
Example 16 with SelectedRole

use of io.trino.spi.security.SelectedRole in project trino by trinodb.

the class BaseHiveConnectorTest method testSchemaAuthorizationForRole.

/**
 * Verifies schema ownership by role: after {@code ALTER SCHEMA ... SET AUTHORIZATION ROLE},
 * a user holding the role can create and drop tables in the schema, while a user without
 * the role is refused both {@code DROP TABLE} and {@code SELECT}.
 *
 * <p>NOTE(review): the trailing DROP statements run only when every assertion above them
 * passes; a failing run leaves the schema, table and role behind for later tests.
 */
@Test
public void testSchemaAuthorizationForRole() {
    // Administrative session: user "hive" with connector role "admin" selected in catalog "hive".
    Identity adminIdentity = Identity.forUser("hive")
            .withConnectorRole("hive", new SelectedRole(ROLE, Optional.of("admin")))
            .build();
    Session adminSession = Session.builder(getSession())
            .setIdentity(adminIdentity)
            .build();

    assertUpdate(adminSession, "CREATE SCHEMA test_schema_authorization_role");

    // Ownership may only be handed to a role that already exists in the catalog.
    assertQueryFails(
            adminSession,
            "ALTER SCHEMA test_schema_authorization_role SET AUTHORIZATION ROLE nonexisting_role",
            ".*?Role 'nonexisting_role' does not exist in catalog 'hive'");

    // Create the owning role, make "user" a member, then transfer the schema to the role.
    assertUpdate(adminSession, "CREATE ROLE authorized_users IN hive");
    assertUpdate(adminSession, "GRANT authorized_users TO user IN hive");
    assertUpdate(adminSession, "ALTER SCHEMA test_schema_authorization_role SET AUTHORIZATION ROLE authorized_users");

    // The two unprivileged sessions reuse the base session's principal and differ only in user
    // name; neither selects a connector role explicitly.
    Session memberSession = testSessionBuilder()
            .setCatalog(getSession().getCatalog())
            .setSchema("test_schema_authorization_role")
            .setIdentity(Identity.forUser("user")
                    .withPrincipal(getSession().getIdentity().getPrincipal())
                    .build())
            .build();
    Session outsiderSession = testSessionBuilder()
            .setCatalog(getSession().getCatalog())
            .setSchema("test_schema_authorization_role")
            .setIdentity(Identity.forUser("anotheruser")
                    .withPrincipal(getSession().getIdentity().getPrincipal())
                    .build())
            .build();

    // A role member can create a table inside the role-owned schema.
    assertUpdate(memberSession, "CREATE TABLE test_schema_authorization_role.test (x bigint)");

    // A user without the role must be denied destructive access ...
    assertQueryFails(
            outsiderSession,
            "DROP TABLE test_schema_authorization_role.test",
            "Access Denied: Cannot drop table test_schema_authorization_role.test");
    // ... and read access as well.
    assertQueryFails(
            outsiderSession,
            "SELECT 1 FROM test_schema_authorization_role.test",
            "Access Denied: Cannot select from table test_schema_authorization_role.test");

    // Cleanup: the member removes its own objects, the admin removes the role.
    assertUpdate(memberSession, "DROP TABLE test_schema_authorization_role.test");
    assertUpdate(memberSession, "DROP SCHEMA test_schema_authorization_role");
    assertUpdate(adminSession, "DROP ROLE authorized_users IN hive");
}
Also used : SelectedRole(io.trino.spi.security.SelectedRole) HiveQueryRunner.createBucketedSession(io.trino.plugin.hive.HiveQueryRunner.createBucketedSession) Session(io.trino.Session) Test(org.testng.annotations.Test) BaseConnectorTest(io.trino.testing.BaseConnectorTest)

Example 17 with SelectedRole

use of io.trino.spi.security.SelectedRole in project trino by trinodb.

the class BaseHiveConnectorTest method testViewAuthorizationForRole.

