
Example 1 with SelectedRole

use of io.trino.spi.security.SelectedRole in project trino by trinodb.

From the class Session, the method beginTransactionId.

public Session beginTransactionId(TransactionId transactionId, TransactionManager transactionManager, AccessControl accessControl) {
    requireNonNull(transactionId, "transactionId is null");
    checkArgument(this.transactionId.isEmpty(), "Session already has an active transaction");
    requireNonNull(transactionManager, "transactionManager is null");
    requireNonNull(accessControl, "accessControl is null");
    // System properties do not depend on any catalog, so they are checked before the transaction is used.
    validateSystemProperties(accessControl, this.systemProperties);
    // With a transaction in hand each catalog name can be resolved to a connector, which is what
    // per-catalog property validation needs. Only catalogs that actually carry properties are resolved.
    ImmutableMap.Builder<String, Map<String, String>> validatedCatalogProperties = ImmutableMap.builder();
    this.catalogProperties.forEach((catalogName, properties) -> {
        if (properties.isEmpty()) {
            return;
        }
        CatalogName resolvedCatalog = transactionManager.getCatalogName(transactionId, catalogName)
                .orElseThrow(() -> new TrinoException(NOT_FOUND, "Session property catalog does not exist: " + catalogName));
        validateCatalogProperties(Optional.of(transactionId), accessControl, resolvedCatalog, properties);
        validatedCatalogProperties.put(catalogName, properties);
    });
    // A role selected for a catalog is carried into the transactional session only once the catalog
    // is known to exist and, for an explicitly named role, once access control has allowed the identity
    // to assume it. Selection types other than ROLE carry no role name and are passed through unchecked here.
    ImmutableMap.Builder<String, SelectedRole> checkedRoles = ImmutableMap.builder();
    identity.getCatalogRoles().forEach((catalogName, role) -> {
        if (transactionManager.getCatalogName(transactionId, catalogName).isEmpty()) {
            throw new TrinoException(NOT_FOUND, "Catalog for role does not exist: " + catalogName);
        }
        if (role.getType() == SelectedRole.Type.ROLE) {
            String roleName = role.getRole().orElseThrow();
            accessControl.checkCanSetCatalogRole(new SecurityContext(transactionId, identity, queryId), roleName, catalogName);
        }
        checkedRoles.put(catalogName, role);
    });
    Identity identityWithRoles = Identity.from(identity)
            .withConnectorRoles(checkedRoles.buildOrThrow())
            .build();
    // Everything else is copied from this session unchanged; only the transaction, the identity's
    // connector roles and the validated catalog properties differ.
    return new Session(queryId, Optional.of(transactionId), clientTransactionSupport, identityWithRoles, source, catalog, schema, path, traceToken, timeZoneKey, locale, remoteUserAddress, userAgent, clientInfo, clientTags, clientCapabilities, resourceEstimates, start, systemProperties, validatedCatalogProperties.buildOrThrow(), sessionPropertyManager, preparedStatements, protocolHeaders);
}

Example 2 with SelectedRole

use of io.trino.spi.security.SelectedRole in project trino by trinodb.

From the class BaseHiveConnectorTest, the method testShowCreateSchema.

