Example 11 with TrinoPrincipal

Use of io.trino.spi.security.TrinoPrincipal in project trino by trinodb: class TestFileBasedSystemAccessControl, method testSchemaRulesForCheckCanSetSchemaAuthorization.

@Test
public void testSchemaRulesForCheckCanSetSchemaAuthorization() {
    SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-access-schema.json");
    // ADMIN may reassign ownership of any schema, to either a role or a user principal
    accessControl.checkCanSetSchemaAuthorization(ADMIN, new CatalogSchemaName("some-catalog", "test"), new TrinoPrincipal(PrincipalType.ROLE, "some_role"));
    accessControl.checkCanSetSchemaAuthorization(ADMIN, new CatalogSchemaName("some-catalog", "test"), new TrinoPrincipal(PrincipalType.USER, "some_user"));
    // BOB may set authorization on the "bob" schema ...
    accessControl.checkCanSetSchemaAuthorization(BOB, new CatalogSchemaName("some-catalog", "bob"), new TrinoPrincipal(PrincipalType.ROLE, "some_role"));
    accessControl.checkCanSetSchemaAuthorization(BOB, new CatalogSchemaName("some-catalog", "bob"), new TrinoPrincipal(PrincipalType.USER, "some_user"));
    // ... but the rules file denies the same operation on the "test" schema, regardless of principal type
    assertAccessDenied(() -> accessControl.checkCanSetSchemaAuthorization(BOB, new CatalogSchemaName("some-catalog", "test"), new TrinoPrincipal(PrincipalType.ROLE, "some_role")), AUTH_SCHEMA_ACCESS_DENIED_MESSAGE);
    assertAccessDenied(() -> accessControl.checkCanSetSchemaAuthorization(BOB, new CatalogSchemaName("some-catalog", "test"), new TrinoPrincipal(PrincipalType.USER, "some_user")), AUTH_SCHEMA_ACCESS_DENIED_MESSAGE);
}

Also used: SystemAccessControl (io.trino.spi.security.SystemAccessControl), CatalogSchemaName (io.trino.spi.connector.CatalogSchemaName), TrinoPrincipal (io.trino.spi.security.TrinoPrincipal), Test (org.testng.annotations.Test)

Example 12 with TrinoPrincipal

Use of io.trino.spi.security.TrinoPrincipal in project trino by trinodb: class TestFileBasedSystemAccessControl, method testCheckCanSetTableAuthorizationForNonOwner.

@Test
public void testCheckCanSetTableAuthorizationForNonOwner() {
    SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
    // ALICE does not own some-catalog.test.test, so changing its owner is denied for both role and user principals
    assertAccessDenied(() -> accessControl.checkCanSetTableAuthorization(ALICE, new CatalogSchemaTableName("some-catalog", "test", "test"), new TrinoPrincipal(PrincipalType.ROLE, "some_role")), AUTH_TABLE_ACCESS_DENIED_MESSAGE);
    assertAccessDenied(() -> accessControl.checkCanSetTableAuthorization(ALICE, new CatalogSchemaTableName("some-catalog", "test", "test"), new TrinoPrincipal(PrincipalType.USER, "some_user")), AUTH_TABLE_ACCESS_DENIED_MESSAGE);
}

Also used: SystemAccessControl (io.trino.spi.security.SystemAccessControl), TrinoPrincipal (io.trino.spi.security.TrinoPrincipal), CatalogSchemaTableName (io.trino.spi.connector.CatalogSchemaTableName), Test (org.testng.annotations.Test)

Example 13 with TrinoPrincipal

Use of io.trino.spi.security.TrinoPrincipal in project trino by trinodb: class TestFileBasedSystemAccessControl, method testCheckCanSetTableAuthorizationForAdmin.

@Test
public void testCheckCanSetTableAuthorizationForAdmin() {
    SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
    // ADMIN may transfer table ownership to a role or to a user; neither call must throw
    accessControl.checkCanSetTableAuthorization(ADMIN, new CatalogSchemaTableName("some-catalog", "test", "test"), new TrinoPrincipal(PrincipalType.ROLE, "some_role"));
    accessControl.checkCanSetTableAuthorization(ADMIN, new CatalogSchemaTableName("some-catalog", "test", "test"), new TrinoPrincipal(PrincipalType.USER, "some_user"));
}

Also used: SystemAccessControl (io.trino.spi.security.SystemAccessControl), TrinoPrincipal (io.trino.spi.security.TrinoPrincipal), CatalogSchemaTableName (io.trino.spi.connector.CatalogSchemaTableName), Test (org.testng.annotations.Test)

Example 14 with TrinoPrincipal

Use of io.trino.spi.security.TrinoPrincipal in project trino by trinodb: class TestFileBasedSystemAccessControl, method testGrantSchemaPrivilege.