/**
 * Exercises {@code ALTER VIEW ... SET AUTHORIZATION} for a non-owner and for an owner.
 *
 * <p>Before alice owns the view, her attempt to assign it to {@code ROLE admin} is rejected as
 * access denied. Once the admin has made alice the owner, the same statement fails with a
 * different message ("Setting table owner type as a role is not supported").
 *
 * <p>NOTE(review): the DROP statements at the end are skipped if any assertion fails, so a
 * failing run leaves the randomly named schema behind.
 */
@Test
public void testViewAuthorizationForRole() {
    // Administrative session: user "hive" with connector role "admin" selected in catalog "hive".
    Identity adminIdentity = Identity.forUser("hive")
            .withConnectorRole("hive", new SelectedRole(ROLE, Optional.of("admin")))
            .build();
    Session adminSession = Session.builder(getSession())
            .setCatalog(getSession().getCatalog())
            .setIdentity(adminIdentity)
            .build();
    // alice is built without any connector role and without a principal.
    Session aliceSession = testSessionBuilder()
            .setCatalog(getSession().getCatalog())
            .setIdentity(Identity.forUser("alice").build())
            .build();

    // A random suffix keeps this schema apart from those of other runs.
    String schemaName = "test_view_authorization" + TestTable.randomTableSuffix();
    String tableName = schemaName + ".test_table";
    String viewName = schemaName + ".test_view";

    assertUpdate(adminSession, "CREATE SCHEMA " + schemaName);
    assertUpdate(adminSession, "CREATE TABLE " + tableName + " (col int)");
    assertUpdate(adminSession, "CREATE VIEW " + viewName + " AS SELECT * FROM " + tableName);

    // TODO Change assertions once https://github.com/trinodb/trino/issues/5706 is done
    // Non-owner: the request is refused by access control.
    assertAccessDenied(
            aliceSession,
            "ALTER VIEW " + viewName + " SET AUTHORIZATION ROLE admin",
            "Cannot set authorization for view " + viewName + " to ROLE admin");

    // Make alice the owner of the view.
    assertUpdate(adminSession, "ALTER VIEW " + viewName + " SET AUTHORIZATION alice");

    // Owner: the failure is now about the unsupported owner type, not an access denial.
    assertQueryFails(
            aliceSession,
            "ALTER VIEW " + viewName + " SET AUTHORIZATION ROLE admin",
            "Setting table owner type as a role is not supported");

    // Cleanup in dependency order: view, then table, then schema.
    assertUpdate(adminSession, "DROP VIEW " + viewName);
    assertUpdate(adminSession, "DROP TABLE " + tableName);
    assertUpdate(adminSession, "DROP SCHEMA " + schemaName);
}
Also used : SelectedRole(io.trino.spi.security.SelectedRole) HiveQueryRunner.createBucketedSession(io.trino.plugin.hive.HiveQueryRunner.createBucketedSession) Session(io.trino.Session) Test(org.testng.annotations.Test) BaseConnectorTest(io.trino.testing.BaseConnectorTest)

Example 18 with SelectedRole

use of io.trino.spi.security.SelectedRole in project trino by trinodb.

the class BaseHiveConnectorTest method testRequiredPartitionFilterInferred.

/**
 * Checks that, with {@code query_partition_filter_required} enabled, a partition filter written
 * for one side of a join is accepted for the other side when the join is on the partition column,
 * and that the query is rejected when the join is on a non-partition column.
 *
 * @param queryPartitionFilterRequiredSchemas value passed through unchanged to the
 *     {@code query_partition_filter_required_schemas} catalog session property
 */
@Test(dataProvider = "queryPartitionFilterRequiredSchemasDataProvider")
public void testRequiredPartitionFilterInferred(String queryPartitionFilterRequiredSchemas) {
    // Administrative identity: user "hive" with connector role "admin" selected in catalog "hive".
    Identity adminIdentity = Identity.forUser("hive")
            .withConnectorRole("hive", new SelectedRole(ROLE, Optional.of("admin")))
            .build();
    Session filterRequiredSession = Session.builder(getSession())
            .setIdentity(adminIdentity)
            .setCatalogSessionProperty("hive", "query_partition_filter_required", "true")
            .setCatalogSessionProperty("hive", "query_partition_filter_required_schemas", queryPartitionFilterRequiredSchemas)
            .build();

