Example 16 with TrinoPrincipal

Use of io.trino.spi.security.TrinoPrincipal in project trino by trinodb.

From class TestFileBasedSystemAccessControl, method testCheckCanSetTableAuthorizationForOwner.

@Test
public void testCheckCanSetTableAuthorizationForOwner() {
    SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
    // ALICE is the owner in this scenario: transferring table ownership to either a role or a user principal must not throw
    accessControl.checkCanSetTableAuthorization(ALICE, new CatalogSchemaTableName("some-catalog", "aliceschema", "test"), new TrinoPrincipal(PrincipalType.ROLE, "some_role"));
    accessControl.checkCanSetTableAuthorization(ALICE, new CatalogSchemaTableName("some-catalog", "aliceschema", "test"), new TrinoPrincipal(PrincipalType.USER, "some_user"));
}
Also used: SystemAccessControl(io.trino.spi.security.SystemAccessControl) TrinoPrincipal(io.trino.spi.security.TrinoPrincipal) CatalogSchemaTableName(io.trino.spi.connector.CatalogSchemaTableName) Test(org.testng.annotations.Test)

Example 17 with TrinoPrincipal

Use of io.trino.spi.security.TrinoPrincipal in project trino by trinodb.

From class TestFileBasedSystemAccessControl, method testCheckCanSetViewAuthorizationForNonOwner.

@Test
public void testCheckCanSetViewAuthorizationForNonOwner() {
    SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
    // ALICE does not own the view in schema "test": changing its owner is denied regardless of the target principal type
    assertAccessDenied(
            () -> accessControl.checkCanSetViewAuthorization(ALICE, new CatalogSchemaTableName("some-catalog", "test", "test"), new TrinoPrincipal(PrincipalType.ROLE, "some_role")),
            AUTH_VIEW_ACCESS_DENIED_MESSAGE);
    assertAccessDenied(
            () -> accessControl.checkCanSetViewAuthorization(ALICE, new CatalogSchemaTableName("some-catalog", "test", "test"), new TrinoPrincipal(PrincipalType.USER, "some_user")),
            AUTH_VIEW_ACCESS_DENIED_MESSAGE);
}
Also used: SystemAccessControl(io.trino.spi.security.SystemAccessControl) TrinoPrincipal(io.trino.spi.security.TrinoPrincipal) CatalogSchemaTableName(io.trino.spi.connector.CatalogSchemaTableName) Test(org.testng.annotations.Test)

Example 18 with TrinoPrincipal

Use of io.trino.spi.security.TrinoPrincipal in project trino by trinodb.

From class TestFileBasedSystemAccessControl, method testCheckCanSetViewAuthorizationForAdmin.

@Test
public void testCheckCanSetViewAuthorizationForAdmin() {
    SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
    // the same view that is denied to the non-owner above is permitted to ADMIN for both principal types
    accessControl.checkCanSetViewAuthorization(ADMIN, new CatalogSchemaTableName("some-catalog", "test", "test"), new TrinoPrincipal(PrincipalType.ROLE, "some_role"));
    accessControl.checkCanSetViewAuthorization(ADMIN, new CatalogSchemaTableName("some-catalog", "test", "test"), new TrinoPrincipal(PrincipalType.USER, "some_user"));
}
Also used: SystemAccessControl(io.trino.spi.security.SystemAccessControl) TrinoPrincipal(io.trino.spi.security.TrinoPrincipal) CatalogSchemaTableName(io.trino.spi.connector.CatalogSchemaTableName) Test(org.testng.annotations.Test)

Example 19 with TrinoPrincipal

Use of io.trino.spi.security.TrinoPrincipal in project trino by trinodb.

From class TestFileBasedAccessControl, method testEmptyFile.

