Example 1 with RevokeRoles
use of io.trino.sql.tree.RevokeRoles in project trino by trinodb.
the class RevokeRolesTask method execute.
@Override
public ListenableFuture<Void> execute(RevokeRoles statement, QueryStateMachine stateMachine, List<Expression> parameters, WarningCollector warningCollector) {
Session session = stateMachine.getSession();
Set<String> roles = statement.getRoles().stream().map(role -> role.getValue().toLowerCase(Locale.ENGLISH)).collect(toImmutableSet());
Set<TrinoPrincipal> grantees = statement.getGrantees().stream().map(MetadataUtil::createPrincipal).collect(toImmutableSet());
boolean adminOption = statement.isAdminOption();
Optional<TrinoPrincipal> grantor = statement.getGrantor().map(specification -> createPrincipal(session, specification));
Optional<String> catalog = processRoleCommandCatalog(metadata, session, statement, statement.getCatalog().map(Identifier::getValue));
Set<String> specifiedRoles = new LinkedHashSet<>();
specifiedRoles.addAll(roles);
grantees.stream().filter(principal -> principal.getType() == ROLE).map(TrinoPrincipal::getName).forEach(specifiedRoles::add);
if (grantor.isPresent() && grantor.get().getType() == ROLE) {
specifiedRoles.add(grantor.get().getName());
}
for (String role : specifiedRoles) {
checkRoleExists(session, statement, metadata, role, catalog);
}
accessControl.checkCanRevokeRoles(session.toSecurityContext(), roles, grantees, adminOption, grantor, catalog);
metadata.revokeRoles(session, roles, grantees, adminOption, grantor, catalog);
return immediateVoidFuture();
}
Also used :
Futures.immediateVoidFuture(com.google.common.util.concurrent.Futures.immediateVoidFuture)
ListenableFuture(com.google.common.util.concurrent.ListenableFuture)
MetadataUtil.checkRoleExists(io.trino.metadata.MetadataUtil.checkRoleExists)
MetadataUtil(io.trino.metadata.MetadataUtil)
RevokeRoles(io.trino.sql.tree.RevokeRoles)
Set(java.util.Set)
ROLE(io.trino.spi.security.PrincipalType.ROLE)
Inject(javax.inject.Inject)
List(java.util.List)
AccessControl(io.trino.security.AccessControl)
TrinoPrincipal(io.trino.spi.security.TrinoPrincipal)
MetadataUtil.createPrincipal(io.trino.metadata.MetadataUtil.createPrincipal)
Locale(java.util.Locale)
Objects.requireNonNull(java.util.Objects.requireNonNull)
WarningCollector(io.trino.execution.warnings.WarningCollector)
Metadata(io.trino.metadata.Metadata)
Optional(java.util.Optional)
ImmutableSet.toImmutableSet(com.google.common.collect.ImmutableSet.toImmutableSet)
Expression(io.trino.sql.tree.Expression)
MetadataUtil.processRoleCommandCatalog(io.trino.metadata.MetadataUtil.processRoleCommandCatalog)
Identifier(io.trino.sql.tree.Identifier)
LinkedHashSet(java.util.LinkedHashSet)
Session(io.trino.Session)
LinkedHashSet(java.util.LinkedHashSet)
TrinoPrincipal(io.trino.spi.security.TrinoPrincipal)
Session(io.trino.Session)
Example 2 with RevokeRoles
use of io.trino.sql.tree.RevokeRoles in project trino by trinodb.
the class TestSqlParser method testRevokeRoles.