@Test
@Override
public void testShowCreateSchema() {
    // "hive" acts through the catalog's admin role; "user" is an ordinary principal with no role selected.
    Identity hiveAdmin = Identity.forUser("hive")
            .withConnectorRole("hive", new SelectedRole(ROLE, Optional.of("admin")))
            .build();
    Session admin = Session.builder(getSession()).setIdentity(hiveAdmin).build();
    Identity plainUser = Identity.forUser("user")
            .withPrincipal(getSession().getIdentity().getPrincipal())
            .build();
    Session user = testSessionBuilder()
            .setCatalog(getSession().getCatalog())
            .setSchema("test_show_create_schema")
            .setIdentity(plainUser)
            .build();
    assertUpdate(admin, "CREATE ROLE test_show_create_schema_role IN hive");
    assertUpdate(admin, "GRANT test_show_create_schema_role TO user IN hive");
    assertUpdate(admin, "CREATE SCHEMA test_show_create_schema");
    // The schema location is environment specific, so the expected output is a regex rather than a literal.
    String expectedOwnedByHive = format("CREATE SCHEMA %s.test_show_create_schema\nAUTHORIZATION USER hive\nWITH \\(\n   location = '.*test_show_create_schema'\n\\)", getSession().getCatalog().get());
    String shownToAdmin = getOnlyElement(computeActual(admin, "SHOW CREATE SCHEMA test_show_create_schema").getOnlyColumnAsSet()).toString();
    assertThat(shownToAdmin).matches(expectedOwnedByHive);
    // A principal that neither owns the schema nor holds a granted owner role is denied the definition.
    assertQueryFails(user, "SHOW CREATE SCHEMA test_show_create_schema", "Access Denied: Cannot show create schema for test_show_create_schema");
    assertUpdate(admin, "ALTER SCHEMA test_show_create_schema SET AUTHORIZATION ROLE test_show_create_schema_role");
    String expectedOwnedByRole = format("CREATE SCHEMA %s.test_show_create_schema\nAUTHORIZATION ROLE test_show_create_schema_role\nWITH \\(\n   location = '.*test_show_create_schema'\n\\)", getSession().getCatalog().get());
    shownToAdmin = getOnlyElement(computeActual(admin, "SHOW CREATE SCHEMA test_show_create_schema").getOnlyColumnAsSet()).toString();
    assertThat(shownToAdmin).matches(expectedOwnedByRole);
    // "user" was granted the owning role above, so it may now drop the schema.
    assertUpdate(user, "DROP SCHEMA test_show_create_schema");
    assertUpdate(admin, "DROP ROLE test_show_create_schema_role IN hive");
}

Example 3 with SelectedRole

use of io.trino.spi.security.SelectedRole in project trino by trinodb.

From the class BaseHiveConnectorTest, the method testViewAuthorizationSecurityInvoker.

@Test
public void testViewAuthorizationSecurityInvoker() {
    Identity hiveAdmin = Identity.forUser("hive")
            .withConnectorRole("hive", new SelectedRole(ROLE, Optional.of("admin")))
            .build();
    Session admin = Session.builder(getSession())
            .setCatalog(getSession().getCatalog())
            .setIdentity(hiveAdmin)
            .build();
    Session alice = testSessionBuilder()
            .setCatalog(getSession().getCatalog())
            .setIdentity(Identity.forUser("alice").build())
            .build();
    // A random suffix keeps this schema from colliding with other tests sharing the catalog.
    String schemaName = "test_view_authorization" + TestTable.randomTableSuffix();
    String table = schemaName + ".test_table";
    String view = schemaName + ".test_view";
    String selectFromView = "SELECT * FROM " + view;
    String deniedOnTable = "Access Denied: Cannot select from table " + table;
    assertUpdate(admin, "CREATE SCHEMA " + schemaName);
    assertUpdate(admin, "CREATE TABLE " + table + " (col int)");
    assertUpdate(admin, "INSERT INTO " + table + " VALUES (1)", 1);
    assertUpdate(admin, "CREATE VIEW " + view + " SECURITY INVOKER AS SELECT * from " + table);
    assertUpdate(admin, "GRANT SELECT ON " + view + " TO alice");
    // With SECURITY INVOKER the underlying table is read with the caller's privileges,
    // so a grant on the view alone is not enough for alice.
    assertQueryFails(alice, selectFromView, deniedOnTable);
    // Owning the view does not change that: the invoker still needs access to the table itself.
    assertUpdate(admin, "ALTER VIEW " + view + " SET AUTHORIZATION alice");
    assertQueryFails(alice, selectFromView, deniedOnTable);
    assertUpdate(alice, "ALTER VIEW " + view + " SET AUTHORIZATION admin");
    assertUpdate(admin, "DROP VIEW " + view);
    assertUpdate(admin, "DROP TABLE " + table);
    assertUpdate(admin, "DROP SCHEMA " + schemaName);
}

Example 4 with SelectedRole

use of io.trino.spi.security.SelectedRole in project trino by trinodb.

From the class BaseHiveConnectorTest, the method testSchemaAuthorization.

