use of io.trino.spi.security.SelectedRole in project trino by trinodb.
the class BaseHiveConnectorTest method testRequiredPartitionFilter.
/**
 * Checks that, once {@code query_partition_filter_required} is switched on for the hive catalog,
 * statements against a partitioned table are rejected unless they constrain the partition
 * column {@code ds}.
 *
 * @param queryPartitionFilterRequiredSchemas value written to the
 *        {@code query_partition_filter_required_schemas} catalog session property
 */
@Test(dataProvider = "queryPartitionFilterRequiredSchemasDataProvider")
public void testRequiredPartitionFilter(String queryPartitionFilterRequiredSchemas) {
    // The whole test runs as user "hive" with the "admin" connector role selected.
    Identity hiveAdmin = Identity.forUser("hive")
            .withConnectorRole("hive", new SelectedRole(ROLE, Optional.of("admin")))
            .build();
    Session partitionFilterSession = Session.builder(getSession())
            .setIdentity(hiveAdmin)
            .setCatalogSessionProperty("hive", "query_partition_filter_required", "true")
            .setCatalogSessionProperty("hive", "query_partition_filter_required_schemas", queryPartitionFilterRequiredSchemas)
            .build();

    assertUpdate(
            partitionFilterSession,
            "CREATE TABLE test_required_partition_filter(id integer, a varchar, b varchar, ds varchar) WITH (partitioned_by = ARRAY['ds'])");
    assertUpdate(
            partitionFilterSession,
            "INSERT INTO test_required_partition_filter(id, a, ds) VALUES (1, 'a', '1')",
            1);

    // Passed to assertQueryFails as the expected failure message (note the escaped dot).
    String expectedFailure = "Filter required on tpch\\.test_required_partition_filter for at least one partition column: ds";

    // Filtering only on a non-partition column is rejected, also under EXPLAIN / EXPLAIN ANALYZE.
    assertQueryFails(partitionFilterSession, "SELECT id FROM test_required_partition_filter WHERE a = '1'", expectedFailure);
    assertQueryFails(partitionFilterSession, "EXPLAIN SELECT id FROM test_required_partition_filter WHERE a = '1'", expectedFailure);
    assertQueryFails(partitionFilterSession, "EXPLAIN ANALYZE SELECT id FROM test_required_partition_filter WHERE a = '1'", expectedFailure);

    // A predicate that mentions ds but is always true does not count as a partition filter.
    assertQueryFails(partitionFilterSession, "SELECT id FROM test_required_partition_filter WHERE ds IS NOT NULL OR true", expectedFailure);

    // Equality on the partition column is accepted.
    assertQuery(partitionFilterSession, "SELECT id FROM test_required_partition_filter WHERE ds = '1'", "SELECT 1");
    computeActual(partitionFilterSession, "EXPLAIN SELECT id FROM test_required_partition_filter WHERE ds = '1'");

    // IS NOT NULL on the partition column is accepted.
    assertQuery(partitionFilterSession, "SELECT id FROM test_required_partition_filter WHERE ds IS NOT NULL", "SELECT 1");

    // A CAST around the partition column is accepted (the cast is likely unwrapped).
    assertQuery(partitionFilterSession, "SELECT id FROM test_required_partition_filter WHERE CAST(ds AS integer) = 1", "SELECT 1");

    // The partition predicate may sit in the outer query only.
    assertQuery(
            partitionFilterSession,
            "SELECT id FROM (SELECT * FROM test_required_partition_filter WHERE CAST(id AS smallint) = 1) WHERE CAST(ds AS integer) = 1",
            "select 1");
    computeActual(
            partitionFilterSession,
            "EXPLAIN SELECT id FROM (SELECT * FROM test_required_partition_filter WHERE CAST(id AS smallint) = 1) WHERE CAST(ds AS integer) = 1");

