
Example 1 with SystemAccessControlFactory

use of io.trino.spi.security.SystemAccessControlFactory in project trino by trinodb.

the class AccessControlManager method createSystemAccessControl.

/**
 * Builds the {@link SystemAccessControl} described by a single configuration file.
 *
 * <p>The file is loaded as a properties map. The entry stored under {@code NAME_PROPERTY}
 * selects a previously registered {@link SystemAccessControlFactory}; every remaining entry
 * is passed to that factory as its configuration.
 *
 * <p>Only the file path and the selected implementation name are logged here; the property
 * values themselves are never written to the log by this method.
 *
 * @param configFile access control configuration file; converted to an absolute file before it is read
 * @return the access control produced by the selected factory
 * @throws UncheckedIOException if the configuration file cannot be read
 */
private SystemAccessControl createSystemAccessControl(File configFile) {
    log.info("-- Loading system access control %s --", configFile);
    File absoluteFile = configFile.getAbsoluteFile();

    Map<String, String> settings;
    try {
        settings = new HashMap<>(loadPropertiesFrom(absoluteFile.getPath()));
    } catch (IOException e) {
        throw new UncheckedIOException("Failed to read configuration file: " + absoluteFile, e);
    }

    // The selector entry is removed so the factory receives only its own settings.
    String name = settings.remove(NAME_PROPERTY);
    // Startup fails here rather than continuing without the configured access control
    // (checkState presumably throws IllegalStateException, as Guava's does; confirm the import).
    checkState(!isNullOrEmpty(name), "Access control configuration does not contain '%s' property: %s", NAME_PROPERTY, absoluteFile);

    SystemAccessControlFactory factory = systemAccessControlFactories.get(name);
    checkState(factory != null, "Access control '%s' is not registered: %s", name, absoluteFile);

    SystemAccessControl created;
    // NOTE(review): presumably this makes the factory's own class loader the thread context
    // class loader while create() runs and restores the previous one on close; confirm
    // against ThreadContextClassLoader.
    try (ThreadContextClassLoader ignored = new ThreadContextClassLoader(factory.getClass().getClassLoader())) {
        // The factory gets an immutable snapshot, so it cannot alter the map built above.
        created = factory.create(ImmutableMap.copyOf(settings));
    }

    log.info("-- Loaded system access control %s --", name);
    return created;
}
Also used : SystemAccessControlFactory(io.trino.spi.security.SystemAccessControlFactory) ReadOnlySystemAccessControl(io.trino.plugin.base.security.ReadOnlySystemAccessControl) FileBasedSystemAccessControl(io.trino.plugin.base.security.FileBasedSystemAccessControl) SystemAccessControl(io.trino.spi.security.SystemAccessControl) ForwardingSystemAccessControl(io.trino.plugin.base.security.ForwardingSystemAccessControl) DefaultSystemAccessControl(io.trino.plugin.base.security.DefaultSystemAccessControl) AllowAllSystemAccessControl(io.trino.plugin.base.security.AllowAllSystemAccessControl) UncheckedIOException(java.io.UncheckedIOException) UncheckedIOException(java.io.UncheckedIOException) IOException(java.io.IOException) ThreadContextClassLoader(io.trino.spi.classloader.ThreadContextClassLoader)

Example 2 with SystemAccessControlFactory

use of io.trino.spi.security.SystemAccessControlFactory in project trino by trinodb.

the class AccessControlManager method setSystemAccessControl.

/**
 * Creates one system access control from an already registered factory and passes it,
 * as a single-element list, to {@code setSystemAccessControls}.
 *
 * <p>Marked {@code @VisibleForTesting}: it takes the implementation name and properties
 * directly instead of reading them from a configuration file.
 * NOTE(review): the single-element list presumably replaces any access controls installed
 * earlier; confirm against {@code setSystemAccessControls} before calling this outside tests.
 *
 * @param name name under which the factory was registered; must not be null
 * @param properties configuration handed to the factory as an immutable copy; must not be null
 */
@VisibleForTesting
protected void setSystemAccessControl(String name, Map<String, String> properties) {
    requireNonNull(name, "name is null");
    requireNonNull(properties, "properties is null");

    SystemAccessControlFactory registeredFactory = systemAccessControlFactories.get(name);
    // An unknown name is rejected rather than falling back to some other implementation.
    checkState(registeredFactory != null, "Access control '%s' is not registered", name);

