
Example 26 with TrinoPrincipal

Use of io.trino.spi.security.TrinoPrincipal in project trino by trinodb.

From class TestFileBasedSystemAccessControl, method testViewOperationsReadOnly:

@Test
public void testViewOperationsReadOnly() {
    TransactionManager transactionManager = createTestTransactionManager();
    AccessControlManager accessControlManager = newAccessControlManager(transactionManager, "catalog_read_only.json");

    // catalog_read_only.json: alice may read from her view and set a catalog session property
    transaction(transactionManager, accessControlManager).execute(transactionId -> {
        SecurityContext context = new SecurityContext(transactionId, alice, queryId);
        accessControlManager.checkCanSelectFromColumns(context, aliceView, ImmutableSet.of());
        accessControlManager.checkCanSetCatalogSessionProperty(context, "alice-catalog", "property");
    });

    // every write operation on the read-only catalog is denied for alice, with an object-level message
    assertThatThrownBy(() -> transaction(transactionManager, accessControlManager).execute(transactionId -> {
        accessControlManager.checkCanCreateView(new SecurityContext(transactionId, alice, queryId), aliceView);
    }))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage("Access Denied: Cannot create view alice-catalog.schema.view");
    assertThatThrownBy(() -> transaction(transactionManager, accessControlManager).execute(transactionId -> {
        accessControlManager.checkCanDropView(new SecurityContext(transactionId, alice, queryId), aliceView);
    }))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage("Access Denied: Cannot drop view alice-catalog.schema.view");
    assertThatThrownBy(() -> transaction(transactionManager, accessControlManager).execute(transactionId -> {
        accessControlManager.checkCanGrantTablePrivilege(new SecurityContext(transactionId, alice, queryId), SELECT, aliceTable, new TrinoPrincipal(USER, "grantee"), true);
    }))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage("Access Denied: Cannot grant privilege SELECT on table alice-catalog.schema.table");
    assertThatThrownBy(() -> transaction(transactionManager, accessControlManager).execute(transactionId -> {
        accessControlManager.checkCanRevokeTablePrivilege(new SecurityContext(transactionId, alice, queryId), SELECT, aliceTable, new TrinoPrincipal(USER, "revokee"), true);
    }))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage("Access Denied: Cannot revoke privilege SELECT on table alice-catalog.schema.table");

    // bob is denied at the catalog level: the message names the catalog, not the view
    assertThatThrownBy(() -> transaction(transactionManager, accessControlManager).execute(transactionId -> {
        accessControlManager.checkCanCreateView(new SecurityContext(transactionId, bob, queryId), aliceView);
    }))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage("Access Denied: Cannot access catalog alice-catalog");
}

Example 27 with TrinoPrincipal

Use of io.trino.spi.security.TrinoPrincipal in project trino by trinodb.

From class TestFileBasedSystemAccessControl, method testEmptyFile:

@Test
public void testEmptyFile() {
    // empty.json defines no rules: the UNKNOWN identity passes every schema, table, view, session and query check below
    SystemAccessControl accessControl = newFileBasedSystemAccessControl("empty.json");
    accessControl.checkCanCreateSchema(UNKNOWN, new CatalogSchemaName("some-catalog", "unknown"));
    accessControl.checkCanDropSchema(UNKNOWN, new CatalogSchemaName("some-catalog", "unknown"));
    accessControl.checkCanRenameSchema(UNKNOWN, new CatalogSchemaName("some-catalog", "unknown"), "new_unknown");
    accessControl.checkCanSetSchemaAuthorization(UNKNOWN, new CatalogSchemaName("some-catalog", "unknown"), new TrinoPrincipal(PrincipalType.ROLE, "some_role"));
    accessControl.checkCanShowCreateSchema(UNKNOWN, new CatalogSchemaName("some-catalog", "unknown"));
    accessControl.checkCanSelectFromColumns(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"), ImmutableSet.of());
    accessControl.checkCanShowColumns(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"));
    accessControl.checkCanInsertIntoTable(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"));
    accessControl.checkCanDeleteFromTable(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"));
    accessControl.checkCanTruncateTable(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"));
    accessControl.checkCanCreateTable(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"), Map.of());
    accessControl.checkCanDropTable(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"));
    accessControl.checkCanTruncateTable(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"));
    accessControl.checkCanRenameTable(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"), new CatalogSchemaTableName("some-catalog", "unknown", "new_unknown"));
    accessControl.checkCanCreateMaterializedView(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"), Map.of());
    accessControl.checkCanDropMaterializedView(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"));
    accessControl.checkCanRefreshMaterializedView(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"));
    accessControl.checkCanSetUser(Optional.empty(), "unknown");
    accessControl.checkCanSetUser(Optional.of(new KerberosPrincipal("stuff@example.com")), "unknown");
    accessControl.checkCanSetSystemSessionProperty(UNKNOWN, "anything");
    accessControl.checkCanSetCatalogSessionProperty(UNKNOWN, "unknown", "anything");
    accessControl.checkCanExecuteQuery(UNKNOWN);
    accessControl.checkCanViewQueryOwnedBy(UNKNOWN, anyone);
    accessControl.checkCanKillQueryOwnedBy(UNKNOWN, anyone);
    // system information access is denied by default
    assertThatThrownBy(() -> accessControl.checkCanReadSystemInformation(UNKNOWN))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage("Access Denied: Cannot read system information");
    assertThatThrownBy(() -> accessControl.checkCanWriteSystemInformation(UNKNOWN))
            .isInstanceOf(AccessDeniedException.class)
            .hasMessage("Access Denied: Cannot write system information");
}

Example 28 with TrinoPrincipal

Use of io.trino.spi.security.TrinoPrincipal in project trino by trinodb.

