
Example 6 with TrinoPrincipal

Use of io.trino.spi.security.TrinoPrincipal in project trino by trinodb.

The class CreateRoleTask, method execute.

@Override
public ListenableFuture<Void> execute(CreateRole statement, QueryStateMachine stateMachine, List<Expression> parameters, WarningCollector warningCollector) {
    Session session = stateMachine.getSession();
    // Resolve the catalog the role command applies to, if any
    Optional<String> catalog = processRoleCommandCatalog(metadata, session, statement, statement.getCatalog().map(Identifier::getValue));
    // Role names are case-insensitive and normalized to lower case
    String role = statement.getName().getValue().toLowerCase(ENGLISH);
    Optional<TrinoPrincipal> grantor = statement.getGrantor().map(specification -> createPrincipal(session, specification));
    // Authorization is checked before any metadata is read or written
    accessControl.checkCanCreateRole(session.toSecurityContext(), role, grantor, catalog);
    if (metadata.roleExists(session, role, catalog)) {
        throw semanticException(ROLE_ALREADY_EXISTS, statement, "Role '%s' already exists", role);
    }
    // If an explicit grantor is given and it is a role, that role must exist
    grantor.ifPresent(trinoPrincipal -> checkRoleExists(session, statement, metadata, trinoPrincipal, catalog));
    metadata.createRole(session, role, grantor, catalog);
    return immediateVoidFuture();
}
Also used : TrinoPrincipal(io.trino.spi.security.TrinoPrincipal) Session(io.trino.Session)

Example 7 with TrinoPrincipal

Use of io.trino.spi.security.TrinoPrincipal in project trino by trinodb.

The class CreateSchemaTask, method internalExecute.

@VisibleForTesting
static ListenableFuture<Void> internalExecute(CreateSchema statement, PlannerContext plannerContext, AccessControl accessControl, SchemaPropertyManager schemaPropertyManager, Session session, List<Expression> parameters) {
    CatalogSchemaName schema = createCatalogSchemaName(session, statement, Optional.of(statement.getSchemaName()));
    // TODO: validate that catalog exists
    // The authorization check runs before the existence check, so a caller
    // without CREATE SCHEMA rights learns nothing about which schemas exist
    accessControl.checkCanCreateSchema(session.toSecurityContext(), schema);
    if (plannerContext.getMetadata().schemaExists(session, schema)) {
        if (!statement.isNotExists()) {
            throw semanticException(SCHEMA_ALREADY_EXISTS, statement, "Schema '%s' already exists", schema);
        }
        return immediateVoidFuture();
    }
    CatalogName catalogName = getRequiredCatalogHandle(plannerContext.getMetadata(), session, statement, schema.getCatalogName());
    Map<String, Object> properties = schemaPropertyManager.getProperties(catalogName, statement.getProperties(), session, plannerContext, accessControl, parameterExtractor(statement, parameters), true);
    // The principal that will own the new schema (the session user unless AUTHORIZATION is given)
    TrinoPrincipal principal = getCreatePrincipal(statement, session, plannerContext.getMetadata(), catalogName.getCatalogName());
    try {
        plannerContext.getMetadata().createSchema(session, schema, properties, principal);
    } catch (TrinoException e) {
        // connectors are not required to handle the ignoreExisting flag
        if (!e.getErrorCode().equals(ALREADY_EXISTS.toErrorCode()) || !statement.isNotExists()) {
            throw e;
        }
    }
    return immediateVoidFuture();
}
Also used : CatalogSchemaName(io.trino.spi.connector.CatalogSchemaName) MetadataUtil.createCatalogSchemaName(io.trino.metadata.MetadataUtil.createCatalogSchemaName) TrinoException(io.trino.spi.TrinoException) CatalogName(io.trino.connector.CatalogName) TrinoPrincipal(io.trino.spi.security.TrinoPrincipal) VisibleForTesting(com.google.common.annotations.VisibleForTesting)

Example 8 with TrinoPrincipal

Use of io.trino.spi.security.TrinoPrincipal in project trino by trinodb.

The class GrantRolesTask, method execute.

