinoPrincipal(), role, true);
            RoleGrant plainGrant = new RoleGrant(grantee.toTrinoPrincipal(), role, false);
            boolean held = updatedGrants.contains(adminGrant) || updatedGrants.contains(plainGrant);
            if (!held) {
                continue;
            }
            // The admin variant goes in either case; the plain variant is kept only when just the admin option is revoked
            updatedGrants.remove(adminGrant);
            if (adminOption) {
                updatedGrants.add(plainGrant);
            } else {
                updatedGrants.remove(plainGrant);
            }
        }
    }
    // Project helper; presumably collapses entries the HashSet did not already merge — TODO confirm its contract
    updatedGrants = removeDuplicatedEntries(updatedGrants);
    if (!currentGrants.equals(updatedGrants)) {
        writeRoleGrantsFile(updatedGrants);
    }
}
Also used : RoleGrant(io.trino.spi.security.RoleGrant) HivePrincipal(io.trino.plugin.hive.metastore.HivePrincipal) LinkedHashSet(java.util.LinkedHashSet) HashSet(java.util.HashSet)

Example 3 with RoleGrant

use of io.trino.spi.security.RoleGrant in project trino by trinodb.

From class FileHiveMetastore, method listRoleGrants.

/**
 * Lists the roles granted directly to {@code principal}, including the implicit grants that are
 * synthesized here rather than read from the role-grants file.
 * <p>
 * Every USER principal implicitly holds {@code PUBLIC_ROLE_NAME} without admin option, and a user
 * named in {@code ADMIN_USERS} additionally holds {@code ADMIN_ROLE_NAME} with admin option.
 * Stored grants are filtered to those whose grantee equals {@code principal}; no transitive role
 * membership is resolved here. ROLE principals receive only stored grants.
 *
 * @param principal the user or role whose grants are listed
 * @return immutable set of grants whose grantee is {@code principal}
 */
@Override
public synchronized Set<RoleGrant> listRoleGrants(HivePrincipal principal) {
    ImmutableSet.Builder<RoleGrant> grants = ImmutableSet.builder();
    if (principal.getType() == USER) {
        // Implicit membership: the public role for every user, the admin role for the configured admin users
        grants.add(new RoleGrant(principal.toTrinoPrincipal(), PUBLIC_ROLE_NAME, false));
        if (ADMIN_USERS.contains(principal.getName())) {
            grants.add(new RoleGrant(principal.toTrinoPrincipal(), ADMIN_ROLE_NAME, true));
        }
    }
    for (RoleGrant stored : listRoleGrantsSanitized()) {
        if (HivePrincipal.from(stored.getGrantee()).equals(principal)) {
            grants.add(stored);
        }
    }
    return grants.build();
}
Also used : RoleGrant(io.trino.spi.security.RoleGrant) ImmutableSet.toImmutableSet(com.google.common.collect.ImmutableSet.toImmutableSet) ImmutableSet(com.google.common.collect.ImmutableSet)

Example 4 with RoleGrant

use of io.trino.spi.security.RoleGrant in project trino by trinodb.

From class SqlStandardAccessControlMetadata, method getRoleGrantsByRoles.

/**
 * Collects the grants of the given roles, stopping once at least {@code limit} grants have been read.
 * <p>
 * The limit is checked only between roles: once a role's grants are being read they are all
 * added, so the result may exceed {@code limit}. The running count also includes grants that the
 * set later de-duplicates. The limit therefore behaves as a hint — NOTE(review): confirm that
 * callers apply their own cap where an exact bound is required.
 *
 * @param roles role names whose grants are listed
 * @param limit optional upper bound on the number of grants; absent means unbounded
 * @return immutable set of the collected grants
 */
private Set<RoleGrant> getRoleGrantsByRoles(Set<String> roles, OptionalLong limit) {
    ImmutableSet.Builder<RoleGrant> collected = ImmutableSet.builder();
    int seen = 0;
    for (String role : roles) {
        boolean limitReached = limit.isPresent() && seen >= limit.getAsLong();
        if (limitReached) {
            break;
        }
        for (RoleGrant grant : metastore.listGrantedPrincipals(role)) {
            collected.add(grant);
            seen++;
        }
    }
    return collected.build();
}
Also used : RoleGrant(io.trino.spi.security.RoleGrant) ImmutableSet.toImmutableSet(com.google.common.collect.ImmutableSet.toImmutableSet) ImmutableSet(com.google.common.collect.ImmutableSet)

Example 5 with RoleGrant

use of io.trino.spi.security.RoleGrant in project trino by trinodb.

