From e16620f09b94cc7f6dea96dd5b9a509b388b23e8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Grzegorz=20Kokosi=C5=84ski?= Date: Thu, 24 Nov 2022 13:40:05 +0100 Subject: [PATCH] Pass properties when checking access for CREATE SCHEMA --- .../io/trino/execution/CreateSchemaTask.java | 20 ++++++------ .../java/io/trino/security/AccessControl.java | 2 +- .../trino/security/AccessControlManager.java | 6 ++-- .../trino/security/AllowAllAccessControl.java | 2 +- .../trino/security/DenyAllAccessControl.java | 2 +- .../security/ForwardingAccessControl.java | 4 +-- .../InjectedConnectorAccessControl.java | 10 +++++- .../testing/AllowAllAccessControlManager.java | 2 +- .../testing/TestingAccessControlManager.java | 4 +-- .../TestFileBasedSystemAccessControl.java | 8 ++--- .../spi/connector/ConnectorAccessControl.java | 11 +++++++ .../spi/security/SystemAccessControl.java | 11 +++++++ ...ClassLoaderSafeConnectorAccessControl.java | 8 +++++ .../base/security/AllowAllAccessControl.java | 5 +++ .../security/AllowAllSystemAccessControl.java | 5 +++ .../base/security/FileBasedAccessControl.java | 6 ++++ .../FileBasedSystemAccessControl.java | 6 ++++ .../ForwardingConnectorAccessControl.java | 6 ++++ .../ForwardingSystemAccessControl.java | 6 ++++ .../security/TestFileBasedAccessControl.java | 31 ++++++++++--------- .../TestFileBasedSystemAccessControl.java | 31 ++++++++++--------- .../hive/security/LegacyAccessControl.java | 5 +++ .../security/SqlStandardAccessControl.java | 6 ++++ 23 files changed, 140 insertions(+), 57 deletions(-) diff --git a/core/trino-main/src/main/java/io/trino/execution/CreateSchemaTask.java b/core/trino-main/src/main/java/io/trino/execution/CreateSchemaTask.java index 82093ebae5e0..dabcedd5c8c8 100644 --- a/core/trino-main/src/main/java/io/trino/execution/CreateSchemaTask.java +++ b/core/trino-main/src/main/java/io/trino/execution/CreateSchemaTask.java 
@@ -88,17 +88,6 @@ static ListenableFuture internalExecute( { CatalogSchemaName schema = createCatalogSchemaName(session, statement, Optional.of(statement.getSchemaName())); - // TODO: validate that catalog exists - - accessControl.checkCanCreateSchema(session.toSecurityContext(), schema); - - if (plannerContext.getMetadata().schemaExists(session, schema)) { - if (!statement.isNotExists()) { - throw semanticException(SCHEMA_ALREADY_EXISTS, statement, "Schema '%s' already exists", schema); - } - return immediateVoidFuture(); - } - String catalogName = schema.getCatalogName(); CatalogHandle catalogHandle = getRequiredCatalogHandle(plannerContext.getMetadata(), session, statement, catalogName); @@ -112,6 +101,15 @@ static ListenableFuture internalExecute( bindParameters(statement, parameters), true); + accessControl.checkCanCreateSchema(session.toSecurityContext(), schema, properties); + + if (plannerContext.getMetadata().schemaExists(session, schema)) { + if (!statement.isNotExists()) { + throw semanticException(SCHEMA_ALREADY_EXISTS, statement, "Schema '%s' already exists", schema); + } + return immediateVoidFuture(); + } + TrinoPrincipal principal = getCreatePrincipal(statement, session, plannerContext.getMetadata(), catalogName); try { plannerContext.getMetadata().createSchema(session, schema, properties, principal); diff --git a/core/trino-main/src/main/java/io/trino/security/AccessControl.java b/core/trino-main/src/main/java/io/trino/security/AccessControl.java index 6b53d9320718..83e19df1d5de 100644 --- a/core/trino-main/src/main/java/io/trino/security/AccessControl.java +++ b/core/trino-main/src/main/java/io/trino/security/AccessControl.java 
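Review bot: Moving `accessControl.checkCanCreateSchema(...)` below `getRequiredCatalogHandle(...)` and the schema-property evaluation changes what an unauthorized caller can observe: the catalog-resolution and property-validation errors are now raised before access control is consulted, whereas the removed call ran first and (per the `AccessControlManager` hunk) began with `checkCanAccessCatalog`. If `getRequiredCatalogHandle` fails for an unknown catalog as its name suggests, a user with no access to the catalog can now distinguish "catalog does not exist" from "access denied", and can probe valid property names and values through the binding errors. The move is needed to pass `properties`, but the catalog-access check could still be performed up front, for example `accessControl.checkCanAccessCatalog(session.toSecurityContext(), catalogName);` immediately after `schema` is computed, if that method is exposed on the `AccessControl` interface (only the manager's version is visible in this patch). Worth a comment on the new call site either way: `// properties must be bound before the access check so property-aware policies can see them`. `internalExecute` starts and ends outside this hunk.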
@@ -109,7 +109,7 @@ public interface AccessControl * * @throws AccessDeniedException if not allowed */ - void checkCanCreateSchema(SecurityContext context, CatalogSchemaName schemaName); + void checkCanCreateSchema(SecurityContext context, CatalogSchemaName schemaName, Map properties); /** * Check if identity is allowed to drop the specified schema. diff --git a/core/trino-main/src/main/java/io/trino/security/AccessControlManager.java b/core/trino-main/src/main/java/io/trino/security/AccessControlManager.java index b57e69fb7ae3..dd7178cb6669 100644 --- a/core/trino-main/src/main/java/io/trino/security/AccessControlManager.java +++ b/core/trino-main/src/main/java/io/trino/security/AccessControlManager.java @@ -303,16 +303,16 @@ public Set filterCatalogs(SecurityContext securityContext, Set c } @Override - public void checkCanCreateSchema(SecurityContext securityContext, CatalogSchemaName schemaName) + public void checkCanCreateSchema(SecurityContext securityContext, CatalogSchemaName schemaName, Map properties) { requireNonNull(securityContext, "securityContext is null"); requireNonNull(schemaName, "schemaName is null"); checkCanAccessCatalog(securityContext, schemaName.getCatalogName()); - systemAuthorizationCheck(control -> control.checkCanCreateSchema(securityContext.toSystemSecurityContext(), schemaName)); + systemAuthorizationCheck(control -> control.checkCanCreateSchema(securityContext.toSystemSecurityContext(), schemaName, properties)); - catalogAuthorizationCheck(schemaName.getCatalogName(), securityContext, (control, context) -> control.checkCanCreateSchema(context, schemaName.getSchemaName())); + catalogAuthorizationCheck(schemaName.getCatalogName(), securityContext, (control, context) -> control.checkCanCreateSchema(context, schemaName.getSchemaName(), properties)); } @Override 
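Review bot: `AccessControlManager.checkCanCreateSchema` validates `securityContext` and `schemaName` with `requireNonNull` but hands the new `properties` argument straight to the system and catalog checks without the same guard; add `requireNonNull(properties, "properties is null");` next to the other two so a `null` map fails here rather than inside an arbitrary plugin's policy code. On the `AccessControl` interface hunk on this same line, the Javadoc was not updated for the new parameter; a `@param properties schema properties from the CREATE SCHEMA statement, evaluated before the check` line would tell implementors what they are being handed. The `Map` type parameters are not visible in this rendering of the patch, so I cannot confirm the map's value type.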
diff --git a/core/trino-main/src/main/java/io/trino/security/AllowAllAccessControl.java b/core/trino-main/src/main/java/io/trino/security/AllowAllAccessControl.java index a3e34dddb459..948be0785ee5 100644 --- a/core/trino-main/src/main/java/io/trino/security/AllowAllAccessControl.java +++ b/core/trino-main/src/main/java/io/trino/security/AllowAllAccessControl.java @@ -79,7 +79,7 @@ public Set filterCatalogs(SecurityContext context, Set catalogs) } @Override - public void checkCanCreateSchema(SecurityContext context, CatalogSchemaName schemaName) + public void checkCanCreateSchema(SecurityContext context, CatalogSchemaName schemaName, Map properties) { } diff --git a/core/trino-main/src/main/java/io/trino/security/DenyAllAccessControl.java b/core/trino-main/src/main/java/io/trino/security/DenyAllAccessControl.java index 9243fe23347b..a4a7f2bee9aa 100644 --- a/core/trino-main/src/main/java/io/trino/security/DenyAllAccessControl.java +++ b/core/trino-main/src/main/java/io/trino/security/DenyAllAccessControl.java @@ -152,7 +152,7 @@ public Set filterCatalogs(SecurityContext context, Set catalogs) } @Override - public void checkCanCreateSchema(SecurityContext context, CatalogSchemaName schemaName) + public void checkCanCreateSchema(SecurityContext context, CatalogSchemaName schemaName, Map properties) { denyCreateSchema(schemaName.toString()); } diff --git a/core/trino-main/src/main/java/io/trino/security/ForwardingAccessControl.java b/core/trino-main/src/main/java/io/trino/security/ForwardingAccessControl.java index ba1198188207..7479533c4a16 100644 --- a/core/trino-main/src/main/java/io/trino/security/ForwardingAccessControl.java +++ b/core/trino-main/src/main/java/io/trino/security/ForwardingAccessControl.java 
@@ -108,9 +108,9 @@ public Set filterCatalogs(SecurityContext context, Set catalogs) } @Override - public void checkCanCreateSchema(SecurityContext context, CatalogSchemaName schemaName) + public void checkCanCreateSchema(SecurityContext context, CatalogSchemaName schemaName, Map properties) { - delegate().checkCanCreateSchema(context, schemaName); + delegate().checkCanCreateSchema(context, schemaName, properties); } @Override diff --git a/core/trino-main/src/main/java/io/trino/security/InjectedConnectorAccessControl.java b/core/trino-main/src/main/java/io/trino/security/InjectedConnectorAccessControl.java index 4707020ea0e7..5f80f04accc9 100644 --- a/core/trino-main/src/main/java/io/trino/security/InjectedConnectorAccessControl.java +++ b/core/trino-main/src/main/java/io/trino/security/InjectedConnectorAccessControl.java @@ -14,6 +14,7 @@ package io.trino.security; import com.google.common.collect.ImmutableList; +import com.google.common.collect.ImmutableMap; import io.trino.metadata.QualifiedObjectName; import io.trino.spi.TrinoException; import io.trino.spi.connector.CatalogSchemaName; @@ -52,11 +53,18 @@ public InjectedConnectorAccessControl(AccessControl accessControl, SecurityConte this.catalogName = requireNonNull(catalogName, "catalogName is null"); } + @Override + public void checkCanCreateSchema(ConnectorSecurityContext context, String schemaName, Map properties) + { + checkArgument(context == null, "context must be null"); + accessControl.checkCanCreateSchema(securityContext, getCatalogSchemaName(schemaName), properties); + } + @Override public void checkCanCreateSchema(ConnectorSecurityContext context, String schemaName) { checkArgument(context == null, "context must be null"); - accessControl.checkCanCreateSchema(securityContext, getCatalogSchemaName(schemaName)); + accessControl.checkCanCreateSchema(securityContext, getCatalogSchemaName(schemaName), ImmutableMap.of()); } @Override 
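Review bot: In `InjectedConnectorAccessControl` the two-argument `checkCanCreateSchema` now forwards with `ImmutableMap.of()`, so any connector that still calls the old entry point has its statement properties dropped before the system access control sees them, and a property-aware policy is silently not applied for that path. That is an acceptable compatibility bridge, but it should be visible: mark the override `@Deprecated` to match the SPI declaration, and add `// legacy entry point: properties are not available here, so property-based policies cannot be enforced` above the forwarding call. `checkArgument(context == null, ...)` is preserved on both overloads, which is correct for this class.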
diff --git a/core/trino-main/src/main/java/io/trino/testing/AllowAllAccessControlManager.java b/core/trino-main/src/main/java/io/trino/testing/AllowAllAccessControlManager.java index fa6f9bf0e857..556ffc227f3e 100644 --- a/core/trino-main/src/main/java/io/trino/testing/AllowAllAccessControlManager.java +++ b/core/trino-main/src/main/java/io/trino/testing/AllowAllAccessControlManager.java @@ -67,7 +67,7 @@ public Set filterCatalogs(SecurityContext context, Set catalogs) } @Override - public void checkCanCreateSchema(SecurityContext context, CatalogSchemaName schemaName) {} + public void checkCanCreateSchema(SecurityContext context, CatalogSchemaName schemaName, Map properties) {} @Override public void checkCanDropSchema(SecurityContext context, CatalogSchemaName schemaName) {} diff --git a/core/trino-main/src/main/java/io/trino/testing/TestingAccessControlManager.java b/core/trino-main/src/main/java/io/trino/testing/TestingAccessControlManager.java index ff9b8cc39f8f..ddb45fb97625 100644 --- a/core/trino-main/src/main/java/io/trino/testing/TestingAccessControlManager.java +++ b/core/trino-main/src/main/java/io/trino/testing/TestingAccessControlManager.java @@ -309,13 +309,13 @@ public void checkCanKillQueryOwnedBy(Identity identity, Identity queryOwner) } @Override - public void checkCanCreateSchema(SecurityContext context, CatalogSchemaName schemaName) + public void checkCanCreateSchema(SecurityContext context, CatalogSchemaName schemaName, Map properties) { if (shouldDenyPrivilege(context.getIdentity().getUser(), schemaName.getSchemaName(), CREATE_SCHEMA)) { denyCreateSchema(schemaName.toString()); } if (denyPrivileges.isEmpty()) { - super.checkCanCreateSchema(context, schemaName); + super.checkCanCreateSchema(context, schemaName, properties); } } 
diff --git a/core/trino-main/src/test/java/io/trino/security/TestFileBasedSystemAccessControl.java b/core/trino-main/src/test/java/io/trino/security/TestFileBasedSystemAccessControl.java index 1b42e3f57a08..3e06f94dc369 100644 --- a/core/trino-main/src/test/java/io/trino/security/TestFileBasedSystemAccessControl.java +++ b/core/trino-main/src/test/java/io/trino/security/TestFileBasedSystemAccessControl.java @@ -250,13 +250,13 @@ public void testSchemaOperations() assertEquals(accessControlManager.filterSchemas(new SecurityContext(transactionId, alice, queryId), "alice-catalog", aliceSchemas), aliceSchemas); assertEquals(accessControlManager.filterSchemas(new SecurityContext(transactionId, bob, queryId), "alice-catalog", aliceSchemas), ImmutableSet.of()); - accessControlManager.checkCanCreateSchema(new SecurityContext(transactionId, alice, queryId), aliceSchema); + accessControlManager.checkCanCreateSchema(new SecurityContext(transactionId, alice, queryId), aliceSchema, ImmutableMap.of()); accessControlManager.checkCanDropSchema(new SecurityContext(transactionId, alice, queryId), aliceSchema); accessControlManager.checkCanRenameSchema(new SecurityContext(transactionId, alice, queryId), aliceSchema, "new-schema"); accessControlManager.checkCanShowSchemas(new SecurityContext(transactionId, alice, queryId), "alice-catalog"); }); assertThatThrownBy(() -> transaction(transactionManager, accessControlManager).execute(transactionId -> { - accessControlManager.checkCanCreateSchema(new SecurityContext(transactionId, bob, queryId), aliceSchema); + accessControlManager.checkCanCreateSchema(new SecurityContext(transactionId, bob, queryId), aliceSchema, ImmutableMap.of()); })).isInstanceOf(AccessDeniedException.class) .hasMessage("Access Denied: Cannot access catalog alice-catalog"); } 
@@ -277,7 +277,7 @@ public void testSchemaOperationsReadOnly() }); assertThatThrownBy(() -> transaction(transactionManager, accessControlManager).execute(transactionId -> { - accessControlManager.checkCanCreateSchema(new SecurityContext(transactionId, alice, queryId), aliceSchema); + accessControlManager.checkCanCreateSchema(new SecurityContext(transactionId, alice, queryId), aliceSchema, ImmutableMap.of()); })).isInstanceOf(AccessDeniedException.class) .hasMessage("Access Denied: Cannot create schema alice-catalog.schema"); @@ -292,7 +292,7 @@ public void testSchemaOperationsReadOnly() .hasMessage("Access Denied: Cannot rename schema from alice-catalog.schema to new-schema"); assertThatThrownBy(() -> transaction(transactionManager, accessControlManager).execute(transactionId -> { - accessControlManager.checkCanCreateSchema(new SecurityContext(transactionId, bob, queryId), aliceSchema); + accessControlManager.checkCanCreateSchema(new SecurityContext(transactionId, bob, queryId), aliceSchema, ImmutableMap.of()); })).isInstanceOf(AccessDeniedException.class) .hasMessage("Access Denied: Cannot access catalog alice-catalog"); } diff --git a/core/trino-spi/src/main/java/io/trino/spi/connector/ConnectorAccessControl.java b/core/trino-spi/src/main/java/io/trino/spi/connector/ConnectorAccessControl.java index a91527c5ce8c..4755f90744e4 100644 --- a/core/trino-spi/src/main/java/io/trino/spi/connector/ConnectorAccessControl.java +++ b/core/trino-spi/src/main/java/io/trino/spi/connector/ConnectorAccessControl.java 
@@ -88,11 +88,22 @@ public interface ConnectorAccessControl { + /** + * Check if identity is allowed to create the specified schema with properties. + * + * @throws io.trino.spi.security.AccessDeniedException if not allowed + */ + default void checkCanCreateSchema(ConnectorSecurityContext context, String schemaName, Map properties) + { + denyCreateSchema(schemaName); + } + /** * Check if identity is allowed to create the specified schema. * * @throws io.trino.spi.security.AccessDeniedException if not allowed */ + @Deprecated default void checkCanCreateSchema(ConnectorSecurityContext context, String schemaName) { denyCreateSchema(schemaName); diff --git a/core/trino-spi/src/main/java/io/trino/spi/security/SystemAccessControl.java b/core/trino-spi/src/main/java/io/trino/spi/security/SystemAccessControl.java index 70f53bb3b386..5cc46e8d81d1 100644 --- a/core/trino-spi/src/main/java/io/trino/spi/security/SystemAccessControl.java +++ b/core/trino-spi/src/main/java/io/trino/spi/security/SystemAccessControl.java @@ -253,11 +253,22 @@ default Set filterCatalogs(SystemSecurityContext context, Set ca return emptySet(); } + /** + * Check if identity is allowed to create the specified schema with properties in a catalog. + * + * @throws AccessDeniedException if not allowed + */ + default void checkCanCreateSchema(SystemSecurityContext context, CatalogSchemaName schema, Map properties) + { + denyCreateSchema(schema.toString()); + } + /** * Check if identity is allowed to create the specified schema in a catalog. * * @throws AccessDeniedException if not allowed */ + @Deprecated default void checkCanCreateSchema(SystemSecurityContext context, CatalogSchemaName schema) { denyCreateSchema(schema.toString()); 
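Review bot: The new three-argument `checkCanCreateSchema` default in both `ConnectorAccessControl` and `SystemAccessControl` unconditionally calls `denyCreateSchema(...)` instead of delegating to the deprecated two-argument method, and `AccessControlManager` now only invokes the three-argument form; an external plugin that overrides only the old method therefore denies every CREATE SCHEMA after this upgrade. Failing closed is the safe direction for an authorization SPI, but if that is intentional it should be stated in the Javadoc, and if compatibility is intended the default should be `checkCanCreateSchema(context, schema);` (and `checkCanCreateSchema(context, schemaName);` on the connector side) so existing policies stay in force while ignoring properties. The `@Deprecated` annotations also lack a `@deprecated` Javadoc tag naming the replacement; e.g. `@deprecated use {@link #checkCanCreateSchema(SystemSecurityContext, CatalogSchemaName, Map)}`.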
diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/classloader/ClassLoaderSafeConnectorAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/classloader/ClassLoaderSafeConnectorAccessControl.java index 21e171da7ef3..6775dadb9100 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/classloader/ClassLoaderSafeConnectorAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/classloader/ClassLoaderSafeConnectorAccessControl.java @@ -46,6 +46,14 @@ public ClassLoaderSafeConnectorAccessControl(@ForClassLoaderSafe ConnectorAccess this.classLoader = requireNonNull(classLoader, "classLoader is null"); } + @Override + public void checkCanCreateSchema(ConnectorSecurityContext context, String schemaName, Map properties) + { + try (ThreadContextClassLoader ignored = new ThreadContextClassLoader(classLoader)) { + delegate.checkCanCreateSchema(context, schemaName, properties); + } + } + @Override public void checkCanCreateSchema(ConnectorSecurityContext context, String schemaName) { diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllAccessControl.java index ac867926d718..497e483393c7 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllAccessControl.java @@ -32,6 +32,11 @@ public class AllowAllAccessControl implements ConnectorAccessControl { + @Override + public void checkCanCreateSchema(ConnectorSecurityContext context, String schemaName, Map properties) + { + } + @Override public void checkCanCreateSchema(ConnectorSecurityContext context, String schemaName) { 
diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllSystemAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllSystemAccessControl.java index 1672b5f480f3..77c8269f5905 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllSystemAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllSystemAccessControl.java @@ -136,6 +136,11 @@ public Set filterCatalogs(SystemSecurityContext context, Set cat return catalogs; } + @Override + public void checkCanCreateSchema(SystemSecurityContext context, CatalogSchemaName schema, Map properties) + { + } + @Override public void checkCanCreateSchema(SystemSecurityContext context, CatalogSchemaName schema) { diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedAccessControl.java index e86aa32f7534..b9861bf8943b 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedAccessControl.java @@ -139,6 +139,12 @@ public FileBasedAccessControl(CatalogName catalogName, File configFile) this.anySchemaPermissionsRules = anySchemaPermissionsRules.build(); } + @Override + public void checkCanCreateSchema(ConnectorSecurityContext context, String schemaName, Map properties) + { + checkCanCreateSchema(context, schemaName); + } + @Override public void checkCanCreateSchema(ConnectorSecurityContext context, String schemaName) { diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedSystemAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedSystemAccessControl.java index cd0b81b56186..81ff9c5eb95d 100644 
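Review bot: `FileBasedAccessControl.checkCanCreateSchema(context, schemaName, properties)` simply forwards to the two-argument version, so the file-based rules do not consider schema properties at all; that is reasonable for this rule format but is not obvious to someone reading only the new overload, and the same applies to the `FileBasedSystemAccessControl` hunk on the next line. A one-line comment makes the limitation explicit: `// file-based rules do not inspect schema properties; authorization depends only on the schema name`. Since these overrides now shadow the deny-by-default SPI method, this is also the place where a future property rule would have to be wired in.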
--- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedSystemAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedSystemAccessControl.java @@ -456,6 +456,12 @@ public Set filterCatalogs(SystemSecurityContext context, Set cat return filteredCatalogs.build(); } + @Override + public void checkCanCreateSchema(SystemSecurityContext context, CatalogSchemaName schema, Map properties) + { + checkCanCreateSchema(context, schema); + } + @Override public void checkCanCreateSchema(SystemSecurityContext context, CatalogSchemaName schema) { diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingConnectorAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingConnectorAccessControl.java index 1b77c53cbd65..06ffd10bf400 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingConnectorAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingConnectorAccessControl.java @@ -49,6 +49,12 @@ protected ConnectorAccessControl delegate() protected abstract ConnectorAccessControl delegate(); + @Override + public void checkCanCreateSchema(ConnectorSecurityContext context, String schemaName, Map properties) + { + delegate().checkCanCreateSchema(context, schemaName, properties); + } + @Override public void checkCanCreateSchema(ConnectorSecurityContext context, String schemaName) { diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingSystemAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingSystemAccessControl.java index 0f9fc4264932..7380b6e3e11a 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingSystemAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingSystemAccessControl.java 
@@ -139,6 +139,12 @@ public Set filterCatalogs(SystemSecurityContext context, Set cat return delegate().filterCatalogs(context, catalogs); } + @Override + public void checkCanCreateSchema(SystemSecurityContext context, CatalogSchemaName schema, Map properties) + { + delegate().checkCanCreateSchema(context, schema, properties); + } + @Override public void checkCanCreateSchema(SystemSecurityContext context, CatalogSchemaName schema) { diff --git a/lib/trino-plugin-toolkit/src/test/java/io/trino/plugin/base/security/TestFileBasedAccessControl.java b/lib/trino-plugin-toolkit/src/test/java/io/trino/plugin/base/security/TestFileBasedAccessControl.java index ee676a5131df..7024a00ad55c 100644 --- a/lib/trino-plugin-toolkit/src/test/java/io/trino/plugin/base/security/TestFileBasedAccessControl.java +++ b/lib/trino-plugin-toolkit/src/test/java/io/trino/plugin/base/security/TestFileBasedAccessControl.java @@ -67,7 +67,7 @@ public void testEmptyFile() { ConnectorAccessControl accessControl = createAccessControl("empty.json"); - accessControl.checkCanCreateSchema(UNKNOWN, "unknown"); + accessControl.checkCanCreateSchema(UNKNOWN, "unknown", ImmutableMap.of()); accessControl.checkCanDropSchema(UNKNOWN, "unknown"); accessControl.checkCanRenameSchema(UNKNOWN, "unknown", "new_unknown"); accessControl.checkCanSetSchemaAuthorization(UNKNOWN, "unknown", new TrinoPrincipal(PrincipalType.ROLE, "some_role")); 
@@ -145,20 +145,21 @@ public void testSchemaRules() { ConnectorAccessControl accessControl = createAccessControl("schema.json"); - accessControl.checkCanCreateSchema(ADMIN, "bob"); - accessControl.checkCanCreateSchema(ADMIN, "staff"); - accessControl.checkCanCreateSchema(ADMIN, "authenticated"); - accessControl.checkCanCreateSchema(ADMIN, "test"); - - accessControl.checkCanCreateSchema(BOB, "bob"); - accessControl.checkCanCreateSchema(BOB, "staff"); - accessControl.checkCanCreateSchema(BOB, "authenticated"); - assertDenied(() -> accessControl.checkCanCreateSchema(BOB, "test")); - - assertDenied(() -> accessControl.checkCanCreateSchema(CHARLIE, "bob")); - assertDenied(() -> accessControl.checkCanCreateSchema(CHARLIE, "staff")); - accessControl.checkCanCreateSchema(CHARLIE, "authenticated"); - assertDenied(() -> accessControl.checkCanCreateSchema(CHARLIE, "test")); + Map properties = ImmutableMap.of(); + accessControl.checkCanCreateSchema(ADMIN, "bob", properties); + accessControl.checkCanCreateSchema(ADMIN, "staff", properties); + accessControl.checkCanCreateSchema(ADMIN, "authenticated", properties); + accessControl.checkCanCreateSchema(ADMIN, "test", properties); + + accessControl.checkCanCreateSchema(BOB, "bob", properties); + accessControl.checkCanCreateSchema(BOB, "staff", properties); + accessControl.checkCanCreateSchema(BOB, "authenticated", properties); + assertDenied(() -> accessControl.checkCanCreateSchema(BOB, "test", properties)); + + assertDenied(() -> accessControl.checkCanCreateSchema(CHARLIE, "bob", properties)); + assertDenied(() -> accessControl.checkCanCreateSchema(CHARLIE, "staff", properties)); + accessControl.checkCanCreateSchema(CHARLIE, "authenticated", properties); + assertDenied(() -> accessControl.checkCanCreateSchema(CHARLIE, "test", properties)); accessControl.checkCanDropSchema(ADMIN, "bob"); accessControl.checkCanDropSchema(ADMIN, "staff"); 
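Review bot: Every updated call in `testSchemaRules` passes the same empty `properties` map, so the tests only show that the new overload behaves like the old one for an empty map; nothing exercises a non-empty map, and nothing verifies that the value bound in `CreateSchemaTask` actually reaches a system or connector access control. A cheap addition here is one allow and one deny assertion with a populated map, e.g. `accessControl.checkCanCreateSchema(BOB, "bob", ImmutableMap.of("location", "/some/path"));` and the matching `assertDenied(...)` for `CHARLIE`, which pins down that the file-based rules are unaffected by properties. A test that records the map received by a stub access control would be the right place to prove the end-to-end propagation, but that belongs with the `CreateSchemaTask` tests, which this patch does not touch.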
diff --git a/lib/trino-plugin-toolkit/src/test/java/io/trino/plugin/base/security/TestFileBasedSystemAccessControl.java b/lib/trino-plugin-toolkit/src/test/java/io/trino/plugin/base/security/TestFileBasedSystemAccessControl.java index eb9751c445ca..330eca5d67d5 100644 --- a/lib/trino-plugin-toolkit/src/test/java/io/trino/plugin/base/security/TestFileBasedSystemAccessControl.java +++ b/lib/trino-plugin-toolkit/src/test/java/io/trino/plugin/base/security/TestFileBasedSystemAccessControl.java @@ -137,7 +137,7 @@ public void testEmptyFile() { SystemAccessControl accessControl = newFileBasedSystemAccessControl("empty.json"); - accessControl.checkCanCreateSchema(UNKNOWN, new CatalogSchemaName("some-catalog", "unknown")); + accessControl.checkCanCreateSchema(UNKNOWN, new CatalogSchemaName("some-catalog", "unknown"), ImmutableMap.of()); accessControl.checkCanDropSchema(UNKNOWN, new CatalogSchemaName("some-catalog", "unknown")); accessControl.checkCanRenameSchema(UNKNOWN, new CatalogSchemaName("some-catalog", "unknown"), "new_unknown"); accessControl.checkCanSetSchemaAuthorization(UNKNOWN, 
@@ -205,20 +205,21 @@ public void testSchemaRulesForCheckCanCreateSchema() { SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-access-schema.json"); - accessControl.checkCanCreateSchema(ADMIN, new CatalogSchemaName("some-catalog", "bob")); - accessControl.checkCanCreateSchema(ADMIN, new CatalogSchemaName("some-catalog", "staff")); - accessControl.checkCanCreateSchema(ADMIN, new CatalogSchemaName("some-catalog", "authenticated")); - accessControl.checkCanCreateSchema(ADMIN, new CatalogSchemaName("some-catalog", "test")); - - accessControl.checkCanCreateSchema(BOB, new CatalogSchemaName("some-catalog", "bob")); - accessControl.checkCanCreateSchema(BOB, new CatalogSchemaName("some-catalog", "staff")); - accessControl.checkCanCreateSchema(BOB, new CatalogSchemaName("some-catalog", "authenticated")); - assertAccessDenied(() -> accessControl.checkCanCreateSchema(BOB, new CatalogSchemaName("some-catalog", "test")), CREATE_SCHEMA_ACCESS_DENIED_MESSAGE); - - accessControl.checkCanCreateSchema(CHARLIE, new CatalogSchemaName("some-catalog", "authenticated")); - assertAccessDenied(() -> accessControl.checkCanCreateSchema(CHARLIE, new CatalogSchemaName("some-catalog", "bob")), CREATE_SCHEMA_ACCESS_DENIED_MESSAGE); - assertAccessDenied(() -> accessControl.checkCanCreateSchema(CHARLIE, new CatalogSchemaName("some-catalog", "staff")), CREATE_SCHEMA_ACCESS_DENIED_MESSAGE); - assertAccessDenied(() -> accessControl.checkCanCreateSchema(CHARLIE, new CatalogSchemaName("some-catalog", "test")), CREATE_SCHEMA_ACCESS_DENIED_MESSAGE); + Map properties = ImmutableMap.of(); + accessControl.checkCanCreateSchema(ADMIN, new CatalogSchemaName("some-catalog", "bob"), properties); + accessControl.checkCanCreateSchema(ADMIN, new CatalogSchemaName("some-catalog", "staff"), properties); + accessControl.checkCanCreateSchema(ADMIN, new CatalogSchemaName("some-catalog", "authenticated"), properties); + accessControl.checkCanCreateSchema(ADMIN, new 
CatalogSchemaName("some-catalog", "test"), properties); + + accessControl.checkCanCreateSchema(BOB, new CatalogSchemaName("some-catalog", "bob"), properties); + accessControl.checkCanCreateSchema(BOB, new CatalogSchemaName("some-catalog", "staff"), properties); + accessControl.checkCanCreateSchema(BOB, new CatalogSchemaName("some-catalog", "authenticated"), properties); + assertAccessDenied(() -> accessControl.checkCanCreateSchema(BOB, new CatalogSchemaName("some-catalog", "test"), properties), CREATE_SCHEMA_ACCESS_DENIED_MESSAGE); + + accessControl.checkCanCreateSchema(CHARLIE, new CatalogSchemaName("some-catalog", "authenticated"), properties); + assertAccessDenied(() -> accessControl.checkCanCreateSchema(CHARLIE, new CatalogSchemaName("some-catalog", "bob"), properties), CREATE_SCHEMA_ACCESS_DENIED_MESSAGE); + assertAccessDenied(() -> accessControl.checkCanCreateSchema(CHARLIE, new CatalogSchemaName("some-catalog", "staff"), properties), CREATE_SCHEMA_ACCESS_DENIED_MESSAGE); + assertAccessDenied(() -> accessControl.checkCanCreateSchema(CHARLIE, new CatalogSchemaName("some-catalog", "test"), properties), CREATE_SCHEMA_ACCESS_DENIED_MESSAGE); } @Test diff --git a/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/LegacyAccessControl.java b/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/LegacyAccessControl.java index 40b83155653d..28850af4d8af 100644 --- a/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/LegacyAccessControl.java +++ b/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/LegacyAccessControl.java @@ -70,6 +70,11 @@ public LegacyAccessControl( allowRenameColumn = securityConfig.getAllowRenameColumn(); } + @Override + public void checkCanCreateSchema(ConnectorSecurityContext context, String schemaName, Map properties) + { + } + @Override public void checkCanCreateSchema(ConnectorSecurityContext context, String schemaName) { 
diff --git a/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/SqlStandardAccessControl.java b/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/SqlStandardAccessControl.java index 099451b65e29..be5e75db8ce0 100644 --- a/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/SqlStandardAccessControl.java +++ b/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/SqlStandardAccessControl.java @@ -128,6 +128,12 @@ public SqlStandardAccessControl( this.metastore = requireNonNull(metastore, "metastore is null"); } + @Override + public void checkCanCreateSchema(ConnectorSecurityContext context, String schemaName, Map properties) + { + checkCanCreateSchema(context, schemaName); + } + @Override public void checkCanCreateSchema(ConnectorSecurityContext context, String schemaName) {