Search in sources :

Example 31 with TrinoPrincipal

use of io.trino.spi.security.TrinoPrincipal in project trino by trinodb.

the class TestFileBasedAccessControl method testGrantSchemaPrivilege.

@Test(dataProvider = "privilegeGrantOption")
public void testGrantSchemaPrivilege(Privilege privilege, boolean grantOption) {
    ConnectorAccessControl accessControl = createAccessControl("schema.json");
    TrinoPrincipal grantee = new TrinoPrincipal(PrincipalType.USER, "alice");
    accessControl.checkCanGrantSchemaPrivilege(ADMIN, privilege, "bob", grantee, grantOption);
    accessControl.checkCanGrantSchemaPrivilege(ADMIN, privilege, "staff", grantee, grantOption);
    accessControl.checkCanGrantSchemaPrivilege(ADMIN, privilege, "authenticated", grantee, grantOption);
    accessControl.checkCanGrantSchemaPrivilege(ADMIN, privilege, "test", grantee, grantOption);
    accessControl.checkCanGrantSchemaPrivilege(BOB, privilege, "bob", grantee, grantOption);
    accessControl.checkCanGrantSchemaPrivilege(BOB, privilege, "staff", grantee, grantOption);
    accessControl.checkCanGrantSchemaPrivilege(BOB, privilege, "authenticated", grantee, grantOption);
    assertDenied(() -> accessControl.checkCanGrantSchemaPrivilege(BOB, privilege, "test", grantee, grantOption));
    assertDenied(() -> accessControl.checkCanGrantSchemaPrivilege(CHARLIE, privilege, "bob", grantee, grantOption));
    assertDenied(() -> accessControl.checkCanGrantSchemaPrivilege(CHARLIE, privilege, "staff", grantee, grantOption));
    accessControl.checkCanGrantSchemaPrivilege(CHARLIE, privilege, "authenticated", grantee, grantOption);
    assertDenied(() -> accessControl.checkCanGrantSchemaPrivilege(CHARLIE, privilege, "test", grantee, grantOption));
}
Also used : ConnectorAccessControl(io.trino.spi.connector.ConnectorAccessControl) TrinoPrincipal(io.trino.spi.security.TrinoPrincipal) Test(org.testng.annotations.Test)

Example 32 with TrinoPrincipal

use of io.trino.spi.security.TrinoPrincipal in project trino by trinodb.

the class TestFileBasedSystemAccessControl method testDenySchemaPrivilege.

@Test
public void testDenySchemaPrivilege() {
    SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-access-schema.json");
    TrinoPrincipal grantee = new TrinoPrincipal(PrincipalType.USER, "alice");
    accessControl.checkCanDenySchemaPrivilege(ADMIN, UPDATE, new CatalogSchemaName("some-catalog", "bob"), grantee);
    accessControl.checkCanDenySchemaPrivilege(ADMIN, UPDATE, new CatalogSchemaName("some-catalog", "staff"), grantee);
    accessControl.checkCanDenySchemaPrivilege(ADMIN, UPDATE, new CatalogSchemaName("some-catalog", "authenticated"), grantee);
    accessControl.checkCanDenySchemaPrivilege(ADMIN, UPDATE, new CatalogSchemaName("some-catalog", "test"), grantee);
    accessControl.checkCanDenySchemaPrivilege(BOB, UPDATE, new CatalogSchemaName("some-catalog", "bob"), grantee);
    accessControl.checkCanDenySchemaPrivilege(BOB, UPDATE, new CatalogSchemaName("some-catalog", "staff"), grantee);
    accessControl.checkCanDenySchemaPrivilege(BOB, UPDATE, new CatalogSchemaName("some-catalog", "authenticated"), grantee);
    assertAccessDenied(() -> accessControl.checkCanDenySchemaPrivilege(BOB, UPDATE, new CatalogSchemaName("some-catalog", "test"), grantee), format(DENY_SCHEMA_ACCESS_DENIED_MESSAGE, UPDATE, "some-catalog.test", ""));
    assertAccessDenied(() -> accessControl.checkCanDenySchemaPrivilege(CHARLIE, UPDATE, new CatalogSchemaName("some-catalog", "bob"), grantee), format(DENY_SCHEMA_ACCESS_DENIED_MESSAGE, UPDATE, "some-catalog.bob", ""));
    assertAccessDenied(() -> accessControl.checkCanDenySchemaPrivilege(CHARLIE, UPDATE, new CatalogSchemaName("some-catalog", "staff"), grantee), format(DENY_SCHEMA_ACCESS_DENIED_MESSAGE, UPDATE, "some-catalog.staff", ""));
    accessControl.checkCanDenySchemaPrivilege(CHARLIE, UPDATE, new CatalogSchemaName("some-catalog", "authenticated"), grantee);
    assertAccessDenied(() -> accessControl.checkCanDenySchemaPrivilege(CHARLIE, UPDATE, new CatalogSchemaName("some-catalog", "test"), grantee), format(DENY_SCHEMA_ACCESS_DENIED_MESSAGE, UPDATE, "some-catalog.test", ""));
}
Also used : SystemAccessControl(io.trino.spi.security.SystemAccessControl) CatalogSchemaName(io.trino.spi.connector.CatalogSchemaName) TrinoPrincipal(io.trino.spi.security.TrinoPrincipal) Test(org.testng.annotations.Test)

