Search in sources :

Example 11 with RoleGrant

use of io.trino.spi.security.RoleGrant in project trino by trinodb.

the class SetRoleTask method execute.

@Override
public ListenableFuture<Void> execute(SetRole statement, QueryStateMachine stateMachine, List<Expression> parameters, WarningCollector warningCollector) {
    Session session = stateMachine.getSession();
    Optional<String> catalog = processRoleCommandCatalog(metadata, session, statement, statement.getCatalog().map(Identifier::getValue));
    if (statement.getType() == SetRole.Type.ROLE) {
        String role = statement.getRole().map(c -> c.getValue().toLowerCase(ENGLISH)).orElseThrow();
        if (!metadata.roleExists(session, role, catalog)) {
            throw semanticException(ROLE_NOT_FOUND, statement, "Role '%s' does not exist", role);
        }
        if (catalog.isPresent()) {
            accessControl.checkCanSetCatalogRole(SecurityContext.of(session), role, catalog.get());
        } else {
            Set<RoleGrant> roleGrants = metadata.listApplicableRoles(session, new TrinoPrincipal(USER, session.getUser()), Optional.empty());
            if (roleGrants.stream().map(RoleGrant::getRoleName).noneMatch(role::equals)) {
                denySetRole(role);
            }
        }
    }
    SelectedRole.Type type = toSelectedRoleType(statement.getType());
    stateMachine.addSetRole(catalog.orElse("system"), new SelectedRole(type, statement.getRole().map(c -> c.getValue().toLowerCase(ENGLISH))));
    return immediateVoidFuture();
}
Also used : Futures.immediateVoidFuture(com.google.common.util.concurrent.Futures.immediateVoidFuture) ListenableFuture(com.google.common.util.concurrent.ListenableFuture) USER(io.trino.spi.security.PrincipalType.USER) Set(java.util.Set) RoleGrant(io.trino.spi.security.RoleGrant) AccessDeniedException.denySetRole(io.trino.spi.security.AccessDeniedException.denySetRole) Inject(javax.inject.Inject) SelectedRole(io.trino.spi.security.SelectedRole) List(java.util.List) AccessControl(io.trino.security.AccessControl) TrinoPrincipal(io.trino.spi.security.TrinoPrincipal) SetRole(io.trino.sql.tree.SetRole) Objects.requireNonNull(java.util.Objects.requireNonNull) WarningCollector(io.trino.execution.warnings.WarningCollector) Metadata(io.trino.metadata.Metadata) Optional(java.util.Optional) Expression(io.trino.sql.tree.Expression) SecurityContext(io.trino.security.SecurityContext) MetadataUtil.processRoleCommandCatalog(io.trino.metadata.MetadataUtil.processRoleCommandCatalog) SemanticExceptions.semanticException(io.trino.sql.analyzer.SemanticExceptions.semanticException) ENGLISH(java.util.Locale.ENGLISH) Identifier(io.trino.sql.tree.Identifier) ROLE_NOT_FOUND(io.trino.spi.StandardErrorCode.ROLE_NOT_FOUND) Session(io.trino.Session) RoleGrant(io.trino.spi.security.RoleGrant) SelectedRole(io.trino.spi.security.SelectedRole) TrinoPrincipal(io.trino.spi.security.TrinoPrincipal) Session(io.trino.Session)

Example 12 with RoleGrant

use of io.trino.spi.security.RoleGrant in project trino by trinodb.

the class TestAccessControl method createQueryRunner.