@Override
public ListenableFuture<Void> execute(GrantRoles statement, QueryStateMachine stateMachine, List<Expression> parameters, WarningCollector warningCollector) {
    Session session = stateMachine.getSession();
    // Role names are normalized to lower case; grantees may be users or roles
    Set<String> roles = statement.getRoles().stream().map(role -> role.getValue().toLowerCase(Locale.ENGLISH)).collect(toImmutableSet());
    Set<TrinoPrincipal> grantees = statement.getGrantees().stream().map(MetadataUtil::createPrincipal).collect(toImmutableSet());
    boolean adminOption = statement.isAdminOption();
    Optional<TrinoPrincipal> grantor = statement.getGrantor().map(specification -> createPrincipal(session, specification));
    Optional<String> catalog = processRoleCommandCatalog(metadata, session, statement, statement.getCatalog().map(Identifier::getValue));
    // Collect every role named in the statement: the granted roles, any grantee
    // that is a role, and the grantor if it is a role
    Set<String> specifiedRoles = new LinkedHashSet<>();
    specifiedRoles.addAll(roles);
    grantees.stream().filter(principal -> principal.getType() == ROLE).map(TrinoPrincipal::getName).forEach(specifiedRoles::add);
    if (grantor.isPresent() && grantor.get().getType() == ROLE) {
        specifiedRoles.add(grantor.get().getName());
    }
    // Every referenced role must exist before the grant is authorized and applied
    for (String role : specifiedRoles) {
        checkRoleExists(session, statement, metadata, role, catalog);
    }
    accessControl.checkCanGrantRoles(session.toSecurityContext(), roles, grantees, adminOption, grantor, catalog);
    metadata.grantRoles(session, roles, grantees, adminOption, grantor, catalog);
    return immediateVoidFuture();
}
Also used : Futures.immediateVoidFuture(com.google.common.util.concurrent.Futures.immediateVoidFuture) ListenableFuture(com.google.common.util.concurrent.ListenableFuture) MetadataUtil.checkRoleExists(io.trino.metadata.MetadataUtil.checkRoleExists) MetadataUtil(io.trino.metadata.MetadataUtil) Set(java.util.Set) ROLE(io.trino.spi.security.PrincipalType.ROLE) GrantRoles(io.trino.sql.tree.GrantRoles) Inject(javax.inject.Inject) List(java.util.List) AccessControl(io.trino.security.AccessControl) TrinoPrincipal(io.trino.spi.security.TrinoPrincipal) MetadataUtil.createPrincipal(io.trino.metadata.MetadataUtil.createPrincipal) Locale(java.util.Locale) Objects.requireNonNull(java.util.Objects.requireNonNull) WarningCollector(io.trino.execution.warnings.WarningCollector) Metadata(io.trino.metadata.Metadata) Optional(java.util.Optional) ImmutableSet.toImmutableSet(com.google.common.collect.ImmutableSet.toImmutableSet) Expression(io.trino.sql.tree.Expression) MetadataUtil.processRoleCommandCatalog(io.trino.metadata.MetadataUtil.processRoleCommandCatalog) Identifier(io.trino.sql.tree.Identifier) LinkedHashSet(java.util.LinkedHashSet) Session(io.trino.Session) LinkedHashSet(java.util.LinkedHashSet) TrinoPrincipal(io.trino.spi.security.TrinoPrincipal) Session(io.trino.Session)

Example 9 with TrinoPrincipal

Use of io.trino.spi.security.TrinoPrincipal in project trino by trinodb.

The class TestFileBasedSystemAccessControl, method testViewOperations.

