Example 56 with SystemAccessControl
use of io.trino.spi.security.SystemAccessControl in project trino by trinodb.
the class TestFileBasedSystemAccessControl method testTableFilter.
@Test
public void testTableFilter() {
SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-access-table-filter.json");
Set<SchemaTableName> tables = ImmutableSet.<SchemaTableName>builder().add(new SchemaTableName("restricted", "any")).add(new SchemaTableName("secret", "any")).add(new SchemaTableName("aliceschema", "any")).add(new SchemaTableName("aliceschema", "bobtable")).add(new SchemaTableName("bobschema", "bob_any")).add(new SchemaTableName("bobschema", "any")).add(new SchemaTableName("any", "any")).build();
assertEquals(accessControl.filterTables(ALICE, "any", tables), ImmutableSet.<SchemaTableName>builder().add(new SchemaTableName("aliceschema", "any")).add(new SchemaTableName("aliceschema", "bobtable")).build());
assertEquals(accessControl.filterTables(BOB, "any", tables), ImmutableSet.<SchemaTableName>builder().add(new SchemaTableName("aliceschema", "bobtable")).add(new SchemaTableName("bobschema", "bob_any")).build());
assertEquals(accessControl.filterTables(ADMIN, "any", tables), ImmutableSet.<SchemaTableName>builder().add(new SchemaTableName("secret", "any")).add(new SchemaTableName("aliceschema", "any")).add(new SchemaTableName("aliceschema", "bobtable")).add(new SchemaTableName("bobschema", "bob_any")).add(new SchemaTableName("bobschema", "any")).add(new SchemaTableName("any", "any")).build());
}
Also used :
SystemAccessControl(io.trino.spi.security.SystemAccessControl)
SchemaTableName(io.trino.spi.connector.SchemaTableName)
CatalogSchemaTableName(io.trino.spi.connector.CatalogSchemaTableName)
Test(org.testng.annotations.Test)
Example 57 with SystemAccessControl
use of io.trino.spi.security.SystemAccessControl in project trino by trinodb.
the class TestFileBasedSystemAccessControl method testEmptyFile.
@Test
public void testEmptyFile() {
SystemAccessControl accessControl = newFileBasedSystemAccessControl("empty.json");
accessControl.checkCanCreateSchema(UNKNOWN, new CatalogSchemaName("some-catalog", "unknown"));
accessControl.checkCanDropSchema(UNKNOWN, new CatalogSchemaName("some-catalog", "unknown"));
accessControl.checkCanRenameSchema(UNKNOWN, new CatalogSchemaName("some-catalog", "unknown"), "new_unknown");
accessControl.checkCanSetSchemaAuthorization(UNKNOWN, new CatalogSchemaName("some-catalog", "unknown"), new TrinoPrincipal(PrincipalType.ROLE, "some_role"));
accessControl.checkCanShowCreateSchema(UNKNOWN, new CatalogSchemaName("some-catalog", "unknown"));
accessControl.checkCanSelectFromColumns(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"), ImmutableSet.of());
accessControl.checkCanShowColumns(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"));
accessControl.checkCanInsertIntoTable(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"));
accessControl.checkCanDeleteFromTable(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"));
accessControl.checkCanTruncateTable(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"));
accessControl.checkCanCreateTable(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"), Map.of());
accessControl.checkCanDropTable(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"));
accessControl.checkCanTruncateTable(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"));
accessControl.checkCanRenameTable(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"), new CatalogSchemaTableName("some-catalog", "unknown", "new_unknown"));
accessControl.checkCanCreateMaterializedView(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"), Map.of());
accessControl.checkCanDropMaterializedView(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"));
accessControl.checkCanRefreshMaterializedView(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"));
