/**
 * Verifies that a catalog-level access control can deny a column select.
 *
 * <p>The test passes only if a {@code PrestoException} with the expected
 * "Access Denied" message escapes the transaction body.
 */
@Test(expectedExceptions = PrestoException.class, expectedExceptionsMessageRegExp = "Access Denied: Cannot select from columns \\[column\\] in table or view schema.table")
public void testDenyCatalogAccessControl()
{
    CatalogManager catalogs = new CatalogManager();
    TransactionManager txManager = createTestTransactionManager(catalogs);
    AccessControlManager accessControl = new AccessControlManager(txManager);

    // System-level control comes from the "test" factory.
    // NOTE(review): presumably it permits this select, so the denial is attributable to the catalog-level control; confirm.
    accessControl.addSystemAccessControlFactory(new TestSystemAccessControlFactory("test"));
    accessControl.setSystemAccessControl("test", ImmutableMap.of());

    // Attach a denying connector access control to the catalog under test.
    ConnectorId catalogId = registerBogusConnector(catalogs, txManager, accessControl, "catalog");
    accessControl.addCatalogAccessControl(catalogId, new DenyConnectorAccessControl());

    transaction(txManager, accessControl)
            .execute(transactionId -> {
                Identity caller = new Identity(USER_NAME, Optional.of(PRINCIPAL));
                QualifiedObjectName table = new QualifiedObjectName("catalog", "schema", "table");
                accessControl.checkCanSelectFromColumns(transactionId, caller, table, ImmutableSet.of("column"));
            });
}
QualifiedObjectName tableName = new QualifiedObjectName("catalog", "schema", "table"); TransactionManager transactionManager = createTestTransactionManager(); AccessControlManager accessControlManager = new AccessControlManager(transactionManager); accessControlManager.setSystemAccessControl(ReadOnlySystemAccessControl.NAME, ImmutableMap.of()); accessControlManager.checkCanSetUser(Optional.of(PRINCIPAL), USER_NAME); accessControlManager.checkCanSetSystemSessionProperty(identity, "property"); accessControlManager.checkCanSetCatalogSessionProperty(transactionId, identity, "catalog", "property"); accessControlManager.checkCanShowSchemas(transactionId, identity, "catalog"); accessControlManager.checkCanShowTablesMetadata(transactionId, identity, new CatalogSchemaName("catalog", "schema")); accessControlManager.checkCanSelectFromColumns(transactionId, identity, tableName, ImmutableSet.of("column")); accessControlManager.checkCanCreateViewWithSelectFromColumns(transactionId, identity, tableName, ImmutableSet.of("column")); Set<String> catalogs = ImmutableSet.of("catalog"); assertEquals(accessControlManager.filterCatalogs(identity, catalogs), catalogs); Set<String> schemas = ImmutableSet.of("schema"); assertEquals(accessControlManager.filterSchemas(transactionId, identity, "catalog", schemas), schemas); Set<SchemaTableName> tableNames = ImmutableSet.of(new SchemaTableName("schema", "table")); assertEquals(accessControlManager.filterTables(transactionId, identity, "catalog", tableNames), tableNames); }); transaction(transactionManager, accessControlManager) .execute(transactionId -> { accessControlManager.checkCanInsertIntoTable(transactionId, identity, tableName); }); fail();
/**
 * Exercises table operations under the file-based system access control loaded from
 * {@code catalog.json}: {@code alice} passes every check on her table, while {@code bob}
 * sees none of the tables in {@code alice-catalog} and is denied table creation.
 */
@Test
public void testTableOperations()
{
    TransactionManager txManager = createTestTransactionManager();
    AccessControlManager accessControl = newAccessControlManager(txManager, "catalog.json");

    transaction(txManager, accessControl)
            .execute(transactionId -> {
                Set<SchemaTableName> tables = ImmutableSet.of(new SchemaTableName("schema", "table"));

                // Filtering: alice keeps the full set, bob gets an empty set.
                assertEquals(accessControl.filterTables(transactionId, alice, "alice-catalog", tables), tables);
                assertEquals(accessControl.filterTables(transactionId, bob, "alice-catalog", tables), ImmutableSet.of());

