use of io.trino.spi.security.SelectedRole in project trino by trinodb.
the class BaseHiveConnectorTest method testSchemaAuthorizationForRole.
/**
 * Checks that a schema's ownership can be transferred to a role and that
 * membership in that role then decides who may work inside the schema.
 *
 * <p>The Hive {@code admin} role creates the schema, confirms that a role
 * which does not exist is rejected as the new owner, then creates
 * {@code authorized_users}, grants it to {@code user} and makes it the
 * schema owner. {@code user} is expected to create and drop a table, while
 * {@code anotheruser}, who receives no grant in this test, must be denied.
 */
@Test
public void testSchemaAuthorizationForRole() {
    SelectedRole adminRole = new SelectedRole(ROLE, Optional.of("admin"));
    Session hiveAdmin = Session.builder(getSession())
            .setIdentity(Identity.forUser("hive")
                    .withConnectorRole("hive", adminRole)
                    .build())
            .build();

    assertUpdate(hiveAdmin, "CREATE SCHEMA test_schema_authorization_role");

    // Ownership may only be handed to a role that exists in the catalog.
    assertQueryFails(
            hiveAdmin,
            "ALTER SCHEMA test_schema_authorization_role SET AUTHORIZATION ROLE nonexisting_role",
            ".*?Role 'nonexisting_role' does not exist in catalog 'hive'");

    assertUpdate(hiveAdmin, "CREATE ROLE authorized_users IN hive");
    assertUpdate(hiveAdmin, "GRANT authorized_users TO user IN hive");
    assertUpdate(hiveAdmin, "ALTER SCHEMA test_schema_authorization_role SET AUTHORIZATION ROLE authorized_users");

    // Both identities reuse the base session's principal; only the user name
    // differs, so the role grant is the one thing that separates them.
    Session roleMember = testSessionBuilder()
            .setCatalog(getSession().getCatalog())
            .setSchema("test_schema_authorization_role")
            .setIdentity(Identity.forUser("user")
                    .withPrincipal(getSession().getIdentity().getPrincipal())
                    .build())
            .build();
    Session outsider = testSessionBuilder()
            .setCatalog(getSession().getCatalog())
            .setSchema("test_schema_authorization_role")
            .setIdentity(Identity.forUser("anotheruser")
                    .withPrincipal(getSession().getIdentity().getPrincipal())
                    .build())
            .build();

    assertUpdate(roleMember, "CREATE TABLE test_schema_authorization_role.test (x bigint)");

    // A user without the owning role must not be able to drop the table ...
    assertQueryFails(
            outsider,
            "DROP TABLE test_schema_authorization_role.test",
            "Access Denied: Cannot drop table test_schema_authorization_role.test");
    // ... nor read from it. Only DROP and SELECT are exercised here; other
    // privileges (INSERT, DELETE, ALTER) are not covered by this test.
    assertQueryFails(
            outsider,
            "SELECT 1 FROM test_schema_authorization_role.test",
            "Access Denied: Cannot select from table test_schema_authorization_role.test");

    // Cleanup: the role member drops the table and schema, and the admin
    // removes the role.
    assertUpdate(roleMember, "DROP TABLE test_schema_authorization_role.test");
    assertUpdate(roleMember, "DROP SCHEMA test_schema_authorization_role");
    assertUpdate(hiveAdmin, "DROP ROLE authorized_users IN hive");
}
use of io.trino.spi.security.SelectedRole in project trino by trinodb.
the class BaseHiveConnectorTest method testViewAuthorizationForRole.
/**
 * Checks who may change a view's owner to a role, and how the request fails.
 *
 * <p>{@code alice} first tries to reassign a view she does not own and is
 * expected to get an access-denied error. After the admin makes her the
 * owner, the same statement is expected to fail with a different message
 * saying that a role as owner type is not supported. The TODO below tracks
 * the upstream issue that should change these assertions.
 */
@Test
public void testViewAuthorizationForRole() {
    SelectedRole adminRole = new SelectedRole(ROLE, Optional.of("admin"));
    Session hiveAdmin = Session.builder(getSession())
            .setCatalog(getSession().getCatalog())
            .setIdentity(Identity.forUser("hive")
                    .withConnectorRole("hive", adminRole)
                    .build())
            .build();
    Session aliceSession = testSessionBuilder()
            .setCatalog(getSession().getCatalog())
            .setIdentity(Identity.forUser("alice").build())
            .build();