accessControl.checkCanSetUser(Optional.empty(), "unknown");
accessControl.checkCanSetUser(Optional.of(new KerberosPrincipal("stuff@example.com")), "unknown");
accessControl.checkCanSetSystemSessionProperty(UNKNOWN, "anything");
accessControl.checkCanSetCatalogSessionProperty(UNKNOWN, "unknown", "anything");
accessControl.checkCanExecuteQuery(UNKNOWN);
accessControl.checkCanViewQueryOwnedBy(UNKNOWN, anyone);
accessControl.checkCanKillQueryOwnedBy(UNKNOWN, anyone);
// system information access is denied by default
assertThatThrownBy(() -> accessControl.checkCanReadSystemInformation(UNKNOWN)).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot read system information");
assertThatThrownBy(() -> accessControl.checkCanWriteSystemInformation(UNKNOWN)).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot write system information");
}
Also used :
KerberosPrincipal(javax.security.auth.kerberos.KerberosPrincipal)
AccessDeniedException(io.trino.spi.security.AccessDeniedException)
SystemAccessControl(io.trino.spi.security.SystemAccessControl)
CatalogSchemaName(io.trino.spi.connector.CatalogSchemaName)
TrinoPrincipal(io.trino.spi.security.TrinoPrincipal)
CatalogSchemaTableName(io.trino.spi.connector.CatalogSchemaTableName)
Test(org.testng.annotations.Test)
Example 58 with SystemAccessControl
use of io.trino.spi.security.SystemAccessControl in project trino by trinodb.
the class TestFileBasedSystemAccessControl method testSessionPropertyDocsExample.
@Test
public void testSessionPropertyDocsExample() {
String rulesFile = new File("../../docs/src/main/sphinx/security/session-property-access.json").getAbsolutePath();
SystemAccessControl accessControl = newFileBasedSystemAccessControl(ImmutableMap.of("security.config-file", rulesFile));
SystemSecurityContext bannedUser = new SystemSecurityContext(Identity.ofUser("banned_user"), queryId);
accessControl.checkCanSetSystemSessionProperty(ADMIN, "any");
assertAccessDenied(() -> accessControl.checkCanSetSystemSessionProperty(ALICE, "any"), SET_SYSTEM_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
assertAccessDenied(() -> accessControl.checkCanSetSystemSessionProperty(bannedUser, "any"), SET_SYSTEM_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
accessControl.checkCanSetSystemSessionProperty(ADMIN, "resource_overcommit");
accessControl.checkCanSetSystemSessionProperty(ALICE, "resource_overcommit");
assertAccessDenied(() -> accessControl.checkCanSetSystemSessionProperty(bannedUser, "resource_overcommit"), SET_SYSTEM_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
accessControl.checkCanSetCatalogSessionProperty(ADMIN, "hive", "any");
assertAccessDenied(() -> accessControl.checkCanSetCatalogSessionProperty(ALICE, "hive", "any"), SET_CATALOG_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
assertAccessDenied(() -> accessControl.checkCanSetCatalogSessionProperty(bannedUser, "hive", "any"), SET_CATALOG_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
accessControl.checkCanSetCatalogSessionProperty(ADMIN, "hive", "bucket_execution_enabled");
accessControl.checkCanSetCatalogSessionProperty(ALICE, "hive", "bucket_execution_enabled");
assertAccessDenied(() -> accessControl.checkCanSetCatalogSessionProperty(bannedUser, "hive", "bucket_execution_enabled"), SET_CATALOG_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
}
Also used :
SystemSecurityContext(io.trino.spi.security.SystemSecurityContext)
SystemAccessControl(io.trino.spi.security.SystemAccessControl)
Files.newTemporaryFile(org.assertj.core.util.Files.newTemporaryFile)
File(java.io.File)
Test(org.testng.annotations.Test)
Example 59 with SystemAccessControl
use of io.trino.spi.security.SystemAccessControl in project trino by trinodb.
the class TestFileBasedSystemAccessControl method testTableRulesForCheckCanDropColumn.
