
Example 46 with ViewExpression

use of io.trino.spi.security.ViewExpression in project trino by trinodb.

the class TestColumnMask method testNotReferencedAndDeniedColumnMasking.

/**
 * Checks that a mask registered on a column the query never references does not get in the
 * way of the query, even though the user is denied SELECT on that masked column.
 *
 * <p>Every scenario resets the test access control, installs deny rules and one mask, and then
 * expects {@code SELECT orderkey FROM orders WHERE orderkey = 1} to return the single row
 * {@code 1}. Because each mask expression reads a denied column, the query can presumably only
 * succeed if masks on unreferenced columns are not evaluated against the deny rules.
 */
@Test
public void testNotReferencedAndDeniedColumnMasking() {
    QualifiedObjectName ordersTable = new QualifiedObjectName(CATALOG, "tiny", "orders");
    String orderKeyQuery = "SELECT orderkey FROM orders WHERE orderkey = 1";
    String expectedRow = "VALUES BIGINT '1'";

    // Scenario 1: mask on the unreferenced varchar column "clerk", which is also denied.
    // NOTE(review): the Optional.empty() pair presumably leaves catalog/schema unset for the
    // mask expression; confirm against the ViewExpression constructor.
    accessControl.reset();
    accessControl.deny(privilege("orders.clerk", SELECT_COLUMN));
    ViewExpression clerkMask = new ViewExpression(USER, Optional.empty(), Optional.empty(), "clerk");
    accessControl.columnMask(ordersTable, "clerk", USER, clerkMask);
    assertThat(assertions.query(orderKeyQuery)).matches(expectedRow);

    // Scenario 2: same shape for "totalprice" (the original comment calls it a long column).
    accessControl.reset();
    accessControl.deny(privilege("orders.totalprice", SELECT_COLUMN));
    ViewExpression totalPriceMask = new ViewExpression(USER, Optional.empty(), Optional.empty(), "totalprice");
    accessControl.columnMask(ordersTable, "totalprice", USER, totalPriceMask);
    assertThat(assertions.query(orderKeyQuery)).matches(expectedRow);

    // Scenario 3: the mask on "clerk" is a subquery that reads "orderstatus"; both columns are
    // denied, so the subquery itself would touch a column the user may not select.
    accessControl.reset();
    accessControl.deny(privilege("orders.clerk", SELECT_COLUMN));
    accessControl.deny(privilege("orders.orderstatus", SELECT_COLUMN));
    ViewExpression subqueryMask = new ViewExpression(USER, Optional.empty(), Optional.empty(), "(SELECT orderstatus FROM local.tiny.orders)");
    accessControl.columnMask(ordersTable, "clerk", USER, subqueryMask);
    assertThat(assertions.query(orderKeyQuery)).matches(expectedRow);
}
Also used : QualifiedObjectName(io.trino.metadata.QualifiedObjectName) ViewExpression(io.trino.spi.security.ViewExpression) Test(org.junit.jupiter.api.Test)

Example 47 with ViewExpression

use of io.trino.spi.security.ViewExpression in project trino by trinodb.

the class TestColumnMask method testInsertWithColumnMasking.

/**
 * Checks that an INSERT whose target table carries a column mask is rejected.
 *
 * <p>The statement must fail with the exact message asserted below rather than run against
 * the masked table.
 */
@Test
public void testInsertWithColumnMasking() {
    accessControl.reset();

    // Register a mask on "clerk"; the mask expression is the column itself.
    QualifiedObjectName ordersTable = new QualifiedObjectName(CATALOG, "tiny", "orders");
    ViewExpression clerkMask = new ViewExpression(USER, Optional.empty(), Optional.empty(), "clerk");
    accessControl.columnMask(ordersTable, "clerk", USER, clerkMask);

    // "orders" is both the source and the target of the statement.
    String insertStatement = "INSERT INTO orders SELECT * FROM orders";
    assertThatThrownBy(() -> assertions.query(insertStatement))
            .hasMessage("Insert into table with column masks is not supported");
}
Also used : QualifiedObjectName(io.trino.metadata.QualifiedObjectName) ViewExpression(io.trino.spi.security.ViewExpression) Test(org.junit.jupiter.api.Test)

Example 48 with ViewExpression

use of io.trino.spi.security.ViewExpression in project trino by trinodb.

the class TestColumnMask method testInvalidMasks.