    // The random suffix keeps the schema name unique for each run.
    String schema = "test_view_authorization" + TestTable.randomTableSuffix();
    String table = schema + ".test_table";
    String view = schema + ".test_view";

    assertUpdate(hiveAdmin, "CREATE SCHEMA " + schema);
    assertUpdate(hiveAdmin, "CREATE TABLE " + table + " (col int)");
    assertUpdate(hiveAdmin, "CREATE VIEW " + view + " AS SELECT * FROM " + table);

    // TODO Change assertions once https://github.com/trinodb/trino/issues/5706 is done
    // While alice is not the owner, the request is stopped by access control.
    assertAccessDenied(
            aliceSession,
            "ALTER VIEW " + view + " SET AUTHORIZATION ROLE admin",
            "Cannot set authorization for view " + view + " to ROLE admin");

    assertUpdate(hiveAdmin, "ALTER VIEW " + view + " SET AUTHORIZATION alice");

    // As the owner, alice no longer gets access-denied; the statement now
    // fails with the "not supported" message instead.
    assertQueryFails(
            aliceSession,
            "ALTER VIEW " + view + " SET AUTHORIZATION ROLE admin",
            "Setting table owner type as a role is not supported");

    assertUpdate(hiveAdmin, "DROP VIEW " + view);
    assertUpdate(hiveAdmin, "DROP TABLE " + table);
    assertUpdate(hiveAdmin, "DROP SCHEMA " + schema);
}
use of io.trino.spi.security.SelectedRole in project trino by trinodb.
the class BaseHiveConnectorTest method testRequiredPartitionFilterInferred.
/**
 * Checks that, with {@code query_partition_filter_required} enabled, a
 * partition filter on one side of a join is accepted for the other side
 * only when the join is on the partition column.
 *
 * @param queryPartitionFilterRequiredSchemas value supplied by the data
 *        provider for the {@code query_partition_filter_required_schemas}
 *        catalog session property
 */
@Test(dataProvider = "queryPartitionFilterRequiredSchemasDataProvider")
public void testRequiredPartitionFilterInferred(String queryPartitionFilterRequiredSchemas) {
    SelectedRole adminRole = new SelectedRole(ROLE, Optional.of("admin"));
    Session filterRequired = Session.builder(getSession())
            .setIdentity(Identity.forUser("hive")
                    .withConnectorRole("hive", adminRole)
                    .build())
            .setCatalogSessionProperty("hive", "query_partition_filter_required", "true")
            .setCatalogSessionProperty("hive", "query_partition_filter_required_schemas", queryPartitionFilterRequiredSchemas)
            .build();

    // Two tables with the same layout, both partitioned by ds.
    assertUpdate(filterRequired, "CREATE TABLE test_partition_filter_inferred_left(id integer, a varchar, b varchar, ds varchar) WITH (partitioned_by = ARRAY['ds'])");
    assertUpdate(filterRequired, "CREATE TABLE test_partition_filter_inferred_right(id integer, a varchar, b varchar, ds varchar) WITH (partitioned_by = ARRAY['ds'])");
    assertUpdate(filterRequired, "INSERT INTO test_partition_filter_inferred_left(id, a, ds) VALUES (1, 'a', '1')", 1);
    assertUpdate(filterRequired, "INSERT INTO test_partition_filter_inferred_right(id, a, ds) VALUES (1, 'a', '1')", 1);

    // Join on the partition column: the filter on l.ds also covers r.ds,
    // so the query is expected to run.
    assertQuery(
            filterRequired,
            "SELECT l.id, r.id FROM test_partition_filter_inferred_left l JOIN test_partition_filter_inferred_right r ON l.ds = r.ds WHERE l.ds = '1'",
            "SELECT 1, 1");

