use of io.trino.spi.security.ViewExpression in project trino by trinodb.
the class TestAccessControlManager method testColumnMaskOrdering.
/**
 * Verifies the order in which {@code AccessControlManager.getColumnMasks} returns masks when a
 * system access control and a catalog access control both supply one for the same column.
 *
 * <p>A system access control registered under the name "test" returns the expression
 * "system mask", and a connector access control attached to catalog "catalog" returns
 * "connector mask". The assertions expect the connector mask at index 0 and the system mask
 * at index 1.
 *
 * <p>NOTE(review): only the first two entries are inspected; the size of the returned list is
 * not asserted, so an additional trailing mask would not fail this test.
 */
@Test
public void testColumnMaskOrdering() {
    try (LocalQueryRunner runner = LocalQueryRunner.create(TEST_SESSION)) {
        TransactionManager txManager = runner.getTransactionManager();
        AccessControlManager manager = createAccessControlManager(txManager);

        // System-level side: a factory named "test" whose control masks every column it is asked about.
        SystemAccessControlFactory systemFactory = new SystemAccessControlFactory() {
            @Override
            public String getName() {
                return "test";
            }

            @Override
            public SystemAccessControl create(Map<String, String> config) {
                return new SystemAccessControl() {
                    @Override
                    public Optional<ViewExpression> getColumnMask(SystemSecurityContext context, CatalogSchemaTableName tableName, String column, Type type) {
                        ViewExpression systemMask = new ViewExpression("user", Optional.empty(), Optional.empty(), "system mask");
                        return Optional.of(systemMask);
                    }

                    @Override
                    public void checkCanSetSystemSessionProperty(SystemSecurityContext context, String propertyName) {
                        // Intentionally empty: returning without throwing lets this check pass.
                    }
                };
            }
        };
        manager.addSystemAccessControlFactory(systemFactory);
        manager.setSystemAccessControl("test", ImmutableMap.of());

        // Connector-level side: a catalog backed by the mock connector, with its own masking control.
        runner.createCatalog("catalog", MockConnectorFactory.create(), ImmutableMap.of());
        ConnectorAccessControl connectorControl = new ConnectorAccessControl() {
            @Override
            public Optional<ViewExpression> getColumnMask(ConnectorSecurityContext context, SchemaTableName tableName, String column, Type type) {
                ViewExpression connectorMask = new ViewExpression("user", Optional.empty(), Optional.empty(), "connector mask");
                return Optional.of(connectorMask);
            }

            @Override
            public void checkCanShowCreateTable(ConnectorSecurityContext context, SchemaTableName tableName) {
                // Intentionally empty: returning without throwing lets this check pass.
            }
        };
        manager.addCatalogAccessControl(new CatalogName("catalog"), connectorControl);

        transaction(txManager, manager).execute(txId -> {
            QualifiedObjectName target = new QualifiedObjectName("catalog", "schema", "table");
            List<ViewExpression> returned = manager.getColumnMasks(context(txId), target, "column", BIGINT);

            // The position in the list is the property under test: connector first, system second.
            assertEquals(returned.get(0).getExpression(), "connector mask");
            assertEquals(returned.get(1).getExpression(), "system mask");
        });
    }
}
use of io.trino.spi.security.ViewExpression in project trino by trinodb.
the class AccessControlManager method getColumnMasks.
/**
 * Collects the column masks that the registered access controls supply for one column of a table.
 *
 * <p>The catalog's connector access control is consulted first, and its mask (if any) is placed
 * at the head of the list. Each system access control is then consulted in the order
 * {@code getSystemAccessControls()} yields them, and their masks are appended. The position
 * of a mask in the result therefore reflects which layer produced it.
 *
 * <p>If {@code getConnectorAccessControl} returns {@code null} for the catalog, no
 * connector-level mask is requested and the result holds system-level masks only.
 *
 * @param context security context of the caller; must not be null
 * @param tableName fully qualified table whose column is being masked; must not be null
 * @param columnName column name, passed to the access controls without a null check here
 * @param type column type, passed to the access controls without a null check here
 * @return an immutable list of masks, connector mask first; empty when no control supplies one
 * @throws NullPointerException if {@code context} or {@code tableName} is null
 */
@Override
public List<ViewExpression> getColumnMasks(SecurityContext context, QualifiedObjectName tableName, String columnName, Type type) {
    requireNonNull(context, "context is null");
    requireNonNull(tableName, "tableName is null");

    ImmutableList.Builder<ViewExpression> collected = ImmutableList.builder();

    // connector-provided masks take precedence over global masks, so they are appended first
    CatalogAccessControlEntry catalogEntry = getConnectorAccessControl(context.getTransactionId(), tableName.getCatalogName());
    if (catalogEntry != null) {
        catalogEntry.getAccessControl()
                .getColumnMask(catalogEntry.toConnectorSecurityContext(context), tableName.asSchemaTableName(), columnName, type)
                .ifPresent(mask -> collected.add(mask));
    }