Example 33 with TrinoPrincipal

use of io.trino.spi.security.TrinoPrincipal in project trino by trinodb.

the class TestFileBasedSystemAccessControl method testRevokeSchemaPrivilege.

@Test(dataProvider = "privilegeGrantOption")
public void testRevokeSchemaPrivilege(Privilege privilege, boolean grantOption) {
    SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-access-schema.json");
    TrinoPrincipal grantee = new TrinoPrincipal(PrincipalType.USER, "alice");
    accessControl.checkCanRevokeSchemaPrivilege(ADMIN, privilege, new CatalogSchemaName("some-catalog", "bob"), grantee, grantOption);
    accessControl.checkCanRevokeSchemaPrivilege(ADMIN, privilege, new CatalogSchemaName("some-catalog", "staff"), grantee, grantOption);
    accessControl.checkCanRevokeSchemaPrivilege(ADMIN, privilege, new CatalogSchemaName("some-catalog", "authenticated"), grantee, grantOption);
    accessControl.checkCanRevokeSchemaPrivilege(ADMIN, privilege, new CatalogSchemaName("some-catalog", "test"), grantee, grantOption);
    accessControl.checkCanRevokeSchemaPrivilege(BOB, privilege, new CatalogSchemaName("some-catalog", "bob"), grantee, grantOption);
    accessControl.checkCanRevokeSchemaPrivilege(BOB, privilege, new CatalogSchemaName("some-catalog", "staff"), grantee, grantOption);
    accessControl.checkCanRevokeSchemaPrivilege(BOB, privilege, new CatalogSchemaName("some-catalog", "authenticated"), grantee, grantOption);
    assertAccessDenied(() -> accessControl.checkCanRevokeSchemaPrivilege(BOB, privilege, new CatalogSchemaName("some-catalog", "test"), grantee, grantOption), format(REVOKE_SCHEMA_ACCESS_DENIED_MESSAGE, privilege, "some-catalog.test", ""));
    assertAccessDenied(() -> accessControl.checkCanRevokeSchemaPrivilege(CHARLIE, privilege, new CatalogSchemaName("some-catalog", "bob"), grantee, grantOption), format(REVOKE_SCHEMA_ACCESS_DENIED_MESSAGE, privilege, "some-catalog.bob", ""));
    assertAccessDenied(() -> accessControl.checkCanRevokeSchemaPrivilege(CHARLIE, privilege, new CatalogSchemaName("some-catalog", "staff"), grantee, grantOption), format(REVOKE_SCHEMA_ACCESS_DENIED_MESSAGE, privilege, "some-catalog.staff", ""));
    accessControl.checkCanRevokeSchemaPrivilege(CHARLIE, privilege, new CatalogSchemaName("some-catalog", "authenticated"), grantee, grantOption);
    assertAccessDenied(() -> accessControl.checkCanRevokeSchemaPrivilege(CHARLIE, privilege, new CatalogSchemaName("some-catalog", "test"), grantee, grantOption), format(REVOKE_SCHEMA_ACCESS_DENIED_MESSAGE, privilege, "some-catalog.test", ""));
}
Also used : SystemAccessControl(io.trino.spi.security.SystemAccessControl) CatalogSchemaName(io.trino.spi.connector.CatalogSchemaName) TrinoPrincipal(io.trino.spi.security.TrinoPrincipal) Test(org.testng.annotations.Test)