@Test
public void testTableRulesForCheckCanDropColumn() {
SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
accessControl.checkCanDropColumn(ADMIN, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"));
assertAccessDenied(() -> accessControl.checkCanDropColumn(BOB, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable")), DROP_COLUMNS_ACCESS_DENIED_MESSAGE);
}
Also used :
SystemAccessControl(io.trino.spi.security.SystemAccessControl)
CatalogSchemaTableName(io.trino.spi.connector.CatalogSchemaTableName)
Test(org.testng.annotations.Test)
Example 60 with SystemAccessControl
use of io.trino.spi.security.SystemAccessControl in project trino by trinodb.
the class TestFileBasedSystemAccessControl method testSystemInformationDocsExample.
@Test
public void testSystemInformationDocsExample() {
String rulesFile = new File("../../docs/src/main/sphinx/security/system-information-access.json").getAbsolutePath();
SystemAccessControl accessControlManager = newFileBasedSystemAccessControl(ImmutableMap.of("security.config-file", rulesFile));
accessControlManager.checkCanReadSystemInformation(new SystemSecurityContext(admin, Optional.empty()));
accessControlManager.checkCanWriteSystemInformation(new SystemSecurityContext(admin, Optional.empty()));
accessControlManager.checkCanReadSystemInformation(new SystemSecurityContext(alice, Optional.empty()));
assertThatThrownBy(() -> accessControlManager.checkCanWriteSystemInformation(new SystemSecurityContext(alice, Optional.empty()))).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot write system information");
assertThatThrownBy(() -> accessControlManager.checkCanReadSystemInformation(new SystemSecurityContext(bob, Optional.empty()))).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot read system information");
assertThatThrownBy(() -> accessControlManager.checkCanWriteSystemInformation(new SystemSecurityContext(bob, Optional.empty()))).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot write system information");
}
Also used :
SystemSecurityContext(io.trino.spi.security.SystemSecurityContext)
AccessDeniedException(io.trino.spi.security.AccessDeniedException)
SystemAccessControl(io.trino.spi.security.SystemAccessControl)
Files.newTemporaryFile(org.assertj.core.util.Files.newTemporaryFile)
File(java.io.File)
Test(org.testng.annotations.Test)
Aggregations
SystemAccessControl (io.trino.spi.security.SystemAccessControl)68
Test (org.testng.annotations.Test)59
CatalogSchemaTableName (io.trino.spi.connector.CatalogSchemaTableName)36
CatalogSchemaName (io.trino.spi.connector.CatalogSchemaName)12
TrinoPrincipal (io.trino.spi.security.TrinoPrincipal)12
SystemSecurityContext (io.trino.spi.security.SystemSecurityContext)10
AllowAllSystemAccessControl (io.trino.plugin.base.security.AllowAllSystemAccessControl)9
DefaultSystemAccessControl (io.trino.plugin.base.security.DefaultSystemAccessControl)9
FileBasedSystemAccessControl (io.trino.plugin.base.security.FileBasedSystemAccessControl)9
ReadOnlySystemAccessControl (io.trino.plugin.base.security.ReadOnlySystemAccessControl)9
ForwardingSystemAccessControl (io.trino.plugin.base.security.ForwardingSystemAccessControl)8
AccessDeniedException (io.trino.spi.security.AccessDeniedException)8
ViewExpression (io.trino.spi.security.ViewExpression)5
File (java.io.File)4
Files.newTemporaryFile (org.assertj.core.util.Files.newTemporaryFile)4
SchemaTableName (io.trino.spi.connector.SchemaTableName)3
SystemAccessControlFactory (io.trino.spi.security.SystemAccessControlFactory)3
ImmutableList (com.google.common.collect.ImmutableList)2
ImmutableList.toImmutableList (com.google.common.collect.ImmutableList.toImmutableList)2
ThreadContextClassLoader (io.trino.spi.classloader.ThreadContextClassLoader)2