    // Join on a non-partition column: the right table has no partition
    // filter, so the query is expected to be rejected.
    assertQueryFails(
            filterRequired,
            "SELECT l.ds, r.ds FROM test_partition_filter_inferred_left l JOIN test_partition_filter_inferred_right r ON l.id = r.id WHERE l.ds = '1'",
            "Filter required on tpch\\.test_partition_filter_inferred_right for at least one partition column: ds");

    assertUpdate(filterRequired, "DROP TABLE test_partition_filter_inferred_left");
    assertUpdate(filterRequired, "DROP TABLE test_partition_filter_inferred_right");
}
use of io.trino.spi.security.SelectedRole in project trino by trinodb.
the class AbstractTestHiveRoles method testSetRole.
/**
 * Checks which roles are enabled for a user depending on the role selected
 * in the session.
 *
 * <p>Grant chain built here: {@code set_role_1} is granted to
 * {@code set_user_1}, {@code set_role_2} to {@code set_role_1}, and
 * {@code set_role_3} to {@code set_role_2}. {@code set_role_4} exists but
 * is granted to nobody. The expectations below pin that selecting a role
 * enables it plus the roles granted to it along the chain, that
 * {@code NONE} leaves only {@code public}, and that selecting the
 * ungranted {@code set_role_4} is refused.
 */
@Test
public void testSetRole() {
    for (String role : new String[] {"set_role_1", "set_role_2", "set_role_3", "set_role_4"}) {
        executeFromAdmin(createRoleSql(role));
    }
    executeFromAdmin(grantRoleToUserSql("set_role_1", "set_user_1"));
    executeFromAdmin(grantRoleToRoleSql("set_role_2", "set_role_1"));
    executeFromAdmin(grantRoleToRoleSql("set_role_3", "set_role_2"));

    // One session per role selection, all for the same user.
    Session unsetRole = Session.builder(getSession())
            .setIdentity(Identity.ofUser("set_user_1"))
            .build();
    Session setRoleAll = Session.builder(getSession())
            .setIdentity(Identity.forUser("set_user_1")
                    .withConnectorRole("hive", new SelectedRole(SelectedRole.Type.ALL, Optional.empty()))
                    .build())
            .build();
    Session setRoleNone = Session.builder(getSession())
            .setIdentity(Identity.forUser("set_user_1")
                    .withConnectorRole("hive", new SelectedRole(SelectedRole.Type.NONE, Optional.empty()))
                    .build())
            .build();
    Session setRole1 = Session.builder(getSession())
            .setIdentity(Identity.forUser("set_user_1")
                    .withConnectorRole("hive", new SelectedRole(SelectedRole.Type.ROLE, Optional.of("set_role_1")))
                    .build())
            .build();
    Session setRole2 = Session.builder(getSession())
            .setIdentity(Identity.forUser("set_user_1")
                    .withConnectorRole("hive", new SelectedRole(SelectedRole.Type.ROLE, Optional.of("set_role_2")))
                    .build())
            .build();
    Session setRole3 = Session.builder(getSession())
            .setIdentity(Identity.forUser("set_user_1")
                    .withConnectorRole("hive", new SelectedRole(SelectedRole.Type.ROLE, Optional.of("set_role_3")))
                    .build())
            .build();
    Session setRole4 = Session.builder(getSession())
            .setIdentity(Identity.forUser("set_user_1")
                    .withConnectorRole("hive", new SelectedRole(SelectedRole.Type.ROLE, Optional.of("set_role_4")))
                    .build())
            .build();

    String enabledRolesSql = "SELECT * FROM hive.information_schema.enabled_roles";

    // applicable_roles lists the whole grant chain reachable from the user.
    MaterializedResult applicable = getQueryRunner().execute(unsetRole, "SELECT * FROM hive.information_schema.applicable_roles");
    MaterializedResult applicableExpected = MaterializedResult.resultBuilder(
                    unsetRole,
                    createUnboundedVarcharType(),
                    createUnboundedVarcharType(),
                    createUnboundedVarcharType(),
                    createUnboundedVarcharType())
            .row("set_user_1", "USER", "public", "NO")
            .row("set_user_1", "USER", "set_role_1", "NO")
            .row("set_role_1", "ROLE", "set_role_2", "NO")
            .row("set_role_2", "ROLE", "set_role_3", "NO")
            .build();
    assertEqualsIgnoreOrder(applicable, applicableExpected);

    // No role selected: every role along the chain is expected to be enabled.
    MaterializedResult enabledUnset = getQueryRunner().execute(unsetRole, enabledRolesSql);
    MaterializedResult enabledUnsetExpected = MaterializedResult.resultBuilder(unsetRole, createUnboundedVarcharType())
            .row("public")
            .row("set_role_1")
            .row("set_role_2")
            .row("set_role_3")
            .build();
    assertEqualsIgnoreOrder(enabledUnset, enabledUnsetExpected);