    SystemAccessControl created;
    // NOTE(review): presumably switches the thread context class loader to the factory's
    // loader for the duration of create(); confirm against ThreadContextClassLoader.
    try (ThreadContextClassLoader ignored = new ThreadContextClassLoader(registeredFactory.getClass().getClassLoader())) {
        created = registeredFactory.create(ImmutableMap.copyOf(properties));
    }

    setSystemAccessControls(ImmutableList.of(created));
}
Also used : SystemAccessControlFactory(io.trino.spi.security.SystemAccessControlFactory) ReadOnlySystemAccessControl(io.trino.plugin.base.security.ReadOnlySystemAccessControl) FileBasedSystemAccessControl(io.trino.plugin.base.security.FileBasedSystemAccessControl) SystemAccessControl(io.trino.spi.security.SystemAccessControl) ForwardingSystemAccessControl(io.trino.plugin.base.security.ForwardingSystemAccessControl) DefaultSystemAccessControl(io.trino.plugin.base.security.DefaultSystemAccessControl) AllowAllSystemAccessControl(io.trino.plugin.base.security.AllowAllSystemAccessControl) ThreadContextClassLoader(io.trino.spi.classloader.ThreadContextClassLoader) VisibleForTesting(com.google.common.annotations.VisibleForTesting)

Example 3 with SystemAccessControlFactory

use of io.trino.spi.security.SystemAccessControlFactory in project trino by trinodb.

the class PluginManager method installPluginInternal.

/**
 * Hands everything a plugin contributes to the matching engine-side manager, logging each
 * registration by name.
 *
 * <p>Several of the registered extension points are security-relevant: system access control
 * factories, password / certificate / header authenticator factories and group provider
 * factories. This method only passes each factory to its manager; whether a factory is later
 * selected and instantiated is decided elsewhere and is not visible here.
 *
 * <p>Password and header authenticator factories are registered only when the corresponding
 * optional manager is present; otherwise the plugin's factories of that kind are skipped
 * without any log line.
 *
 * @param plugin the plugin whose contributions are registered
 * @param duplicatePluginClassLoaderFactory passed through unchanged to the connector manager
 *        with each connector factory
 */
private void installPluginInternal(Plugin plugin, Function<CatalogName, ClassLoader> duplicatePluginClassLoaderFactory) {
    // --- data representation: block encodings and types ---
    plugin.getBlockEncodings().forEach(encoding -> {
        log.info("Registering block encoding %s", encoding.getName());
        blockEncodingManager.addBlockEncoding(encoding);
    });
    plugin.getTypes().forEach(pluginType -> {
        log.info("Registering type %s", pluginType.getTypeSignature());
        typeRegistry.addType(pluginType);
    });
    plugin.getParametricTypes().forEach(parametric -> {
        log.info("Registering parametric type %s", parametric.getName());
        typeRegistry.addParametricType(parametric);
    });

    // --- connectors and functions ---
    plugin.getConnectorFactories().forEach(connector -> {
        log.info("Registering connector %s", connector.getName());
        connectorManager.addConnectorFactory(connector, duplicatePluginClassLoaderFactory);
    });
    Set<Class<?>> functionClasses = plugin.getFunctions();
    if (!functionClasses.isEmpty()) {
        // Functions are logged once per plugin class rather than once per function.
        log.info("Registering functions from %s", plugin.getClass().getSimpleName());
        InternalFunctionBundleBuilder bundle = InternalFunctionBundle.builder();
        functionClasses.forEach(bundle::functions);
        globalFunctionCatalog.addFunctions(bundle.build());
    }

    // --- session defaults and resource groups ---
    plugin.getSessionPropertyConfigurationManagerFactories().forEach(sessionFactory -> {
        log.info("Registering session property configuration manager %s", sessionFactory.getName());
        sessionPropertyDefaults.addConfigurationManagerFactory(sessionFactory);
    });
    plugin.getResourceGroupConfigurationManagerFactories().forEach(resourceGroupFactory -> {
        log.info("Registering resource group configuration manager %s", resourceGroupFactory.getName());
        resourceGroupManager.addConfigurationManagerFactory(resourceGroupFactory);
    });