    // Both tables share one definition and are partitioned by "ds".
    String tableDefinition = "(id integer, a varchar, b varchar, ds varchar) WITH (partitioned_by = ARRAY['ds'])";
    assertUpdate(filterRequiredSession, "CREATE TABLE test_partition_filter_inferred_left" + tableDefinition);
    assertUpdate(filterRequiredSession, "CREATE TABLE test_partition_filter_inferred_right" + tableDefinition);

    // One row per table, both in partition ds = '1'.
    assertUpdate(filterRequiredSession, "INSERT INTO test_partition_filter_inferred_left(id, a, ds) VALUES (1, 'a', '1')", 1);
    assertUpdate(filterRequiredSession, "INSERT INTO test_partition_filter_inferred_right(id, a, ds) VALUES (1, 'a', '1')", 1);

    // Join on the partition column: the filter on l.ds also covers the right-hand table.
    assertQuery(
            filterRequiredSession,
            "SELECT l.id, r.id FROM test_partition_filter_inferred_left l JOIN test_partition_filter_inferred_right r ON l.ds = r.ds WHERE l.ds = '1'",
            "SELECT 1, 1");

    // Join on a non-partition column: the right-hand table has no partition filter, so the
    // query must fail. The expected message names the table under schema "tpch".
    assertQueryFails(
            filterRequiredSession,
            "SELECT l.ds, r.ds FROM test_partition_filter_inferred_left l JOIN test_partition_filter_inferred_right r ON l.id = r.id WHERE l.ds = '1'",
            "Filter required on tpch\\.test_partition_filter_inferred_right for at least one partition column: ds");

    assertUpdate(filterRequiredSession, "DROP TABLE test_partition_filter_inferred_left");
    assertUpdate(filterRequiredSession, "DROP TABLE test_partition_filter_inferred_right");
}
Also used : SelectedRole(io.trino.spi.security.SelectedRole) HiveQueryRunner.createBucketedSession(io.trino.plugin.hive.HiveQueryRunner.createBucketedSession) Session(io.trino.Session) Test(org.testng.annotations.Test) BaseConnectorTest(io.trino.testing.BaseConnectorTest)

Example 19 with SelectedRole

use of io.trino.spi.security.SelectedRole in project trino by trinodb.

the class AbstractTestHiveRoles method testSetRole.

/**
 * Verifies which roles are enabled for {@code set_user_1} under each kind of role selection.
 *
 * <p>Grants set up here: set_role_1 to set_user_1, set_role_2 to set_role_1, set_role_3 to
 * set_role_2; set_role_4 is created but granted to nobody. The assertions show that selecting a
 * role enables that role plus the roles granted to it (never the roles it was granted to), that
 * {@code NONE} leaves only {@code public}, and that selecting the ungranted set_role_4 makes the
 * query fail.
 *
 * <p>NOTE(review): the roles are dropped only when every assertion passes; a failing run leaves
 * set_role_1..set_role_4 and their grants in the metastore.
 */
@Test
public void testSetRole() {
    String[] roleNames = {"set_role_1", "set_role_2", "set_role_3", "set_role_4"};
    for (String roleName : roleNames) {
        executeFromAdmin(createRoleSql(roleName));
    }
    executeFromAdmin(grantRoleToUserSql("set_role_1", "set_user_1"));
    executeFromAdmin(grantRoleToRoleSql("set_role_2", "set_role_1"));
    executeFromAdmin(grantRoleToRoleSql("set_role_3", "set_role_2"));