/**
 * Checks that a malformed or disallowed column mask makes the query fail with a specific
 * error instead of being skipped.
 *
 * <p>Each case resets the test access control, installs one bad mask on {@code orderkey}, and
 * asserts the exact failure message of {@code SELECT orderkey FROM orders}. Failing the query
 * is the safe outcome here: the assertions would not hold if a broken mask were ignored and
 * the column returned as-is.
 */
@Test
public void testInvalidMasks() {
    QualifiedObjectName ordersTable = new QualifiedObjectName(CATALOG, "tiny", "orders");
    String query = "SELECT orderkey FROM orders";

    // Case 1: the mask text is not parseable as an expression.
    accessControl.reset();
    ViewExpression unparseable = new ViewExpression(RUN_AS_USER, Optional.of(CATALOG), Optional.of("tiny"), "$$$");
    accessControl.columnMask(ordersTable, "orderkey", USER, unparseable);
    assertThatThrownBy(() -> assertions.query(query))
            .hasMessage("line 1:22: Invalid column mask for 'local.tiny.orders.orderkey': mismatched input '$'. Expecting: <expression>");

    // Case 2: the mask refers to a column that cannot be resolved.
    accessControl.reset();
    ViewExpression unknownColumn = new ViewExpression(RUN_AS_USER, Optional.of(CATALOG), Optional.of("tiny"), "unknown_column");
    accessControl.columnMask(ordersTable, "orderkey", USER, unknownColumn);
    assertThatThrownBy(() -> assertions.query(query))
            .hasMessage("line 1:22: Invalid column mask for 'local.tiny.orders.orderkey': Column 'unknown_column' cannot be resolved");

    // Case 3: the mask yields varchar(3) while the masked column is bigint.
    accessControl.reset();
    ViewExpression wrongType = new ViewExpression(RUN_AS_USER, Optional.of(CATALOG), Optional.of("tiny"), "'foo'");
    accessControl.columnMask(ordersTable, "orderkey", USER, wrongType);
    assertThatThrownBy(() -> assertions.query(query))
            .hasMessage("line 1:22: Expected column mask for 'local.tiny.orders.orderkey' to be of type bigint, but was varchar(3)");

    // Case 4: the mask contains an aggregation.
    accessControl.reset();
    ViewExpression withAggregation = new ViewExpression(RUN_AS_USER, Optional.of(CATALOG), Optional.of("tiny"), "count(*) > 0");
    accessControl.columnMask(ordersTable, "orderkey", USER, withAggregation);
    assertThatThrownBy(() -> assertions.query(query))
            .hasMessage("line 1:10: Column mask for 'orders.orderkey' cannot contain aggregations, window functions or grouping operations: [count(*)]");

    // Case 5: the mask contains a window function.
    accessControl.reset();
    ViewExpression withWindow = new ViewExpression(RUN_AS_USER, Optional.of(CATALOG), Optional.of("tiny"), "row_number() OVER () > 0");
    accessControl.columnMask(ordersTable, "orderkey", USER, withWindow);
    assertThatThrownBy(() -> assertions.query(query))
            .hasMessage("line 1:22: Column mask for 'orders.orderkey' cannot contain aggregations, window functions or grouping operations: [row_number() OVER ()]");

    // Case 6: the mask contains a grouping operation.
    // NOTE(review): this case passes USER as the first ViewExpression argument where the other
    // five pass RUN_AS_USER; confirm the difference is intentional.
    accessControl.reset();
    ViewExpression withGrouping = new ViewExpression(USER, Optional.of(CATALOG), Optional.of("tiny"), "grouping(orderkey) = 0");
    accessControl.columnMask(ordersTable, "orderkey", USER, withGrouping);
    assertThatThrownBy(() -> assertions.query(query))
            .hasMessage("line 1:20: Column mask for 'orders.orderkey' cannot contain aggregations, window functions or grouping operations: [GROUPING (orderkey)]");
}
Also used : QualifiedObjectName(io.trino.metadata.QualifiedObjectName) ViewExpression(io.trino.spi.security.ViewExpression) Test(org.junit.jupiter.api.Test)

Example 49 with ViewExpression

use of io.trino.spi.security.ViewExpression in project trino by trinodb.

the class TestColumnMask method testSimpleMask.

/**
 * Checks that a simple mask expression replaces the value of the masked column in the
 * query result.
 *
 * <p>Two masks on {@code custkey} are tried in turn: a negation of the column and a constant
 * {@code NULL}. In both cases the query must return the mask's value, not the stored one.
 */
@Test
public void testSimpleMask() {
    QualifiedObjectName ordersTable = new QualifiedObjectName(CATALOG, "tiny", "orders");
    String custKeyQuery = "SELECT custkey FROM orders WHERE orderkey = 1";

    // Negating mask: the expected result is -370 for this row.
    accessControl.reset();
    ViewExpression negatingMask = new ViewExpression(USER, Optional.empty(), Optional.empty(), "-custkey");
    accessControl.columnMask(ordersTable, "custkey", USER, negatingMask);
    assertThat(assertions.query(custKeyQuery)).matches("VALUES BIGINT '-370'");

    // NULL mask: the value is hidden entirely, and the result keeps the column's bigint type.
    accessControl.reset();
    ViewExpression nullMask = new ViewExpression(USER, Optional.empty(), Optional.empty(), "NULL");
    accessControl.columnMask(ordersTable, "custkey", USER, nullMask);
    assertThat(assertions.query(custKeyQuery)).matches("VALUES CAST(NULL AS BIGINT)");
}
Also used : QualifiedObjectName(io.trino.metadata.QualifiedObjectName) ViewExpression(io.trino.spi.security.ViewExpression) Test(org.junit.jupiter.api.Test)

Example 50 with ViewExpression

use of io.trino.spi.security.ViewExpression in project trino by trinodb.

the class TestColumnMask method testShowStats.