From class TestFileBasedAccessControl, method testSchemaRules:

@Test
public void testSchemaRules() {
    // schema.json as exercised here: ADMIN is allowed on every schema, BOB on bob, staff and authenticated,
    // CHARLIE only on authenticated; nobody but ADMIN may operate on the test schema
    ConnectorAccessControl accessControl = createAccessControl("schema.json");

    // create schema
    accessControl.checkCanCreateSchema(ADMIN, "bob");
    accessControl.checkCanCreateSchema(ADMIN, "staff");
    accessControl.checkCanCreateSchema(ADMIN, "authenticated");
    accessControl.checkCanCreateSchema(ADMIN, "test");
    accessControl.checkCanCreateSchema(BOB, "bob");
    accessControl.checkCanCreateSchema(BOB, "staff");
    accessControl.checkCanCreateSchema(BOB, "authenticated");
    assertDenied(() -> accessControl.checkCanCreateSchema(BOB, "test"));
    assertDenied(() -> accessControl.checkCanCreateSchema(CHARLIE, "bob"));
    assertDenied(() -> accessControl.checkCanCreateSchema(CHARLIE, "staff"));
    accessControl.checkCanCreateSchema(CHARLIE, "authenticated");
    assertDenied(() -> accessControl.checkCanCreateSchema(CHARLIE, "test"));

    // drop schema
    accessControl.checkCanDropSchema(ADMIN, "bob");
    accessControl.checkCanDropSchema(ADMIN, "staff");
    accessControl.checkCanDropSchema(ADMIN, "authenticated");
    accessControl.checkCanDropSchema(ADMIN, "test");
    accessControl.checkCanDropSchema(BOB, "bob");
    accessControl.checkCanDropSchema(BOB, "staff");
    accessControl.checkCanDropSchema(BOB, "authenticated");
    assertDenied(() -> accessControl.checkCanDropSchema(BOB, "test"));
    assertDenied(() -> accessControl.checkCanDropSchema(CHARLIE, "bob"));
    assertDenied(() -> accessControl.checkCanDropSchema(CHARLIE, "staff"));
    accessControl.checkCanDropSchema(CHARLIE, "authenticated");
    assertDenied(() -> accessControl.checkCanDropSchema(CHARLIE, "test"));

    // rename schema: both the old and the new name must be permitted (BOB may rename among bob, staff and
    // authenticated, but not to or from test)
    accessControl.checkCanRenameSchema(ADMIN, "bob", "new_schema");
    accessControl.checkCanRenameSchema(ADMIN, "staff", "new_schema");
    accessControl.checkCanRenameSchema(ADMIN, "authenticated", "new_schema");
    accessControl.checkCanRenameSchema(ADMIN, "test", "new_schema");
    accessControl.checkCanRenameSchema(BOB, "bob", "staff");
    accessControl.checkCanRenameSchema(BOB, "staff", "authenticated");
    accessControl.checkCanRenameSchema(BOB, "authenticated", "bob");
    assertDenied(() -> accessControl.checkCanRenameSchema(BOB, "test", "bob"));
    assertDenied(() -> accessControl.checkCanRenameSchema(BOB, "bob", "test"));
    assertDenied(() -> accessControl.checkCanRenameSchema(CHARLIE, "bob", "new_schema"));
    assertDenied(() -> accessControl.checkCanRenameSchema(CHARLIE, "staff", "new_schema"));
    accessControl.checkCanRenameSchema(CHARLIE, "authenticated", "authenticated");
    assertDenied(() -> accessControl.checkCanRenameSchema(CHARLIE, "test", "new_schema"));

    // set schema authorization to a role or user principal
    accessControl.checkCanSetSchemaAuthorization(ADMIN, "test", new TrinoPrincipal(PrincipalType.ROLE, "some_role"));
    accessControl.checkCanSetSchemaAuthorization(ADMIN, "test", new TrinoPrincipal(PrincipalType.USER, "some_user"));
    accessControl.checkCanSetSchemaAuthorization(BOB, "bob", new TrinoPrincipal(PrincipalType.ROLE, "some_role"));
    accessControl.checkCanSetSchemaAuthorization(BOB, "bob", new TrinoPrincipal(PrincipalType.USER, "some_user"));
    assertDenied(() -> accessControl.checkCanSetSchemaAuthorization(BOB, "test", new TrinoPrincipal(PrincipalType.ROLE, "some_role")));
    assertDenied(() -> accessControl.checkCanSetSchemaAuthorization(BOB, "test", new TrinoPrincipal(PrincipalType.USER, "some_user")));

