Example 21 with SystemAccessControl
use of io.trino.spi.security.SystemAccessControl in project trino by trinodb.
the class TestFileBasedSystemAccessControl method testGetColumnMask.
@Test
public void testGetColumnMask() {
SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
assertEquals(accessControl.getColumnMask(ALICE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobcolumns"), "masked", VARCHAR), Optional.empty());
assertViewExpressionEquals(accessControl.getColumnMask(CHARLIE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobcolumns"), "masked", VARCHAR), new ViewExpression(CHARLIE.getIdentity().getUser(), Optional.of("some-catalog"), Optional.of("bobschema"), "'mask'"));
assertViewExpressionEquals(accessControl.getColumnMask(CHARLIE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobcolumns"), "masked_with_user", VARCHAR), new ViewExpression("mask-user", Optional.of("some-catalog"), Optional.of("bobschema"), "'mask-with-user'"));
}
Also used :
SystemAccessControl(io.trino.spi.security.SystemAccessControl)
CatalogSchemaTableName(io.trino.spi.connector.CatalogSchemaTableName)
ViewExpression(io.trino.spi.security.ViewExpression)
Test(org.testng.annotations.Test)
Example 22 with SystemAccessControl
use of io.trino.spi.security.SystemAccessControl in project trino by trinodb.
the class TestFileBasedSystemAccessControl method testTableRulesForCheckCanShowColumnsWithNoAccess.
@Test
public void testTableRulesForCheckCanShowColumnsWithNoAccess() {
SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-no-access.json");
assertAccessDenied(() -> accessControl.checkCanShowColumns(BOB, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable")), SHOW_COLUMNS_ACCESS_DENIED_MESSAGE);
assertAccessDenied(() -> accessControl.checkCanShowTables(BOB, new CatalogSchemaName("some-catalog", "bobschema")), SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
}
Also used :
SystemAccessControl(io.trino.spi.security.SystemAccessControl)
CatalogSchemaName(io.trino.spi.connector.CatalogSchemaName)
CatalogSchemaTableName(io.trino.spi.connector.CatalogSchemaTableName)
Test(org.testng.annotations.Test)
Example 23 with SystemAccessControl
use of io.trino.spi.security.SystemAccessControl in project trino by trinodb.
the class TestFileBasedSystemAccessControl method testQueryNotSet.
@Test
public void testQueryNotSet() {
SystemAccessControl accessControlManager = newFileBasedSystemAccessControl("file-based-system-catalog.json");
accessControlManager.checkCanExecuteQuery(new SystemSecurityContext(bob, queryId));
accessControlManager.checkCanViewQueryOwnedBy(new SystemSecurityContext(bob, queryId), any);
assertEquals(accessControlManager.filterViewQueryOwnedBy(new SystemSecurityContext(bob, queryId), ImmutableSet.of("a", "b")), ImmutableSet.of("a", "b"));
accessControlManager.checkCanKillQueryOwnedBy(new SystemSecurityContext(bob, queryId), any);
}
Also used :
SystemSecurityContext(io.trino.spi.security.SystemSecurityContext)
SystemAccessControl(io.trino.spi.security.SystemAccessControl)
Test(org.testng.annotations.Test)
Example 24 with SystemAccessControl
use of io.trino.spi.security.SystemAccessControl in project trino by trinodb.
the class TestFileBasedSystemAccessControl method testTableRulesForCheckCanCreateMaterializedView.
@Test
public void testTableRulesForCheckCanCreateMaterializedView() {
SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
accessControl.checkCanCreateMaterializedView(ADMIN, new CatalogSchemaTableName("some-catalog", "bobschema", "bob-materialized-view"), Map.of());
assertAccessDenied(() -> accessControl.checkCanCreateMaterializedView(BOB, new CatalogSchemaTableName("some-catalog", "bobschema", "bob-materialized-view"), Map.of()), CREATE_MATERIALIZED_VIEW_ACCESS_DENIED_MESSAGE);
}
Also used :
SystemAccessControl(io.trino.spi.security.SystemAccessControl)
CatalogSchemaTableName(io.trino.spi.connector.CatalogSchemaTableName)
Test(org.testng.annotations.Test)
Example 25 with SystemAccessControl
use of io.trino.spi.security.SystemAccessControl in project trino by trinodb.
the class TestFileBasedSystemAccessControl method testQuery.
