Allow fetching file based access provider rules via http(s) url

[arkadiuszbalcerek]

Description

This is actually replacement for #11491
The changes are integrated with the newest trino code
New fork created as we don't have write permission to https://github.com/clemensvonschwerin/presto/tree/file-system-based-access-provider-via-rest
Would like to move it forward and finally get merged to official trino codebase

Is this change a fix, improvement, new feature, refactoring, or other?

Is this a change to the core query engine, a connector, client library, or the SPI interfaces? (be specific)

How would you describe this change to a non-technical end user or system administrator?

Related issues, pull requests, and links

Documentation

( ) No documentation is needed.
( ) Sufficient documentation is included in this PR.
( ) Documentation PR is available with #prnumber.
( ) Documentation issue #issuenumber is filed, and can be handled later.

Release notes

( ) No release notes entries required.
(x) Release notes entries required with the following suggested text:

# Security
* Allow fetching access control rules via http(s) url

[cla-bot]

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to cla@trino.io. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

[arkadiuszbalcerek]

Hi @kokosing,
This PR is replacement for #11491
It is integrated with the newest trino and some adjustments are done. Could you please trigger the checks and review it?

[kokosing]

@Praveen2112 Would you like to do a review?

[Praveen2112]

Will take a look at it

[cla-bot]

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to cla@trino.io. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

[arkadiuszbalcerek]

Hi @kokosing @Praveen2112 I fixed some tests so all checks except plugin/trino-elasticsearch succeeded. plugin/trino-elasticsearch got cancelled (due to exceeding the timeout I guess) but I don't think it is related to changes in this PR (previous run succeeded). Please review and give us some feedback what else should be improved to get this merged

[Praveen2112]

Instead of reusing FileBasedAccessControl - can we have a generic Connector/System Access Control based on JsonRules and have different ways of injecting rules from a file or from a URI (with a specific start point).

[Praveen2112]

Can we have a different AccessControl implementation if they are fetched from REST APIs or maybe we could have a generic JsonBasedAccessControl and rules can be injected from a file or a remote hosted file or using some endpoints. WDYT ?

[arkadiuszbalcerek]

refactored

[cla-bot]

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to cla@trino.io. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

[cla-bot]

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to cla@trino.io. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

[cla-bot]

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to cla@trino.io. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

[Praveen2112]

Can you squash the commits. We could have one for preparatory changes and one with the actual set of changes.

[Praveen2112]

Can we rename it as JsonAccessControl or something ?

cc: @kokosing Any good names we can use here ?

[arkadiuszbalcerek]

You mean rename the file/class? We have a few classes starting with FileBasedAccessControl? Do you want to rename all of them?

[Praveen2112]

Since we inject the AccessControlRules I guess FileBasedAccessControl makes less sense here. WDYT ?

[arkadiuszbalcerek]

refactored - renamed to RulesBasedAccessControl

[Praveen2112]

requireNonNull check for supplier ? Any specific reason for supplier ? Can we inject AccessControlRules directly ?

[Praveen2112]

ditto

[arkadiuszbalcerek]

refactored

[Praveen2112]

Can we have it as a part of preparatory commit ?

[arkadiuszbalcerek]

I squashed to two commits. Unfortunately this one went to the second one. I won't be able now to extract it and squash other way. If this is a problem I can create another PR with this one as initial commit

[Praveen2112]

Instead of checking if it a file or a REST url ? Can we have have some enum which could be configured so we could have dedicated set of properties for each type.

[arkadiuszbalcerek]

refactored

[cla-bot]

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to cla@trino.io. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

[cla-bot]

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to cla@trino.io. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

[cla-bot]

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to cla@trino.io. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

[AdrianSkierniewski]

Hi Guys,

The work on this PR has been dragging on for several months. We already invested quite some time and resources to constantly rebase. We're following the same pattern that it's already used in other places when you can configure refresh via HTTP request. An example bellow:

The configuration JSON can either be retrieved from a file or REST-endpoint specified via hive.s3.security-mapping.config-file.

https://trino.io/docs/current/connector/hive-s3.html?highlight=iam#s3-security-mapping

We're really grateful Trino community for a such amazing piece of software, so please don't get me wrong. It feels really unproductive on our side to constantly invest more time on the PR and engage in endless discussions.

@Praveen2112 @kokosing could you help us with merging this one?

[Praveen2112]

Sorry for the delay. Thanks for working on this and we really appreciate your effort this PR, we do have a minor concerns which we have specified. Do let us know if there are any issues in applying them.

[Praveen2112]

Why do we have to exclude them ? Can we provide a comment here - does the versions conflict ?

[arkadiuszbalcerek]

io.airlift.node is needed only for tests. If not excluded here dependency-scope-maven-plugin will complain

[Praveen2112]

Where do we use them in tests ?

[Praveen2112]

Instead of excluding this - Can we add node as a rutime dependency

        <!-- used by tests but also needed transitively -->
        <dependency>
            <groupId>io.airlift</groupId>
            <artifactId>node</artifactId>
            <scope>runtime</scope>
        </dependency>
        

[Praveen2112]

Since we inject the AccessControlRules I guess FileBasedAccessControl makes less sense here. WDYT ?