    // ANALYZE is rejected without an explicit partition list and accepted with one.
    assertQueryFails(partitionFilterSession, "ANALYZE test_required_partition_filter", expectedFailure);
    assertQueryFails(partitionFilterSession, "EXPLAIN ANALYZE test_required_partition_filter", expectedFailure);
    assertUpdate(partitionFilterSession, "ANALYZE test_required_partition_filter WITH (partitions=ARRAY[ARRAY['1']])", 1);
    computeActual(partitionFilterSession, "EXPLAIN ANALYZE test_required_partition_filter WITH (partitions=ARRAY[ARRAY['1']])");

    // NOTE(review): cleanup is not in a finally block, so a failed assertion above leaves the table behind.
    assertUpdate(partitionFilterSession, "DROP TABLE test_required_partition_filter");
}
use of io.trino.spi.security.SelectedRole in project trino by trinodb.
the class BaseHiveConnectorTest method testIoExplainNoFilter.
/**
 * Checks the {@code EXPLAIN (TYPE IO, FORMAT JSON)} output for an unfiltered select on a
 * partitioned table holding a single row in partition {@code ds = 'a'}: the expected plan
 * reports a constraint on {@code ds} whose only range is exactly {@code 'a'}.
 */
@Test
public void testIoExplainNoFilter() {
    // Table setup runs as user "hive" with the "admin" connector role selected.
    Identity hiveAdmin = Identity.forUser("hive")
            .withConnectorRole("hive", new SelectedRole(ROLE, Optional.of("admin")))
            .build();
    Session adminSession = Session.builder(getSession())
            .setIdentity(hiveAdmin)
            .build();

    assertUpdate(
            adminSession,
            "create table io_explain_test_no_filter(\n" +
                    "id integer,\n" +
                    "a varchar,\n" +
                    "b varchar,\n" +
                    "ds varchar)" +
                    "WITH (format='PARQUET', partitioned_by = ARRAY['ds'])");
    assertUpdate(adminSession, "insert into io_explain_test_no_filter(id,a,ds) values(1, 'a','a')", 1);

    // Expected estimates for the table scan and for the plan as a whole.
    EstimatedStatsAndCost scanEstimate = new EstimatedStatsAndCost(1.0, 22.0, 22.0, 0.0, 0.0);
    EstimatedStatsAndCost totalEstimate = new EstimatedStatsAndCost(1.0, 22.0, 22.0, 0.0, 22.0);

    // Expected constraint: ds limited to the single value 'a' (low and high marker both EXACTLY 'a').
    FormattedMarker lowMarker = new FormattedMarker(Optional.of("a"), EXACTLY);
    FormattedMarker highMarker = new FormattedMarker(Optional.of("a"), EXACTLY);
    ColumnConstraint dsConstraint = new ColumnConstraint(
            "ds",
            VARCHAR,
            new FormattedDomain(false, ImmutableSet.of(new FormattedRange(lowMarker, highMarker))));
    TableColumnInfo expectedInput = new TableColumnInfo(
            new CatalogSchemaTableName(catalog, "tpch", "io_explain_test_no_filter"),
            ImmutableSet.of(dsConstraint),
            scanEstimate);
    IoPlan expectedPlan = new IoPlan(ImmutableSet.of(expectedInput), Optional.empty(), totalEstimate);

    // NOTE(review): the EXPLAIN and the DROP below use the default session, not adminSession.
    MaterializedResult explainOutput = computeActual("EXPLAIN (TYPE IO, FORMAT JSON) SELECT * FROM io_explain_test_no_filter");
    assertEquals(
            getIoPlanCodec().fromJson((String) getOnlyElement(explainOutput.getOnlyColumnAsSet())),
            expectedPlan);

    assertUpdate("DROP TABLE io_explain_test_no_filter");
}
use of io.trino.spi.security.SelectedRole in project trino by trinodb.
the class BaseHiveConnectorTest method testViewAuthorizationSecurityDefiner.
/**
 * Exercises ownership changes on a {@code SECURITY DEFINER} view.
 *
 * <p>While the admin session owns the view, alice (granted SELECT on the view only) can read
 * through it. After the view's authorization is set to alice, the same query is denied with
 * "Cannot select from table" on the underlying table. Alice, as the new owner, then hands the
 * view back to admin so that admin can drop it.
 */
@Test
public void testViewAuthorizationSecurityDefiner() {
    // User "hive" with the "admin" connector role selected.
    Session adminSession = Session.builder(getSession())
            .setCatalog(getSession().getCatalog())
            .setIdentity(Identity.forUser("hive")
                    .withConnectorRole("hive", new SelectedRole(ROLE, Optional.of("admin")))
                    .build())
            .build();
    // Plain user with no connector role configured on the identity.
    Session aliceSession = testSessionBuilder()
            .setCatalog(getSession().getCatalog())
            .setIdentity(Identity.forUser("alice").build())
            .build();