From class TestSetRoleTask, method setUp.

/**
 * Builds the fixtures shared by the tests in this class.
 * <p>
 * Two catalogs are registered on a {@code LocalQueryRunner}: {@code CATALOG_NAME}, backed by a
 * mock connector that answers every role-grant listing with a single grant of {@code ROLE_NAME}
 * (without admin option) to the user {@code USER_NAME}, and {@code SYSTEM_ROLE_CATALOG_NAME},
 * backed by a mock connector named {@code "system_role_connector"} — NOTE(review): the name is
 * presumably what the tests rely on for system-role handling; confirm against MockConnectorFactory.
 * The remaining fields are taken from the runner, plus a cached pool of daemon threads.
 */
@BeforeClass
public void setUp() {
    queryRunner = LocalQueryRunner.create(TEST_SESSION);

    // Ignores the requested grantees and limit: the same single grant is reported for every call
    MockConnectorFactory roleGrantConnector = MockConnectorFactory.builder()
            .withListRoleGrants((session, roles, grantees, limit) ->
                    ImmutableSet.of(new RoleGrant(new TrinoPrincipal(USER, USER_NAME), ROLE_NAME, false)))
            .build();
    queryRunner.createCatalog(CATALOG_NAME, roleGrantConnector, ImmutableMap.of());

    MockConnectorFactory systemRoleConnector = MockConnectorFactory.builder()
            .withName("system_role_connector")
            .build();
    queryRunner.createCatalog(SYSTEM_ROLE_CATALOG_NAME, systemRoleConnector, ImmutableMap.of());

    transactionManager = queryRunner.getTransactionManager();
    accessControl = queryRunner.getAccessControl();
    metadata = queryRunner.getMetadata();
    parser = queryRunner.getSqlParser();
    executor = newCachedThreadPool(daemonThreadsNamed("test-set-role-task-executor-%s"));
}
Also used : TransactionManager(io.trino.transaction.TransactionManager) USER(io.trino.spi.security.PrincipalType.USER) ParsingOptions(io.trino.sql.parser.ParsingOptions) Assert.assertEquals(org.testng.Assert.assertEquals) Test(org.testng.annotations.Test) TrinoExceptionAssert.assertTrinoExceptionThrownBy(io.trino.testing.assertions.TrinoExceptionAssert.assertTrinoExceptionThrownBy) NOT_SUPPORTED(io.trino.spi.StandardErrorCode.NOT_SUPPORTED) ImmutableList(com.google.common.collect.ImmutableList) MockConnectorFactory(io.trino.connector.MockConnectorFactory) Threads.daemonThreadsNamed(io.airlift.concurrent.Threads.daemonThreadsNamed) Identity(io.trino.spi.security.Identity) LocalQueryRunner(io.trino.testing.LocalQueryRunner) Map(java.util.Map) TEST_SESSION(io.trino.SessionTestUtils.TEST_SESSION) SqlParser(io.trino.sql.parser.SqlParser) URI(java.net.URI) ExecutorService(java.util.concurrent.ExecutorService) ResourceGroupId(io.trino.spi.resourcegroups.ResourceGroupId) AfterClass(org.testng.annotations.AfterClass) ImmutableSet(com.google.common.collect.ImmutableSet) ImmutableMap(com.google.common.collect.ImmutableMap) BeforeClass(org.testng.annotations.BeforeClass) CATALOG_NOT_FOUND(io.trino.spi.StandardErrorCode.CATALOG_NOT_FOUND) RoleGrant(io.trino.spi.security.RoleGrant) SelectedRole(io.trino.spi.security.SelectedRole) TestingSession.testSessionBuilder(io.trino.testing.TestingSession.testSessionBuilder) AccessControl(io.trino.security.AccessControl) TrinoPrincipal(io.trino.spi.security.TrinoPrincipal) Executors.newCachedThreadPool(java.util.concurrent.Executors.newCachedThreadPool) SetRole(io.trino.sql.tree.SetRole) WarningCollector(io.trino.execution.warnings.WarningCollector) Metadata(io.trino.metadata.Metadata) Optional(java.util.Optional) ROLE_NOT_FOUND(io.trino.spi.StandardErrorCode.ROLE_NOT_FOUND) RoleGrant(io.trino.spi.security.RoleGrant) MockConnectorFactory(io.trino.connector.MockConnectorFactory) TrinoPrincipal(io.trino.spi.security.TrinoPrincipal) 
BeforeClass(org.testng.annotations.BeforeClass)
