
Example 46 with SystemAccessControl

use of io.trino.spi.security.SystemAccessControl in project trino by trinodb.

the class TestFileBasedSystemAccessControl method testQueryDocsExample.

@Test
public void testQueryDocsExample() {
    // Exercise the exact rule file shipped with the documentation so the published example stays valid.
    String docsRulesPath = new File("../../docs/src/main/sphinx/security/query-access.json").getAbsolutePath();
    SystemAccessControl accessControlManager = newFileBasedSystemAccessControl(ImmutableMap.of("security.config-file", docsRulesPath));

    // admin: may execute, view and kill any query; nothing is filtered out.
    SystemSecurityContext adminContext = new SystemSecurityContext(admin, queryId);
    accessControlManager.checkCanExecuteQuery(adminContext);
    accessControlManager.checkCanViewQueryOwnedBy(adminContext, any);
    assertEquals(accessControlManager.filterViewQueryOwnedBy(adminContext, ImmutableSet.of("a", "b")), ImmutableSet.of("a", "b"));
    accessControlManager.checkCanKillQueryOwnedBy(adminContext, any);

    // alice: may execute and kill, but may not view queries owned by others.
    SystemSecurityContext aliceContext = new SystemSecurityContext(alice, queryId);
    accessControlManager.checkCanExecuteQuery(aliceContext);
    assertThatThrownBy(() -> accessControlManager.checkCanViewQueryOwnedBy(aliceContext, any)).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot view query");
    assertEquals(accessControlManager.filterViewQueryOwnedBy(aliceContext, ImmutableSet.of("a", "b")), ImmutableSet.of());
    accessControlManager.checkCanKillQueryOwnedBy(aliceContext, any);

    // bob: may execute only; view and kill of other owners' queries are denied.
    // NOTE(review): the kill denial is asserted with the "Cannot view query" message — confirm this is the intended wording.
    SystemSecurityContext bobContext = new SystemSecurityContext(bob, queryId);
    accessControlManager.checkCanExecuteQuery(bobContext);
    assertThatThrownBy(() -> accessControlManager.checkCanViewQueryOwnedBy(bobContext, any)).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot view query");
    assertEquals(accessControlManager.filterViewQueryOwnedBy(bobContext, ImmutableSet.of("a", "b")), ImmutableSet.of());
    assertThatThrownBy(() -> accessControlManager.checkCanKillQueryOwnedBy(bobContext, any)).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot view query");

    // dave: may view queries owned by alice and by himself, nothing else; kill is denied for both.
    SystemSecurityContext daveContext = new SystemSecurityContext(dave, queryId);
    accessControlManager.checkCanExecuteQuery(daveContext);
    accessControlManager.checkCanViewQueryOwnedBy(daveContext, alice);
    accessControlManager.checkCanViewQueryOwnedBy(daveContext, dave);
    assertEquals(accessControlManager.filterViewQueryOwnedBy(daveContext, ImmutableSet.of("alice", "bob", "dave", "admin")), ImmutableSet.of("alice", "dave"));
    assertThatThrownBy(() -> accessControlManager.checkCanKillQueryOwnedBy(daveContext, alice)).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot view query");
    assertThatThrownBy(() -> accessControlManager.checkCanKillQueryOwnedBy(daveContext, bob)).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot view query");
    assertThatThrownBy(() -> accessControlManager.checkCanViewQueryOwnedBy(daveContext, bob)).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot view query");
    assertThatThrownBy(() -> accessControlManager.checkCanViewQueryOwnedBy(daveContext, admin)).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot view query");

    // A previously unseen member of the "contractors" group: group-based rule lets it view dave's queries but not kill them.
    Identity contractor = Identity.forUser("some-other-contractor").withGroups(ImmutableSet.of("contractors")).build();
    SystemSecurityContext contractorContext = new SystemSecurityContext(contractor, queryId);
    accessControlManager.checkCanExecuteQuery(contractorContext);
    accessControlManager.checkCanViewQueryOwnedBy(contractorContext, dave);
    assertThatThrownBy(() -> accessControlManager.checkCanKillQueryOwnedBy(contractorContext, dave)).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot view query");
}

Example 47 with SystemAccessControl

use of io.trino.spi.security.SystemAccessControl in project trino by trinodb.

the class TestFileBasedSystemAccessControl method testTableRulesForCheckCanSelectFromColumns.