@Override
protected QueryRunner createQueryRunner() throws Exception {
    Session session = testSessionBuilder().setCatalog("blackhole").setSchema("default").build();
    DistributedQueryRunner queryRunner = DistributedQueryRunner.builder(session).setNodeCount(1).build();
    queryRunner.installPlugin(new BlackHolePlugin());
    queryRunner.createCatalog("blackhole", "blackhole");
    queryRunner.installPlugin(new TpchPlugin());
    queryRunner.createCatalog("tpch", "tpch");
    queryRunner.installPlugin(new MockConnectorPlugin(MockConnectorFactory.builder().withGetViews((connectorSession, prefix) -> {
        ConnectorViewDefinition definitionRunAsDefiner = new ConnectorViewDefinition("select 1", Optional.of("mock"), Optional.of("default"), ImmutableList.of(new ConnectorViewDefinition.ViewColumn("test", BIGINT.getTypeId())), Optional.of("comment"), Optional.of("admin"), false);
        ConnectorViewDefinition definitionRunAsInvoker = new ConnectorViewDefinition("select 1", Optional.of("mock"), Optional.of("default"), ImmutableList.of(new ConnectorViewDefinition.ViewColumn("test", BIGINT.getTypeId())), Optional.of("comment"), Optional.empty(), true);
        return ImmutableMap.of(new SchemaTableName("default", "test_view_definer"), definitionRunAsDefiner, new SchemaTableName("default", "test_view_invoker"), definitionRunAsInvoker);
    }).withListRoleGrants((connectorSession, roles, grantees, limit) -> ImmutableSet.of(new RoleGrant(new TrinoPrincipal(USER, "alice"), "alice_role", false))).build()));
    queryRunner.createCatalog("mock", "mock");
    for (String tableName : ImmutableList.of("orders", "nation", "region", "lineitem")) {
        queryRunner.execute(format("CREATE TABLE %1$s AS SELECT * FROM tpch.tiny.%1$s WITH NO DATA", tableName));
    }
    return queryRunner;
}
Also used : EXECUTE_QUERY(io.trino.testing.TestingAccessControlManager.TestingPrivilegeType.EXECUTE_QUERY) SHOW_COLUMNS(io.trino.testing.TestingAccessControlManager.TestingPrivilegeType.SHOW_COLUMNS) USER(io.trino.spi.security.PrincipalType.USER) Test(org.testng.annotations.Test) TRUNCATE_TABLE(io.trino.testing.TestingAccessControlManager.TestingPrivilegeType.TRUNCATE_TABLE) CREATE_VIEW_WITH_SELECT_COLUMNS(io.trino.testing.TestingAccessControlManager.TestingPrivilegeType.CREATE_VIEW_WITH_SELECT_COLUMNS) SHOW_CREATE_TABLE(io.trino.testing.TestingAccessControlManager.TestingPrivilegeType.SHOW_CREATE_TABLE) BlackHolePlugin(io.trino.plugin.blackhole.BlackHolePlugin) AbstractTestQueryFramework(io.trino.testing.AbstractTestQueryFramework) Assertions(io.airlift.testing.Assertions) DELETE_TABLE(io.trino.testing.TestingAccessControlManager.TestingPrivilegeType.DELETE_TABLE) DistributedQueryRunner(io.trino.testing.DistributedQueryRunner) MockConnectorFactory(io.trino.connector.MockConnectorFactory) TestingPrivilege(io.trino.testing.TestingAccessControlManager.TestingPrivilege) SET_TABLE_PROPERTIES(io.trino.testing.TestingAccessControlManager.TestingPrivilegeType.SET_TABLE_PROPERTIES) ConnectorViewDefinition(io.trino.spi.connector.ConnectorViewDefinition) TpchPlugin(io.trino.plugin.tpch.TpchPlugin) CREATE_MATERIALIZED_VIEW(io.trino.testing.TestingAccessControlManager.TestingPrivilegeType.CREATE_MATERIALIZED_VIEW) TestTable.randomTableSuffix(io.trino.testing.sql.TestTable.randomTableSuffix) INSERT_TABLE(io.trino.testing.TestingAccessControlManager.TestingPrivilegeType.INSERT_TABLE) RENAME_COLUMN(io.trino.testing.TestingAccessControlManager.TestingPrivilegeType.RENAME_COLUMN) ImmutableSet(com.google.common.collect.ImmutableSet) QUERY_MAX_MEMORY(io.trino.SystemSessionProperties.QUERY_MAX_MEMORY) ImmutableMap(com.google.common.collect.ImmutableMap) DROP_TABLE(io.trino.testing.TestingAccessControlManager.TestingPrivilegeType.DROP_TABLE) SchemaTableName(io.trino.spi.connector.SchemaTableName) String.format(java.lang.String.format) SelectedRole(io.trino.spi.security.SelectedRole) DROP_COLUMN(io.trino.testing.TestingAccessControlManager.TestingPrivilegeType.DROP_COLUMN) TestingSession.testSessionBuilder(io.trino.testing.TestingSession.testSessionBuilder) TrinoPrincipal(io.trino.spi.security.TrinoPrincipal) BIGINT(io.trino.spi.type.BigintType.BIGINT) RENAME_TABLE(io.trino.testing.TestingAccessControlManager.TestingPrivilegeType.RENAME_TABLE) ROLE(io.trino.spi.security.SelectedRole.Type.ROLE) UPDATE_TABLE(io.trino.testing.TestingAccessControlManager.TestingPrivilegeType.UPDATE_TABLE) TestingSession(io.trino.testing.TestingSession) Optional(java.util.Optional) CREATE_VIEW(io.trino.testing.TestingAccessControlManager.TestingPrivilegeType.CREATE_VIEW) SET_USER(io.trino.testing.TestingAccessControlManager.TestingPrivilegeType.SET_USER) Session(io.trino.Session) SELECT_COLUMN(io.trino.testing.TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN) CREATE_TABLE(io.trino.testing.TestingAccessControlManager.TestingPrivilegeType.CREATE_TABLE) ImmutableList(com.google.common.collect.ImmutableList) Assertions.assertThatThrownBy(org.assertj.core.api.Assertions.assertThatThrownBy) Identity(io.trino.spi.security.Identity) SET_SESSION(io.trino.testing.TestingAccessControlManager.TestingPrivilegeType.SET_SESSION) MockConnectorPlugin(io.trino.connector.MockConnectorPlugin) EXECUTE_FUNCTION(io.trino.testing.TestingAccessControlManager.TestingPrivilegeType.EXECUTE_FUNCTION) GRANT_EXECUTE_FUNCTION(io.trino.testing.TestingAccessControlManager.TestingPrivilegeType.GRANT_EXECUTE_FUNCTION) RoleGrant(io.trino.spi.security.RoleGrant) TestingAccessControlManager.privilege(io.trino.testing.TestingAccessControlManager.privilege) QueryRunner(io.trino.testing.QueryRunner) ADD_COLUMN(io.trino.testing.TestingAccessControlManager.TestingPrivilegeType.ADD_COLUMN) RoleGrant(io.trino.spi.security.RoleGrant) DistributedQueryRunner(io.trino.testing.DistributedQueryRunner) BlackHolePlugin(io.trino.plugin.blackhole.BlackHolePlugin) TpchPlugin(io.trino.plugin.tpch.TpchPlugin) TrinoPrincipal(io.trino.spi.security.TrinoPrincipal) MockConnectorPlugin(io.trino.connector.MockConnectorPlugin) SchemaTableName(io.trino.spi.connector.SchemaTableName) TestingSession(io.trino.testing.TestingSession) Session(io.trino.Session) ConnectorViewDefinition(io.trino.spi.connector.ConnectorViewDefinition)