                // Each call below must return without throwing for alice.
                accessControl.checkCanCreateTable(transactionId, alice, aliceTable);
                accessControl.checkCanDropTable(transactionId, alice, aliceTable);
                // The select check is exercised with an empty column set.
                accessControl.checkCanSelectFromColumns(transactionId, alice, aliceTable, ImmutableSet.of());
                accessControl.checkCanInsertIntoTable(transactionId, alice, aliceTable);
                accessControl.checkCanDeleteFromTable(transactionId, alice, aliceTable);
                accessControl.checkCanAddColumns(transactionId, alice, aliceTable);
                accessControl.checkCanRenameColumn(transactionId, alice, aliceTable);
            });

    // NOTE(review): the denied path is asserted only for CREATE TABLE; drop, select, insert,
    // delete and column changes are not asserted to be rejected for bob in this test.
    assertThrows(AccessDeniedException.class, () -> transaction(txManager, accessControl).execute(transactionId -> {
        accessControl.checkCanCreateTable(transactionId, bob, aliceTable);
    }));
}
/**
 * With the allow-all system access control selected, setting the user must succeed even
 * when no principal is supplied. The test has no assertion; it passes when nothing throws.
 */
@Test
public void testNoneSystemAccessControl()
{
    AccessControlManager accessControl = new AccessControlManager(createTestTransactionManager());
    accessControl.setSystemAccessControl(AllowAllSystemAccessControl.NAME, ImmutableMap.of());

    // No principal at all: allow-all is expected to accept this.
    accessControl.checkCanSetUser(Optional.empty(), USER_NAME);
}
/**
 * Builds an {@code AccessControlManager} that uses the file-based system access control.
 *
 * @param transactionManager transaction manager handed to the new access control manager
 * @param resourceName name of the rules resource; resolved through {@code getResourcePath}
 *        and passed as the {@code security.config-file} property
 * @return the configured access control manager
 */
private AccessControlManager newAccessControlManager(TransactionManager transactionManager, String resourceName)
{
    AccessControlManager manager = new AccessControlManager(transactionManager);
    String rulesPath = getResourcePath(resourceName);
    manager.setSystemAccessControl(FileBasedSystemAccessControl.NAME, ImmutableMap.of("security.config-file", rulesPath));
    return manager;
}
/**
 * Before any system access control has been selected, a check must be rejected with
 * "Presto server is still initializing" rather than silently allowed.
 */
@Test(expectedExceptions = PrestoException.class, expectedExceptionsMessageRegExp = "Presto server is still initializing")
public void testInitializing()
{
    // Deliberately no setSystemAccessControl(...) call before the check.
    AccessControlManager unconfigured = new AccessControlManager(createTestTransactionManager());
    unconfigured.checkCanSetUser(Optional.empty(), "foo");
}
/**
 * Verifies that a system access control created by a registered factory receives the
 * {@code checkCanSetUser} call with the same principal and user name the manager was given.
 */
@Test
public void testSetAccessControl()
{
    AccessControlManager accessControl = new AccessControlManager(createTestTransactionManager());

    // Register the recording factory, then select it by name.
    TestSystemAccessControlFactory factory = new TestSystemAccessControlFactory("test");
    accessControl.addSystemAccessControlFactory(factory);
    accessControl.setSystemAccessControl("test", ImmutableMap.of());

    accessControl.checkCanSetUser(Optional.of(PRINCIPAL), USER_NAME);

    // The factory exposes what the check was called with.
    assertEquals(factory.getCheckedUserName(), USER_NAME);
    assertEquals(factory.getCheckedPrincipal(), Optional.of(PRINCIPAL));
}
/**
 * Exercises view, session-property and grant/revoke checks under the file-based system
 * access control loaded from {@code catalog.json}: every check passes for {@code alice},
 * and {@code bob} is denied creating alice's view.
 */
@Test
public void testViewOperations()
{
    TransactionManager txManager = createTestTransactionManager();
    AccessControlManager accessControl = newAccessControlManager(txManager, "catalog.json");

    transaction(txManager, accessControl)
            .execute(transactionId -> {
                // Each call below must return without throwing for alice.
                accessControl.checkCanCreateView(transactionId, alice, aliceView);
                accessControl.checkCanDropView(transactionId, alice, aliceView);
                // Select checks are exercised with an empty column set.
                accessControl.checkCanSelectFromColumns(transactionId, alice, aliceView, ImmutableSet.of());
                accessControl.checkCanCreateViewWithSelectFromColumns(transactionId, alice, aliceTable, ImmutableSet.of());
                accessControl.checkCanCreateViewWithSelectFromColumns(transactionId, alice, aliceView, ImmutableSet.of());
                accessControl.checkCanSetCatalogSessionProperty(transactionId, alice, "alice-catalog", "property");
                accessControl.checkCanGrantTablePrivilege(transactionId, alice, SELECT, aliceTable, "grantee", true);
                accessControl.checkCanRevokeTablePrivilege(transactionId, alice, SELECT, aliceTable, "revokee", true);
            });