Example 34 with TrinoPrincipal

use of io.trino.spi.security.TrinoPrincipal in project trino by trinodb.

the class TestFileBasedAccessControl method testTableRules.

@Test
public void testTableRules() {
    SchemaTableName testTable = new SchemaTableName("test", "test");
    SchemaTableName aliceTable = new SchemaTableName("aliceschema", "alicetable");
    SchemaTableName bobTable = new SchemaTableName("bobschema", "bobtable");
    ConnectorAccessControl accessControl = createAccessControl("table.json");
    accessControl.checkCanSelectFromColumns(ALICE, testTable, ImmutableSet.of());
    accessControl.checkCanSelectFromColumns(ALICE, bobTable, ImmutableSet.of());
    accessControl.checkCanSelectFromColumns(ALICE, bobTable, ImmutableSet.of("bobcolumn"));
    accessControl.checkCanShowColumns(ALICE, bobTable);
    assertEquals(accessControl.filterColumns(ALICE, bobTable, ImmutableSet.of("a")), ImmutableSet.of("a"));
    accessControl.checkCanSelectFromColumns(BOB, bobTable, ImmutableSet.of());
    accessControl.checkCanShowColumns(BOB, bobTable);
    assertEquals(accessControl.filterColumns(BOB, bobTable, ImmutableSet.of("a")), ImmutableSet.of("a"));
    accessControl.checkCanInsertIntoTable(BOB, bobTable);
    accessControl.checkCanDeleteFromTable(BOB, bobTable);
    accessControl.checkCanTruncateTable(BOB, bobTable);
    accessControl.checkCanSelectFromColumns(CHARLIE, bobTable, ImmutableSet.of());
    accessControl.checkCanSelectFromColumns(CHARLIE, bobTable, ImmutableSet.of("bobcolumn"));
    accessControl.checkCanInsertIntoTable(CHARLIE, bobTable);
    accessControl.checkCanSelectFromColumns(JOE, bobTable, ImmutableSet.of());
    accessControl.checkCanCreateTable(ADMIN, new SchemaTableName("bob", "test"), Map.of());
    accessControl.checkCanCreateTable(ADMIN, testTable, Map.of());
    accessControl.checkCanCreateTable(ADMIN, new SchemaTableName("authenticated", "test"), Map.of());
    assertDenied(() -> accessControl.checkCanCreateTable(ADMIN, new SchemaTableName("secret", "test"), Map.of()));
    accessControl.checkCanCreateTable(ALICE, new SchemaTableName("aliceschema", "test"), Map.of());
    assertDenied(() -> accessControl.checkCanCreateTable(ALICE, testTable, Map.of()));
    assertDenied(() -> accessControl.checkCanCreateTable(CHARLIE, new SchemaTableName("aliceschema", "test"), Map.of()));
    assertDenied(() -> accessControl.checkCanCreateTable(CHARLIE, testTable, Map.of()));
    accessControl.checkCanCreateViewWithSelectFromColumns(BOB, bobTable, ImmutableSet.of());
    accessControl.checkCanDropTable(ADMIN, bobTable);
    accessControl.checkCanTruncateTable(ADMIN, bobTable);
    accessControl.checkCanRenameTable(ADMIN, bobTable, new SchemaTableName("aliceschema", "newbobtable"));
    accessControl.checkCanRenameTable(ALICE, aliceTable, new SchemaTableName("aliceschema", "newalicetable"));
    accessControl.checkCanRenameView(ADMIN, new SchemaTableName("bobschema", "bobview"), new SchemaTableName("aliceschema", "newbobview"));
    accessControl.checkCanRenameView(ALICE, new SchemaTableName("aliceschema", "aliceview"), new SchemaTableName("aliceschema", "newaliceview"));
    accessControl.checkCanRenameMaterializedView(ADMIN, new SchemaTableName("bobschema", "bobmaterializedview"), new SchemaTableName("aliceschema", "newbobaterializedview"));
    accessControl.checkCanRenameMaterializedView(ALICE, new SchemaTableName("aliceschema", "alicevaterializediew"), new SchemaTableName("aliceschema", "newaliceaterializedview"));
    accessControl.checkCanSetMaterializedViewProperties(ADMIN, new SchemaTableName("bobschema", "bobmaterializedview"), ImmutableMap.of());
    accessControl.checkCanSetMaterializedViewProperties(ALICE, new SchemaTableName("aliceschema", "alicevaterializediew"), ImmutableMap.of());