    // --- authorization and authentication extension points ---
    plugin.getSystemAccessControlFactories().forEach(accessControl -> {
        log.info("Registering system access control %s", accessControl.getName());
        accessControlManager.addSystemAccessControlFactory(accessControl);
    });
    // Skipped entirely when no password authenticator manager is configured.
    passwordAuthenticatorManager.ifPresent(passwordManager ->
            plugin.getPasswordAuthenticatorFactories().forEach(passwordFactory -> {
                log.info("Registering password authenticator %s", passwordFactory.getName());
                passwordManager.addPasswordAuthenticatorFactory(passwordFactory);
            }));
    plugin.getCertificateAuthenticatorFactories().forEach(certificateFactory -> {
        log.info("Registering certificate authenticator %s", certificateFactory.getName());
        certificateAuthenticatorManager.addCertificateAuthenticatorFactory(certificateFactory);
    });
    // Skipped entirely when no header authenticator manager is configured.
    headerAuthenticatorManager.ifPresent(headerManager ->
            plugin.getHeaderAuthenticatorFactories().forEach(headerFactory -> {
                log.info("Registering header authenticator %s", headerFactory.getName());
                headerManager.addHeaderAuthenticatorFactory(headerFactory);
            }));

    // --- auditing, group resolution, exchange ---
    plugin.getEventListenerFactories().forEach(listenerFactory -> {
        log.info("Registering event listener %s", listenerFactory.getName());
        eventListenerManager.addEventListenerFactory(listenerFactory);
    });
    plugin.getGroupProviderFactories().forEach(groupFactory -> {
        log.info("Registering group provider %s", groupFactory.getName());
        groupProviderManager.addGroupProviderFactory(groupFactory);
    });
    plugin.getExchangeManagerFactories().forEach(exchangeFactory -> {
        log.info("Registering exchange manager %s", exchangeFactory.getName());
        exchangeManagerRegistry.addExchangeManagerFactory(exchangeFactory);
    });
}
Also used : ResourceGroupConfigurationManagerFactory(io.trino.spi.resourcegroups.ResourceGroupConfigurationManagerFactory) HeaderAuthenticatorFactory(io.trino.spi.security.HeaderAuthenticatorFactory) EventListenerFactory(io.trino.spi.eventlistener.EventListenerFactory) SystemAccessControlFactory(io.trino.spi.security.SystemAccessControlFactory) Type(io.trino.spi.type.Type) ParametricType(io.trino.spi.type.ParametricType) PasswordAuthenticatorFactory(io.trino.spi.security.PasswordAuthenticatorFactory) ConnectorFactory(io.trino.spi.connector.ConnectorFactory) InternalFunctionBundleBuilder(io.trino.metadata.InternalFunctionBundle.InternalFunctionBundleBuilder) ParametricType(io.trino.spi.type.ParametricType) SessionPropertyConfigurationManagerFactory(io.trino.spi.session.SessionPropertyConfigurationManagerFactory) BlockEncoding(io.trino.spi.block.BlockEncoding) CertificateAuthenticatorFactory(io.trino.spi.security.CertificateAuthenticatorFactory) GroupProviderFactory(io.trino.spi.security.GroupProviderFactory) ExchangeManagerFactory(io.trino.spi.exchange.ExchangeManagerFactory)

Example 4 with SystemAccessControlFactory

use of io.trino.spi.security.SystemAccessControlFactory in project trino by trinodb.

the class TestAccessControlManager method testColumnMaskOrdering.

/**
 * Pins the order in which column masks are returned when both a system access control and a
 * catalog (connector) access control supply one for the same column: the connector mask is
 * expected at index 0 and the system mask at index 1.
 */
@Test
public void testColumnMaskOrdering() {
    try (LocalQueryRunner runner = LocalQueryRunner.create(TEST_SESSION)) {
        TransactionManager transactions = runner.getTransactionManager();
        AccessControlManager manager = createAccessControlManager(transactions);

        // System-level access control that masks every column with "system mask".
        SystemAccessControlFactory systemMaskFactory = new SystemAccessControlFactory() {

            @Override
            public String getName() {
                return "test";
            }

            @Override
            public SystemAccessControl create(Map<String, String> config) {
                return new SystemAccessControl() {

                    @Override
                    public Optional<ViewExpression> getColumnMask(SystemSecurityContext context, CatalogSchemaTableName tableName, String column, Type type) {
                        return Optional.of(new ViewExpression("user", Optional.empty(), Optional.empty(), "system mask"));
                    }

                    @Override
                    public void checkCanSetSystemSessionProperty(SystemSecurityContext context, String propertyName) {
                        // Empty override: never rejects (presumably the interface default denies; confirm).
                    }
                };
            }
        };
        manager.addSystemAccessControlFactory(systemMaskFactory);
        manager.setSystemAccessControl("test", ImmutableMap.of());

        runner.createCatalog("catalog", MockConnectorFactory.create(), ImmutableMap.of());