@Test
public void testEmptyFile() {
    ConnectorAccessControl accessControl = createAccessControl("empty.json");
    // with no rules configured, schema and table operations pass for an unknown identity and no tables are filtered out
    accessControl.checkCanCreateSchema(UNKNOWN, "unknown");
    accessControl.checkCanDropSchema(UNKNOWN, "unknown");
    accessControl.checkCanRenameSchema(UNKNOWN, "unknown", "new_unknown");
    accessControl.checkCanSetSchemaAuthorization(UNKNOWN, "unknown", new TrinoPrincipal(PrincipalType.ROLE, "some_role"));
    accessControl.checkCanShowCreateSchema(UNKNOWN, "unknown");
    accessControl.checkCanSelectFromColumns(UNKNOWN, new SchemaTableName("unknown", "unknown"), ImmutableSet.of());
    accessControl.checkCanShowColumns(UNKNOWN, new SchemaTableName("unknown", "unknown"));
    accessControl.checkCanInsertIntoTable(UNKNOWN, new SchemaTableName("unknown", "unknown"));
    accessControl.checkCanDeleteFromTable(UNKNOWN, new SchemaTableName("unknown", "unknown"));
    accessControl.checkCanCreateTable(UNKNOWN, new SchemaTableName("unknown", "unknown"), Map.of());
    accessControl.checkCanDropTable(UNKNOWN, new SchemaTableName("unknown", "unknown"));
    accessControl.checkCanTruncateTable(UNKNOWN, new SchemaTableName("unknown", "unknown"));
    accessControl.checkCanRenameTable(UNKNOWN, new SchemaTableName("unknown", "unknown"), new SchemaTableName("unknown", "new_unknown"));
    accessControl.checkCanSetCatalogSessionProperty(UNKNOWN, "anything");
    Set<SchemaTableName> tables = ImmutableSet.<SchemaTableName>builder()
            .add(new SchemaTableName("secret", "any"))
            .add(new SchemaTableName("any", "any"))
            .build();
    assertEquals(accessControl.filterTables(UNKNOWN, tables), tables);
    // permissions management APIs are hard coded to deny
    TrinoPrincipal someUser = new TrinoPrincipal(PrincipalType.USER, "some_user");
    assertDenied(() -> accessControl.checkCanGrantTablePrivilege(ADMIN, Privilege.SELECT, new SchemaTableName("any", "any"), someUser, false));
    assertDenied(() -> accessControl.checkCanDenyTablePrivilege(ADMIN, Privilege.SELECT, new SchemaTableName("any", "any"), someUser));
    assertDenied(() -> accessControl.checkCanRevokeTablePrivilege(ADMIN, Privilege.SELECT, new SchemaTableName("any", "any"), someUser, false));
    assertDenied(() -> accessControl.checkCanCreateRole(ADMIN, "role", Optional.empty()));
    assertDenied(() -> accessControl.checkCanDropRole(ADMIN, "role"));
    assertDenied(() -> accessControl.checkCanGrantRoles(ADMIN, ImmutableSet.of("test"), ImmutableSet.of(someUser), false, Optional.empty()));
    assertDenied(() -> accessControl.checkCanRevokeRoles(ADMIN, ImmutableSet.of("test"), ImmutableSet.of(someUser), false, Optional.empty()));
    assertDenied(() -> accessControl.checkCanSetRole(ADMIN, "role"));
    // showing roles and permissions is hard coded to allow
    accessControl.checkCanShowRoleAuthorizationDescriptors(UNKNOWN);
    accessControl.checkCanShowRoles(UNKNOWN);
    accessControl.checkCanShowCurrentRoles(UNKNOWN);
    accessControl.checkCanShowRoleGrants(UNKNOWN);
}
Also used: ConnectorAccessControl(io.trino.spi.connector.ConnectorAccessControl) TrinoPrincipal(io.trino.spi.security.TrinoPrincipal) SchemaTableName(io.trino.spi.connector.SchemaTableName) Test(org.testng.annotations.Test)

Example 20 with TrinoPrincipal

Use of io.trino.spi.security.TrinoPrincipal in project trino by trinodb.

From class TestThriftMetastoreUtil, method testListApplicableRoles.

@Test
public void testListApplicableRoles() {
    TrinoPrincipal admin = new TrinoPrincipal(USER, "admin");
    // role inheritance graph used by the test: a -> {b1, b2}, b1 -> {d, e}, b2 -> {d, e}, d -> u, e -> w
    Multimap<String, String> inheritance = ImmutableMultimap.<String, String>builder()
            .put("a", "b1").put("a", "b2").put("b1", "d").put("b1", "e").put("b2", "d").put("b2", "e").put("d", "u").put("e", "w")
            .build();
    // the applicable roles of "a" are everything reachable transitively through the graph, not just its direct grants
    assertThat(ThriftMetastoreUtil.listApplicableRoles(new HivePrincipal(ROLE, "a"),
            principal -> inheritance.get(principal.getName()).stream().map(name -> new RoleGrant(admin, name, false)).collect(toImmutableSet())))
            .containsOnly(new RoleGrant(admin, "b1", false), new RoleGrant(admin, "b2", false), new RoleGrant(admin, "d", false),
                    new RoleGrant(admin, "e", false), new RoleGrant(admin, "u", false), new RoleGrant(admin, "w", false));
}
Also used: RoleGrant(io.trino.spi.security.RoleGrant) HivePrincipal(io.trino.plugin.hive.metastore.HivePrincipal) TrinoPrincipal(io.trino.spi.security.TrinoPrincipal) Test(org.testng.annotations.Test)
