use of io.trino.spi.security.RoleGrant in project trino by trinodb.
the class SetRoleTask method execute.
/**
 * Handles {@code SET ROLE}: validates the request and records the selected role on the query state machine.
 *
 * <p>For {@code SetRole.Type.ROLE} the named role must exist and the caller must be allowed to assume it.
 * With a catalog, that decision is delegated to {@code accessControl.checkCanSetCatalogRole}; without one,
 * the role must appear among the roles {@code metadata.listApplicableRoles} returns for the session user.
 * Any other statement type is recorded without an authorization check in this method.
 *
 * @param statement the parsed {@code SET ROLE} statement
 * @param stateMachine supplies the session and receives the selected role
 * @param parameters not referenced by this task
 * @param warningCollector not referenced by this task
 * @return an already-completed future
 */
@Override
public ListenableFuture<Void> execute(SetRole statement, QueryStateMachine stateMachine, List<Expression> parameters, WarningCollector warningCollector) {
    Session session = stateMachine.getSession();
    Optional<String> catalog = processRoleCommandCatalog(metadata, session, statement, statement.getCatalog().map(Identifier::getValue));
    // The role name is lower-cased (ENGLISH locale) once; the same value feeds the checks and the recorded selection.
    Optional<String> requestedRole = statement.getRole().map(identifier -> identifier.getValue().toLowerCase(ENGLISH));

    if (statement.getType() == SetRole.Type.ROLE) {
        String role = requestedRole.orElseThrow();
        boolean roleKnown = metadata.roleExists(session, role, catalog);
        if (!roleKnown) {
            throw semanticException(ROLE_NOT_FOUND, statement, "Role '%s' does not exist", role);
        }

        if (catalog.isPresent()) {
            // Catalog role: the access-control implementation decides.
            accessControl.checkCanSetCatalogRole(SecurityContext.of(session), role, catalog.get());
        }
        else {
            // System role: only roles applicable to the session user may be selected.
            Set<RoleGrant> applicableGrants = metadata.listApplicableRoles(session, new TrinoPrincipal(USER, session.getUser()), Optional.empty());
            boolean granted = applicableGrants.stream().anyMatch(grant -> role.equals(grant.getRoleName()));
            if (!granted) {
                // NOTE(review): denySetRole is relied on to throw; if it returned, execution would reach addSetRole below.
                denySetRole(role);
            }
        }
    }

    // All checks above run before the state machine is touched.
    SelectedRole.Type selectedType = toSelectedRoleType(statement.getType());
    stateMachine.addSetRole(catalog.orElse("system"), new SelectedRole(selectedType, requestedRole));
    return immediateVoidFuture();
}
use of io.trino.spi.security.RoleGrant in project trino by trinodb.
the class TestAccessControl method createQueryRunner.
/**
 * Builds the single-node query runner used by these access-control tests.
 *
 * <p>Three catalogs are registered: {@code blackhole} (the session default), {@code tpch} and {@code mock}.
 * The mock connector serves two views, one defined to run as its definer and one to run as the invoker,
 * and always reports a single role grant for user {@code alice}. Empty copies of four TPC-H tables are then
 * created through the session's default catalog.
 *
 * @return the configured query runner
 * @throws Exception if building the runner fails
 */
@Override
protected QueryRunner createQueryRunner() throws Exception {
    Session defaultSession = testSessionBuilder()
            .setCatalog("blackhole")
            .setSchema("default")
            .build();
    DistributedQueryRunner queryRunner = DistributedQueryRunner.builder(defaultSession)
            .setNodeCount(1)
            .build();

    queryRunner.installPlugin(new BlackHolePlugin());
    queryRunner.createCatalog("blackhole", "blackhole");

    queryRunner.installPlugin(new TpchPlugin());
    queryRunner.createCatalog("tpch", "tpch");

    queryRunner.installPlugin(new MockConnectorPlugin(MockConnectorFactory.builder()
            .withGetViews((viewSession, schemaPrefix) -> {
                ImmutableList<ConnectorViewDefinition.ViewColumn> columns =
                        ImmutableList.of(new ConnectorViewDefinition.ViewColumn("test", BIGINT.getTypeId()));
                // Definer view: owner "admin", run-as-invoker flag false.
                ConnectorViewDefinition definerView = new ConnectorViewDefinition(
                        "select 1",
                        Optional.of("mock"),
                        Optional.of("default"),
                        columns,
                        Optional.of("comment"),
                        Optional.of("admin"),
                        false);
                // Invoker view: no owner recorded, run-as-invoker flag true.
                ConnectorViewDefinition invokerView = new ConnectorViewDefinition(
                        "select 1",
                        Optional.of("mock"),
                        Optional.of("default"),
                        columns,
                        Optional.of("comment"),
                        Optional.empty(),
                        true);
                return ImmutableMap.of(
                        new SchemaTableName("default", "test_view_definer"), definerView,
                        new SchemaTableName("default", "test_view_invoker"), invokerView);
            })
            // The roles, grantees and limit arguments are ignored: every lookup returns the same
            // grant of alice_role to user alice, with the grantable flag false.
            .withListRoleGrants((grantSession, roles, grantees, limit) ->
                    ImmutableSet.of(new RoleGrant(new TrinoPrincipal(USER, "alice"), "alice_role", false)))
            .build()));
    queryRunner.createCatalog("mock", "mock");

    // WITH NO DATA copies only the table definitions from tpch.tiny.
    for (String table : ImmutableList.of("orders", "nation", "region", "lineitem")) {
        String createTable = format("CREATE TABLE %1$s AS SELECT * FROM tpch.tiny.%1$s WITH NO DATA", table);
        queryRunner.execute(createTable);
    }
    return queryRunner;
}
use of io.trino.spi.security.RoleGrant in project trino by trinodb.
the class TestingSystemSecurityMetadata method getRoleGrantsRecursively.
/**
 * Collects every role grant reachable from {@code principal}: its direct grants plus, transitively,
 * the grants held by each granted role.
 *
 * <p>Each grant is expanded at most once, so the traversal terminates even when role grants form a cycle.
 *
 * @param principal the user or role whose effective grants are wanted
 * @return an immutable set of all grants found
 */
private Set<RoleGrant> getRoleGrantsRecursively(TrinoPrincipal principal) {
    Set<RoleGrant> visited = new HashSet<>();
    Queue<RoleGrant> frontier = new ArrayDeque<>(getRoleGrants(principal));

    // ArrayDeque never holds null, so a null from poll() means the queue is drained.
    for (RoleGrant grant = frontier.poll(); grant != null; grant = frontier.poll()) {
        if (visited.add(grant)) {
            // First time this grant is seen: queue whatever the granted role has itself been granted.
            frontier.addAll(getRoleGrants(new TrinoPrincipal(ROLE, grant.getRoleName())));
        }
    }
    return ImmutableSet.copyOf(visited);
}