        // Catalog-level access control that masks every column with "connector mask".
        ConnectorAccessControl connectorMaskControl = new ConnectorAccessControl() {

            @Override
            public Optional<ViewExpression> getColumnMask(ConnectorSecurityContext context, SchemaTableName tableName, String column, Type type) {
                return Optional.of(new ViewExpression("user", Optional.empty(), Optional.empty(), "connector mask"));
            }

            @Override
            public void checkCanShowCreateTable(ConnectorSecurityContext context, SchemaTableName tableName) {
                // Empty override: never rejects (presumably the interface default denies; confirm).
            }
        };
        manager.addCatalogAccessControl(new CatalogName("catalog"), connectorMaskControl);

        transaction(transactions, manager).execute(transactionId -> {
            QualifiedObjectName table = new QualifiedObjectName("catalog", "schema", "table");
            List<ViewExpression> columnMasks = manager.getColumnMasks(context(transactionId), table, "column", BIGINT);
            // Both masks must be present, connector first, system second.
            assertEquals(columnMasks.get(0).getExpression(), "connector mask");
            assertEquals(columnMasks.get(1).getExpression(), "system mask");
        });
    }
}
Also used : Optional(java.util.Optional) ConnectorAccessControl(io.trino.spi.connector.ConnectorAccessControl) ReadOnlySystemAccessControl(io.trino.plugin.base.security.ReadOnlySystemAccessControl) SystemAccessControl(io.trino.spi.security.SystemAccessControl) DefaultSystemAccessControl(io.trino.plugin.base.security.DefaultSystemAccessControl) AllowAllSystemAccessControl(io.trino.plugin.base.security.AllowAllSystemAccessControl) ConnectorSecurityContext(io.trino.spi.connector.ConnectorSecurityContext) SchemaTableName(io.trino.spi.connector.SchemaTableName) CatalogSchemaTableName(io.trino.spi.connector.CatalogSchemaTableName) LocalQueryRunner(io.trino.testing.LocalQueryRunner) CatalogSchemaTableName(io.trino.spi.connector.CatalogSchemaTableName) QualifiedObjectName(io.trino.metadata.QualifiedObjectName) ViewExpression(io.trino.spi.security.ViewExpression) SystemAccessControlFactory(io.trino.spi.security.SystemAccessControlFactory) SystemSecurityContext(io.trino.spi.security.SystemSecurityContext) Type(io.trino.spi.type.Type) TransactionManager(io.trino.transaction.TransactionManager) InMemoryTransactionManager.createTestTransactionManager(io.trino.transaction.InMemoryTransactionManager.createTestTransactionManager) CatalogName(io.trino.connector.CatalogName) Test(org.testng.annotations.Test)

Aggregations

SystemAccessControlFactory (io.trino.spi.security.SystemAccessControlFactory)4 AllowAllSystemAccessControl (io.trino.plugin.base.security.AllowAllSystemAccessControl)3 DefaultSystemAccessControl (io.trino.plugin.base.security.DefaultSystemAccessControl)3 ReadOnlySystemAccessControl (io.trino.plugin.base.security.ReadOnlySystemAccessControl)3 SystemAccessControl (io.trino.spi.security.SystemAccessControl)3 FileBasedSystemAccessControl (io.trino.plugin.base.security.FileBasedSystemAccessControl)2 ForwardingSystemAccessControl (io.trino.plugin.base.security.ForwardingSystemAccessControl)2 ThreadContextClassLoader (io.trino.spi.classloader.ThreadContextClassLoader)2 Type (io.trino.spi.type.Type)2 VisibleForTesting (com.google.common.annotations.VisibleForTesting)1 CatalogName (io.trino.connector.CatalogName)1 InternalFunctionBundleBuilder (io.trino.metadata.InternalFunctionBundle.InternalFunctionBundleBuilder)1 QualifiedObjectName (io.trino.metadata.QualifiedObjectName)1 BlockEncoding (io.trino.spi.block.BlockEncoding)1 CatalogSchemaTableName (io.trino.spi.connector.CatalogSchemaTableName)1 ConnectorAccessControl (io.trino.spi.connector.ConnectorAccessControl)1 ConnectorFactory (io.trino.spi.connector.ConnectorFactory)1 ConnectorSecurityContext (io.trino.spi.connector.ConnectorSecurityContext)1 SchemaTableName (io.trino.spi.connector.SchemaTableName)1 EventListenerFactory (io.trino.spi.eventlistener.EventListenerFactory)1