use of io.trino.spi.security.TrinoPrincipal in project trino by trinodb.
the class TestFileBasedSystemAccessControl method testViewOperationsReadOnly.
/**
 * Exercises the view-related checks under the read-only catalog policy
 * ({@code catalog_read_only.json}).
 * <p>
 * alice may read from her view and set a catalog session property, but creating or
 * dropping the view and granting or revoking table privileges are all denied with an
 * operation-specific message. bob is denied with a catalog-level message instead.
 */
@Test
public void testViewOperationsReadOnly() {
    TransactionManager txManager = createTestTransactionManager();
    AccessControlManager manager = newAccessControlManager(txManager, "catalog_read_only.json");

    // Read-style operations are allowed for alice under the read-only policy.
    transaction(txManager, manager).execute(txId -> {
        SecurityContext aliceContext = new SecurityContext(txId, alice, queryId);
        manager.checkCanSelectFromColumns(aliceContext, aliceView, ImmutableSet.of());
        manager.checkCanSetCatalogSessionProperty(aliceContext, "alice-catalog", "property");
    });

    // Every mutating view operation is rejected for alice; the message names the operation.
    assertThatThrownBy(() -> transaction(txManager, manager).execute(txId -> {
        manager.checkCanCreateView(new SecurityContext(txId, alice, queryId), aliceView);
    }))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage("Access Denied: Cannot create view alice-catalog.schema.view");

    assertThatThrownBy(() -> transaction(txManager, manager).execute(txId -> {
        manager.checkCanDropView(new SecurityContext(txId, alice, queryId), aliceView);
    }))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage("Access Denied: Cannot drop view alice-catalog.schema.view");

    assertThatThrownBy(() -> transaction(txManager, manager).execute(txId -> {
        manager.checkCanGrantTablePrivilege(new SecurityContext(txId, alice, queryId), SELECT, aliceTable, new TrinoPrincipal(USER, "grantee"), true);
    }))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage("Access Denied: Cannot grant privilege SELECT on table alice-catalog.schema.table");

    assertThatThrownBy(() -> transaction(txManager, manager).execute(txId -> {
        manager.checkCanRevokeTablePrivilege(new SecurityContext(txId, alice, queryId), SELECT, aliceTable, new TrinoPrincipal(USER, "revokee"), true);
    }))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage("Access Denied: Cannot revoke privilege SELECT on table alice-catalog.schema.table");

    // bob has no access to alice's catalog at all, so the denial is reported at catalog level.
    assertThatThrownBy(() -> transaction(txManager, manager).execute(txId -> {
        manager.checkCanCreateView(new SecurityContext(txId, bob, queryId), aliceView);
    }))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage("Access Denied: Cannot access catalog alice-catalog");
}
use of io.trino.spi.security.TrinoPrincipal in project trino by trinodb.
the class TestFileBasedSystemAccessControl method testEmptyFile.
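/**
 * An empty rules file ({@code empty.json}) must not block ordinary schema, table,
 * materialized view, session-property or query operations for an unknown identity:
 * every plain check below is expected to return normally.
 * <p>
 * The exception is system information: with no explicit rule, both reading and writing
 * it are denied, and this test pins the exact denial messages. Each table-level check is
 * asserted exactly once (the original listing repeated {@code checkCanTruncateTable}).
 */
@Test
public void testEmptyFile() {
    SystemAccessControl accessControl = newFileBasedSystemAccessControl("empty.json");
    // Shared immutable names; the same "unknown" schema/table is used by every check below.
    CatalogSchemaName unknownSchema = new CatalogSchemaName("some-catalog", "unknown");
    CatalogSchemaTableName unknownTable = new CatalogSchemaTableName("some-catalog", "unknown", "unknown");

    // Schema operations
    accessControl.checkCanCreateSchema(UNKNOWN, unknownSchema);
    accessControl.checkCanDropSchema(UNKNOWN, unknownSchema);
    accessControl.checkCanRenameSchema(UNKNOWN, unknownSchema, "new_unknown");
    accessControl.checkCanSetSchemaAuthorization(UNKNOWN, unknownSchema, new TrinoPrincipal(PrincipalType.ROLE, "some_role"));
    accessControl.checkCanShowCreateSchema(UNKNOWN, unknownSchema);

    // Table operations
    accessControl.checkCanSelectFromColumns(UNKNOWN, unknownTable, ImmutableSet.of());
    accessControl.checkCanShowColumns(UNKNOWN, unknownTable);
    accessControl.checkCanInsertIntoTable(UNKNOWN, unknownTable);
    accessControl.checkCanDeleteFromTable(UNKNOWN, unknownTable);
    accessControl.checkCanTruncateTable(UNKNOWN, unknownTable);
    accessControl.checkCanCreateTable(UNKNOWN, unknownTable, Map.of());
    accessControl.checkCanDropTable(UNKNOWN, unknownTable);
    accessControl.checkCanRenameTable(UNKNOWN, unknownTable, new CatalogSchemaTableName("some-catalog", "unknown", "new_unknown"));

    // Materialized view operations
    accessControl.checkCanCreateMaterializedView(UNKNOWN, unknownTable, Map.of());
    accessControl.checkCanDropMaterializedView(UNKNOWN, unknownTable);
    accessControl.checkCanRefreshMaterializedView(UNKNOWN, unknownTable);

    // Impersonation and session properties: both an absent and a Kerberos principal may set the user.
    accessControl.checkCanSetUser(Optional.empty(), "unknown");
    accessControl.checkCanSetUser(Optional.of(new KerberosPrincipal("stuff@example.com")), "unknown");
    accessControl.checkCanSetSystemSessionProperty(UNKNOWN, "anything");
    accessControl.checkCanSetCatalogSessionProperty(UNKNOWN, "unknown", "anything");

    // Query operations
    accessControl.checkCanExecuteQuery(UNKNOWN);
    accessControl.checkCanViewQueryOwnedBy(UNKNOWN, anyone);
    accessControl.checkCanKillQueryOwnedBy(UNKNOWN, anyone);

    // System information access is denied by default
    assertThatThrownBy(() -> accessControl.checkCanReadSystemInformation(UNKNOWN))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage("Access Denied: Cannot read system information");
    assertThatThrownBy(() -> accessControl.checkCanWriteSystemInformation(UNKNOWN))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage("Access Denied: Cannot write system information");
}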
use of io.trino.spi.security.TrinoPrincipal in project trino by trinodb.
the class TestFileBasedAccessControl method testSchemaRules.
/**
 * Verifies the schema rules in {@code schema.json} for create, drop, rename,
 * set-authorization and show-create-schema.
 * <p>
 * ADMIN is allowed on every schema; BOB is allowed on {@code bob}, {@code staff} and
 * {@code authenticated} but denied on {@code test}; CHARLIE is allowed only on
 * {@code authenticated}.
 */
@Test
public void testSchemaRules() {
    ConnectorAccessControl accessControl = createAccessControl("schema.json");
    // Schemas in the order the assertions are made.
    String[] everySchema = {"bob", "staff", "authenticated", "test"};
    String[] bobSchemas = {"bob", "staff", "authenticated"};

    // CREATE SCHEMA
    for (String schema : everySchema) {
        accessControl.checkCanCreateSchema(ADMIN, schema);
    }
    for (String schema : bobSchemas) {
        accessControl.checkCanCreateSchema(BOB, schema);
    }
    assertDenied(() -> accessControl.checkCanCreateSchema(BOB, "test"));
    assertDenied(() -> accessControl.checkCanCreateSchema(CHARLIE, "bob"));
    assertDenied(() -> accessControl.checkCanCreateSchema(CHARLIE, "staff"));
    accessControl.checkCanCreateSchema(CHARLIE, "authenticated");
    assertDenied(() -> accessControl.checkCanCreateSchema(CHARLIE, "test"));

    // DROP SCHEMA
    for (String schema : everySchema) {
        accessControl.checkCanDropSchema(ADMIN, schema);
    }
    for (String schema : bobSchemas) {
        accessControl.checkCanDropSchema(BOB, schema);
    }
    assertDenied(() -> accessControl.checkCanDropSchema(BOB, "test"));
    assertDenied(() -> accessControl.checkCanDropSchema(CHARLIE, "bob"));
    assertDenied(() -> accessControl.checkCanDropSchema(CHARLIE, "staff"));
    accessControl.checkCanDropSchema(CHARLIE, "authenticated");
    assertDenied(() -> accessControl.checkCanDropSchema(CHARLIE, "test"));

    // RENAME SCHEMA: both the source and the target schema name must be permitted.
    for (String schema : everySchema) {
        accessControl.checkCanRenameSchema(ADMIN, schema, "new_schema");
    }
    accessControl.checkCanRenameSchema(BOB, "bob", "staff");
    accessControl.checkCanRenameSchema(BOB, "staff", "authenticated");
    accessControl.checkCanRenameSchema(BOB, "authenticated", "bob");
    assertDenied(() -> accessControl.checkCanRenameSchema(BOB, "test", "bob"));
    assertDenied(() -> accessControl.checkCanRenameSchema(BOB, "bob", "test"));
    assertDenied(() -> accessControl.checkCanRenameSchema(CHARLIE, "bob", "new_schema"));
    assertDenied(() -> accessControl.checkCanRenameSchema(CHARLIE, "staff", "new_schema"));
    accessControl.checkCanRenameSchema(CHARLIE, "authenticated", "authenticated");
    assertDenied(() -> accessControl.checkCanRenameSchema(CHARLIE, "test", "new_schema"));

    // SET SCHEMA AUTHORIZATION, for both a role and a user principal.
    TrinoPrincipal[] principals = {
            new TrinoPrincipal(PrincipalType.ROLE, "some_role"),
            new TrinoPrincipal(PrincipalType.USER, "some_user"),
    };
    for (TrinoPrincipal principal : principals) {
        accessControl.checkCanSetSchemaAuthorization(ADMIN, "test", principal);
    }
    for (TrinoPrincipal principal : principals) {
        accessControl.checkCanSetSchemaAuthorization(BOB, "bob", principal);
    }
    for (TrinoPrincipal principal : principals) {
        assertDenied(() -> accessControl.checkCanSetSchemaAuthorization(BOB, "test", principal));
    }

    // SHOW CREATE SCHEMA
    for (String schema : everySchema) {
        accessControl.checkCanShowCreateSchema(ADMIN, schema);
    }
    for (String schema : bobSchemas) {
        accessControl.checkCanShowCreateSchema(BOB, schema);
    }
    assertDenied(() -> accessControl.checkCanShowCreateSchema(BOB, "test"));
    assertDenied(() -> accessControl.checkCanShowCreateSchema(CHARLIE, "bob"));
    assertDenied(() -> accessControl.checkCanShowCreateSchema(CHARLIE, "staff"));
    accessControl.checkCanShowCreateSchema(CHARLIE, "authenticated");
    assertDenied(() -> accessControl.checkCanShowCreateSchema(CHARLIE, "test"));
}
use of io.trino.spi.security.TrinoPrincipal in project trino by trinodb.
the class TestFileBasedAccessControl method testRevokeSchemaPrivilege.
/**
 * Verifies REVOKE of a schema privilege under {@code schema.json} for every
 * privilege/grant-option combination supplied by the {@code privilegeGrantOption} provider.
 * <p>
 * ADMIN may revoke on any schema; BOB may revoke on {@code bob}, {@code staff} and
 * {@code authenticated} but not {@code test}; CHARLIE may revoke only on {@code authenticated}.
 *
 * @param privilege the privilege being revoked
 * @param grantOption whether only the grant option is revoked
 */
@Test(dataProvider = "privilegeGrantOption")
public void testRevokeSchemaPrivilege(Privilege privilege, boolean grantOption) {
    ConnectorAccessControl accessControl = createAccessControl("schema.json");
    TrinoPrincipal revokee = new TrinoPrincipal(PrincipalType.USER, "alice");

    for (String schema : new String[] {"bob", "staff", "authenticated", "test"}) {
        accessControl.checkCanRevokeSchemaPrivilege(ADMIN, privilege, schema, revokee, grantOption);
    }
    for (String schema : new String[] {"bob", "staff", "authenticated"}) {
        accessControl.checkCanRevokeSchemaPrivilege(BOB, privilege, schema, revokee, grantOption);
    }
    assertDenied(() -> accessControl.checkCanRevokeSchemaPrivilege(BOB, privilege, "test", revokee, grantOption));

    assertDenied(() -> accessControl.checkCanRevokeSchemaPrivilege(CHARLIE, privilege, "bob", revokee, grantOption));
    assertDenied(() -> accessControl.checkCanRevokeSchemaPrivilege(CHARLIE, privilege, "staff", revokee, grantOption));
    accessControl.checkCanRevokeSchemaPrivilege(CHARLIE, privilege, "authenticated", revokee, grantOption);
    assertDenied(() -> accessControl.checkCanRevokeSchemaPrivilege(CHARLIE, privilege, "test", revokee, grantOption));
}
use of io.trino.spi.security.TrinoPrincipal in project trino by trinodb.
the class TestFileBasedAccessControl method testDenySchemaPrivilege.
/**
 * Verifies DENY of the {@code UPDATE} schema privilege under {@code schema.json}.
 * <p>
 * ADMIN may deny on any schema; BOB may deny on {@code bob}, {@code staff} and
 * {@code authenticated} but not {@code test}; CHARLIE may deny only on {@code authenticated}.
 */
@Test
public void testDenySchemaPrivilege() {
    ConnectorAccessControl accessControl = createAccessControl("schema.json");
    TrinoPrincipal target = new TrinoPrincipal(PrincipalType.USER, "alice");

    for (String schema : new String[] {"bob", "staff", "authenticated", "test"}) {
        accessControl.checkCanDenySchemaPrivilege(ADMIN, UPDATE, schema, target);
    }
    for (String schema : new String[] {"bob", "staff", "authenticated"}) {
        accessControl.checkCanDenySchemaPrivilege(BOB, UPDATE, schema, target);
    }
    assertDenied(() -> accessControl.checkCanDenySchemaPrivilege(BOB, UPDATE, "test", target));

    assertDenied(() -> accessControl.checkCanDenySchemaPrivilege(CHARLIE, UPDATE, "bob", target));
    assertDenied(() -> accessControl.checkCanDenySchemaPrivilege(CHARLIE, UPDATE, "staff", target));
    accessControl.checkCanDenySchemaPrivilege(CHARLIE, UPDATE, "authenticated", target);
    assertDenied(() -> accessControl.checkCanDenySchemaPrivilege(CHARLIE, UPDATE, "test", target));
}