    // show create schema
    accessControl.checkCanShowCreateSchema(ADMIN, "bob");
    accessControl.checkCanShowCreateSchema(ADMIN, "staff");
    accessControl.checkCanShowCreateSchema(ADMIN, "authenticated");
    accessControl.checkCanShowCreateSchema(ADMIN, "test");
    accessControl.checkCanShowCreateSchema(BOB, "bob");
    accessControl.checkCanShowCreateSchema(BOB, "staff");
    accessControl.checkCanShowCreateSchema(BOB, "authenticated");
    assertDenied(() -> accessControl.checkCanShowCreateSchema(BOB, "test"));
    assertDenied(() -> accessControl.checkCanShowCreateSchema(CHARLIE, "bob"));
    assertDenied(() -> accessControl.checkCanShowCreateSchema(CHARLIE, "staff"));
    accessControl.checkCanShowCreateSchema(CHARLIE, "authenticated");
    assertDenied(() -> accessControl.checkCanShowCreateSchema(CHARLIE, "test"));
}

Example 29 with TrinoPrincipal

Use of io.trino.spi.security.TrinoPrincipal in project trino by trinodb.

From class TestFileBasedAccessControl, method testRevokeSchemaPrivilege:

@Test(dataProvider = "privilegeGrantOption")
public void testRevokeSchemaPrivilege(Privilege privilege, boolean grantOption) {
    // the data provider supplies every privilege with and without grant option; the allow/deny pattern
    // per schema matches the one in testSchemaRules
    ConnectorAccessControl accessControl = createAccessControl("schema.json");
    TrinoPrincipal grantee = new TrinoPrincipal(PrincipalType.USER, "alice");
    accessControl.checkCanRevokeSchemaPrivilege(ADMIN, privilege, "bob", grantee, grantOption);
    accessControl.checkCanRevokeSchemaPrivilege(ADMIN, privilege, "staff", grantee, grantOption);
    accessControl.checkCanRevokeSchemaPrivilege(ADMIN, privilege, "authenticated", grantee, grantOption);
    accessControl.checkCanRevokeSchemaPrivilege(ADMIN, privilege, "test", grantee, grantOption);
    accessControl.checkCanRevokeSchemaPrivilege(BOB, privilege, "bob", grantee, grantOption);
    accessControl.checkCanRevokeSchemaPrivilege(BOB, privilege, "staff", grantee, grantOption);
    accessControl.checkCanRevokeSchemaPrivilege(BOB, privilege, "authenticated", grantee, grantOption);
    assertDenied(() -> accessControl.checkCanRevokeSchemaPrivilege(BOB, privilege, "test", grantee, grantOption));
    assertDenied(() -> accessControl.checkCanRevokeSchemaPrivilege(CHARLIE, privilege, "bob", grantee, grantOption));
    assertDenied(() -> accessControl.checkCanRevokeSchemaPrivilege(CHARLIE, privilege, "staff", grantee, grantOption));
    accessControl.checkCanRevokeSchemaPrivilege(CHARLIE, privilege, "authenticated", grantee, grantOption);
    assertDenied(() -> accessControl.checkCanRevokeSchemaPrivilege(CHARLIE, privilege, "test", grantee, grantOption));
}

Example 30 with TrinoPrincipal

Use of io.trino.spi.security.TrinoPrincipal in project trino by trinodb.

From class TestFileBasedAccessControl, method testDenySchemaPrivilege:

@Test
public void testDenySchemaPrivilege() {
    // denying a privilege on a schema follows the same allow/deny pattern per schema as testSchemaRules
    ConnectorAccessControl accessControl = createAccessControl("schema.json");
    TrinoPrincipal grantee = new TrinoPrincipal(PrincipalType.USER, "alice");
    accessControl.checkCanDenySchemaPrivilege(ADMIN, UPDATE, "bob", grantee);
    accessControl.checkCanDenySchemaPrivilege(ADMIN, UPDATE, "staff", grantee);
    accessControl.checkCanDenySchemaPrivilege(ADMIN, UPDATE, "authenticated", grantee);
    accessControl.checkCanDenySchemaPrivilege(ADMIN, UPDATE, "test", grantee);
    accessControl.checkCanDenySchemaPrivilege(BOB, UPDATE, "bob", grantee);
    accessControl.checkCanDenySchemaPrivilege(BOB, UPDATE, "staff", grantee);
    accessControl.checkCanDenySchemaPrivilege(BOB, UPDATE, "authenticated", grantee);
    assertDenied(() -> accessControl.checkCanDenySchemaPrivilege(BOB, UPDATE, "test", grantee));
    assertDenied(() -> accessControl.checkCanDenySchemaPrivilege(CHARLIE, UPDATE, "bob", grantee));
    assertDenied(() -> accessControl.checkCanDenySchemaPrivilege(CHARLIE, UPDATE, "staff", grantee));
    accessControl.checkCanDenySchemaPrivilege(CHARLIE, UPDATE, "authenticated", grantee);
    assertDenied(() -> accessControl.checkCanDenySchemaPrivilege(CHARLIE, UPDATE, "test", grantee));
}