@Test
public void testViewOperations() {
    TransactionManager transactionManager = createTestTransactionManager();
    AccessControlManager accessControlManager = newAccessControlManager(transactionManager, "catalog.json");
    transaction(transactionManager, accessControlManager).execute(transactionId -> {
        // Three identities: alice (alice-catalog and staff-catalog), bob (staff-catalog only),
        // and a non-ASCII user with access to neither catalog
        SecurityContext aliceContext = new SecurityContext(transactionId, alice, queryId);
        SecurityContext bobContext = new SecurityContext(transactionId, bob, queryId);
        SecurityContext nonAsciiContext = new SecurityContext(transactionId, nonAsciiUser, queryId);
        accessControlManager.checkCanCreateView(aliceContext, aliceView);
        accessControlManager.checkCanDropView(aliceContext, aliceView);
        accessControlManager.checkCanSelectFromColumns(aliceContext, aliceView, ImmutableSet.of());
        accessControlManager.checkCanCreateViewWithSelectFromColumns(aliceContext, aliceTable, ImmutableSet.of());
        accessControlManager.checkCanCreateViewWithSelectFromColumns(aliceContext, aliceView, ImmutableSet.of());
        accessControlManager.checkCanSetCatalogSessionProperty(aliceContext, "alice-catalog", "property");
        accessControlManager.checkCanGrantTablePrivilege(aliceContext, SELECT, aliceTable, new TrinoPrincipal(USER, "grantee"), true);
        accessControlManager.checkCanRevokeTablePrivilege(aliceContext, SELECT, aliceTable, new TrinoPrincipal(USER, "revokee"), true);
        accessControlManager.checkCanCreateView(aliceContext, staffView);
        accessControlManager.checkCanDropView(aliceContext, staffView);
        accessControlManager.checkCanSelectFromColumns(aliceContext, staffView, ImmutableSet.of());
        accessControlManager.checkCanCreateViewWithSelectFromColumns(aliceContext, staffTable, ImmutableSet.of());
        accessControlManager.checkCanCreateViewWithSelectFromColumns(aliceContext, staffView, ImmutableSet.of());
        accessControlManager.checkCanSetCatalogSessionProperty(aliceContext, "alice-catalog", "property");
        accessControlManager.checkCanGrantTablePrivilege(aliceContext, SELECT, staffTable, new TrinoPrincipal(USER, "grantee"), true);
        accessControlManager.checkCanRevokeTablePrivilege(aliceContext, SELECT, staffTable, new TrinoPrincipal(USER, "revokee"), true);
        assertThatThrownBy(() -> accessControlManager.checkCanCreateView(bobContext, aliceView)).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
        assertThatThrownBy(() -> accessControlManager.checkCanDropView(bobContext, aliceView)).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
        assertThatThrownBy(() -> accessControlManager.checkCanSelectFromColumns(bobContext, aliceView, ImmutableSet.of())).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
        assertThatThrownBy(() -> accessControlManager.checkCanCreateViewWithSelectFromColumns(bobContext, aliceTable, ImmutableSet.of())).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
        assertThatThrownBy(() -> accessControlManager.checkCanCreateViewWithSelectFromColumns(bobContext, aliceView, ImmutableSet.of())).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
        assertThatThrownBy(() -> accessControlManager.checkCanSetCatalogSessionProperty(bobContext, "alice-catalog", "property")).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
        assertThatThrownBy(() -> accessControlManager.checkCanGrantTablePrivilege(bobContext, SELECT, aliceTable, new TrinoPrincipal(USER, "grantee"), true)).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
        assertThatThrownBy(() -> accessControlManager.checkCanRevokeTablePrivilege(bobContext, SELECT, aliceTable, new TrinoPrincipal(USER, "revokee"), true)).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
        accessControlManager.checkCanCreateView(bobContext, staffView);
        accessControlManager.checkCanDropView(bobContext, staffView);
        accessControlManager.checkCanSelectFromColumns(bobContext, staffView, ImmutableSet.of());
        accessControlManager.checkCanCreateViewWithSelectFromColumns(bobContext, staffTable, ImmutableSet.of());
        accessControlManager.checkCanCreateViewWithSelectFromColumns(bobContext, staffView, ImmutableSet.of());
        accessControlManager.checkCanSetCatalogSessionProperty(bobContext, "staff-catalog", "property");
        accessControlManager.checkCanGrantTablePrivilege(bobContext, SELECT, staffTable, new TrinoPrincipal(USER, "grantee"), true);
        accessControlManager.checkCanRevokeTablePrivilege(bobContext, SELECT, staffTable, new TrinoPrincipal(USER, "revokee"), true);
        assertThatThrownBy(() -> accessControlManager.checkCanCreateView(nonAsciiContext, aliceView)).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
        assertThatThrownBy(() -> accessControlManager.checkCanDropView(nonAsciiContext, aliceView)).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
        assertThatThrownBy(() -> accessControlManager.checkCanSelectFromColumns(nonAsciiContext, aliceView, ImmutableSet.of())).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
        assertThatThrownBy(() -> accessControlManager.checkCanCreateViewWithSelectFromColumns(nonAsciiContext, aliceTable, ImmutableSet.of())).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
        assertThatThrownBy(() -> accessControlManager.checkCanCreateViewWithSelectFromColumns(nonAsciiContext, aliceView, ImmutableSet.of())).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
        assertThatThrownBy(() -> accessControlManager.checkCanSetCatalogSessionProperty(nonAsciiContext, "alice-catalog", "property")).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
        assertThatThrownBy(() -> accessControlManager.checkCanGrantTablePrivilege(nonAsciiContext, SELECT, aliceTable, new TrinoPrincipal(USER, "grantee"), true)).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
        assertThatThrownBy(() -> accessControlManager.checkCanRevokeTablePrivilege(nonAsciiContext, SELECT, aliceTable, new TrinoPrincipal(USER, "revokee"), true)).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
        assertThatThrownBy(() -> accessControlManager.checkCanCreateView(nonAsciiContext, staffView)).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog staff-catalog");
        assertThatThrownBy(() -> accessControlManager.checkCanDropView(nonAsciiContext, staffView)).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog staff-catalog");
        assertThatThrownBy(() -> accessControlManager.checkCanSelectFromColumns(nonAsciiContext, staffView, ImmutableSet.of())).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog staff-catalog");
        assertThatThrownBy(() -> accessControlManager.checkCanCreateViewWithSelectFromColumns(nonAsciiContext, staffTable, ImmutableSet.of())).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog staff-catalog");
        assertThatThrownBy(() -> accessControlManager.checkCanCreateViewWithSelectFromColumns(nonAsciiContext, staffView, ImmutableSet.of())).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog staff-catalog");
        assertThatThrownBy(() -> accessControlManager.checkCanSetCatalogSessionProperty(nonAsciiContext, "staff-catalog", "property")).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog staff-catalog");
        assertThatThrownBy(() -> accessControlManager.checkCanGrantTablePrivilege(nonAsciiContext, SELECT, staffTable, new TrinoPrincipal(USER, "grantee"), true)).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog staff-catalog");
        assertThatThrownBy(() -> accessControlManager.checkCanRevokeTablePrivilege(nonAsciiContext, SELECT, staffTable, new TrinoPrincipal(USER, "revokee"), true)).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog staff-catalog");
    });
}
Also used : AccessDeniedException(io.trino.spi.security.AccessDeniedException) TransactionManager(io.trino.transaction.TransactionManager) InMemoryTransactionManager.createTestTransactionManager(io.trino.transaction.InMemoryTransactionManager.createTestTransactionManager) TrinoPrincipal(io.trino.spi.security.TrinoPrincipal) Test(org.testng.annotations.Test)

