Use of `io.trino.spi.security.SystemAccessControl` in the trinodb/trino project: class `AccessControlManager`, method `getRowFilters`.
/**
 * Collects the row filters that apply to {@code tableName} for the given security context.
 *
 * <p>At most one filter comes from the catalog's connector access control (only when a
 * connector access control is registered for the catalog in this transaction), followed by
 * at most one per registered system access control. Filters are returned in that order and
 * are not merged or de-duplicated here.
 *
 * @param context   the caller's security context; must not be null
 * @param tableName the fully qualified table the filters are requested for; must not be null
 * @return the filters contributed by the connector and system access controls, possibly empty
 */
@Override
public List<ViewExpression> getRowFilters(SecurityContext context, QualifiedObjectName tableName) {
    requireNonNull(context, "context is null");
    requireNonNull(tableName, "tableName is null");

    ImmutableList.Builder<ViewExpression> rowFilters = ImmutableList.builder();

    // Connector-level access control goes first; it contributes a filter only when the
    // catalog has an access control registered for this transaction and that control
    // actually returns one.
    CatalogAccessControlEntry catalogEntry = getConnectorAccessControl(context.getTransactionId(), tableName.getCatalogName());
    if (catalogEntry != null) {
        catalogEntry.getAccessControl()
                .getRowFilter(catalogEntry.toConnectorSecurityContext(context), tableName.asSchemaTableName())
                .ifPresent(rowFilters::add);
    }

    // Every registered system access control gets a chance to add its own filter as well.
    for (SystemAccessControl systemControl : getSystemAccessControls()) {
        systemControl
                .getRowFilter(context.toSystemSecurityContext(), tableName.asCatalogSchemaTableName())
                .ifPresent(rowFilters::add);
    }

    return rowFilters.build();
}
Use of `io.trino.spi.security.SystemAccessControl` in the trinodb/trino project: class `AccessControlManager`, method `filterTables`.
/**
 * Narrows {@code tableNames} in {@code catalogName} down to the tables the caller may see.
 *
 * <p>If the catalog itself is not visible to the caller (per {@code filterCatalogs}) the
 * result is empty without consulting any per-table rules. Otherwise the set is passed
 * through every registered system access control in turn and finally through the catalog's
 * connector access control, if one is registered for this transaction; each stage receives
 * the previous stage's output.
 *
 * <p>NOTE(review): this chain relies on every implementation returning a subset of its
 * input. Nothing here re-intersects a stage's result with the original {@code tableNames},
 * so an implementation that adds names would widen visibility — confirm the SPI contract.
 *
 * @param securityContext the caller's security context; must not be null
 * @param catalogName     the catalog the table names belong to; must not be null
 * @param tableNames      the candidate tables; must not be null
 * @return the subset of {@code tableNames} every access control agreed to expose
 */
@Override
public Set<SchemaTableName> filterTables(SecurityContext securityContext, String catalogName, Set<SchemaTableName> tableNames) {
    requireNonNull(securityContext, "securityContext is null");
    requireNonNull(catalogName, "catalogName is null");
    requireNonNull(tableNames, "tableNames is null");

    // A catalog the caller may not see yields no tables at all, whatever the table rules say.
    boolean catalogVisible = !filterCatalogs(securityContext, ImmutableSet.of(catalogName)).isEmpty();
    if (!catalogVisible) {
        return ImmutableSet.of();
    }

    // System access controls run first, each narrowing the previous result.
    Set<SchemaTableName> visible = tableNames;
    for (SystemAccessControl systemControl : getSystemAccessControls()) {
        visible = systemControl.filterTables(securityContext.toSystemSecurityContext(), catalogName, visible);
    }

    // The connector access control, when present, has the final say.
    CatalogAccessControlEntry catalogEntry = getConnectorAccessControl(securityContext.getTransactionId(), catalogName);
    if (catalogEntry == null) {
        return visible;
    }
    return catalogEntry.getAccessControl().filterTables(catalogEntry.toConnectorSecurityContext(securityContext), visible);
}
Use of `io.trino.spi.security.SystemAccessControl` in the trinodb/trino project: class `TestFileBasedSystemAccessControl`, method `testSchemaRulesForCheckCanRenameSchema`.
/**
 * Schema rules for RENAME SCHEMA: the fixture {@code file-based-system-access-schema.json}
 * must allow the admin everything, allow Bob between "bob", "staff" and "authenticated"
 * (but deny any rename where "test" is the source or the target), and deny Charlie
 * everything except renaming "authenticated" to its own name.
 *
 * <p>Note that a rename is checked against both the source and the target schema name —
 * Bob is denied both "test" -> "bob" and "bob" -> "test".
 */
@Test
public void testSchemaRulesForCheckCanRenameSchema() {
    SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-access-schema.json");

    // Admin: allowed for every schema in the fixture.
    for (String schema : new String[] {"bob", "staff", "authenticated", "test"}) {
        accessControl.checkCanRenameSchema(ADMIN, schemaInSomeCatalog(schema), "new_schema");
    }

    // Bob: allowed among bob / staff / authenticated, denied whenever "test" is involved.
    accessControl.checkCanRenameSchema(BOB, schemaInSomeCatalog("bob"), "staff");
    accessControl.checkCanRenameSchema(BOB, schemaInSomeCatalog("staff"), "authenticated");
    accessControl.checkCanRenameSchema(BOB, schemaInSomeCatalog("authenticated"), "bob");
    assertAccessDenied(() -> accessControl.checkCanRenameSchema(BOB, schemaInSomeCatalog("test"), "bob"), RENAME_SCHEMA_ACCESS_DENIED_MESSAGE);
    assertAccessDenied(() -> accessControl.checkCanRenameSchema(BOB, schemaInSomeCatalog("bob"), "test"), RENAME_SCHEMA_ACCESS_DENIED_MESSAGE);