@Test(dataProvider = "privilegeGrantOption")
public void testGrantSchemaPrivilege(Privilege privilege, boolean grantOption) {
    SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-access-schema.json");
    // The same grantee is used throughout; the data provider varies the privilege and the WITH GRANT OPTION flag
    TrinoPrincipal grantee = new TrinoPrincipal(PrincipalType.USER, "alice");
    // ADMIN may grant on every schema
    accessControl.checkCanGrantSchemaPrivilege(ADMIN, privilege, new CatalogSchemaName("some-catalog", "bob"), grantee, grantOption);
    accessControl.checkCanGrantSchemaPrivilege(ADMIN, privilege, new CatalogSchemaName("some-catalog", "staff"), grantee, grantOption);
    accessControl.checkCanGrantSchemaPrivilege(ADMIN, privilege, new CatalogSchemaName("some-catalog", "authenticated"), grantee, grantOption);
    accessControl.checkCanGrantSchemaPrivilege(ADMIN, privilege, new CatalogSchemaName("some-catalog", "test"), grantee, grantOption);
    // BOB may grant on "bob", "staff" and "authenticated", but not on "test"
    accessControl.checkCanGrantSchemaPrivilege(BOB, privilege, new CatalogSchemaName("some-catalog", "bob"), grantee, grantOption);
    accessControl.checkCanGrantSchemaPrivilege(BOB, privilege, new CatalogSchemaName("some-catalog", "staff"), grantee, grantOption);
    accessControl.checkCanGrantSchemaPrivilege(BOB, privilege, new CatalogSchemaName("some-catalog", "authenticated"), grantee, grantOption);
    assertAccessDenied(() -> accessControl.checkCanGrantSchemaPrivilege(BOB, privilege, new CatalogSchemaName("some-catalog", "test"), grantee, grantOption), format(GRANT_SCHEMA_ACCESS_DENIED_MESSAGE, privilege, "some-catalog.test", ""));
    // CHARLIE may grant only on "authenticated"; "bob", "staff" and "test" are denied
    assertAccessDenied(() -> accessControl.checkCanGrantSchemaPrivilege(CHARLIE, privilege, new CatalogSchemaName("some-catalog", "bob"), grantee, grantOption), format(GRANT_SCHEMA_ACCESS_DENIED_MESSAGE, privilege, "some-catalog.bob", ""));
    assertAccessDenied(() -> accessControl.checkCanGrantSchemaPrivilege(CHARLIE, privilege, new CatalogSchemaName("some-catalog", "staff"), grantee, grantOption), format(GRANT_SCHEMA_ACCESS_DENIED_MESSAGE, privilege, "some-catalog.staff", ""));
    accessControl.checkCanGrantSchemaPrivilege(CHARLIE, privilege, new CatalogSchemaName("some-catalog", "authenticated"), grantee, grantOption);
    assertAccessDenied(() -> accessControl.checkCanGrantSchemaPrivilege(CHARLIE, privilege, new CatalogSchemaName("some-catalog", "test"), grantee, grantOption), format(GRANT_SCHEMA_ACCESS_DENIED_MESSAGE, privilege, "some-catalog.test", ""));
}

Also used: SystemAccessControl (io.trino.spi.security.SystemAccessControl), CatalogSchemaName (io.trino.spi.connector.CatalogSchemaName), TrinoPrincipal (io.trino.spi.security.TrinoPrincipal), Test (org.testng.annotations.Test)

Example 15 with TrinoPrincipal

Use of io.trino.spi.security.TrinoPrincipal in project trino by trinodb: class TestFileBasedSystemAccessControl, method testSchemaOperations.

@Test
public void testSchemaOperations() {
    SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-catalog.json");
    TrinoPrincipal user = new TrinoPrincipal(PrincipalType.USER, "some_user");
    TrinoPrincipal role = new TrinoPrincipal(PrincipalType.ROLE, "some_user");
    // admin and alice may set authorization on a schema in alice-catalog
    accessControl.checkCanSetSchemaAuthorization(new SystemSecurityContext(admin, queryId), new CatalogSchemaName("alice-catalog", "some_schema"), user);
    accessControl.checkCanSetSchemaAuthorization(new SystemSecurityContext(admin, queryId), new CatalogSchemaName("alice-catalog", "some_schema"), role);
    accessControl.checkCanSetSchemaAuthorization(new SystemSecurityContext(alice, queryId), new CatalogSchemaName("alice-catalog", "some_schema"), user);
    accessControl.checkCanSetSchemaAuthorization(new SystemSecurityContext(alice, queryId), new CatalogSchemaName("alice-catalog", "some_schema"), role);
    // bob has no access to alice-catalog, so the check throws AccessDeniedException
    assertThatThrownBy(() -> accessControl.checkCanSetSchemaAuthorization(new SystemSecurityContext(bob, queryId), new CatalogSchemaName("alice-catalog", "some_schema"), user)).isInstanceOf(AccessDeniedException.class).hasMessageStartingWith("Access Denied: Cannot set authorization for schema alice-catalog.some_schema");
    assertThatThrownBy(() -> accessControl.checkCanSetSchemaAuthorization(new SystemSecurityContext(bob, queryId), new CatalogSchemaName("alice-catalog", "some_schema"), role)).isInstanceOf(AccessDeniedException.class).hasMessageStartingWith("Access Denied: Cannot set authorization for schema alice-catalog.some_schema");
    // alice is likewise denied on the "secret" catalog
    assertThatThrownBy(() -> accessControl.checkCanSetSchemaAuthorization(new SystemSecurityContext(alice, queryId), new CatalogSchemaName("secret", "some_schema"), user)).isInstanceOf(AccessDeniedException.class).hasMessageStartingWith("Access Denied: Cannot set authorization for schema secret.some_schema");
    assertThatThrownBy(() -> accessControl.checkCanSetSchemaAuthorization(new SystemSecurityContext(alice, queryId), new CatalogSchemaName("secret", "some_schema"), role)).isInstanceOf(AccessDeniedException.class).hasMessageStartingWith("Access Denied: Cannot set authorization for schema secret.some_schema");
}

Also used: SystemSecurityContext (io.trino.spi.security.SystemSecurityContext), AccessDeniedException (io.trino.spi.security.AccessDeniedException), SystemAccessControl (io.trino.spi.security.SystemAccessControl), CatalogSchemaName (io.trino.spi.connector.CatalogSchemaName), TrinoPrincipal (io.trino.spi.security.TrinoPrincipal), Test (org.testng.annotations.Test)