Example 10 with TrinoPrincipal

Use of io.trino.spi.security.TrinoPrincipal in project trino by trinodb.

The class TestFileBasedSystemAccessControl, method testCheckCanSetViewAuthorizationForOwner.

@Test
public void testCheckCanSetViewAuthorizationForOwner() {
    SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
    // The owner of the view may transfer authorization to either a role or a user principal
    accessControl.checkCanSetViewAuthorization(ALICE, new CatalogSchemaTableName("some-catalog", "aliceschema", "test"), new TrinoPrincipal(PrincipalType.ROLE, "some_role"));
    accessControl.checkCanSetViewAuthorization(ALICE, new CatalogSchemaTableName("some-catalog", "aliceschema", "test"), new TrinoPrincipal(PrincipalType.USER, "some_user"));
}
Also used : SystemAccessControl(io.trino.spi.security.SystemAccessControl) TrinoPrincipal(io.trino.spi.security.TrinoPrincipal) CatalogSchemaTableName(io.trino.spi.connector.CatalogSchemaTableName) Test(org.testng.annotations.Test)

Aggregations (type, fully qualified name, number of usages)

TrinoPrincipal (io.trino.spi.security.TrinoPrincipal) 57
Test (org.testng.annotations.Test) 44
SchemaTableName (io.trino.spi.connector.SchemaTableName) 20
Session (io.trino.Session) 15
SystemAccessControl (io.trino.spi.security.SystemAccessControl) 12
CatalogSchemaName (io.trino.spi.connector.CatalogSchemaName) 11
USER (io.trino.spi.security.PrincipalType.USER) 9
Optional (java.util.Optional) 9
MockConnectorFactory (io.trino.connector.MockConnectorFactory) 8
Identity (io.trino.spi.security.Identity) 8
ImmutableList (com.google.common.collect.ImmutableList) 7
Privilege (io.trino.spi.security.Privilege) 7
TestingSession.testSessionBuilder (io.trino.testing.TestingSession.testSessionBuilder) 7
ImmutableSet (com.google.common.collect.ImmutableSet) 6
MockConnectorPlugin (io.trino.connector.MockConnectorPlugin) 6
WarningCollector (io.trino.execution.warnings.WarningCollector) 6
Metadata (io.trino.metadata.Metadata) 6
AccessControl (io.trino.security.AccessControl) 6
CatalogSchemaTableName (io.trino.spi.connector.CatalogSchemaTableName) 6
RoleGrant (io.trino.spi.security.RoleGrant) 6