    // One session per selection mode, all for the same user.
    Session noSelection = Session.builder(getSession())
            .setIdentity(Identity.ofUser("set_user_1"))
            .build();
    Session allSelected = Session.builder(getSession())
            .setIdentity(Identity.forUser("set_user_1")
                    .withConnectorRole("hive", new SelectedRole(SelectedRole.Type.ALL, Optional.empty()))
                    .build())
            .build();
    Session noneSelected = Session.builder(getSession())
            .setIdentity(Identity.forUser("set_user_1")
                    .withConnectorRole("hive", new SelectedRole(SelectedRole.Type.NONE, Optional.empty()))
                    .build())
            .build();
    Session role1Selected = Session.builder(getSession())
            .setIdentity(Identity.forUser("set_user_1")
                    .withConnectorRole("hive", new SelectedRole(SelectedRole.Type.ROLE, Optional.of("set_role_1")))
                    .build())
            .build();
    Session role2Selected = Session.builder(getSession())
            .setIdentity(Identity.forUser("set_user_1")
                    .withConnectorRole("hive", new SelectedRole(SelectedRole.Type.ROLE, Optional.of("set_role_2")))
                    .build())
            .build();
    Session role3Selected = Session.builder(getSession())
            .setIdentity(Identity.forUser("set_user_1")
                    .withConnectorRole("hive", new SelectedRole(SelectedRole.Type.ROLE, Optional.of("set_role_3")))
                    .build())
            .build();
    // Building a session that selects an ungranted role succeeds; the rejection is asserted
    // below, when a query runs under it.
    Session role4Selected = Session.builder(getSession())
            .setIdentity(Identity.forUser("set_user_1")
                    .withConnectorRole("hive", new SelectedRole(SelectedRole.Type.ROLE, Optional.of("set_role_4")))
                    .build())
            .build();

    // applicable_roles: the user's direct grants plus the role-to-role grants along the chain.
    MaterializedResult applicableRoles = getQueryRunner().execute(noSelection, "SELECT * FROM hive.information_schema.applicable_roles");
    MaterializedResult expectedApplicableRoles = MaterializedResult.resultBuilder(
                    noSelection,
                    createUnboundedVarcharType(),
                    createUnboundedVarcharType(),
                    createUnboundedVarcharType(),
                    createUnboundedVarcharType())
            .row("set_user_1", "USER", "public", "NO")
            .row("set_user_1", "USER", "set_role_1", "NO")
            .row("set_role_1", "ROLE", "set_role_2", "NO")
            .row("set_role_2", "ROLE", "set_role_3", "NO")
            .build();
    assertEqualsIgnoreOrder(applicableRoles, expectedApplicableRoles);

    String enabledRolesQuery = "SELECT * FROM hive.information_schema.enabled_roles";

    // No explicit selection: every role reachable from the user is enabled.
    MaterializedResult enabledRoles = getQueryRunner().execute(noSelection, enabledRolesQuery);
    MaterializedResult expectedEnabledRoles = MaterializedResult.resultBuilder(noSelection, createUnboundedVarcharType())
            .row("public")
            .row("set_role_1")
            .row("set_role_2")
            .row("set_role_3")
            .build();
    assertEqualsIgnoreOrder(enabledRoles, expectedEnabledRoles);

    // ALL: same set as with no selection.
    enabledRoles = getQueryRunner().execute(allSelected, enabledRolesQuery);
    expectedEnabledRoles = MaterializedResult.resultBuilder(allSelected, createUnboundedVarcharType())
            .row("public")
            .row("set_role_1")
            .row("set_role_2")
            .row("set_role_3")
            .build();
    assertEqualsIgnoreOrder(enabledRoles, expectedEnabledRoles);

    // NONE: only "public" remains.
    enabledRoles = getQueryRunner().execute(noneSelected, enabledRolesQuery);
    expectedEnabledRoles = MaterializedResult.resultBuilder(noneSelected, createUnboundedVarcharType())
            .row("public")
            .build();
    assertEqualsIgnoreOrder(enabledRoles, expectedEnabledRoles);