    // A random suffix keeps the schema name unique per run.
    String schemaName = "test_view_authorization" + TestTable.randomTableSuffix();
    String tableName = schemaName + ".test_table";
    String viewName = schemaName + ".test_view";

    assertUpdate(adminSession, "CREATE SCHEMA " + schemaName);
    assertUpdate(adminSession, "CREATE TABLE " + tableName + " (col int)");
    assertUpdate(adminSession, "INSERT INTO " + tableName + " VALUES (1)", 1);
    assertUpdate(adminSession, "CREATE VIEW " + viewName + " SECURITY DEFINER AS SELECT * from " + tableName);
    assertUpdate(adminSession, "GRANT SELECT ON " + viewName + " TO alice");

    // Alice holds SELECT on the view only, and the read through the view succeeds.
    assertQuery(aliceSession, "SELECT * FROM " + viewName, "VALUES (1)");

    // With alice as the view's owner, the read is denied on the underlying table.
    assertUpdate(adminSession, "ALTER VIEW " + viewName + " SET AUTHORIZATION alice");
    assertQueryFails(aliceSession, "SELECT * FROM " + viewName, "Access Denied: Cannot select from table " + tableName);

    // NOTE(review): this step depends on the owner being allowed to reassign a DEFINER view to
    // another principal; confirm the deployed access-control policy restricts who may be named.
    assertUpdate(aliceSession, "ALTER VIEW " + viewName + " SET AUTHORIZATION admin");

    assertUpdate(adminSession, "DROP VIEW " + viewName);
    assertUpdate(adminSession, "DROP TABLE " + tableName);
    assertUpdate(adminSession, "DROP SCHEMA " + schemaName);
}
use of io.trino.spi.security.SelectedRole in project trino by trinodb.
the class BaseHiveConnectorTest method testCreateSchemaWithAuthorizationForRole.
/**
 * Exercises {@code CREATE SCHEMA ... AUTHORIZATION ROLE}: the schema is created for role
 * {@code authorized_users}, a user granted that role can create and drop a table in it, and
 * another user can neither drop nor select from that table.
 */
@Test
public void testCreateSchemaWithAuthorizationForRole() {
    // User "hive" with the "admin" connector role selected.
    Session adminSession = Session.builder(getSession())
            .setIdentity(Identity.forUser("hive")
                    .withConnectorRole("hive", new SelectedRole(ROLE, Optional.of("admin")))
                    .build())
            .build();
    // "user", carrying the principal of the default test session.
    Session userSession = testSessionBuilder()
            .setCatalog(getSession().getCatalog())
            .setSchema("test_createschema_authorization_role")
            .setIdentity(Identity.forUser("user")
                    .withPrincipal(getSession().getIdentity().getPrincipal())
                    .build())
            .build();
    // "user" again, but with an explicitly empty connector-role map and no principal.
    Session userNoRoleSession = testSessionBuilder()
            .setCatalog(getSession().getCatalog())
            .setSchema("test_createschema_authorization_role")
            .setIdentity(Identity.forUser("user")
                    .withConnectorRoles(Collections.emptyMap())
                    .build())
            .build();
    // A second user who is never granted the role.
    Session otherUserSession = testSessionBuilder()
            .setCatalog(getSession().getCatalog())
            .setSchema("test_createschema_authorization_role")
            .setIdentity(Identity.forUser("anotheruser")
                    .withPrincipal(getSession().getIdentity().getPrincipal())
                    .build())
            .build();

    assertUpdate(adminSession, "CREATE ROLE authorized_users IN hive");
    assertUpdate(adminSession, "GRANT authorized_users TO user IN hive");