@Test
public void testSchemaAuthorization() {
    Identity hiveAdmin = Identity.forUser("hive")
            .withConnectorRole("hive", new SelectedRole(ROLE, Optional.of("admin")))
            .build();
    Session admin = Session.builder(getSession()).setIdentity(hiveAdmin).build();
    Identity plainUser = Identity.forUser("user")
            .withPrincipal(getSession().getIdentity().getPrincipal())
            .build();
    Session user = testSessionBuilder()
            .setCatalog(getSession().getCatalog())
            .setSchema("test_schema_authorization")
            .setIdentity(plainUser)
            .build();
    assertUpdate(admin, "CREATE SCHEMA test_schema_authorization");
    assertUpdate(admin, "ALTER SCHEMA test_schema_authorization SET AUTHORIZATION user");
    // As the current owner the user may hand the schema to ROLE admin ...
    assertUpdate(user, "ALTER SCHEMA test_schema_authorization SET AUTHORIZATION ROLE admin");
    // ... but is no longer the owner afterwards, so repeating the statement is denied.
    assertQueryFails(user, "ALTER SCHEMA test_schema_authorization SET AUTHORIZATION ROLE admin", "Access Denied: Cannot set authorization for schema test_schema_authorization to ROLE admin");
    // Give the schema back to the user, then change the owner to ROLE admin from a session without
    // a default catalog: roles must resolve relative to the schema's catalog, not the session's.
    assertUpdate(admin, "ALTER SCHEMA test_schema_authorization SET AUTHORIZATION user");
    Session userWithoutDefaultCatalog = testSessionBuilder().setIdentity(plainUser).build();
    assertUpdate(userWithoutDefaultCatalog, "ALTER SCHEMA hive.test_schema_authorization SET AUTHORIZATION ROLE admin");
    assertUpdate(admin, "ALTER SCHEMA test_schema_authorization SET AUTHORIZATION user");
    assertUpdate(admin, "DROP SCHEMA test_schema_authorization");
}

Example 5 with SelectedRole

use of io.trino.spi.security.SelectedRole in project trino by trinodb.

From the class BaseHiveConnectorTest, the method testSchemaAuthorizationForUser.

@Test
public void testSchemaAuthorizationForUser() {
    Identity hiveAdmin = Identity.forUser("hive")
            .withConnectorRole("hive", new SelectedRole(ROLE, Optional.of("admin")))
            .build();
    Session admin = Session.builder(getSession()).setIdentity(hiveAdmin).build();
    assertUpdate(admin, "CREATE SCHEMA test_schema_authorization_user");
    // Two ordinary principals sharing the test principal; neither holds a role in the catalog.
    Identity userIdentity = Identity.forUser("user")
            .withPrincipal(getSession().getIdentity().getPrincipal())
            .build();
    Session user = testSessionBuilder()
            .setCatalog(getSession().getCatalog())
            .setSchema("test_schema_authorization_user")
            .setIdentity(userIdentity)
            .build();
    Identity anotherIdentity = Identity.forUser("anotheruser")
            .withPrincipal(getSession().getIdentity().getPrincipal())
            .build();
    Session anotherUser = testSessionBuilder()
            .setCatalog(getSession().getCatalog())
            .setSchema("test_schema_authorization_user")
            .setIdentity(anotherIdentity)
            .build();
    // Ordinary users can neither drop a schema nor create a table in a schema they do not own.
    assertQueryFails(user, "DROP SCHEMA test_schema_authorization_user", "Access Denied: Cannot drop schema test_schema_authorization_user");
    assertQueryFails(user, "CREATE TABLE test_schema_authorization_user.test (x bigint)", "Access Denied: Cannot create table test_schema_authorization_user.test");
    // Hand ownership to "user".
    assertUpdate(admin, "ALTER SCHEMA test_schema_authorization_user SET AUTHORIZATION user");
    // Ownership is per principal: "anotheruser" still cannot create tables, while "user" now can.
    assertQueryFails(anotherUser, "CREATE TABLE test_schema_authorization_user.test (x bigint)", "Access Denied: Cannot create table test_schema_authorization_user.test");
    assertUpdate(user, "CREATE TABLE test_schema_authorization_user.test (x bigint)");
    // The other user can neither drop the new table ...
    assertQueryFails(anotherUser, "DROP TABLE test_schema_authorization_user.test", "Access Denied: Cannot drop table test_schema_authorization_user.test");
    // ... nor read from it.
    assertQueryFails(anotherUser, "SELECT 1 FROM test_schema_authorization_user.test", "Access Denied: Cannot select from table test_schema_authorization_user.test");
    assertUpdate(user, "DROP TABLE test_schema_authorization_user.test");
    assertUpdate(user, "DROP SCHEMA test_schema_authorization_user");
}
