use of io.trino.spi.security.SystemSecurityContext in project trino by trinodb.
the class FileBasedSystemAccessControl method getColumnMask.
/**
 * Looks up the column mask that the file-based table rules assign to {@code columnName}
 * for the identity carried by {@code context}.
 *
 * <p>Tables in the information schema are never masked. For every other table only the
 * first rule in {@code tableRules} whose {@code matches(...)} accepts the caller's user,
 * enabled roles and groups is consulted, so the order of the rules decides which mask
 * applies. This method never denies access: when no rule matches, or the matching rule
 * has no mask for the column, the result is empty and the column is returned unmasked.
 *
 * @param context security context supplying the caller's identity
 * @param table fully qualified table being read
 * @param columnName column whose mask is requested
 * @param type column type; not consulted by this implementation
 * @return the mask expression of the first matching rule, or empty if there is none
 */
@Override
public Optional<ViewExpression> getColumnMask(SystemSecurityContext context, CatalogSchemaTableName table, String columnName, Type type) {
    String schemaName = table.getSchemaTableName().getSchemaName();
    if (INFORMATION_SCHEMA_NAME.equals(schemaName)) {
        // Metadata tables bypass the rule list entirely.
        return Optional.empty();
    }

    Identity identity = context.getIdentity();
    return tableRules.stream()
            .filter(rule -> rule.matches(identity.getUser(), identity.getEnabledRoles(), identity.getGroups(), table))
            // First match wins: later rules are never evaluated for this table.
            .findFirst()
            .flatMap(rule -> rule.getColumnMask(identity.getUser(), table.getCatalogName(), schemaName, columnName));
}
use of io.trino.spi.security.SystemSecurityContext in project trino by trinodb.
the class FileBasedSystemAccessControl method checkCanSelectFromColumns.
/**
 * Authorizes a SELECT of {@code columns} from {@code table} for the identity in
 * {@code context}.
 *
 * <p>The decision is made in three steps, in this order:
 * <ol>
 *   <li>the catalog must be accessible at {@code READ_ONLY} level;</li>
 *   <li>tables in the information schema are then allowed without consulting table rules;</li>
 *   <li>otherwise the first rule in {@code tableRules} that matches the caller's user,
 *       enabled roles and groups decides via {@code canSelectColumns(columns)}.</li>
 * </ol>
 * The check fails closed: if no rule matches, the select is denied.
 *
 * @param context security context supplying the caller's identity
 * @param table fully qualified table being read
 * @param columns columns the query selects
 */
@Override
public void checkCanSelectFromColumns(SystemSecurityContext context, CatalogSchemaTableName table, Set<String> columns) {
    if (!canAccessCatalog(context, table.getCatalogName(), READ_ONLY)) {
        // NOTE(review): there is no return after this call, so the catalog gate only holds
        // if denySelectTable always throws; confirm against its definition.
        denySelectTable(table.toString());
    }

    String schemaName = table.getSchemaTableName().getSchemaName();
    if (INFORMATION_SCHEMA_NAME.equals(schemaName)) {
        // The information schema is exempt from table rules once catalog access has passed.
        return;
    }

    Identity identity = context.getIdentity();
    boolean permitted = tableRules.stream()
            .filter(rule -> rule.matches(identity.getUser(), identity.getEnabledRoles(), identity.getGroups(), table))
            .map(rule -> rule.canSelectColumns(columns))
            // Only the first matching rule is asked; no matching rule means "not permitted".
            .findFirst()
            .orElse(false);
    if (permitted) {
        return;
    }
    denySelectTable(table.toString());
}
use of io.trino.spi.security.SystemSecurityContext in project trino by trinodb.
the class FileBasedSystemAccessControl method getRowFilter.
/**
 * Looks up the row filter that the file-based table rules assign to {@code table} for
 * the identity carried by {@code context}.
 *
 * <p>Tables in the information schema are never filtered. For every other table only the
 * first rule in {@code tableRules} whose {@code matches(...)} accepts the caller's user,
 * enabled roles and groups is consulted, so rule order decides which filter applies.
 * This method never denies access: when no rule matches, or the matching rule has no
 * filter, the result is empty and rows are returned unfiltered.
 *
 * @param context security context supplying the caller's identity
 * @param table fully qualified table being read
 * @return the filter expression of the first matching rule, or empty if there is none
 */
@Override
public Optional<ViewExpression> getRowFilter(SystemSecurityContext context, CatalogSchemaTableName table) {
    String schemaName = table.getSchemaTableName().getSchemaName();
    if (INFORMATION_SCHEMA_NAME.equals(schemaName)) {
        // Metadata tables bypass the rule list entirely.
        return Optional.empty();
    }