@Test
public void testTableRulesForCheckCanSelectFromColumns() {
    SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
    CatalogSchemaTableName bobColumnsTable = new CatalogSchemaTableName("some-catalog", "bobschema", "bobcolumns");
    CatalogSchemaTableName secretTable = new CatalogSchemaTableName("secret", "secret", "secret");

    // ALICE: unrestricted on the test table and on every column of bob's table.
    accessControl.checkCanSelectFromColumns(ALICE, new CatalogSchemaTableName("some-catalog", "test", "test"), ImmutableSet.of());
    accessControl.checkCanSelectFromColumns(ALICE, bobColumnsTable, ImmutableSet.of());
    accessControl.checkCanSelectFromColumns(ALICE, bobColumnsTable, ImmutableSet.of("bobcolumn", "private", "restricted"));

    // CHARLIE: table-level and "bobcolumn" access pass; adding "private" to the column set is denied.
    accessControl.checkCanSelectFromColumns(CHARLIE, bobColumnsTable, ImmutableSet.of());
    accessControl.checkCanSelectFromColumns(CHARLIE, bobColumnsTable, ImmutableSet.of("bobcolumn"));
    assertAccessDenied(() -> accessControl.checkCanSelectFromColumns(CHARLIE, bobColumnsTable, ImmutableSet.of("bobcolumn", "private")), SELECT_TABLE_ACCESS_DENIED_MESSAGE);

    // JOE: table-level access only.
    accessControl.checkCanSelectFromColumns(JOE, bobColumnsTable, ImmutableSet.of());

    // The "secret" catalog is denied even with an empty column set, for admin and non-admin alike.
    assertAccessDenied(() -> accessControl.checkCanSelectFromColumns(ADMIN, secretTable, ImmutableSet.of()), SELECT_TABLE_ACCESS_DENIED_MESSAGE);
    assertAccessDenied(() -> accessControl.checkCanSelectFromColumns(JOE, secretTable, ImmutableSet.of()), SELECT_TABLE_ACCESS_DENIED_MESSAGE);
}

Example 48 with SystemAccessControl

use of io.trino.spi.security.SystemAccessControl in project trino by trinodb.

the class TestFileBasedSystemAccessControl method testRefreshing.

@Test
public void testRefreshing() throws Exception {
    File configFile = newTemporaryFile();
    configFile.deleteOnExit();
    File validRules = new File(getResourcePath("file-based-system-catalog.json"));
    copy(validRules, configFile);

    SystemAccessControl accessControl = newFileBasedSystemAccessControl(ImmutableMap.of(SECURITY_CONFIG_FILE, configFile.getAbsolutePath(), SECURITY_REFRESH_PERIOD, "1ms"));
    // Local is named distinctly from the class-level `alice` identity it wraps.
    SystemSecurityContext aliceContext = new SystemSecurityContext(TestFileBasedSystemAccessControl.alice, queryId);

    // Repeated checks against the initial rule file all succeed.
    for (int attempt = 0; attempt < 3; attempt++) {
        accessControl.checkCanCreateView(aliceContext, aliceView);
    }

    // Overwrite with an invalid rule file; after the refresh period the parse failure must surface on every call.
    // NOTE(review): sleep(2) against a 1ms refresh period relies on wall-clock timing — confirm this is stable under load.
    copy(new File(getResourcePath("file-based-system-security-config-file-with-unknown-rules.json")), configFile);
    sleep(2);
    assertThatThrownBy(() -> accessControl.checkCanCreateView(aliceContext, aliceView)).isInstanceOf(IllegalArgumentException.class).hasMessageStartingWith("Invalid JSON file");
    // A second call must fail too, proving the previously good rule set was not retained anywhere.
    assertThatThrownBy(() -> accessControl.checkCanCreateView(aliceContext, aliceView)).isInstanceOf(IllegalArgumentException.class).hasMessageStartingWith("Invalid JSON file");

    // Restoring the valid file recovers without recreating the access control.
    copy(validRules, configFile);
    sleep(2);
    accessControl.checkCanCreateView(aliceContext, aliceView);
}

Example 49 with SystemAccessControl

use of io.trino.spi.security.SystemAccessControl in project trino by trinodb.

the class TestFileBasedSystemAccessControl method testTableRulesForCheckCanRenameColumn.

@Test
public void testTableRulesForCheckCanRenameColumn() {
    SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
    CatalogSchemaTableName bobTable = new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable");
    // ADMIN may rename columns on bob's table; BOB himself is denied by the rule file.
    accessControl.checkCanRenameColumn(ADMIN, bobTable);
    assertAccessDenied(() -> accessControl.checkCanRenameColumn(BOB, bobTable), RENAME_COLUMNS_ACCESS_DENIED_MESSAGE);
}

Example 50 with SystemAccessControl

use of io.trino.spi.security.SystemAccessControl in project trino by trinodb.

the class TestFileBasedSystemAccessControl method testTableRulesForCheckCanSetTableProperties.

@Test
public void testTableRulesForCheckCanSetTableProperties() {
    SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
    CatalogSchemaTableName bobTable = new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable");
    CatalogSchemaTableName aliceTable = new CatalogSchemaTableName("some-catalog", "aliceschema", "alicetable");
    // ADMIN on bob's table and ALICE on her own table are permitted; BOB on his own table is denied.
    accessControl.checkCanSetTableProperties(ADMIN, bobTable, ImmutableMap.of());
    accessControl.checkCanSetTableProperties(ALICE, aliceTable, ImmutableMap.of());
    assertAccessDenied(() -> accessControl.checkCanSetTableProperties(BOB, bobTable, ImmutableMap.of()), SET_TABLE_PROPERTIES_ACCESS_DENIED_MESSAGE);
}
