
/**
 * Masks on a view's underlying table are resolved against the view owner, not the user running
 * the query: a VIEW_OWNER mask on {@code nation.name} applies whether the query runs as RUN_AS_USER
 * or as VIEW_OWNER, a RUN_AS_USER mask on the same column is ignored when reading through the view,
 * and a mask declared directly on the view applies to the querying USER.
 */
@Test
public void testView() {
    QualifiedObjectName nationTable = new QualifiedObjectName(CATALOG, "tiny", "nation");
    QualifiedObjectName nationView = new QualifiedObjectName(MOCK_CATALOG, "default", "nation_view");
    String viewQuery = "SELECT name FROM mock.default.nation_view WHERE nationkey = 1";
    String maskedName = "VALUES CAST('ANITNEGRA' AS VARCHAR(25))";
    String unmaskedName = "VALUES CAST('ARGENTINA' AS VARCHAR(25))";

    // Mask owned by VIEW_OWNER on the base table, query executed as RUN_AS_USER:
    // the mask is applied (the expression resolves with no explicit catalog/schema).
    accessControl.reset();
    accessControl.columnMask(nationTable, "name", VIEW_OWNER,
            new ViewExpression(VIEW_OWNER, Optional.empty(), Optional.empty(), "reverse(name)"));
    Session runAsUserSession = Session.builder(SESSION)
            .setIdentity(Identity.forUser(RUN_AS_USER).build())
            .build();
    assertThat(assertions.query(runAsUserSession, viewQuery)).matches(maskedName);

    // Same mask, query executed by VIEW_OWNER themselves: still applied.
    accessControl.reset();
    accessControl.columnMask(nationTable, "name", VIEW_OWNER,
            new ViewExpression(VIEW_OWNER, Optional.of(CATALOG), Optional.of("tiny"), "reverse(name)"));
    Session viewOwnerSession = Session.builder(SESSION)
            .setIdentity(Identity.forUser(VIEW_OWNER).build())
            .build();
    assertThat(assertions.query(viewOwnerSession, viewQuery)).matches(maskedName);

    // Mask owned by RUN_AS_USER on the base table: not applied when RUN_AS_USER reads through
    // the view, because the view's base-table access is evaluated as the view owner.
    accessControl.reset();
    accessControl.columnMask(nationTable, "name", RUN_AS_USER,
            new ViewExpression(RUN_AS_USER, Optional.of(CATALOG), Optional.of("tiny"), "reverse(name)"));
    Session runAsUserAgain = Session.builder(SESSION)
            .setIdentity(Identity.forUser(RUN_AS_USER).build())
            .build();
    assertThat(assertions.query(runAsUserAgain, viewQuery)).matches(unmaskedName);

    // Mask declared on the view itself for USER (the default session identity): applied.
    accessControl.reset();
    accessControl.columnMask(nationView, "name", USER,
            new ViewExpression(USER, Optional.of(CATALOG), Optional.of("tiny"), "reverse(name)"));
    assertThat(assertions.query(viewQuery)).matches(maskedName);
}

/**
 * A column mask whose expression reads the very column it protects must be rejected, so that mask
 * evaluation cannot loop. Covers an unqualified self-reference, a fully qualified reference to the
 * same table, and a two-user cycle where USER's mask is declared with RUN_AS_USER's identity and
 * RUN_AS_USER's own mask on the same column again references {@code orders}.
 */
@Test
public void testRecursion() {
    QualifiedObjectName ordersTable = new QualifiedObjectName(CATALOG, "tiny", "orders");
    String query = "SELECT orderkey FROM orders";
    String recursiveMaskMessage = ".*\\QColumn mask for 'local.tiny.orders.orderkey' is recursive\\E.*";

    // Direct self-reference through the unqualified table name.
    accessControl.reset();
    accessControl.columnMask(ordersTable, "orderkey", USER,
            new ViewExpression(USER, Optional.of(CATALOG), Optional.of("tiny"), "(SELECT orderkey FROM orders)"));
    assertThatThrownBy(() -> assertions.query(query)).hasMessageMatching(recursiveMaskMessage);

    // Same table reached via its fully qualified name: must be detected as the same cycle.
    accessControl.reset();
    accessControl.columnMask(ordersTable, "orderkey", USER,
            new ViewExpression(USER, Optional.of(CATALOG), Optional.of("tiny"), "(SELECT orderkey FROM local.tiny.orders)"));
    assertThatThrownBy(() -> assertions.query(query)).hasMessageMatching(recursiveMaskMessage);