    Identity identity = context.getIdentity();
    return tableRules.stream()
            .filter(rule -> rule.matches(identity.getUser(), identity.getEnabledRoles(), identity.getGroups(), table))
            // First match wins: later rules are never evaluated for this table.
            .findFirst()
            .flatMap(rule -> rule.getFilter(identity.getUser(), table.getCatalogName(), schemaName));
}
use of io.trino.spi.security.SystemSecurityContext in project trino by trinodb.
the class TestFileBasedSystemAccessControl method testSystemInformationNotSet.
/**
 * Checks that, with {@code file-based-system-catalog.json} loaded, {@code bob} is refused
 * both read and write access to system information with an {@code AccessDeniedException}.
 *
 * <p>NOTE(review): the test name suggests the fixture defines no system-information rules,
 * i.e. this pins the deny-by-default behaviour; the fixture itself is not visible here.
 */
@Test
public void testSystemInformationNotSet() {
    SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-catalog.json");
    // No query id is attached to the context in this test.
    SystemSecurityContext bobContext = new SystemSecurityContext(bob, Optional.empty());

    assertThatThrownBy(() -> accessControl.checkCanReadSystemInformation(bobContext))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage("Access Denied: Cannot read system information");

    assertThatThrownBy(() -> accessControl.checkCanWriteSystemInformation(bobContext))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage("Access Denied: Cannot write system information");
}
use of io.trino.spi.security.SystemSecurityContext in project trino by trinodb.
the class TestFileBasedSystemAccessControl method testSchemaOperations.
/**
 * Exercises {@code checkCanSetSchemaAuthorization} against
 * {@code file-based-system-catalog.json}, once with a USER grantee and once with a ROLE
 * grantee for every case:
 * <ul>
 *   <li>{@code admin} and {@code alice} may set authorization on
 *       {@code alice-catalog.some_schema};</li>
 *   <li>{@code bob} is denied on {@code alice-catalog.some_schema};</li>
 *   <li>{@code alice} is denied on {@code secret.some_schema}.</li>
 * </ul>
 * The denial cases pin both the exception type and the start of its message.
 */
@Test
public void testSchemaOperations() {
    SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-catalog.json");

    // Both grantees deliberately share the name "some_user"; only the principal type differs.
    TrinoPrincipal user = new TrinoPrincipal(PrincipalType.USER, "some_user");
    TrinoPrincipal role = new TrinoPrincipal(PrincipalType.ROLE, "some_user");

    SystemSecurityContext adminContext = new SystemSecurityContext(admin, queryId);
    SystemSecurityContext aliceContext = new SystemSecurityContext(alice, queryId);
    SystemSecurityContext bobContext = new SystemSecurityContext(bob, queryId);

    CatalogSchemaName aliceSchema = new CatalogSchemaName("alice-catalog", "some_schema");
    CatalogSchemaName secretSchema = new CatalogSchemaName("secret", "some_schema");

    // Allowed: these calls must return without throwing.
    accessControl.checkCanSetSchemaAuthorization(adminContext, aliceSchema, user);
    accessControl.checkCanSetSchemaAuthorization(adminContext, aliceSchema, role);
    accessControl.checkCanSetSchemaAuthorization(aliceContext, aliceSchema, user);
    accessControl.checkCanSetSchemaAuthorization(aliceContext, aliceSchema, role);

    // Denied: bob on alice-catalog.
    assertThatThrownBy(() -> accessControl.checkCanSetSchemaAuthorization(bobContext, aliceSchema, user))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessageStartingWith("Access Denied: Cannot set authorization for schema alice-catalog.some_schema");
    assertThatThrownBy(() -> accessControl.checkCanSetSchemaAuthorization(bobContext, aliceSchema, role))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessageStartingWith("Access Denied: Cannot set authorization for schema alice-catalog.some_schema");

    // Denied: alice outside her own catalog.
    assertThatThrownBy(() -> accessControl.checkCanSetSchemaAuthorization(aliceContext, secretSchema, user))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessageStartingWith("Access Denied: Cannot set authorization for schema secret.some_schema");
    assertThatThrownBy(() -> accessControl.checkCanSetSchemaAuthorization(aliceContext, secretSchema, role))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessageStartingWith("Access Denied: Cannot set authorization for schema secret.some_schema");
}