use of io.trino.spi.security.TrinoPrincipal in project trino by trinodb.
the class TestFileBasedSystemAccessControl method testCheckCanSetTableAuthorizationForOwner.
/**
 * Checks that ALICE may reassign authorization of a table in {@code aliceschema},
 * both to a role and to a user. Neither call is wrapped in a denial assertion, so the
 * test passes only if both return without throwing.
 */
@Test
public void testCheckCanSetTableAuthorizationForOwner() {
    SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
    CatalogSchemaTableName aliceTable = new CatalogSchemaTableName("some-catalog", "aliceschema", "test");

    // Grantee is a role.
    TrinoPrincipal roleGrantee = new TrinoPrincipal(PrincipalType.ROLE, "some_role");
    accessControl.checkCanSetTableAuthorization(ALICE, aliceTable, roleGrantee);

    // Grantee is a user.
    TrinoPrincipal userGrantee = new TrinoPrincipal(PrincipalType.USER, "some_user");
    accessControl.checkCanSetTableAuthorization(ALICE, aliceTable, userGrantee);
}
use of io.trino.spi.security.TrinoPrincipal in project trino by trinodb.
the class TestFileBasedSystemAccessControl method testCheckCanSetViewAuthorizationForNonOwner.
/**
 * Checks the deny path: ALICE must not be able to reassign authorization of a view in
 * schema {@code test}, whether the new principal is a role or a user. Each attempt has
 * to fail with {@code AUTH_VIEW_ACCESS_DENIED_MESSAGE}.
 */
@Test
public void testCheckCanSetViewAuthorizationForNonOwner() {
    SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
    CatalogSchemaTableName foreignView = new CatalogSchemaTableName("some-catalog", "test", "test");
    TrinoPrincipal roleGrantee = new TrinoPrincipal(PrincipalType.ROLE, "some_role");
    TrinoPrincipal userGrantee = new TrinoPrincipal(PrincipalType.USER, "some_user");

    assertAccessDenied(
            () -> accessControl.checkCanSetViewAuthorization(ALICE, foreignView, roleGrantee),
            AUTH_VIEW_ACCESS_DENIED_MESSAGE);
    assertAccessDenied(
            () -> accessControl.checkCanSetViewAuthorization(ALICE, foreignView, userGrantee),
            AUTH_VIEW_ACCESS_DENIED_MESSAGE);
}
use of io.trino.spi.security.TrinoPrincipal in project trino by trinodb.
the class TestFileBasedSystemAccessControl method testCheckCanSetViewAuthorizationForAdmin.
/**
 * Checks that ADMIN may reassign authorization of a view in schema {@code test} to a
 * role and to a user. The same view is used in the ALICE denial test, so together the
 * two tests show that the outcome depends on the calling identity.
 */
@Test
public void testCheckCanSetViewAuthorizationForAdmin() {
    SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
    CatalogSchemaTableName view = new CatalogSchemaTableName("some-catalog", "test", "test");

    // Both calls must return normally; a thrown exception fails the test.
    TrinoPrincipal roleGrantee = new TrinoPrincipal(PrincipalType.ROLE, "some_role");
    accessControl.checkCanSetViewAuthorization(ADMIN, view, roleGrantee);

    TrinoPrincipal userGrantee = new TrinoPrincipal(PrincipalType.USER, "some_user");
    accessControl.checkCanSetViewAuthorization(ADMIN, view, userGrantee);
}
use of io.trino.spi.security.TrinoPrincipal in project trino by trinodb.
the class TestFileBasedAccessControl method testEmptyFile.
/**
 * Pins the behaviour of the connector access control when it is built from
 * {@code empty.json}: schema, table and session-property checks pass for UNKNOWN,
 * table filtering returns its input unchanged, privilege and role management is
 * denied even for ADMIN, and the role-listing checks pass.
 */
@Test
public void testEmptyFile() {
    ConnectorAccessControl accessControl = createAccessControl("empty.json");
    SchemaTableName unknownTable = new SchemaTableName("unknown", "unknown");
    SchemaTableName anyTable = new SchemaTableName("any", "any");
    TrinoPrincipal someRole = new TrinoPrincipal(PrincipalType.ROLE, "some_role");