[Praveen2112]

ditto

[Praveen2112]

Any specific reason for setting this configuration to 10s. We could also cofigure them via http-client config if required ?

Mentioned here - #6210 (comment)

[Praveen2112]

Instead of a static method, can we have something like a parser (S3SecurityMappingsParser)

[arkadiuszbalcerek]

refactored - this util doesn't exist any more

[Praveen2112]

Can we inject this Supplier instead of specifying a Provider implementation ?

[Praveen2112]

In this case we don't have to build the configuration here

[arkadiuszbalcerek]

refactored

[Praveen2112]

Can we move this validation part of the config like public Optional<@MinDuration("1ms") Duration>.

[Praveen2112]

We can use Optional too. Maybe it could go as a preparatory commit. WDYT ?

[arkadiuszbalcerek]

refactored - actually it was dead code - refreshperiod validation are based on annotations and included in config class

[Praveen2112]

Do we need this jsonPointer for LocalFileBasedImpl since in the docs it has been restricted.

[arkadiuszbalcerek]

jsonPointer is only for rest based config now

[cla-bot]

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to cla@trino.io. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

[cla-bot]

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to cla@trino.io. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

[Praveen2112]

Can you please squash the commits.

[cla-bot]

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to cla@trino.io. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

[arkadiuszbalcerek]

@Praveen2112 please trigger the checks. Actually the code was refactored quite a lot so most of the comment shouldn't be relevant any more. Please review.

[arkadiuszbalcerek]

@Praveen2112 I applied the comments. Please review

[Praveen2112]

Instead of getting instance of TestingHttpServer - can we fetch HttpServerInfo and get the Url based on it ? So we don't specify a class name with package.

[arkadiuszbalcerek]

done

[Praveen2112]

We need to specify the scope as Singleton

[arkadiuszbalcerek]

done

[Praveen2112]

JsonUtils has a method to read input from file - can we use that implementation

[arkadiuszbalcerek]

refactored

[Praveen2112]

Can we use lambda here ?

[arkadiuszbalcerek]

done

[Praveen2112]

We can use lambda here.

[arkadiuszbalcerek]

done

[Praveen2112]

can we something like this - return configFile.startsWith("https://") || configFile.startsWith("http://"))

[arkadiuszbalcerek]

done

[Praveen2112]

We don't have to add non-null check here - Can we move it to the end of class ?

[arkadiuszbalcerek]

hmm not sure if we don't need non-null check here. We have NotNull validation for configFile field. You shouldn't relay on order of validations, If I remove this non-null check we might (and will in this case) end up with NPE instead of NotNull validation failure

[Praveen2112]

Custom validation happens after the getter/setter validation happens - so NotNull will be checked already. I think this non-null check would be redundant

[Praveen2112]

ditto

[arkadiuszbalcerek]

done

[Praveen2112]

Can make it to be in-sync with FileBasedConnectorAccessControl implementation - Like we can we have a prep commit - which would introduce this a new FileBasedSystemAccessControlModule() which would inject a SystemAccessControl (wrapped with refresh option if required) and here we could configure the injector - to get an instance of the SystemAccessControl - this would make the design uniform and simple. WDYT ?

[arkadiuszbalcerek]

added prep commit with this refactoring before applying any new changes

[arkadiuszbalcerek]

Hi @Praveen2112 I applied the comments. please review

[Praveen2112]

Minor changes

[Praveen2112]

@singleton annotation is missing.

[Praveen2112]

Can we rename the commit message as Extract new module for FileBasedSystemAccessControl

[arkadiuszbalcerek]

done

[Praveen2112]

Do we need this change in this commit ?

[Praveen2112]

Try to keep the commit message less than 75 character length.

[Praveen2112]

nit : Can we rename it as RestBasedAccessControlRulesProvider

[arkadiuszbalcerek]

HttpBasedAccessControlRulesProvider? to stick to the convention and avoid rest?

[arkadiuszbalcerek]

done

[Praveen2112]

Can we inline body

[arkadiuszbalcerek]

done

[Praveen2112]

Custom validation happens after the getter/setter validation happens - so NotNull will be checked already. I think this non-null check would be redundant

[Praveen2112]

Can we inline this string

[arkadiuszbalcerek]

done

[Praveen2112]

test for non-existing file ?

[arkadiuszbalcerek]

it was already added in testValidationWithLocalFile

[arkadiuszbalcerek]

@Praveen2112 Regarding this one #14008 (comment) we need to change the test in this commit. After refactoring FileBasedSystemAccessControl they failed (different exception thrown)

[arkadiuszbalcerek]

@Praveen2112 comments applied

[arkadiuszbalcerek]

Hi @mosabua could you please have a look at docs change?

[Praveen2112]

Merged !! Thanks for working on this

[arkadiuszbalcerek]

Thanks!!