Class AccessControlManager, method createSystemAccessControl:
/**
 * Builds one system access control from a properties file.
 *
 * <p>The file must contain the {@code NAME_PROPERTY} key, which selects a registered
 * {@link SystemAccessControlFactory}; that key is removed and every remaining property is
 * passed to the factory unchanged. The factory is invoked with its own class loader
 * installed as the thread context class loader.
 *
 * @param configFile properties file to read; it is resolved to an absolute path for error messages
 * @return the access control produced by the named factory
 * @throws UncheckedIOException if the file cannot be read
 * @throws IllegalStateException if the name property is missing/empty or names an unregistered factory
 */
private SystemAccessControl createSystemAccessControl(File configFile)
{
    log.info("-- Loading system access control %s --", configFile);
    File absoluteConfigFile = configFile.getAbsoluteFile();

    Map<String, String> properties;
    try {
        // mutable copy: the name key is stripped before the rest is handed to the factory
        properties = new HashMap<>(loadPropertiesFrom(absoluteConfigFile.getPath()));
    }
    catch (IOException e) {
        throw new UncheckedIOException("Failed to read configuration file: " + absoluteConfigFile, e);
    }

    String factoryName = properties.remove(NAME_PROPERTY);
    checkState(!isNullOrEmpty(factoryName), "Access control configuration does not contain '%s' property: %s", NAME_PROPERTY, absoluteConfigFile);
    SystemAccessControlFactory factory = systemAccessControlFactories.get(factoryName);
    checkState(factory != null, "Access control '%s' is not registered: %s", factoryName, absoluteConfigFile);

    SystemAccessControl created;
    try (ThreadContextClassLoader ignored = new ThreadContextClassLoader(factory.getClass().getClassLoader())) {
        created = factory.create(ImmutableMap.copyOf(properties));
    }
    log.info("-- Loaded system access control %s --", factoryName);
    return created;
}
Class AccessControlManager, method filterSchemas:
/**
 * Filters {@code schemaNames} down to the schemas the caller is allowed to see in {@code catalogName}.
 *
 * <p>Evaluation order: the catalog itself is checked first through {@code filterCatalogs}; if the
 * caller may not see the catalog, an empty set is returned and no schema-level rule is consulted.
 * Otherwise every configured system access control filters the set in sequence, each receiving the
 * previous one's output, and finally the catalog's connector access control (if one is registered
 * for the transaction) filters what remains.
 *
 * @param securityContext the caller's identity and transaction
 * @param catalogName catalog the schemas belong to
 * @param schemaNames candidate schema names
 * @return the subset of {@code schemaNames} that survived every layer
 */
@Override
public Set<String> filterSchemas(SecurityContext securityContext, String catalogName, Set<String> schemaNames)
{
    requireNonNull(securityContext, "securityContext is null");
    requireNonNull(catalogName, "catalogName is null");
    requireNonNull(schemaNames, "schemaNames is null");

    boolean catalogVisible = !filterCatalogs(securityContext, ImmutableSet.of(catalogName)).isEmpty();
    if (!catalogVisible) {
        return ImmutableSet.of();
    }

    Set<String> remaining = schemaNames;
    for (SystemAccessControl accessControl : getSystemAccessControls()) {
        remaining = accessControl.filterSchemas(securityContext.toSystemSecurityContext(), catalogName, remaining);
    }

    CatalogAccessControlEntry catalogEntry = getConnectorAccessControl(securityContext.getTransactionId(), catalogName);
    if (catalogEntry == null) {
        return remaining;
    }
    return catalogEntry.getAccessControl().filterSchemas(catalogEntry.toConnectorSecurityContext(securityContext), remaining);
}
Class AccessControlManager, method setSystemAccessControl:
/**
 * Replaces the configured system access controls with a single one built from {@code name}
 * and {@code properties}. Intended for tests; bypasses the config-file path.
 *
 * @param name registered factory name
 * @param properties configuration forwarded to the factory
 * @throws IllegalStateException if no factory is registered under {@code name}
 */
@VisibleForTesting
protected void setSystemAccessControl(String name, Map<String, String> properties)
{
    requireNonNull(name, "name is null");
    requireNonNull(properties, "properties is null");

    SystemAccessControlFactory factory = systemAccessControlFactories.get(name);
    checkState(factory != null, "Access control '%s' is not registered", name);

    // the factory runs with its own class loader as the thread context class loader
    SystemAccessControl created;
    try (ThreadContextClassLoader ignored = new ThreadContextClassLoader(factory.getClass().getClassLoader())) {
        created = factory.create(ImmutableMap.copyOf(properties));
    }
    setSystemAccessControls(ImmutableList.of(created));
}
Class TestFileBasedSystemAccessControl, method testSchemaRulesForCheckCanCreateSchema:
/**
 * Exercises the schema rules in {@code file-based-system-access-schema.json} for CREATE SCHEMA:
 * ADMIN may create every listed schema, BOB every schema except {@code test}, and CHARLIE only
 * {@code authenticated}. Denials must surface as the CREATE SCHEMA access-denied message.
 */
@Test
public void testSchemaRulesForCheckCanCreateSchema()
{
    SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-access-schema.json");

    for (String schema : new String[] {"bob", "staff", "authenticated", "test"}) {
        accessControl.checkCanCreateSchema(ADMIN, new CatalogSchemaName("some-catalog", schema));
    }

    for (String schema : new String[] {"bob", "staff", "authenticated"}) {
        accessControl.checkCanCreateSchema(BOB, new CatalogSchemaName("some-catalog", schema));
    }
    assertAccessDenied(() -> accessControl.checkCanCreateSchema(BOB, new CatalogSchemaName("some-catalog", "test")), CREATE_SCHEMA_ACCESS_DENIED_MESSAGE);

    accessControl.checkCanCreateSchema(CHARLIE, new CatalogSchemaName("some-catalog", "authenticated"));
    for (String schema : new String[] {"bob", "staff", "test"}) {
        assertAccessDenied(() -> accessControl.checkCanCreateSchema(CHARLIE, new CatalogSchemaName("some-catalog", schema)), CREATE_SCHEMA_ACCESS_DENIED_MESSAGE);
    }
}
Class TestFileBasedSystemAccessControl, method testTableRulesForCheckCanAddColumn:
/**
 * Exercises the table rules in {@code file-based-system-access-table.json} for ADD COLUMN:
 * ADMIN may add a column to {@code bobschema.bobtable}, BOB may not, and the denial must carry
 * the ADD COLUMNS access-denied message.
 */
@Test
public void testTableRulesForCheckCanAddColumn()
{
    SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
    CatalogSchemaTableName bobTable = new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable");

    accessControl.checkCanAddColumn(ADMIN, bobTable);
    assertAccessDenied(() -> accessControl.checkCanAddColumn(BOB, bobTable), ADD_COLUMNS_ACCESS_DENIED_MESSAGE);
}