
Example 11 with SystemSecurityContext

use of io.trino.spi.security.SystemSecurityContext in project trino by trinodb.

From class TestFileBasedSystemAccessControl, method testQueryDocsExample.

@Test
public void testQueryDocsExample() {
    // Load the rules file that ships with the documentation, so the published example is
    // guaranteed to parse and to grant exactly what the docs describe.
    String docsRulesPath = new File("../../docs/src/main/sphinx/security/query-access.json").getAbsolutePath();
    SystemAccessControl accessControlManager = newFileBasedSystemAccessControl(ImmutableMap.of("security.config-file", docsRulesPath));

    // NOTE(review): every denial asserted below, including denials of kill, surfaces this
    // "view" message; the test pins the current implementation rather than a kill-specific text.
    String viewDenied = "Access Denied: Cannot view query";

    // admin: execute, view and kill anything; nothing is filtered out.
    SystemSecurityContext adminContext = new SystemSecurityContext(admin, queryId);
    accessControlManager.checkCanExecuteQuery(adminContext);
    accessControlManager.checkCanViewQueryOwnedBy(adminContext, any);
    assertEquals(accessControlManager.filterViewQueryOwnedBy(adminContext, ImmutableSet.of("a", "b")), ImmutableSet.of("a", "b"));
    accessControlManager.checkCanKillQueryOwnedBy(adminContext, any);

    // alice: execute and kill are allowed, viewing other users' queries is not.
    SystemSecurityContext aliceContext = new SystemSecurityContext(alice, queryId);
    accessControlManager.checkCanExecuteQuery(aliceContext);
    assertThatThrownBy(() -> accessControlManager.checkCanViewQueryOwnedBy(aliceContext, any))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage(viewDenied);
    assertEquals(accessControlManager.filterViewQueryOwnedBy(aliceContext, ImmutableSet.of("a", "b")), ImmutableSet.of());
    accessControlManager.checkCanKillQueryOwnedBy(aliceContext, any);

    // bob: execute only; view and kill are both denied and the owner list is filtered to nothing.
    SystemSecurityContext bobContext = new SystemSecurityContext(bob, queryId);
    accessControlManager.checkCanExecuteQuery(bobContext);
    assertThatThrownBy(() -> accessControlManager.checkCanViewQueryOwnedBy(bobContext, any))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage(viewDenied);
    assertEquals(accessControlManager.filterViewQueryOwnedBy(bobContext, ImmutableSet.of("a", "b")), ImmutableSet.of());
    assertThatThrownBy(() -> accessControlManager.checkCanKillQueryOwnedBy(bobContext, any))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage(viewDenied);

    // dave: may view queries owned by alice and by himself, may kill none of them,
    // and the filter keeps only those two owners.
    SystemSecurityContext daveContext = new SystemSecurityContext(dave, queryId);
    accessControlManager.checkCanExecuteQuery(daveContext);
    accessControlManager.checkCanViewQueryOwnedBy(daveContext, alice);
    accessControlManager.checkCanViewQueryOwnedBy(daveContext, dave);
    assertEquals(
            accessControlManager.filterViewQueryOwnedBy(daveContext, ImmutableSet.of("alice", "bob", "dave", "admin")),
            ImmutableSet.of("alice", "dave"));
    assertThatThrownBy(() -> accessControlManager.checkCanKillQueryOwnedBy(daveContext, alice))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage(viewDenied);
    assertThatThrownBy(() -> accessControlManager.checkCanKillQueryOwnedBy(daveContext, bob))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage(viewDenied);
    assertThatThrownBy(() -> accessControlManager.checkCanViewQueryOwnedBy(daveContext, bob))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage(viewDenied);
    assertThatThrownBy(() -> accessControlManager.checkCanViewQueryOwnedBy(daveContext, admin))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage(viewDenied);

    // A previously unseen user is matched through group membership ("contractors"):
    // viewing dave's queries is allowed, killing them is not.
    Identity contractor = Identity.forUser("some-other-contractor")
            .withGroups(ImmutableSet.of("contractors"))
            .build();
    SystemSecurityContext contractorContext = new SystemSecurityContext(contractor, queryId);
    accessControlManager.checkCanExecuteQuery(contractorContext);
    accessControlManager.checkCanViewQueryOwnedBy(contractorContext, dave);
    assertThatThrownBy(() -> accessControlManager.checkCanKillQueryOwnedBy(contractorContext, dave))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage(viewDenied);
}
Also used : SystemSecurityContext(io.trino.spi.security.SystemSecurityContext) AccessDeniedException(io.trino.spi.security.AccessDeniedException) SystemAccessControl(io.trino.spi.security.SystemAccessControl) Identity(io.trino.spi.security.Identity) Files.newTemporaryFile(org.assertj.core.util.Files.newTemporaryFile) File(java.io.File) Test(org.testng.annotations.Test)

Example 12 with SystemSecurityContext

use of io.trino.spi.security.SystemSecurityContext in project trino by trinodb.

