
Example 1 with TrinoPrincipal

Use of io.trino.spi.security.TrinoPrincipal in project trino by trinodb.

The class RevokeRolesTask, method execute.

@Override
public ListenableFuture<Void> execute(RevokeRoles statement, QueryStateMachine stateMachine, List<Expression> parameters, WarningCollector warningCollector) {
    Session session = stateMachine.getSession();
    // Role names are lower-cased so that existence checks and comparisons are case-insensitive
    Set<String> roles = statement.getRoles().stream().map(role -> role.getValue().toLowerCase(Locale.ENGLISH)).collect(toImmutableSet());
    // Grantees and the optional grantor are principals: each one is either a USER or a ROLE
    Set<TrinoPrincipal> grantees = statement.getGrantees().stream().map(MetadataUtil::createPrincipal).collect(toImmutableSet());
    boolean adminOption = statement.isAdminOption();
    Optional<TrinoPrincipal> grantor = statement.getGrantor().map(specification -> createPrincipal(session, specification));
    // Resolves whether the command targets a catalog's own roles or system roles (empty catalog)
    Optional<String> catalog = processRoleCommandCatalog(metadata, session, statement, statement.getCatalog().map(Identifier::getValue));
    // Every role named anywhere in the statement (revoked roles, ROLE grantees, a ROLE grantor) must exist
    Set<String> specifiedRoles = new LinkedHashSet<>();
    specifiedRoles.addAll(roles);
    grantees.stream().filter(principal -> principal.getType() == ROLE).map(TrinoPrincipal::getName).forEach(specifiedRoles::add);
    if (grantor.isPresent() && grantor.get().getType() == ROLE) {
        specifiedRoles.add(grantor.get().getName());
    }
    for (String role : specifiedRoles) {
        checkRoleExists(session, statement, metadata, role, catalog);
    }
    // Authorization runs after existence validation and immediately before the mutation
    accessControl.checkCanRevokeRoles(session.toSecurityContext(), roles, grantees, adminOption, grantor, catalog);
    metadata.revokeRoles(session, roles, grantees, adminOption, grantor, catalog);
    return immediateVoidFuture();
}
Also used : Futures.immediateVoidFuture(com.google.common.util.concurrent.Futures.immediateVoidFuture) ListenableFuture(com.google.common.util.concurrent.ListenableFuture) MetadataUtil.checkRoleExists(io.trino.metadata.MetadataUtil.checkRoleExists) MetadataUtil(io.trino.metadata.MetadataUtil) RevokeRoles(io.trino.sql.tree.RevokeRoles) Set(java.util.Set) ROLE(io.trino.spi.security.PrincipalType.ROLE) Inject(javax.inject.Inject) List(java.util.List) AccessControl(io.trino.security.AccessControl) TrinoPrincipal(io.trino.spi.security.TrinoPrincipal) MetadataUtil.createPrincipal(io.trino.metadata.MetadataUtil.createPrincipal) Locale(java.util.Locale) Objects.requireNonNull(java.util.Objects.requireNonNull) WarningCollector(io.trino.execution.warnings.WarningCollector) Metadata(io.trino.metadata.Metadata) Optional(java.util.Optional) ImmutableSet.toImmutableSet(com.google.common.collect.ImmutableSet.toImmutableSet) Expression(io.trino.sql.tree.Expression) MetadataUtil.processRoleCommandCatalog(io.trino.metadata.MetadataUtil.processRoleCommandCatalog) Identifier(io.trino.sql.tree.Identifier) LinkedHashSet(java.util.LinkedHashSet) Session(io.trino.Session) LinkedHashSet(java.util.LinkedHashSet) TrinoPrincipal(io.trino.spi.security.TrinoPrincipal) Session(io.trino.Session)

Example 2 with TrinoPrincipal

Use of io.trino.spi.security.TrinoPrincipal in project trino by trinodb.

The class SetSchemaAuthorizationTask, method execute.

@Override
public ListenableFuture<Void> execute(SetSchemaAuthorization statement, QueryStateMachine stateMachine, List<Expression> parameters, WarningCollector warningCollector) {
    Session session = stateMachine.getSession();
    CatalogSchemaName source = createCatalogSchemaName(session, statement, Optional.of(statement.getSource()));
    // Existence check precedes the access-control check
    if (!metadata.schemaExists(session, source)) {
        throw semanticException(SCHEMA_NOT_FOUND, statement, "Schema '%s' does not exist", source);
    }
    // The new owner may be a USER or a ROLE principal
    TrinoPrincipal principal = createPrincipal(statement.getPrincipal());
    // A ROLE principal is validated against the catalog's roles only when the catalog manages its own security; otherwise against system roles
    checkRoleExists(session, statement, metadata, principal, Optional.of(source.getCatalogName()).filter(catalog -> metadata.isCatalogManagedSecurity(session, catalog)));
    // Whether this session may hand ownership to the given principal is decided entirely by the access-control implementation
    accessControl.checkCanSetSchemaAuthorization(session.toSecurityContext(), source, principal);
    metadata.setSchemaAuthorization(session, source, principal);
    return immediateVoidFuture();
}
Also used : Futures.immediateVoidFuture(com.google.common.util.concurrent.Futures.immediateVoidFuture) ListenableFuture(com.google.common.util.concurrent.ListenableFuture) MetadataUtil.checkRoleExists(io.trino.metadata.MetadataUtil.checkRoleExists) Inject(javax.inject.Inject) List(java.util.List) AccessControl(io.trino.security.AccessControl) TrinoPrincipal(io.trino.spi.security.TrinoPrincipal) MetadataUtil.createPrincipal(io.trino.metadata.MetadataUtil.createPrincipal) Objects.requireNonNull(java.util.Objects.requireNonNull) WarningCollector(io.trino.execution.warnings.WarningCollector) CatalogSchemaName(io.trino.spi.connector.CatalogSchemaName) Metadata(io.trino.metadata.Metadata) SetSchemaAuthorization(io.trino.sql.tree.SetSchemaAuthorization) Optional(java.util.Optional) Expression(io.trino.sql.tree.Expression) MetadataUtil.createCatalogSchemaName(io.trino.metadata.MetadataUtil.createCatalogSchemaName) SemanticExceptions.semanticException(io.trino.sql.analyzer.SemanticExceptions.semanticException) Session(io.trino.Session) SCHEMA_NOT_FOUND(io.trino.spi.StandardErrorCode.SCHEMA_NOT_FOUND) CatalogSchemaName(io.trino.spi.connector.CatalogSchemaName) MetadataUtil.createCatalogSchemaName(io.trino.metadata.MetadataUtil.createCatalogSchemaName) TrinoPrincipal(io.trino.spi.security.TrinoPrincipal) Session(io.trino.Session)

Example 3 with TrinoPrincipal

Use of io.trino.spi.security.TrinoPrincipal in project trino by trinodb.

The class SetTableAuthorizationTask, method execute.

@Override
public ListenableFuture<Void> execute(SetTableAuthorization statement, QueryStateMachine stateMachine, List<Expression> parameters, WarningCollector warningCollector) {
    Session session = stateMachine.getSession();
    QualifiedObjectName tableName = createQualifiedObjectName(session, statement, statement.getSource());
    // Fails with CATALOG_NOT_FOUND-style error if the catalog is not registered
    getRequiredCatalogHandle(metadata, session, statement, tableName.getCatalogName());
    // Existence check precedes the access-control check
    if (metadata.getTableHandle(session, tableName).isEmpty()) {
        throw semanticException(TABLE_NOT_FOUND, statement, "Table '%s' does not exist", tableName);
    }
    TrinoPrincipal principal = createPrincipal(statement.getPrincipal());
    // A ROLE principal is validated against the catalog's roles only when the catalog manages its own security; otherwise against system roles
    checkRoleExists(session, statement, metadata, principal, Optional.of(tableName.getCatalogName()).filter(catalog -> metadata.isCatalogManagedSecurity(session, catalog)));
    // Same order as the schema task: authorize, then mutate
    accessControl.checkCanSetTableAuthorization(session.toSecurityContext(), tableName, principal);
    metadata.setTableAuthorization(session, tableName.asCatalogSchemaTableName(), principal);
    return immediateVoidFuture();
}
Also used : Futures.immediateVoidFuture(com.google.common.util.concurrent.Futures.immediateVoidFuture) ListenableFuture(com.google.common.util.concurrent.ListenableFuture) MetadataUtil.checkRoleExists(io.trino.metadata.MetadataUtil.checkRoleExists) MetadataUtil.getRequiredCatalogHandle(io.trino.metadata.MetadataUtil.getRequiredCatalogHandle) Inject(javax.inject.Inject) List(java.util.List) QualifiedObjectName(io.trino.metadata.QualifiedObjectName) AccessControl(io.trino.security.AccessControl) TrinoPrincipal(io.trino.spi.security.TrinoPrincipal) MetadataUtil.createPrincipal(io.trino.metadata.MetadataUtil.createPrincipal) MetadataUtil.createQualifiedObjectName(io.trino.metadata.MetadataUtil.createQualifiedObjectName) TABLE_NOT_FOUND(io.trino.spi.StandardErrorCode.TABLE_NOT_FOUND) Objects.requireNonNull(java.util.Objects.requireNonNull) WarningCollector(io.trino.execution.warnings.WarningCollector) Metadata(io.trino.metadata.Metadata) Optional(java.util.Optional) Expression(io.trino.sql.tree.Expression) SetTableAuthorization(io.trino.sql.tree.SetTableAuthorization) SemanticExceptions.semanticException(io.trino.sql.analyzer.SemanticExceptions.semanticException) Session(io.trino.Session) TrinoPrincipal(io.trino.spi.security.TrinoPrincipal) QualifiedObjectName(io.trino.metadata.QualifiedObjectName) MetadataUtil.createQualifiedObjectName(io.trino.metadata.MetadataUtil.createQualifiedObjectName) Session(io.trino.Session)

Example 4 with TrinoPrincipal

Use of io.trino.spi.security.TrinoPrincipal in project trino by trinodb.

The class SetViewAuthorizationTask, method execute.

@Override
public ListenableFuture<Void> execute(SetViewAuthorization statement, QueryStateMachine stateMachine, List<Expression> parameters, WarningCollector warningCollector) {
    Session session = stateMachine.getSession();
    QualifiedObjectName viewName = createQualifiedObjectName(session, statement, statement.getSource());
    getRequiredCatalogHandle(metadata, session, statement, viewName.getCatalogName());
    // Existence check precedes the access-control check
    ViewDefinition view = metadata.getView(session, viewName).orElseThrow(() -> semanticException(TABLE_NOT_FOUND, statement, "View '%s' does not exist", viewName));
    TrinoPrincipal principal = createPrincipal(statement.getPrincipal());
    checkRoleExists(session, statement, metadata, principal, Optional.of(viewName.getCatalogName()).filter(catalog -> metadata.isCatalogManagedSecurity(session, catalog)));
    // A DEFINER view runs its query with the owner's privileges, so changing the owner changes what the view can read.
    // That transfer is refused unless it was explicitly enabled through the FeaturesConfig flag behind isAllowSetViewAuthorization.
    // INVOKER views run as the caller, so the owner change is not privilege-sensitive in the same way.
    if (!view.isRunAsInvoker() && !isAllowSetViewAuthorization) {
        throw new TrinoException(NOT_SUPPORTED, format("Cannot set authorization for view %s to %s: this feature is disabled", viewName.getCatalogName() + '.' + viewName.getSchemaName() + '.' + viewName.getObjectName(), principal));
    }
    accessControl.checkCanSetViewAuthorization(session.toSecurityContext(), viewName, principal);
    metadata.setViewAuthorization(session, viewName.asCatalogSchemaTableName(), principal);
    return immediateVoidFuture();
}
Also used : ListenableFuture(com.google.common.util.concurrent.ListenableFuture) MetadataUtil.checkRoleExists(io.trino.metadata.MetadataUtil.checkRoleExists) Inject(javax.inject.Inject) NOT_SUPPORTED(io.trino.spi.StandardErrorCode.NOT_SUPPORTED) MetadataUtil.createQualifiedObjectName(io.trino.metadata.MetadataUtil.createQualifiedObjectName) TABLE_NOT_FOUND(io.trino.spi.StandardErrorCode.TABLE_NOT_FOUND) Objects.requireNonNull(java.util.Objects.requireNonNull) SemanticExceptions.semanticException(io.trino.sql.analyzer.SemanticExceptions.semanticException) Futures.immediateVoidFuture(com.google.common.util.concurrent.Futures.immediateVoidFuture) SetViewAuthorization(io.trino.sql.tree.SetViewAuthorization) ViewDefinition(io.trino.metadata.ViewDefinition) TrinoException(io.trino.spi.TrinoException) MetadataUtil.getRequiredCatalogHandle(io.trino.metadata.MetadataUtil.getRequiredCatalogHandle) String.format(java.lang.String.format) List(java.util.List) FeaturesConfig(io.trino.FeaturesConfig) QualifiedObjectName(io.trino.metadata.QualifiedObjectName) AccessControl(io.trino.security.AccessControl) TrinoPrincipal(io.trino.spi.security.TrinoPrincipal) MetadataUtil.createPrincipal(io.trino.metadata.MetadataUtil.createPrincipal) WarningCollector(io.trino.execution.warnings.WarningCollector) Metadata(io.trino.metadata.Metadata) Optional(java.util.Optional) Expression(io.trino.sql.tree.Expression) Session(io.trino.Session) ViewDefinition(io.trino.metadata.ViewDefinition) TrinoException(io.trino.spi.TrinoException) TrinoPrincipal(io.trino.spi.security.TrinoPrincipal) MetadataUtil.createQualifiedObjectName(io.trino.metadata.MetadataUtil.createQualifiedObjectName) QualifiedObjectName(io.trino.metadata.QualifiedObjectName) Session(io.trino.Session)
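Examples 2, 3 and 4 share one shape: resolve the object, confirm it exists, build the TrinoPrincipal, check a ROLE principal exists, call accessControl.checkCanSet*Authorization, then mutate. Two points matter to an access-control author. First, the existence check runs before the authorization check, so the error an unauthorized caller sees (SCHEMA_NOT_FOUND or TABLE_NOT_FOUND versus an access-denied error) depends on whether the object exists. Second, the task itself never compares the target principal against the session identity; whether a user may hand ownership to that principal is decided entirely by the AccessControl implementation. The class below is an added example of such a policy, written for this page and not part of Trino. It is a hypothetical rule (administrators may transfer to anyone; other users only to a USER, or to a ROLE enabled in their own session), and it assumes that the SPI version in use provides SystemAccessControl default-deny methods, Identity.forUser(...).withEnabledRoles(...), Identity.getEnabledRoles() and the AccessDeniedException.denySet*Authorization helpers. Registering the class through a SystemAccessControlFactory is not shown.

```java
import io.trino.spi.connector.CatalogSchemaName;
import io.trino.spi.connector.CatalogSchemaTableName;
import io.trino.spi.security.AccessDeniedException;
import io.trino.spi.security.Identity;
import io.trino.spi.security.PrincipalType;
import io.trino.spi.security.SystemAccessControl;
import io.trino.spi.security.SystemSecurityContext;
import io.trino.spi.security.TrinoPrincipal;

import java.util.Set;

import static java.util.Objects.requireNonNull;

/**
 * Hypothetical ownership-transfer policy for SET AUTHORIZATION (added example, not Trino code).
 * Only the three authorization-transfer hooks are overridden; every other SystemAccessControl
 * method keeps the interface default, which denies the operation.
 */
public class OwnershipTransferAccessControl
        implements SystemAccessControl
{
    private final Set<String> adminUsers;

    public OwnershipTransferAccessControl(Set<String> adminUsers)
    {
        this.adminUsers = Set.copyOf(requireNonNull(adminUsers, "adminUsers is null"));
    }

    /**
     * The decision, kept free of SystemSecurityContext so it can be exercised directly.
     * Administrators may transfer ownership to any principal; everyone else may transfer
     * to a USER, or to a ROLE that is enabled in their own session, so a user can never
     * park an object under a role they do not hold.
     */
    public boolean isTransferPermitted(Identity actor, TrinoPrincipal target)
    {
        if (adminUsers.contains(actor.getUser())) {
            return true;
        }
        if (target.getType() == PrincipalType.USER) {
            return true;
        }
        // ROLE principal: assumes Identity.getEnabledRoles() reports the session's enabled system roles
        return target.getType() == PrincipalType.ROLE
                && actor.getEnabledRoles().contains(target.getName());
    }

    @Override
    public void checkCanSetSchemaAuthorization(SystemSecurityContext context, CatalogSchemaName schema, TrinoPrincipal principal)
    {
        if (!isTransferPermitted(context.getIdentity(), principal)) {
            AccessDeniedException.denySetSchemaAuthorization(schema.toString(), principal);
        }
    }

    @Override
    public void checkCanSetTableAuthorization(SystemSecurityContext context, CatalogSchemaTableName table, TrinoPrincipal principal)
    {
        if (!isTransferPermitted(context.getIdentity(), principal)) {
            AccessDeniedException.denySetTableAuthorization(table.toString(), principal);
        }
    }

    @Override
    public void checkCanSetViewAuthorization(SystemSecurityContext context, CatalogSchemaTableName view, TrinoPrincipal principal)
    {
        if (!isTransferPermitted(context.getIdentity(), principal)) {
            AccessDeniedException.denySetViewAuthorization(view.toString(), principal);
        }
    }

    public static void main(String[] args)
    {
        OwnershipTransferAccessControl control = new OwnershipTransferAccessControl(Set.of("admin"));
        // Constructed identities for the demonstration: alice has the "analyst" role enabled, admin is in adminUsers
        Identity alice = Identity.forUser("alice").withEnabledRoles(Set.of("analyst")).build();
        Identity admin = Identity.ofUser("admin");

        TrinoPrincipal bob = new TrinoPrincipal(PrincipalType.USER, "bob");
        TrinoPrincipal analyst = new TrinoPrincipal(PrincipalType.ROLE, "analyst");
        TrinoPrincipal finance = new TrinoPrincipal(PrincipalType.ROLE, "finance");

        System.out.println("alice -> " + bob + ": " + control.isTransferPermitted(alice, bob));
        System.out.println("alice -> " + analyst + ": " + control.isTransferPermitted(alice, analyst));
        System.out.println("alice -> " + finance + ": " + control.isTransferPermitted(alice, finance));
        System.out.println("admin -> " + finance + ": " + control.isTransferPermitted(admin, finance));
    }
}
```

Keeping the rule in a plain method that takes an Identity and a TrinoPrincipal lets it be unit-tested without constructing a SystemSecurityContext, whose constructor differs between SPI versions. Note that this policy only governs who the new owner may be; the existence checks in the tasks above still run first, so a caller who is denied here has already learned that the schema, table or view exists.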

Example 5 with TrinoPrincipal

Use of io.trino.spi.security.TrinoPrincipal in project trino by trinodb.

The class TestSetRoleTask, method setUp.

@BeforeClass
public void setUp() {
    queryRunner = LocalQueryRunner.create(TEST_SESSION);
    // Catalog with connector-managed roles: the mock reports a single grant of ROLE_NAME to the USER principal USER_NAME, without admin option
    MockConnectorFactory mockConnectorFactory = MockConnectorFactory.builder().withListRoleGrants((connectorSession, roles, grantees, limit) -> ImmutableSet.of(new RoleGrant(new TrinoPrincipal(USER, USER_NAME), ROLE_NAME, false))).build();
    queryRunner.createCatalog(CATALOG_NAME, mockConnectorFactory, ImmutableMap.of());
    // Second catalog that does not manage its own roles, so SET ROLE against it resolves system roles
    MockConnectorFactory systemConnectorFactory = MockConnectorFactory.builder().withName("system_role_connector").build();
    queryRunner.createCatalog(SYSTEM_ROLE_CATALOG_NAME, systemConnectorFactory, ImmutableMap.of());
    transactionManager = queryRunner.getTransactionManager();
    accessControl = queryRunner.getAccessControl();
    metadata = queryRunner.getMetadata();
    parser = queryRunner.getSqlParser();
    executor = newCachedThreadPool(daemonThreadsNamed("test-set-role-task-executor-%s"));
}
Also used : TransactionManager(io.trino.transaction.TransactionManager) USER(io.trino.spi.security.PrincipalType.USER) ParsingOptions(io.trino.sql.parser.ParsingOptions) Assert.assertEquals(org.testng.Assert.assertEquals) Test(org.testng.annotations.Test) TrinoExceptionAssert.assertTrinoExceptionThrownBy(io.trino.testing.assertions.TrinoExceptionAssert.assertTrinoExceptionThrownBy) NOT_SUPPORTED(io.trino.spi.StandardErrorCode.NOT_SUPPORTED) ImmutableList(com.google.common.collect.ImmutableList) MockConnectorFactory(io.trino.connector.MockConnectorFactory) Threads.daemonThreadsNamed(io.airlift.concurrent.Threads.daemonThreadsNamed) Identity(io.trino.spi.security.Identity) LocalQueryRunner(io.trino.testing.LocalQueryRunner) Map(java.util.Map) TEST_SESSION(io.trino.SessionTestUtils.TEST_SESSION) SqlParser(io.trino.sql.parser.SqlParser) URI(java.net.URI) ExecutorService(java.util.concurrent.ExecutorService) ResourceGroupId(io.trino.spi.resourcegroups.ResourceGroupId) AfterClass(org.testng.annotations.AfterClass) ImmutableSet(com.google.common.collect.ImmutableSet) ImmutableMap(com.google.common.collect.ImmutableMap) BeforeClass(org.testng.annotations.BeforeClass) CATALOG_NOT_FOUND(io.trino.spi.StandardErrorCode.CATALOG_NOT_FOUND) RoleGrant(io.trino.spi.security.RoleGrant) SelectedRole(io.trino.spi.security.SelectedRole) TestingSession.testSessionBuilder(io.trino.testing.TestingSession.testSessionBuilder) AccessControl(io.trino.security.AccessControl) TrinoPrincipal(io.trino.spi.security.TrinoPrincipal) Executors.newCachedThreadPool(java.util.concurrent.Executors.newCachedThreadPool) SetRole(io.trino.sql.tree.SetRole) WarningCollector(io.trino.execution.warnings.WarningCollector) Metadata(io.trino.metadata.Metadata) Optional(java.util.Optional) ROLE_NOT_FOUND(io.trino.spi.StandardErrorCode.ROLE_NOT_FOUND) RoleGrant(io.trino.spi.security.RoleGrant) MockConnectorFactory(io.trino.connector.MockConnectorFactory) TrinoPrincipal(io.trino.spi.security.TrinoPrincipal) BeforeClass(org.testng.annotations.BeforeClass)

Aggregations

TrinoPrincipal (io.trino.spi.security.TrinoPrincipal)57 Test (org.testng.annotations.Test)44 SchemaTableName (io.trino.spi.connector.SchemaTableName)20 Session (io.trino.Session)15 SystemAccessControl (io.trino.spi.security.SystemAccessControl)12 CatalogSchemaName (io.trino.spi.connector.CatalogSchemaName)11 USER (io.trino.spi.security.PrincipalType.USER)9 Optional (java.util.Optional)9 MockConnectorFactory (io.trino.connector.MockConnectorFactory)8 Identity (io.trino.spi.security.Identity)8 ImmutableList (com.google.common.collect.ImmutableList)7 Privilege (io.trino.spi.security.Privilege)7 TestingSession.testSessionBuilder (io.trino.testing.TestingSession.testSessionBuilder)7 ImmutableSet (com.google.common.collect.ImmutableSet)6 MockConnectorPlugin (io.trino.connector.MockConnectorPlugin)6 WarningCollector (io.trino.execution.warnings.WarningCollector)6 Metadata (io.trino.metadata.Metadata)6 AccessControl (io.trino.security.AccessControl)6 CatalogSchemaTableName (io.trino.spi.connector.CatalogSchemaTableName)6 RoleGrant (io.trino.spi.security.RoleGrant)6