    // set_role_1: the selected role plus the roles granted to it, transitively.
    enabledRoles = getQueryRunner().execute(role1Selected, enabledRolesQuery);
    expectedEnabledRoles = MaterializedResult.resultBuilder(role1Selected, createUnboundedVarcharType())
            .row("public")
            .row("set_role_1")
            .row("set_role_2")
            .row("set_role_3")
            .build();
    assertEqualsIgnoreOrder(enabledRoles, expectedEnabledRoles);

    // set_role_2: set_role_1 is no longer enabled.
    enabledRoles = getQueryRunner().execute(role2Selected, enabledRolesQuery);
    expectedEnabledRoles = MaterializedResult.resultBuilder(role2Selected, createUnboundedVarcharType())
            .row("public")
            .row("set_role_2")
            .row("set_role_3")
            .build();
    assertEqualsIgnoreOrder(enabledRoles, expectedEnabledRoles);

    // set_role_3: the end of the chain, so only it and "public" are enabled.
    enabledRoles = getQueryRunner().execute(role3Selected, enabledRolesQuery);
    expectedEnabledRoles = MaterializedResult.resultBuilder(role3Selected, createUnboundedVarcharType())
            .row("public")
            .row("set_role_3")
            .build();
    assertEqualsIgnoreOrder(enabledRoles, expectedEnabledRoles);

    // set_role_4 was never granted to the user, so running under it must be refused.
    assertQueryFails(role4Selected, enabledRolesQuery, ".*?Cannot set role set_role_4");

    for (String roleName : roleNames) {
        executeFromAdmin(dropRoleSql(roleName));
    }
}
Also used : SelectedRole(io.trino.spi.security.SelectedRole) MaterializedResult(io.trino.testing.MaterializedResult) Session(io.trino.Session) Test(org.testng.annotations.Test)

Example 20 with SelectedRole

use of io.trino.spi.security.SelectedRole in project trino by trinodb.

the class BaseHiveConnectorTest method testIsNotNullWithNestedData.

/**
 * Checks {@code IS NOT NULL} on a field of a nested row column stored as Parquet, with
 * {@code parquet_use_column_names} enabled: a null row and a row whose field is null must both
 * be filtered out.
 */
@Test
public void testIsNotNullWithNestedData() {
    // Administrative identity: user "hive" with connector role "admin" selected in catalog "hive".
    Identity adminIdentity = Identity.forUser("hive")
            .withConnectorRole("hive", new SelectedRole(ROLE, Optional.of("admin")))
            .build();
    Session adminSession = Session.builder(getSession())
            .setIdentity(adminIdentity)
            .setCatalogSessionProperty(catalog, "parquet_use_column_names", "true")
            .build();

    assertUpdate(adminSession, "create table nest_test(id int, a row(x varchar, y integer, z varchar), b varchar) WITH (format='PARQUET')");

    // Three single-row inserts: a null row, a row with a null "y", and a row with y = 1.
    String[] insertStatements = {
            "insert into nest_test values(0, null, '1')",
            "insert into nest_test values(1, ('a', null, 'b'), '1')",
            "insert into nest_test values(2, ('b', 1, 'd'), '1')",
    };
    for (String insertStatement : insertStatements) {
        assertUpdate(adminSession, insertStatement, 1);
    }

    // Projection yields null for the first two rows; only id 2 survives the IS NOT NULL filter.
    assertQuery(adminSession, "select a.y from nest_test", "values (null), (null), (1)");
    assertQuery(adminSession, "select id from nest_test where a.y IS NOT NULL", "values (2)");

    assertUpdate(adminSession, "DROP TABLE nest_test");
}
Also used : SelectedRole(io.trino.spi.security.SelectedRole) HiveQueryRunner.createBucketedSession(io.trino.plugin.hive.HiveQueryRunner.createBucketedSession) Session(io.trino.Session) Test(org.testng.annotations.Test) BaseConnectorTest(io.trino.testing.BaseConnectorTest)