    // NOTE(review): every check in this group passes for UNKNOWN, so this configuration
    // does not restrict these operations. empty.json is not shown here; presumably it
    // holds no rules. Confirm the file is populated wherever it is meant to restrict access.
    accessControl.checkCanCreateSchema(UNKNOWN, "unknown");
    accessControl.checkCanDropSchema(UNKNOWN, "unknown");
    accessControl.checkCanRenameSchema(UNKNOWN, "unknown", "new_unknown");
    accessControl.checkCanSetSchemaAuthorization(UNKNOWN, "unknown", someRole);
    accessControl.checkCanShowCreateSchema(UNKNOWN, "unknown");

    accessControl.checkCanSelectFromColumns(UNKNOWN, unknownTable, ImmutableSet.of());
    accessControl.checkCanShowColumns(UNKNOWN, unknownTable);
    accessControl.checkCanInsertIntoTable(UNKNOWN, unknownTable);
    accessControl.checkCanDeleteFromTable(UNKNOWN, unknownTable);
    accessControl.checkCanCreateTable(UNKNOWN, unknownTable, Map.of());
    accessControl.checkCanDropTable(UNKNOWN, unknownTable);
    accessControl.checkCanTruncateTable(UNKNOWN, unknownTable);
    accessControl.checkCanRenameTable(UNKNOWN, unknownTable, new SchemaTableName("unknown", "new_unknown"));

    accessControl.checkCanSetCatalogSessionProperty(UNKNOWN, "anything");

    // Nothing is filtered out, including the table in the schema named "secret".
    Set<SchemaTableName> tables = ImmutableSet.of(new SchemaTableName("secret", "any"), anyTable);
    assertEquals(accessControl.filterTables(UNKNOWN, tables), tables);

    // Privilege and role management is hard coded to deny, so it fails even for ADMIN.
    TrinoPrincipal someUser = new TrinoPrincipal(PrincipalType.USER, "some_user");
    assertDenied(() -> accessControl.checkCanGrantTablePrivilege(ADMIN, Privilege.SELECT, anyTable, someUser, false));
    assertDenied(() -> accessControl.checkCanDenyTablePrivilege(ADMIN, Privilege.SELECT, anyTable, someUser));
    assertDenied(() -> accessControl.checkCanRevokeTablePrivilege(ADMIN, Privilege.SELECT, anyTable, someUser, false));
    assertDenied(() -> accessControl.checkCanCreateRole(ADMIN, "role", Optional.empty()));
    assertDenied(() -> accessControl.checkCanDropRole(ADMIN, "role"));
    assertDenied(() -> accessControl.checkCanGrantRoles(ADMIN, ImmutableSet.of("test"), ImmutableSet.of(someUser), false, Optional.empty()));
    assertDenied(() -> accessControl.checkCanRevokeRoles(ADMIN, ImmutableSet.of("test"), ImmutableSet.of(someUser), false, Optional.empty()));
    assertDenied(() -> accessControl.checkCanSetRole(ADMIN, "role"));

    // Listing roles and grants is hard coded to allow, so it passes for UNKNOWN.
    accessControl.checkCanShowRoleAuthorizationDescriptors(UNKNOWN);
    accessControl.checkCanShowRoles(UNKNOWN);
    accessControl.checkCanShowCurrentRoles(UNKNOWN);
    accessControl.checkCanShowRoleGrants(UNKNOWN);
}
use of io.trino.spi.security.TrinoPrincipal in project trino by trinodb.
the class TestThriftMetastoreUtil method testListApplicableRoles.
/**
 * Checks that {@code ThriftMetastoreUtil.listApplicableRoles} follows role grants
 * transitively. Starting from role {@code a}, the grant graph below leads to b1 and b2,
 * then d and e (each reachable through both b1 and b2), then u and w. The result must
 * contain exactly those six grants.
 */
@Test
public void testListApplicableRoles() {
    TrinoPrincipal grantee = new TrinoPrincipal(USER, "admin");

    // Key = role being expanded, value = a role granted to it.
    Multimap<String, String> grantGraph = ImmutableMultimap.<String, String>builder()
            .put("a", "b1")
            .put("a", "b2")
            .put("b1", "d")
            .put("b1", "e")
            .put("b2", "d")
            .put("b2", "e")
            .put("d", "u")
            .put("e", "w")
            .build();

    assertThat(ThriftMetastoreUtil.listApplicableRoles(
            new HivePrincipal(ROLE, "a"),
            // Lookup for one principal: turn its direct grants in the graph into RoleGrant objects.
            current -> grantGraph.get(current.getName()).stream()
                    .map(roleName -> new RoleGrant(grantee, roleName, false))
                    .collect(toImmutableSet())))
            .containsOnly(
                    new RoleGrant(grantee, "b1", false),
                    new RoleGrant(grantee, "b2", false),
                    new RoleGrant(grantee, "d", false),
                    new RoleGrant(grantee, "e", false),
                    new RoleGrant(grantee, "u", false),
                    new RoleGrant(grantee, "w", false));
}