From class TestFileBasedSystemAccessControl, method testRefreshing.

@Test
public void testRefreshing() throws Exception {
    // Work on a temporary copy of a valid rules file so the test is free to overwrite it.
    File rulesFile = newTemporaryFile();
    rulesFile.deleteOnExit();
    copy(new File(getResourcePath("file-based-system-catalog.json")), rulesFile);
    SystemAccessControl accessControl = newFileBasedSystemAccessControl(ImmutableMap.of(
            SECURITY_CONFIG_FILE, rulesFile.getAbsolutePath(),
            SECURITY_REFRESH_PERIOD, "1ms"));
    SystemSecurityContext aliceContext = new SystemSecurityContext(alice, queryId);

    // Repeated checks against the unchanged file keep passing.
    for (int attempt = 0; attempt < 3; attempt++) {
        accessControl.checkCanCreateView(aliceContext, aliceView);
    }

    // Replace the rules with an invalid file. Once the refresh period has elapsed the
    // access control must reject the check rather than keep enforcing the stale rules.
    // NOTE(review): the 2 unit sleep against a 1ms refresh period makes this timing-sensitive;
    // presumably the refresh is evaluated lazily on the next check - confirm before tightening.
    copy(new File(getResourcePath("file-based-system-security-config-file-with-unknown-rules.json")), rulesFile);
    sleep(2);
    assertThatThrownBy(() -> accessControl.checkCanCreateView(aliceContext, aliceView))
            .isInstanceOf(IllegalArgumentException.class)
            .hasMessageStartingWith("Invalid JSON file");
    // A second check must fail as well: the broken file must not have been cached as a usable ruleset.
    assertThatThrownBy(() -> accessControl.checkCanCreateView(aliceContext, aliceView))
            .isInstanceOf(IllegalArgumentException.class)
            .hasMessageStartingWith("Invalid JSON file");

    // Restoring the valid file re-enables access after the next refresh.
    copy(new File(getResourcePath("file-based-system-catalog.json")), rulesFile);
    sleep(2);
    accessControl.checkCanCreateView(aliceContext, aliceView);
}
Also used : SystemSecurityContext(io.trino.spi.security.SystemSecurityContext) SystemAccessControl(io.trino.spi.security.SystemAccessControl) Files.newTemporaryFile(org.assertj.core.util.Files.newTemporaryFile) File(java.io.File) Test(org.testng.annotations.Test)

Example 13 with SystemSecurityContext

use of io.trino.spi.security.SystemSecurityContext in project trino by trinodb.

From class TestFileBasedSystemAccessControl, method testSessionPropertyDocsExample.

@Test
public void testSessionPropertyDocsExample() {
    // Load the rules file that ships with the documentation, so the published example is
    // guaranteed to parse and to grant exactly what the docs describe.
    String docsRulesPath = new File("../../docs/src/main/sphinx/security/session-property-access.json").getAbsolutePath();
    SystemAccessControl accessControl = newFileBasedSystemAccessControl(ImmutableMap.of("security.config-file", docsRulesPath));
    // A user to whom the docs example grants no session-property access at all.
    SystemSecurityContext bannedUser = new SystemSecurityContext(Identity.ofUser("banned_user"), queryId);

    // The checks are independent reads, so they are grouped per principal rather than per property.

    // ADMIN: every system and catalog session property.
    accessControl.checkCanSetSystemSessionProperty(ADMIN, "any");
    accessControl.checkCanSetSystemSessionProperty(ADMIN, "resource_overcommit");
    accessControl.checkCanSetCatalogSessionProperty(ADMIN, "hive", "any");
    accessControl.checkCanSetCatalogSessionProperty(ADMIN, "hive", "bucket_execution_enabled");

    // ALICE: only the explicitly listed properties; anything else is denied.
    assertAccessDenied(() -> accessControl.checkCanSetSystemSessionProperty(ALICE, "any"), SET_SYSTEM_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
    accessControl.checkCanSetSystemSessionProperty(ALICE, "resource_overcommit");
    assertAccessDenied(() -> accessControl.checkCanSetCatalogSessionProperty(ALICE, "hive", "any"), SET_CATALOG_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
    accessControl.checkCanSetCatalogSessionProperty(ALICE, "hive", "bucket_execution_enabled");