    accessControl.checkCanSetTableProperties(ADMIN, bobTable, ImmutableMap.of());
    accessControl.checkCanSetTableProperties(ALICE, aliceTable, ImmutableMap.of());
    assertDenied(() -> accessControl.checkCanInsertIntoTable(ALICE, bobTable));
    assertDenied(() -> accessControl.checkCanDropTable(BOB, bobTable));
    assertDenied(() -> accessControl.checkCanRenameTable(BOB, bobTable, new SchemaTableName("bobschema", "newbobtable")));
    assertDenied(() -> accessControl.checkCanRenameTable(ALICE, aliceTable, new SchemaTableName("bobschema", "newalicetable")));
    assertDenied(() -> accessControl.checkCanSetTableProperties(BOB, bobTable, ImmutableMap.of()));
    assertDenied(() -> accessControl.checkCanInsertIntoTable(BOB, testTable));
    assertDenied(() -> accessControl.checkCanSelectFromColumns(ADMIN, new SchemaTableName("secret", "secret"), ImmutableSet.of()));
    assertDenied(() -> accessControl.checkCanSelectFromColumns(JOE, new SchemaTableName("secret", "secret"), ImmutableSet.of()));
    assertDenied(() -> accessControl.checkCanCreateViewWithSelectFromColumns(JOE, bobTable, ImmutableSet.of()));
    assertDenied(() -> accessControl.checkCanRenameView(BOB, new SchemaTableName("bobschema", "bobview"), new SchemaTableName("bobschema", "newbobview")));
    assertDenied(() -> accessControl.checkCanRenameView(ALICE, aliceTable, new SchemaTableName("bobschema", "newalicetable")));
    assertDenied(() -> accessControl.checkCanRenameMaterializedView(BOB, new SchemaTableName("bobschema", "bobmaterializedview"), new SchemaTableName("bobschema", "newbobaterializedview")));
    assertDenied(() -> accessControl.checkCanRenameMaterializedView(ALICE, aliceTable, new SchemaTableName("bobschema", "newaliceaterializedview")));
    assertDenied(() -> accessControl.checkCanSetMaterializedViewProperties(ALICE, new SchemaTableName("bobschema", "bobmaterializedview"), ImmutableMap.of()));
    assertDenied(() -> accessControl.checkCanSetMaterializedViewProperties(BOB, new SchemaTableName("bobschema", "bobmaterializedview"), ImmutableMap.of()));
    accessControl.checkCanSetTableAuthorization(ADMIN, testTable, new TrinoPrincipal(PrincipalType.ROLE, "some_role"));
    accessControl.checkCanSetTableAuthorization(ADMIN, testTable, new TrinoPrincipal(PrincipalType.USER, "some_user"));
    accessControl.checkCanSetTableAuthorization(ALICE, aliceTable, new TrinoPrincipal(PrincipalType.ROLE, "some_role"));
    accessControl.checkCanSetTableAuthorization(ALICE, aliceTable, new TrinoPrincipal(PrincipalType.USER, "some_user"));
    assertDenied(() -> accessControl.checkCanSetTableAuthorization(ALICE, bobTable, new TrinoPrincipal(PrincipalType.ROLE, "some_role")));
    assertDenied(() -> accessControl.checkCanSetTableAuthorization(ALICE, bobTable, new TrinoPrincipal(PrincipalType.USER, "some_user")));
    accessControl.checkCanSetViewAuthorization(ADMIN, testTable, new TrinoPrincipal(PrincipalType.ROLE, "some_role"));
    accessControl.checkCanSetViewAuthorization(ADMIN, testTable, new TrinoPrincipal(PrincipalType.USER, "some_user"));
    accessControl.checkCanSetViewAuthorization(ALICE, aliceTable, new TrinoPrincipal(PrincipalType.ROLE, "some_role"));
    accessControl.checkCanSetViewAuthorization(ALICE, aliceTable, new TrinoPrincipal(PrincipalType.USER, "some_user"));
    assertDenied(() -> accessControl.checkCanSetViewAuthorization(ALICE, bobTable, new TrinoPrincipal(PrincipalType.ROLE, "some_role")));
    assertDenied(() -> accessControl.checkCanSetViewAuthorization(ALICE, bobTable, new TrinoPrincipal(PrincipalType.USER, "some_user")));
}
Also used : ConnectorAccessControl(io.trino.spi.connector.ConnectorAccessControl) TrinoPrincipal(io.trino.spi.security.TrinoPrincipal) SchemaTableName(io.trino.spi.connector.SchemaTableName) Test(org.testng.annotations.Test)