    // Charlie: denied for bob, staff and test; only "authenticated" -> "authenticated" passes.
    assertAccessDenied(() -> accessControl.checkCanRenameSchema(CHARLIE, schemaInSomeCatalog("bob"), "new_schema"), RENAME_SCHEMA_ACCESS_DENIED_MESSAGE);
    assertAccessDenied(() -> accessControl.checkCanRenameSchema(CHARLIE, schemaInSomeCatalog("staff"), "new_schema"), RENAME_SCHEMA_ACCESS_DENIED_MESSAGE);
    accessControl.checkCanRenameSchema(CHARLIE, schemaInSomeCatalog("authenticated"), "authenticated");
    assertAccessDenied(() -> accessControl.checkCanRenameSchema(CHARLIE, schemaInSomeCatalog("test"), "new_schema"), RENAME_SCHEMA_ACCESS_DENIED_MESSAGE);
}

/**
 * Builds the {@code some-catalog} schema reference used throughout the rename-schema fixture.
 */
private static CatalogSchemaName schemaInSomeCatalog(String schemaName) {
    return new CatalogSchemaName("some-catalog", schemaName);
}
Use of `io.trino.spi.security.SystemAccessControl` in the trinodb/trino project: class `TestFileBasedSystemAccessControl`, method `testFilterCatalogs`.
/**
 * Catalog visibility under {@code file-based-system-access-visibility.json}: the admin sees
 * every catalog except "blocked-catalog" (names not covered by a rule, such as "unknown",
 * stay visible to the admin), while Alice, Bob and Charlie each see only their own short
 * list — "secret", "hidden" and "open-to-all" are not visible to any of the three.
 */
@Test
public void testFilterCatalogs() {
    SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-access-visibility.json");
    Set<String> everyCatalog = ImmutableSet.of(
            "alice-catalog",
            "bob-catalog",
            "specific-catalog",
            "secret",
            "hidden",
            "open-to-all",
            "blocked-catalog",
            "unknown");

    // Admin: everything but the blocked catalog.
    assertEquals(
            accessControl.filterCatalogs(ADMIN, everyCatalog),
            Sets.difference(everyCatalog, ImmutableSet.of("blocked-catalog")));

    // Regular users: only what the visibility rules grant them.
    assertEquals(accessControl.filterCatalogs(ALICE, everyCatalog), ImmutableSet.of("specific-catalog", "alice-catalog"));
    assertEquals(accessControl.filterCatalogs(BOB, everyCatalog), ImmutableSet.of("specific-catalog", "alice-catalog", "bob-catalog"));
    assertEquals(accessControl.filterCatalogs(CHARLIE, everyCatalog), ImmutableSet.of("specific-catalog"));
}
Use of `io.trino.spi.security.SystemAccessControl` in the trinodb/trino project: class `TestFileBasedSystemAccessControl`, method `testCanSetUserOperations`.
/**
 * SET USER (impersonation) checks under {@code file-based-system-catalog_principal.json}.
 *
 * <p>With principal rules configured, a request without a principal is denied, a Kerberos
 * principal is accepted only for the user it matches (non-ASCII user names included), the
 * shared-principal pair is accepted only for its valid combination, and regex
 * metacharacters in the rules must be matched as the fixture intends. The fixture without
 * principal rules ({@code file-based-system-catalog.json}) accepts the same Kerberos
 * principal/user pair.
 */
@Test
public void testCanSetUserOperations() {
    SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-catalog_principal.json");

    // No principal at all: denied under this fixture.
    assertSetUserDenied(() -> accessControl.checkCanSetUser(Optional.empty(), alice.getUser()));

    // Kerberos principals: matching user allowed (including non-ASCII), mismatch denied.
    accessControl.checkCanSetUser(kerberosValidAlice.getPrincipal(), kerberosValidAlice.getUser());
    accessControl.checkCanSetUser(kerberosValidNonAsciiUser.getPrincipal(), kerberosValidNonAsciiUser.getUser());
    assertSetUserDenied(() -> accessControl.checkCanSetUser(kerberosInvalidAlice.getPrincipal(), kerberosInvalidAlice.getUser()));

    // Shared principal: valid pairing allowed, invalid pairing denied.
    accessControl.checkCanSetUser(kerberosValidShare.getPrincipal(), kerberosValidShare.getUser());
    assertSetUserDenied(() -> accessControl.checkCanSetUser(kerberosInValidShare.getPrincipal(), kerberosInValidShare.getUser()));

    // Regex special characters in the rules: the two valid shapes pass, the invalid one is denied.
    accessControl.checkCanSetUser(validSpecialRegexWildDot.getPrincipal(), validSpecialRegexWildDot.getUser());
    accessControl.checkCanSetUser(validSpecialRegexEndQuote.getPrincipal(), validSpecialRegexEndQuote.getUser());
    assertSetUserDenied(() -> accessControl.checkCanSetUser(invalidSpecialRegex.getPrincipal(), invalidSpecialRegex.getUser()));

    // Same principal/user pair against the fixture that has no principal rules.
    SystemAccessControl accessControlNoPatterns = newFileBasedSystemAccessControl("file-based-system-catalog.json");
    accessControlNoPatterns.checkCanSetUser(kerberosValidAlice.getPrincipal(), kerberosValidAlice.getUser());
}

/**
 * Runs {@code setUser} and fails the test unless it throws {@link AccessDeniedException}.
 * Any other exception propagates unchanged.
 */
private static void assertSetUserDenied(Runnable setUser) {
    try {
        setUser.run();
    }
    catch (AccessDeniedException expected) {
        // the denial is the outcome under test
        return;
    }
    throw new AssertionError("expected AccessDeniedException");
}