    // Mutual recursion: USER's mask carries RUN_AS_USER as its first (identity) argument,
    // and RUN_AS_USER's mask on the same column reads orders.orderkey again.
    accessControl.reset();
    accessControl.columnMask(ordersTable, "orderkey", RUN_AS_USER,
            new ViewExpression(RUN_AS_USER, Optional.of(CATALOG), Optional.of("tiny"), "(SELECT orderkey FROM orders)"));
    accessControl.columnMask(ordersTable, "orderkey", USER,
            new ViewExpression(RUN_AS_USER, Optional.of(CATALOG), Optional.of("tiny"), "(SELECT orderkey FROM orders)"));
    assertThatThrownBy(() -> assertions.query(query)).hasMessageMatching(recursiveMaskMessage);
}

/**
 * UPDATE against a table that has any column mask is refused outright, regardless of whether
 * the assignment touches the masked column, an unmasked column, or both. Note the mask here is
 * the identity expression {@code clerk}; its mere presence is what blocks the write.
 */
@Test
public void testUpdateWithColumnMasking() {
    QualifiedObjectName ordersTable = new QualifiedObjectName(CATALOG, "tiny", "orders");
    String rejection = "line 1:1: Updating a table with column masks is not supported";

    accessControl.reset();
    accessControl.columnMask(ordersTable, "clerk", USER,
            new ViewExpression(USER, Optional.empty(), Optional.empty(), "clerk"));

    // Assignment to the masked column.
    assertThatThrownBy(() -> assertions.query("UPDATE orders SET clerk = 'X'"))
            .hasMessage(rejection);
    // Assignment to an unmasked column only.
    assertThatThrownBy(() -> assertions.query("UPDATE orders SET orderkey = -orderkey"))
            .hasMessage(rejection);
    // Assignment to both.
    assertThatThrownBy(() -> assertions.query("UPDATE orders SET clerk = 'X', orderkey = -orderkey"))
            .hasMessage(rejection);
}

/**
 * A join column named in a {@code USING} clause is matched on its masked value: the same mask
 * on {@code orders.orderkey} and {@code lineitem.orderkey} keeps the two sides consistent, so the
 * join still produces the expected row count.
 */
@Test
public void testReferenceInUsingClause() {
    String negateFirstKey = "IF(orderkey = 1, -orderkey)";
    QualifiedObjectName ordersTable = new QualifiedObjectName(CATALOG, "tiny", "orders");
    QualifiedObjectName lineitemTable = new QualifiedObjectName(CATALOG, "tiny", "lineitem");

    accessControl.reset();
    // Separate ViewExpression instances per table, mirroring how the masks are registered.
    accessControl.columnMask(ordersTable, "orderkey", USER,
            new ViewExpression(USER, Optional.empty(), Optional.empty(), negateFirstKey));
    accessControl.columnMask(lineitemTable, "orderkey", USER,
            new ViewExpression(USER, Optional.empty(), Optional.empty(), negateFirstKey));

    assertThat(assertions.query("SELECT count(*) FROM orders JOIN lineitem USING (orderkey)"))
            .matches("VALUES BIGINT '6'");
}

/**
 * A mask expression is bound in the catalog/schema it was declared with ({@code CATALOG.tiny}),
 * not in the scope of the query it is applied to. The query defines a CTE also named
 * {@code region} yielding 'ASIA'; if the mask's {@code region} reference resolved to that CTE,
 * the masked name would be 'ASIA'. The expected 'AFRICA' shows the mask read the real table.
 */
@Test
public void testSqlInjection() {
    QualifiedObjectName nationTable = new QualifiedObjectName(CATALOG, "tiny", "nation");
    String maskReadingRegion = "(SELECT name FROM region WHERE regionkey = 0)";

    accessControl.reset();
    accessControl.columnMask(nationTable, "name", USER,
            new ViewExpression(USER, Optional.of(CATALOG), Optional.of("tiny"), maskReadingRegion));

    // Note: the two literals are concatenated with no separating space, exactly as submitted.
    String queryWithShadowingCte = "WITH region(regionkey, name) AS (VALUES (0, 'ASIA'))"
            + "SELECT name FROM nation ORDER BY name LIMIT 1";
    // 'AFRICA' comes from local.tiny.region; 'ASIA' would mean the CTE captured the mask's reference.
    String fromRealRegionTable = "VALUES CAST('AFRICA' AS VARCHAR(25))";

    assertThat(assertions.query(queryWithShadowingCte)).matches(fromRealRegionTable);
}