    // global (system-level) masks follow, one lookup per configured system access control
    for (SystemAccessControl systemControl : getSystemAccessControls()) {
        systemControl
                .getColumnMask(context.toSystemSecurityContext(), tableName.asCatalogSchemaTableName(), columnName, type)
                .ifPresent(mask -> collected.add(mask));
    }

    return collected.build();
}
use of io.trino.spi.security.ViewExpression in project trino by trinodb.
the class AccessControlManager method getRowFilters.
/**
 * Collects the row filters that the registered access controls supply for a table.
 *
 * <p>The catalog's connector access control is consulted first, and its filter (if any) is
 * placed at the head of the list. Each system access control is then consulted in the order
 * {@code getSystemAccessControls()} yields them, and their filters are appended.
 *
 * <p>If {@code getConnectorAccessControl} returns {@code null} for the catalog, no
 * connector-level filter is requested and the result holds system-level filters only.
 *
 * @param context security context of the caller; must not be null
 * @param tableName fully qualified table being filtered; must not be null
 * @return an immutable list of filters, connector filter first; empty when no control supplies one
 * @throws NullPointerException if {@code context} or {@code tableName} is null
 */
@Override
public List<ViewExpression> getRowFilters(SecurityContext context, QualifiedObjectName tableName) {
    requireNonNull(context, "context is null");
    requireNonNull(tableName, "tableName is null");

    ImmutableList.Builder<ViewExpression> collected = ImmutableList.builder();

    // connector-level filter, only when the catalog has an access control entry
    CatalogAccessControlEntry catalogEntry = getConnectorAccessControl(context.getTransactionId(), tableName.getCatalogName());
    if (catalogEntry != null) {
        catalogEntry.getAccessControl()
                .getRowFilter(catalogEntry.toConnectorSecurityContext(context), tableName.asSchemaTableName())
                .ifPresent(filter -> collected.add(filter));
    }

    // system-level filters, one lookup per configured system access control
    for (SystemAccessControl systemControl : getSystemAccessControls()) {
        systemControl
                .getRowFilter(context.toSystemSecurityContext(), tableName.asCatalogSchemaTableName())
                .ifPresent(filter -> collected.add(filter));
    }

    return collected.build();
}
use of io.trino.spi.security.ViewExpression in project trino by trinodb.
the class TestRowFilter method testDifferentIdentity.
/**
 * Exercises a row filter whose {@code ViewExpression} names a different identity than the user
 * the filter is registered for.
 *
 * <p>Two filters are registered on {@code tiny.orders}: one for {@code RUN_AS_USER}
 * ({@code orderkey = 1}) and one for {@code USER}, whose expression is a subquery over
 * {@code orders} and whose {@code ViewExpression} carries {@code RUN_AS_USER} as identity.
 * The expected count of 1 is consistent with that subquery being evaluated as
 * {@code RUN_AS_USER} and therefore being subject to the {@code orderkey = 1} filter.
 *
 * <p>NOTE(review): the session user is configured outside this method; presumably the query
 * runs as {@code USER} (confirm against the class setup).
 */
@Test
public void testDifferentIdentity() {
    accessControl.reset();

    QualifiedObjectName ordersTable = new QualifiedObjectName(CATALOG, "tiny", "orders");

    // Filter that applies when RUN_AS_USER reads orders.
    ViewExpression runAsUserFilter = new ViewExpression(RUN_AS_USER, Optional.of(CATALOG), Optional.of("tiny"), "orderkey = 1");
    accessControl.rowFilter(ordersTable, RUN_AS_USER, runAsUserFilter);

    // Filter that applies when USER reads orders, declared with RUN_AS_USER as its identity.
    ViewExpression userFilter = new ViewExpression(RUN_AS_USER, Optional.of(CATALOG), Optional.of("tiny"), "orderkey IN (SELECT orderkey FROM orders)");
    accessControl.rowFilter(ordersTable, USER, userFilter);

    assertThat(assertions.query("SELECT count(*) FROM orders"))
            .matches("VALUES BIGINT '1'");
}
use of io.trino.spi.security.ViewExpression in project trino by trinodb.
the class TestRowFilter method testOtherSchema.
/**
 * Exercises a row filter whose {@code ViewExpression} names a schema other than the one holding
 * the filtered table.
 *
 * <p>The filter is attached to {@code tiny.orders} but declares schema {@code sf1}, and its
 * expression refers to {@code customer} without a schema qualifier. The predicate holds only
 * when that reference resolves to {@code sf1.customer}; the query is expected to count 15000
 * rows in {@code orders}.
 */
@Test
public void testOtherSchema() {
    accessControl.reset();

    QualifiedObjectName ordersTable = new QualifiedObjectName(CATALOG, "tiny", "orders");

    // Filter is TRUE only if evaluating against sf1.customer
    ViewExpression sf1ScopedFilter = new ViewExpression(USER, Optional.of(CATALOG), Optional.of("sf1"), "(SELECT count(*) FROM customer) = 150000");
    accessControl.rowFilter(ordersTable, USER, sf1ScopedFilter);

    assertThat(assertions.query("SELECT count(*) FROM orders"))
            .matches("VALUES BIGINT '15000'");
}