@Test
public void testRevokeRoles() {
assertStatement("REVOKE role1 FROM user1", new RevokeRoles(ImmutableSet.of(new Identifier("role1")), ImmutableSet.of(new PrincipalSpecification(PrincipalSpecification.Type.UNSPECIFIED, new Identifier("user1"))), false, Optional.empty(), Optional.empty()));
assertStatement("REVOKE ADMIN OPTION FOR role1, role2, role3 FROM user1, USER user2, ROLE role4", new RevokeRoles(ImmutableSet.of(new Identifier("role1"), new Identifier("role2"), new Identifier("role3")), ImmutableSet.of(new PrincipalSpecification(PrincipalSpecification.Type.UNSPECIFIED, new Identifier("user1")), new PrincipalSpecification(PrincipalSpecification.Type.USER, new Identifier("user2")), new PrincipalSpecification(PrincipalSpecification.Type.ROLE, new Identifier("role4"))), true, Optional.empty(), Optional.empty()));
assertStatement("REVOKE ADMIN OPTION FOR role1 FROM user1 GRANTED BY admin", new RevokeRoles(ImmutableSet.of(new Identifier("role1")), ImmutableSet.of(new PrincipalSpecification(PrincipalSpecification.Type.UNSPECIFIED, new Identifier("user1"))), true, Optional.of(new GrantorSpecification(GrantorSpecification.Type.PRINCIPAL, Optional.of(new PrincipalSpecification(PrincipalSpecification.Type.UNSPECIFIED, new Identifier("admin"))))), Optional.empty()));
assertStatement("REVOKE ADMIN OPTION FOR role1 FROM USER user1 GRANTED BY USER admin", new RevokeRoles(ImmutableSet.of(new Identifier("role1")), ImmutableSet.of(new PrincipalSpecification(PrincipalSpecification.Type.USER, new Identifier("user1"))), true, Optional.of(new GrantorSpecification(GrantorSpecification.Type.PRINCIPAL, Optional.of(new PrincipalSpecification(PrincipalSpecification.Type.USER, new Identifier("admin"))))), Optional.empty()));
assertStatement("REVOKE role1 FROM ROLE role2 GRANTED BY ROLE admin", new RevokeRoles(ImmutableSet.of(new Identifier("role1")), ImmutableSet.of(new PrincipalSpecification(PrincipalSpecification.Type.ROLE, new Identifier("role2"))), false, Optional.of(new GrantorSpecification(GrantorSpecification.Type.PRINCIPAL, Optional.of(new PrincipalSpecification(PrincipalSpecification.Type.ROLE, new Identifier("admin"))))), Optional.empty()));
assertStatement("REVOKE \"role1\" FROM ROLE \"role2\" GRANTED BY ROLE \"admin\"", new RevokeRoles(ImmutableSet.of(new Identifier("role1")), ImmutableSet.of(new PrincipalSpecification(PrincipalSpecification.Type.ROLE, new Identifier("role2"))), false, Optional.of(new GrantorSpecification(GrantorSpecification.Type.PRINCIPAL, Optional.of(new PrincipalSpecification(PrincipalSpecification.Type.ROLE, new Identifier("admin"))))), Optional.empty()));
assertStatement("REVOKE role1 FROM user1 IN my_catalog", new RevokeRoles(ImmutableSet.of(new Identifier("role1")), ImmutableSet.of(new PrincipalSpecification(PrincipalSpecification.Type.UNSPECIFIED, new Identifier("user1"))), false, Optional.empty(), Optional.of(new Identifier("my_catalog"))));
}
Also used :
RevokeRoles(io.trino.sql.tree.RevokeRoles)
QueryUtil.quotedIdentifier(io.trino.sql.QueryUtil.quotedIdentifier)
Identifier(io.trino.sql.tree.Identifier)
PrincipalSpecification(io.trino.sql.tree.PrincipalSpecification)
GrantorSpecification(io.trino.sql.tree.GrantorSpecification)
Test(org.junit.jupiter.api.Test)
Aggregations
Identifier (io.trino.sql.tree.Identifier)2
RevokeRoles (io.trino.sql.tree.RevokeRoles)2
ImmutableSet.toImmutableSet (com.google.common.collect.ImmutableSet.toImmutableSet)1
Futures.immediateVoidFuture (com.google.common.util.concurrent.Futures.immediateVoidFuture)1
ListenableFuture (com.google.common.util.concurrent.ListenableFuture)1
Session (io.trino.Session)1
WarningCollector (io.trino.execution.warnings.WarningCollector)1
Metadata (io.trino.metadata.Metadata)1
MetadataUtil (io.trino.metadata.MetadataUtil)1
MetadataUtil.checkRoleExists (io.trino.metadata.MetadataUtil.checkRoleExists)1
MetadataUtil.createPrincipal (io.trino.metadata.MetadataUtil.createPrincipal)1
MetadataUtil.processRoleCommandCatalog (io.trino.metadata.MetadataUtil.processRoleCommandCatalog)1
AccessControl (io.trino.security.AccessControl)1
ROLE (io.trino.spi.security.PrincipalType.ROLE)1
TrinoPrincipal (io.trino.spi.security.TrinoPrincipal)1
QueryUtil.quotedIdentifier (io.trino.sql.QueryUtil.quotedIdentifier)1
Expression (io.trino.sql.tree.Expression)1
GrantorSpecification (io.trino.sql.tree.GrantorSpecification)1
PrincipalSpecification (io.trino.sql.tree.PrincipalSpecification)1
LinkedHashSet (java.util.LinkedHashSet)1
