use of io.trino.spi.security.TrinoPrincipal in project trino by trinodb.
the class RevokeRolesTask method execute.
@Override
public ListenableFuture<Void> execute(RevokeRoles statement, QueryStateMachine stateMachine, List<Expression> parameters, WarningCollector warningCollector) {
Session session = stateMachine.getSession();
Set<String> roles = statement.getRoles().stream().map(role -> role.getValue().toLowerCase(Locale.ENGLISH)).collect(toImmutableSet());
Set<TrinoPrincipal> grantees = statement.getGrantees().stream().map(MetadataUtil::createPrincipal).collect(toImmutableSet());
boolean adminOption = statement.isAdminOption();
Optional<TrinoPrincipal> grantor = statement.getGrantor().map(specification -> createPrincipal(session, specification));
Optional<String> catalog = processRoleCommandCatalog(metadata, session, statement, statement.getCatalog().map(Identifier::getValue));
Set<String> specifiedRoles = new LinkedHashSet<>();
specifiedRoles.addAll(roles);
grantees.stream().filter(principal -> principal.getType() == ROLE).map(TrinoPrincipal::getName).forEach(specifiedRoles::add);
if (grantor.isPresent() && grantor.get().getType() == ROLE) {
specifiedRoles.add(grantor.get().getName());
}
for (String role : specifiedRoles) {
checkRoleExists(session, statement, metadata, role, catalog);
}
accessControl.checkCanRevokeRoles(session.toSecurityContext(), roles, grantees, adminOption, grantor, catalog);
metadata.revokeRoles(session, roles, grantees, adminOption, grantor, catalog);
return immediateVoidFuture();
}
use of io.trino.spi.security.TrinoPrincipal in project trino by trinodb.
the class SetSchemaAuthorizationTask method execute.
@Override
public ListenableFuture<Void> execute(SetSchemaAuthorization statement, QueryStateMachine stateMachine, List<Expression> parameters, WarningCollector warningCollector) {
Session session = stateMachine.getSession();
CatalogSchemaName source = createCatalogSchemaName(session, statement, Optional.of(statement.getSource()));
if (!metadata.schemaExists(session, source)) {
throw semanticException(SCHEMA_NOT_FOUND, statement, "Schema '%s' does not exist", source);
}
TrinoPrincipal principal = createPrincipal(statement.getPrincipal());
checkRoleExists(session, statement, metadata, principal, Optional.of(source.getCatalogName()).filter(catalog -> metadata.isCatalogManagedSecurity(session, catalog)));
accessControl.checkCanSetSchemaAuthorization(session.toSecurityContext(), source, principal);
metadata.setSchemaAuthorization(session, source, principal);
return immediateVoidFuture();
}
use of io.trino.spi.security.TrinoPrincipal in project trino by trinodb.
the class SetTableAuthorizationTask method execute.
@Override
public ListenableFuture<Void> execute(SetTableAuthorization statement, QueryStateMachine stateMachine, List<Expression> parameters, WarningCollector warningCollector) {
Session session = stateMachine.getSession();
QualifiedObjectName tableName = createQualifiedObjectName(session, statement, statement.getSource());
getRequiredCatalogHandle(metadata, session, statement, tableName.getCatalogName());
if (metadata.getTableHandle(session, tableName).isEmpty()) {
throw semanticException(TABLE_NOT_FOUND, statement, "Table '%s' does not exist", tableName);
}
TrinoPrincipal principal = createPrincipal(statement.getPrincipal());
checkRoleExists(session, statement, metadata, principal, Optional.of(tableName.getCatalogName()).filter(catalog -> metadata.isCatalogManagedSecurity(session, catalog)));
accessControl.checkCanSetTableAuthorization(session.toSecurityContext(), tableName, principal);
metadata.setTableAuthorization(session, tableName.asCatalogSchemaTableName(), principal);
return immediateVoidFuture();
}
use of io.trino.spi.security.TrinoPrincipal in project trino by trinodb.
the class SetViewAuthorizationTask method execute.
@Override
public ListenableFuture<Void> execute(SetViewAuthorization statement, QueryStateMachine stateMachine, List<Expression> parameters, WarningCollector warningCollector) {
Session session = stateMachine.getSession();
QualifiedObjectName viewName = createQualifiedObjectName(session, statement, statement.getSource());
getRequiredCatalogHandle(metadata, session, statement, viewName.getCatalogName());
ViewDefinition view = metadata.getView(session, viewName).orElseThrow(() -> semanticException(TABLE_NOT_FOUND, statement, "View '%s' does not exist", viewName));
TrinoPrincipal principal = createPrincipal(statement.getPrincipal());
checkRoleExists(session, statement, metadata, principal, Optional.of(viewName.getCatalogName()).filter(catalog -> metadata.isCatalogManagedSecurity(session, catalog)));
if (!view.isRunAsInvoker() && !isAllowSetViewAuthorization) {
throw new TrinoException(NOT_SUPPORTED, format("Cannot set authorization for view %s to %s: this feature is disabled", viewName.getCatalogName() + '.' + viewName.getSchemaName() + '.' + viewName.getObjectName(), principal));
}
accessControl.checkCanSetViewAuthorization(session.toSecurityContext(), viewName, principal);
metadata.setViewAuthorization(session, viewName.asCatalogSchemaTableName(), principal);
return immediateVoidFuture();
}
use of io.trino.spi.security.TrinoPrincipal in project trino by trinodb.
the class TestSetRoleTask method setUp.
@BeforeClass
public void setUp() {
queryRunner = LocalQueryRunner.create(TEST_SESSION);
MockConnectorFactory mockConnectorFactory = MockConnectorFactory.builder().withListRoleGrants((connectorSession, roles, grantees, limit) -> ImmutableSet.of(new RoleGrant(new TrinoPrincipal(USER, USER_NAME), ROLE_NAME, false))).build();
queryRunner.createCatalog(CATALOG_NAME, mockConnectorFactory, ImmutableMap.of());
MockConnectorFactory systemConnectorFactory = MockConnectorFactory.builder().withName("system_role_connector").build();
queryRunner.createCatalog(SYSTEM_ROLE_CATALOG_NAME, systemConnectorFactory, ImmutableMap.of());
transactionManager = queryRunner.getTransactionManager();
accessControl = queryRunner.getAccessControl();
metadata = queryRunner.getMetadata();
parser = queryRunner.getSqlParser();
executor = newCachedThreadPool(daemonThreadsNamed("test-set-role-task-executor-%s"));
}
Aggregations