Example 35 with TrinoPrincipal

use of io.trino.spi.security.TrinoPrincipal in project trino by trinodb.

the class TestBlackHoleMetadata method testCreateSchema.

@Test
public void testCreateSchema() {
    assertEquals(metadata.listSchemaNames(SESSION), ImmutableList.of("default"));
    metadata.createSchema(SESSION, "test", ImmutableMap.of(), new TrinoPrincipal(USER, SESSION.getUser()));
    assertEquals(metadata.listSchemaNames(SESSION), ImmutableList.of("default", "test"));
}
Also used : TrinoPrincipal(io.trino.spi.security.TrinoPrincipal) Test(org.testng.annotations.Test)

Aggregations

TrinoPrincipal (io.trino.spi.security.TrinoPrincipal)57 Test (org.testng.annotations.Test)44 SchemaTableName (io.trino.spi.connector.SchemaTableName)20 Session (io.trino.Session)15 SystemAccessControl (io.trino.spi.security.SystemAccessControl)12 CatalogSchemaName (io.trino.spi.connector.CatalogSchemaName)11 USER (io.trino.spi.security.PrincipalType.USER)9 Optional (java.util.Optional)9 MockConnectorFactory (io.trino.connector.MockConnectorFactory)8 Identity (io.trino.spi.security.Identity)8 ImmutableList (com.google.common.collect.ImmutableList)7 Privilege (io.trino.spi.security.Privilege)7 TestingSession.testSessionBuilder (io.trino.testing.TestingSession.testSessionBuilder)7 ImmutableSet (com.google.common.collect.ImmutableSet)6 MockConnectorPlugin (io.trino.connector.MockConnectorPlugin)6 WarningCollector (io.trino.execution.warnings.WarningCollector)6 Metadata (io.trino.metadata.Metadata)6 AccessControl (io.trino.security.AccessControl)6 CatalogSchemaTableName (io.trino.spi.connector.CatalogSchemaTableName)6 RoleGrant (io.trino.spi.security.RoleGrant)6