    // Naming a role that does not exist is rejected.
    assertQueryFails(
            adminSession,
            "CREATE SCHEMA test_createschema_authorization_role AUTHORIZATION ROLE nonexisting_role",
            ".*?Role 'nonexisting_role' does not exist in catalog 'hive'");
    assertUpdate(adminSession, "CREATE SCHEMA test_createschema_authorization_role AUTHORIZATION ROLE authorized_users");

    // A member of the owning role can create a table in the schema.
    assertUpdate(userSession, "CREATE TABLE test_createschema_authorization_role.test (x bigint)");

    // "user" without the role enabled is expected to be denied table creation.
    // NOTE(review): the statement targets schema test_schema_authorization_role, not the
    // test_createschema_authorization_role schema created above, so this denial may not
    // exercise the role-owned schema at all; confirm which schema was intended.
    assertQueryFails(
            userNoRoleSession,
            "CREATE TABLE test_schema_authorization_role.test1 (x bigint)",
            "Access Denied: Cannot create table test_schema_authorization_role.test1");

    // A user outside the role cannot drop the table ...
    assertQueryFails(
            otherUserSession,
            "DROP TABLE test_createschema_authorization_role.test",
            "Access Denied: Cannot drop table test_createschema_authorization_role.test");
    // ... and cannot read from it either.
    assertQueryFails(
            otherUserSession,
            "SELECT 1 FROM test_createschema_authorization_role.test",
            "Access Denied: Cannot select from table test_createschema_authorization_role.test");

    // Cleanup: the role member drops the table and schema, then admin drops the role.
    assertUpdate(userSession, "DROP TABLE test_createschema_authorization_role.test");
    assertUpdate(userSession, "DROP SCHEMA test_createschema_authorization_role");
    assertUpdate(adminSession, "DROP ROLE authorized_users IN hive");
}
use of io.trino.spi.security.SelectedRole in project trino by trinodb.
the class BaseHiveConnectorTest method testTableAuthorizationForRole.
/**
 * Exercises {@code ALTER TABLE ... SET AUTHORIZATION} with a role as the target owner.
 *
 * <p>Before alice owns the table her attempt is an access-denied failure. Once admin has made
 * alice the owner, the same statement fails with "Setting table owner type as a role is not
 * supported" instead.
 */
@Test
public void testTableAuthorizationForRole() {
    // User "hive" with the "admin" connector role selected.
    Session adminSession = Session.builder(getSession())
            .setCatalog(getSession().getCatalog())
            .setIdentity(Identity.forUser("hive")
                    .withConnectorRole("hive", new SelectedRole(ROLE, Optional.of("admin")))
                    .build())
            .build();
    // Plain user with no connector role configured on the identity.
    Session aliceSession = testSessionBuilder()
            .setCatalog(getSession().getCatalog())
            .setIdentity(Identity.forUser("alice").build())
            .build();

    assertUpdate(adminSession, "CREATE SCHEMA test_table_authorization");
    assertUpdate(adminSession, "CREATE TABLE test_table_authorization.foo (col int)");

    // TODO Change assertions once https://github.com/trinodb/trino/issues/5706 is done
    // Alice does not own the table yet, so changing its authorization is denied.
    assertAccessDenied(
            aliceSession,
            "ALTER TABLE test_table_authorization.foo SET AUTHORIZATION ROLE admin",
            "Cannot set authorization for table test_table_authorization.foo to ROLE admin");

    // As owner, alice gets past the access check; the statement then fails as unsupported.
    assertUpdate(adminSession, "ALTER TABLE test_table_authorization.foo SET AUTHORIZATION alice");
    assertQueryFails(
            aliceSession,
            "ALTER TABLE test_table_authorization.foo SET AUTHORIZATION ROLE admin",
            "Setting table owner type as a role is not supported");

    assertUpdate(adminSession, "DROP TABLE test_table_authorization.foo");
    assertUpdate(adminSession, "DROP SCHEMA test_table_authorization");
}
Aggregations