    // banned_user: denied everything, including the properties ALICE may set.
    assertAccessDenied(() -> accessControl.checkCanSetSystemSessionProperty(bannedUser, "any"), SET_SYSTEM_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
    assertAccessDenied(() -> accessControl.checkCanSetSystemSessionProperty(bannedUser, "resource_overcommit"), SET_SYSTEM_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
    assertAccessDenied(() -> accessControl.checkCanSetCatalogSessionProperty(bannedUser, "hive", "any"), SET_CATALOG_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
    assertAccessDenied(() -> accessControl.checkCanSetCatalogSessionProperty(bannedUser, "hive", "bucket_execution_enabled"), SET_CATALOG_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
}
Also used : SystemSecurityContext(io.trino.spi.security.SystemSecurityContext) SystemAccessControl(io.trino.spi.security.SystemAccessControl) Files.newTemporaryFile(org.assertj.core.util.Files.newTemporaryFile) File(java.io.File) Test(org.testng.annotations.Test)

Example 14 with SystemSecurityContext

use of io.trino.spi.security.SystemSecurityContext in project trino by trinodb.

From class TestFileBasedSystemAccessControl, method testSystemInformationDocsExample.

@Test
public void testSystemInformationDocsExample() {
    // Load the rules file that ships with the documentation, so the published example is
    // guaranteed to parse and to grant exactly what the docs describe.
    String docsRulesPath = new File("../../docs/src/main/sphinx/security/system-information-access.json").getAbsolutePath();
    SystemAccessControl accessControlManager = newFileBasedSystemAccessControl(ImmutableMap.of("security.config-file", docsRulesPath));

    // System-information checks are not tied to a query, so the contexts carry no query id.
    SystemSecurityContext adminContext = new SystemSecurityContext(admin, Optional.empty());
    SystemSecurityContext aliceContext = new SystemSecurityContext(alice, Optional.empty());
    SystemSecurityContext bobContext = new SystemSecurityContext(bob, Optional.empty());

    // admin: read and write.
    accessControlManager.checkCanReadSystemInformation(adminContext);
    accessControlManager.checkCanWriteSystemInformation(adminContext);

    // alice: read only.
    accessControlManager.checkCanReadSystemInformation(aliceContext);
    assertThatThrownBy(() -> accessControlManager.checkCanWriteSystemInformation(aliceContext))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage("Access Denied: Cannot write system information");

    // bob: neither.
    assertThatThrownBy(() -> accessControlManager.checkCanReadSystemInformation(bobContext))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage("Access Denied: Cannot read system information");
    assertThatThrownBy(() -> accessControlManager.checkCanWriteSystemInformation(bobContext))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage("Access Denied: Cannot write system information");
}
Also used : SystemSecurityContext(io.trino.spi.security.SystemSecurityContext) AccessDeniedException(io.trino.spi.security.AccessDeniedException) SystemAccessControl(io.trino.spi.security.SystemAccessControl) Files.newTemporaryFile(org.assertj.core.util.Files.newTemporaryFile) File(java.io.File) Test(org.testng.annotations.Test)

Example 15 with SystemSecurityContext

use of io.trino.spi.security.SystemSecurityContext in project trino by trinodb.

From class TestFileBasedSystemAccessControl, method testSystemInformation.

@Test
public void testSystemInformation() {
    SystemAccessControl accessControl = newFileBasedSystemAccessControl("system-information.json");

    // System-information checks are not tied to a query, so the contexts carry no query id.
    SystemSecurityContext adminContext = new SystemSecurityContext(admin, Optional.empty());
    SystemSecurityContext aliceContext = new SystemSecurityContext(alice, Optional.empty());
    SystemSecurityContext bobContext = new SystemSecurityContext(bob, Optional.empty());
    SystemSecurityContext nonAsciiContext = new SystemSecurityContext(nonAsciiUser, Optional.empty());

    // admin: read and write.
    accessControl.checkCanReadSystemInformation(adminContext);
    accessControl.checkCanWriteSystemInformation(adminContext);

    // alice: read only.
    accessControl.checkCanReadSystemInformation(aliceContext);
    assertThatThrownBy(() -> accessControl.checkCanWriteSystemInformation(aliceContext))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage("Access Denied: Cannot write system information");

    // bob: neither.
    assertThatThrownBy(() -> accessControl.checkCanReadSystemInformation(bobContext))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage("Access Denied: Cannot read system information");
    assertThatThrownBy(() -> accessControl.checkCanWriteSystemInformation(bobContext))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage("Access Denied: Cannot write system information");

    // A user name outside ASCII must still be matched by the rules: read and write are both granted.
    accessControl.checkCanReadSystemInformation(nonAsciiContext);
    accessControl.checkCanWriteSystemInformation(nonAsciiContext);
}
Also used : SystemSecurityContext(io.trino.spi.security.SystemSecurityContext) AccessDeniedException(io.trino.spi.security.AccessDeniedException) SystemAccessControl(io.trino.spi.security.SystemAccessControl) Test(org.testng.annotations.Test)