@Test
public void testQuery() {
SystemAccessControl accessControlManager = newFileBasedSystemAccessControl("query.json");
accessControlManager.checkCanExecuteQuery(new SystemSecurityContext(admin, queryId));
accessControlManager.checkCanViewQueryOwnedBy(new SystemSecurityContext(admin, queryId), any);
assertEquals(accessControlManager.filterViewQueryOwnedBy(new SystemSecurityContext(admin, queryId), ImmutableSet.of("a", "b")), ImmutableSet.of("a", "b"));
accessControlManager.checkCanKillQueryOwnedBy(new SystemSecurityContext(admin, queryId), any);
accessControlManager.checkCanExecuteQuery(new SystemSecurityContext(alice, queryId));
accessControlManager.checkCanViewQueryOwnedBy(new SystemSecurityContext(alice, queryId), any);
assertEquals(accessControlManager.filterViewQueryOwnedBy(new SystemSecurityContext(alice, queryId), ImmutableSet.of("a", "b")), ImmutableSet.of("a", "b"));
assertThatThrownBy(() -> accessControlManager.checkCanKillQueryOwnedBy(new SystemSecurityContext(alice, queryId), any)).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot view query");
assertThatThrownBy(() -> accessControlManager.checkCanExecuteQuery(new SystemSecurityContext(bob, queryId))).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot view query");
assertThatThrownBy(() -> accessControlManager.checkCanViewQueryOwnedBy(new SystemSecurityContext(bob, queryId), any)).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot view query");
assertEquals(accessControlManager.filterViewQueryOwnedBy(new SystemSecurityContext(bob, queryId), ImmutableSet.of("a", "b")), ImmutableSet.of());
accessControlManager.checkCanKillQueryOwnedBy(new SystemSecurityContext(bob, queryId), any);
accessControlManager.checkCanExecuteQuery(new SystemSecurityContext(dave, queryId));
accessControlManager.checkCanViewQueryOwnedBy(new SystemSecurityContext(dave, queryId), alice);
accessControlManager.checkCanViewQueryOwnedBy(new SystemSecurityContext(dave, queryId), dave);
assertEquals(accessControlManager.filterViewQueryOwnedBy(new SystemSecurityContext(dave, queryId), ImmutableSet.of("alice", "bob", "dave", "admin")), ImmutableSet.of("alice", "dave"));
assertThatThrownBy(() -> accessControlManager.checkCanKillQueryOwnedBy(new SystemSecurityContext(dave, queryId), alice)).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot view query");
assertThatThrownBy(() -> accessControlManager.checkCanKillQueryOwnedBy(new SystemSecurityContext(dave, queryId), bob)).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot view query");
assertThatThrownBy(() -> accessControlManager.checkCanViewQueryOwnedBy(new SystemSecurityContext(dave, queryId), bob)).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot view query");
assertThatThrownBy(() -> accessControlManager.checkCanViewQueryOwnedBy(new SystemSecurityContext(dave, queryId), admin)).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot view query");
Identity contractor = Identity.forUser("some-other-contractor").withGroups(ImmutableSet.of("contractors")).build();
accessControlManager.checkCanExecuteQuery(new SystemSecurityContext(contractor, queryId));
accessControlManager.checkCanViewQueryOwnedBy(new SystemSecurityContext(contractor, queryId), dave);
assertThatThrownBy(() -> accessControlManager.checkCanKillQueryOwnedBy(new SystemSecurityContext(contractor, queryId), dave)).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot view query");
accessControlManager.checkCanExecuteQuery(new SystemSecurityContext(nonAsciiUser, queryId));
accessControlManager.checkCanViewQueryOwnedBy(new SystemSecurityContext(nonAsciiUser, queryId), any);
assertEquals(accessControlManager.filterViewQueryOwnedBy(new SystemSecurityContext(nonAsciiUser, queryId), ImmutableSet.of("a", "b")), ImmutableSet.of("a", "b"));
accessControlManager.checkCanKillQueryOwnedBy(new SystemSecurityContext(nonAsciiUser, queryId), any);
}
Also used :
SystemSecurityContext(io.trino.spi.security.SystemSecurityContext)
AccessDeniedException(io.trino.spi.security.AccessDeniedException)
SystemAccessControl(io.trino.spi.security.SystemAccessControl)
Identity(io.trino.spi.security.Identity)
Test(org.testng.annotations.Test)
Aggregations
SystemAccessControl (io.trino.spi.security.SystemAccessControl)68
Test (org.testng.annotations.Test)59
CatalogSchemaTableName (io.trino.spi.connector.CatalogSchemaTableName)36
CatalogSchemaName (io.trino.spi.connector.CatalogSchemaName)12
TrinoPrincipal (io.trino.spi.security.TrinoPrincipal)12
SystemSecurityContext (io.trino.spi.security.SystemSecurityContext)10
AllowAllSystemAccessControl (io.trino.plugin.base.security.AllowAllSystemAccessControl)9
DefaultSystemAccessControl (io.trino.plugin.base.security.DefaultSystemAccessControl)9
FileBasedSystemAccessControl (io.trino.plugin.base.security.FileBasedSystemAccessControl)9
ReadOnlySystemAccessControl (io.trino.plugin.base.security.ReadOnlySystemAccessControl)9
ForwardingSystemAccessControl (io.trino.plugin.base.security.ForwardingSystemAccessControl)8
AccessDeniedException (io.trino.spi.security.AccessDeniedException)8
ViewExpression (io.trino.spi.security.ViewExpression)5
File (java.io.File)4
Files.newTemporaryFile (org.assertj.core.util.Files.newTemporaryFile)4
SchemaTableName (io.trino.spi.connector.SchemaTableName)3
SystemAccessControlFactory (io.trino.spi.security.SystemAccessControlFactory)3
ImmutableList (com.google.common.collect.ImmutableList)2
ImmutableList.toImmutableList (com.google.common.collect.ImmutableList.toImmutableList)2
ThreadContextClassLoader (io.trino.spi.classloader.ThreadContextClassLoader)2