    // ALL: same set as with no selection.
    MaterializedResult enabledAll = getQueryRunner().execute(setRoleAll, enabledRolesSql);
    MaterializedResult enabledAllExpected = MaterializedResult.resultBuilder(setRoleAll, createUnboundedVarcharType())
            .row("public")
            .row("set_role_1")
            .row("set_role_2")
            .row("set_role_3")
            .build();
    assertEqualsIgnoreOrder(enabledAll, enabledAllExpected);

    // NONE: only public remains.
    MaterializedResult enabledNone = getQueryRunner().execute(setRoleNone, enabledRolesSql);
    MaterializedResult enabledNoneExpected = MaterializedResult.resultBuilder(setRoleNone, createUnboundedVarcharType())
            .row("public")
            .build();
    assertEqualsIgnoreOrder(enabledNone, enabledNoneExpected);

    // set_role_1: the role itself plus set_role_2 and set_role_3 below it.
    MaterializedResult enabledRole1 = getQueryRunner().execute(setRole1, enabledRolesSql);
    MaterializedResult enabledRole1Expected = MaterializedResult.resultBuilder(setRole1, createUnboundedVarcharType())
            .row("public")
            .row("set_role_1")
            .row("set_role_2")
            .row("set_role_3")
            .build();
    assertEqualsIgnoreOrder(enabledRole1, enabledRole1Expected);

    // set_role_2: set_role_1 must not be enabled, only the roles below it.
    MaterializedResult enabledRole2 = getQueryRunner().execute(setRole2, enabledRolesSql);
    MaterializedResult enabledRole2Expected = MaterializedResult.resultBuilder(setRole2, createUnboundedVarcharType())
            .row("public")
            .row("set_role_2")
            .row("set_role_3")
            .build();
    assertEqualsIgnoreOrder(enabledRole2, enabledRole2Expected);

    // set_role_3: end of the chain, nothing further is enabled.
    MaterializedResult enabledRole3 = getQueryRunner().execute(setRole3, enabledRolesSql);
    MaterializedResult enabledRole3Expected = MaterializedResult.resultBuilder(setRole3, createUnboundedVarcharType())
            .row("public")
            .row("set_role_3")
            .build();
    assertEqualsIgnoreOrder(enabledRole3, enabledRole3Expected);

    // set_role_4 was never granted to the user, so selecting it must fail.
    assertQueryFails(setRole4, enabledRolesSql, ".*?Cannot set role set_role_4");

    for (String role : new String[] {"set_role_1", "set_role_2", "set_role_3", "set_role_4"}) {
        executeFromAdmin(dropRoleSql(role));
    }
}
use of io.trino.spi.security.SelectedRole in project trino by trinodb.
the class BaseHiveConnectorTest method testIsNotNullWithNestedData.
/**
 * Checks {@code IS NOT NULL} on a field nested inside a row column of a
 * Parquet table, with {@code parquet_use_column_names} set to true.
 *
 * <p>Three rows are inserted: one where the whole row value is null, one
 * where only the nested field {@code y} is null, and one where {@code y}
 * is 1. Only the last row is expected to pass the filter.
 */
@Test
public void testIsNotNullWithNestedData() {
    SelectedRole adminRole = new SelectedRole(ROLE, Optional.of("admin"));
    Session hiveAdmin = Session.builder(getSession())
            .setIdentity(Identity.forUser("hive")
                    .withConnectorRole("hive", adminRole)
                    .build())
            .setCatalogSessionProperty(catalog, "parquet_use_column_names", "true")
            .build();

    assertUpdate(hiveAdmin, "create table nest_test(id int, a row(x varchar, y integer, z varchar), b varchar) WITH (format='PARQUET')");

    // id 0: row value null; id 1: nested y null; id 2: nested y = 1.
    assertUpdate(hiveAdmin, "insert into nest_test values(0, null, '1')", 1);
    assertUpdate(hiveAdmin, "insert into nest_test values(1, ('a', null, 'b'), '1')", 1);
    assertUpdate(hiveAdmin, "insert into nest_test values(2, ('b', 1, 'd'), '1')", 1);

    // A null parent row and a null nested field both read back as null.
    assertQuery(hiveAdmin, "select a.y from nest_test", "values (null), (null), (1)");
    // The predicate must drop both of those rows and keep only id 2.
    assertQuery(hiveAdmin, "select id from nest_test where a.y IS NOT NULL", "values (2)");

    assertUpdate(hiveAdmin, "DROP TABLE nest_test");
}