/**
 * Checks the output of {@code SHOW STATS} over queries on a table whose {@code orderkey}
 * column is masked with the constant {@code 7}.
 *
 * <p>The expected rows for {@code orderkey} carry {@code '7'} in their last two fields, so the
 * statistics are presumably derived from the mask expression rather than from the underlying
 * column; the unmasked {@code clerk} column keeps its own figures.
 */
@Test
public void testShowStats() {
    accessControl.reset();
    QualifiedObjectName ordersTable = new QualifiedObjectName(CATALOG, "tiny", "orders");
    ViewExpression constantMask = new ViewExpression(USER, Optional.of(CATALOG), Optional.of("tiny"), "7");
    accessControl.columnMask(ordersTable, "orderkey", USER, constantMask);

    // SELECT *: only the masked column, one unmasked column and the summary row are checked
    // (containsAll), so rows for the remaining columns are not asserted here.
    String expectedForAllColumns = "VALUES "
            + "(VARCHAR 'orderkey', CAST(NULL AS double), 1e0, 0e1, NULL, '7', '7'),"
            + "(VARCHAR 'clerk', 15e3, 1e3, 0e1, NULL, CAST(NULL AS varchar), CAST(NULL AS varchar)),"
            + "(NULL, NULL, NULL, NULL, 15e3, NULL, NULL)";
    assertThat(assertions.query("SHOW STATS FOR (SELECT * FROM orders)")).containsAll(expectedForAllColumns);

    // Masked column alone: exact match on its row plus the summary row.
    String expectedForOrderKey = "VALUES "
            + "(VARCHAR 'orderkey', CAST(NULL AS double), 1e0, 0e1, NULL, VARCHAR '7', VARCHAR '7'),"
            + "(NULL, NULL, NULL, NULL, 15e3, NULL, NULL)";
    assertThat(assertions.query("SHOW STATS FOR (SELECT orderkey FROM orders)")).matches(expectedForOrderKey);

    // Unmasked column alone: exact match on its row plus the summary row.
    String expectedForClerk = "VALUES "
            + "(VARCHAR 'clerk', 15e3, 1e3, 0e1, NULL, CAST(NULL AS varchar), CAST(NULL AS varchar)),"
            + "(NULL, NULL, NULL, NULL, 15e3, NULL, NULL)";
    assertThat(assertions.query("SHOW STATS FOR (SELECT clerk FROM orders)")).matches(expectedForClerk);
}
Also used : QualifiedObjectName(io.trino.metadata.QualifiedObjectName) ViewExpression(io.trino.spi.security.ViewExpression) Test(org.junit.jupiter.api.Test)

Aggregations

ViewExpression (io.trino.spi.security.ViewExpression)56 QualifiedObjectName (io.trino.metadata.QualifiedObjectName)48 Test (org.junit.jupiter.api.Test)41 Test (org.testng.annotations.Test)10 SystemAccessControl (io.trino.spi.security.SystemAccessControl)7 ImmutableList (com.google.common.collect.ImmutableList)5 TrinoException (io.trino.spi.TrinoException)5 CatalogSchemaTableName (io.trino.spi.connector.CatalogSchemaTableName)5 SchemaTableName (io.trino.spi.connector.SchemaTableName)4 ImmutableSet (com.google.common.collect.ImmutableSet)3 ImmutableSet.toImmutableSet (com.google.common.collect.ImmutableSet.toImmutableSet)3 AllowAllSystemAccessControl (io.trino.plugin.base.security.AllowAllSystemAccessControl)3 DefaultSystemAccessControl (io.trino.plugin.base.security.DefaultSystemAccessControl)3 ReadOnlySystemAccessControl (io.trino.plugin.base.security.ReadOnlySystemAccessControl)3 Suppliers.memoizeWithExpiration (com.google.common.base.Suppliers.memoizeWithExpiration)2 ImmutableList.toImmutableList (com.google.common.collect.ImmutableList.toImmutableList)2 Injector (com.google.inject.Injector)2 Bootstrap (io.airlift.bootstrap.Bootstrap)2 ConfigBinder.configBinder (io.airlift.configuration.ConfigBinder.configBinder)2 Logger (io.airlift.log.Logger)2