Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Do not pass default properties to access control checks #15202

Merged
merged 1 commit into from
Dec 7, 2022
Merged

Do not pass default properties to access control checks #15202

merged 1 commit into from
Dec 7, 2022

Conversation

kokosing
Copy link
Member

Do not pass default properties to access control checks

@cla-bot cla-bot bot added the cla-signed label Nov 25, 2022
findepi
findepi reviewed Nov 25, 2022
View reviewed changes
core/trino-main/src/main/java/io/trino/execution/CreateMaterializedViewTask.java
.map(property -> property.getName().getValue().toLowerCase(ENGLISH))
.collect(toImmutableSet());
Map<String, Object> explicitlySetProperties = properties.keySet().stream()
.filter(specifiedPropertyKeys::contains)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lowercase here when invoking contains

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is already lower cased in io.trino.metadata.PropertyUtil#evaluateProperties

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can this class depend on that? maybe it should not, so that the code is "more obviously correct".
i.e. consisten with lowercase 3 lines up

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also io.trino.spi.session.PropertyMetadata#PropertyMetadata disallows to create a property with non lower cased property name.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also io.trino.spi.session.PropertyMetadata#PropertyMetadata disallows to create a property with non lower cased property name.

today.

if you rely on that other class guarantees, add a verify here (.peek(...))

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Addressed as fixup

@kokosing kokosing force-pushed the origin/master/161_props branch from a02b42e to 2ec6720 Compare November 26, 2022 21:14
@martint
Copy link
Member

martint commented Nov 26, 2022

What’s the motivation for this change? If the values of default properties are not passed, how would the access control know what value they are supposed to take?

@kokosing
Copy link
Member Author

I am sorry, I was under impression that the change is straightforward so I gave very limited commit message.

The motivation is to make access control for table properties to be more practical and coherent with access for other objects.

If the values of default properties are not passed, how would the access control know what value they are supposed to take?

In my opinion access control does not need to know or control what engine is doing in order to fulfill user requests, but it is more about controlling what users are doing.

As example consider the below (that may happen with existing implementation):

CREATE TABLE t(i int);
ERROR: Access denied: cannot set location to 's3://bucket/data/schema/t'

In such situation, I believe users don't care about location of where data is stored. They may not even know that used catalog is a Hive connector. They just want to create a table. They have CREATE TABLE privilege and they ask engine to do whatever it needs, but please create a table for me. User didn't ask for any specific location.

Few more issues with existing implementation:

  • authorization services (like Ranger or file based ones) typically deny everything by default. In such case, if they would like provide access control for table properties, then admins need to control each table property. Even the hidden ones and ones that are even mentioned in any query by users of the system.
  • "Ok, but I can grant access to all table properties to bypass the above". Yes but if you would like to deny certain usage of table properties then you need to still enumerate all other table properties to grant access to them so user can CREATE TABLE.
  • Considering the above, whenever we add new properties admins will be forced to update they authorization policies to upgrade Trino.
  • Hive has 21 table properties now, it if access control requires network communication for each of resource access then it may require some time to do so.
  • if access control is tracking audit access log, then simple CREATE TABLE for Hive connector will produce 21 additional events. Which could be surprising because as nobody really used these table properties.
  • it leaks hidden table properties to access control (and possibly to audit services)

The logic behind proposed implementation:

  • if admin creates a catalog with certain defaults then they say it is ok to CREATE TABLES using these defaults. So anybody who has CREATE TABLE privilege can create them. However, admins can simply disallow to overriding defaults or control which table properties are allowed to be modified by users.
  • it does not expose mentioned issues with existing implementation for access control of table properties
  • proposed implementation is coherent with how we control session properties. We call access control only when somebody requests SET SESSION..., not when we populate a session.

@kokosing kokosing force-pushed the origin/master/161_props branch 2 times, most recently from 727e6ab to 1919863 Compare December 2, 2022 15:05
@kokosing
Copy link
Member Author

kokosing commented Dec 2, 2022

Updated tests a bit, to make sure not used properties do not leak.

@martint @findepi Any more comments?

@kokosing kokosing force-pushed the origin/master/161_props branch from 1e627b9 to 4f0d1a7 Compare December 6, 2022 13:51
@kokosing kokosing merged commit e96ed39 into trinodb:master Dec 7, 2022
@kokosing kokosing deleted the origin/master/161_props branch December 7, 2022 07:40
@github-actions github-actions bot added this to the 404 milestone Dec 7, 2022
@colebow colebow mentioned this pull request Dec 14, 2022
Merged
@colebow
Copy link
Member

colebow commented Dec 14, 2022

Does this need a release note? @kokosing

@kokosing kokosing added the no-release-notes This pull request does not require release notes entry label Dec 14, 2022
@kokosing
Copy link
Member Author

I don't think so.

@kokosing kokosing mentioned this pull request Dec 28, 2022
Merged
kokosing added a commit to kokosing/trino that referenced this pull request Dec 28, 2022
@kokosing
Do not pass default properties to CTAS access control check
d62de05 
This is follow-up trinodb#15202 where CTAS
was omitted by mistake.
kokosing added a commit that referenced this pull request Dec 28, 2022
@kokosing
Do not pass default properties to CTAS access control check
be1a185 
This is follow-up #15202 where CTAS
was omitted by mistake.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@findepi findepi findepi approved these changes

@losipiuk losipiuk Awaiting requested review from losipiuk

@Praveen2112 Praveen2112 Awaiting requested review from Praveen2112

Assignees
No one assigned
Labels
cla-signed no-release-notes This pull request does not require release notes entry
Milestone
405
Development

Successfully merging this pull request may close these issues.
4 participants
@kokosing @martint @colebow @findepi