Example 13 with RoleGrant

use of io.trino.spi.security.RoleGrant in project trino by trinodb.

the class TestingSystemSecurityMetadata method getRoleGrantsRecursively.

private Set<RoleGrant> getRoleGrantsRecursively(TrinoPrincipal principal) {
    Queue<RoleGrant> pending = new ArrayDeque<>(getRoleGrants(principal));
    Set<RoleGrant> seen = new HashSet<>();
    while (!pending.isEmpty()) {
        RoleGrant current = pending.remove();
        if (!seen.add(current)) {
            continue;
        }
        pending.addAll(getRoleGrants(new TrinoPrincipal(ROLE, current.getRoleName())));
    }
    return ImmutableSet.copyOf(seen);
}
Also used : RoleGrant(io.trino.spi.security.RoleGrant) TrinoPrincipal(io.trino.spi.security.TrinoPrincipal) ArrayDeque(java.util.ArrayDeque) HashSet(java.util.HashSet)

Aggregations

RoleGrant (io.trino.spi.security.RoleGrant)13 ImmutableSet (com.google.common.collect.ImmutableSet)6 TrinoPrincipal (io.trino.spi.security.TrinoPrincipal)6 HivePrincipal (io.trino.plugin.hive.metastore.HivePrincipal)5 ImmutableSet.toImmutableSet (com.google.common.collect.ImmutableSet.toImmutableSet)4 USER (io.trino.spi.security.PrincipalType.USER)3 SelectedRole (io.trino.spi.security.SelectedRole)3 HashSet (java.util.HashSet)3 Optional (java.util.Optional)3 ImmutableList (com.google.common.collect.ImmutableList)2 ImmutableMap (com.google.common.collect.ImmutableMap)2 Session (io.trino.Session)2 MockConnectorFactory (io.trino.connector.MockConnectorFactory)2 WarningCollector (io.trino.execution.warnings.WarningCollector)2 Metadata (io.trino.metadata.Metadata)2 AccessControl (io.trino.security.AccessControl)2 ROLE_NOT_FOUND (io.trino.spi.StandardErrorCode.ROLE_NOT_FOUND)2 Identity (io.trino.spi.security.Identity)2 SetRole (io.trino.sql.tree.SetRole)2 LinkedHashSet (java.util.LinkedHashSet)2