    // NOTE(review): the denied path is asserted only for CREATE VIEW; grant/revoke and the
    // session-property check are not asserted to be rejected for bob in this test.
    assertThrows(AccessDeniedException.class, () -> transaction(txManager, accessControl).execute(transactionId -> {
        accessControl.checkCanCreateView(transactionId, bob, aliceView);
    }));
}
/**
 * Verifies that a denying catalog-level access control blocks a table select even though
 * the system-level control is allow-all.
 *
 * <p>The test passes only if a {@code PrestoException} with the expected
 * "Access Denied" message escapes the transaction body.
 */
@Test(expectedExceptions = PrestoException.class, expectedExceptionsMessageRegExp = "Access Denied: Cannot select from table schema.table")
public void testDenyCatalogAccessControl()
        throws Exception
{
    TransactionManager txManager = createTestTransactionManager();
    AccessControlManager accessControl = new AccessControlManager(txManager);
    accessControl.setSystemAccessControl(ALLOW_ALL_ACCESS_CONTROL, ImmutableMap.<String, String>of());

    // Attach a denying connector access control to "catalog".
    registerBogusConnector(txManager, "connector");
    accessControl.addCatalogAccessControl("connector", "catalog", new DenyConnectorAccessControl());

    transaction(txManager)
            .execute(transactionId -> {
                Identity caller = new Identity(USER_NAME, Optional.of(PRINCIPAL));
                QualifiedObjectName table = new QualifiedObjectName("catalog", "schema", "table");
                accessControl.checkCanSelectFromTable(transactionId, caller, table);
            });
}
AccessControlManager accessControlManager = new AccessControlManager(transactionManager); File configFile = newTemporaryFile(); configFile.deleteOnExit(); copy(new File(getResourcePath("catalog.json")), configFile); accessControlManager.setSystemAccessControl(FileBasedSystemAccessControl.NAME, ImmutableMap.of( SECURITY_CONFIG_FILE, configFile.getAbsolutePath(), SECURITY_REFRESH_PERIOD, "1ms")); accessControlManager.checkCanCreateView(transactionId, alice, aliceView); accessControlManager.checkCanCreateView(transactionId, alice, aliceView); accessControlManager.checkCanCreateView(transactionId, alice, aliceView); }); accessControlManager.checkCanCreateView(transactionId, alice, aliceView); })) .isInstanceOf(IllegalArgumentException.class) accessControlManager.checkCanCreateView(transactionId, alice, aliceView); })) .isInstanceOf(IllegalArgumentException.class) accessControlManager.checkCanCreateView(transactionId, alice, aliceView); });
/**
 * With an allow-all system access control and no catalog access control registered for
 * "catalog", a table select must be permitted. The test has no assertion; it passes when
 * nothing throws.
 */
@Test
public void testNoCatalogAccessControl()
        throws Exception
{
    TransactionManager txManager = createTestTransactionManager();
    AccessControlManager accessControl = new AccessControlManager(txManager);
    accessControl.setSystemAccessControl(ALLOW_ALL_ACCESS_CONTROL, ImmutableMap.<String, String>of());

    // No addCatalogAccessControl(...) call: only the system-level control applies here.
    transaction(txManager)
            .execute(transactionId -> {
                Identity caller = new Identity(USER_NAME, Optional.of(PRINCIPAL));
                QualifiedObjectName table = new QualifiedObjectName("catalog", "schema", "table");
                accessControl.checkCanSelectFromTable(transactionId, caller, table);
            });
}
/**
 * Applies the configured deny rule for {@code SET_USER}, then falls back to the parent
 * check only when {@code denyPrivileges} is empty.
 *
 * @param principal authenticated principal, if any
 * @param userName user name being set; also used as the entity name in the deny lookup
 */
@Override
public void checkCanSetUser(Optional<Principal> principal, String userName)
{
    boolean denied = shouldDenyPrivilege(userName, userName, SET_USER);
    if (denied) {
        // NOTE(review): presumably throws an access-denied exception; confirm against denySetUser.
        denySetUser(principal, userName);
    }

    // While any deny rule is registered, the parent implementation is bypassed entirely.
    if (!denyPrivileges.isEmpty()) {
        return;
    }
    super.checkCanSetUser(principal, userName);
}
/**
 * Creates the manager and registers the three built-in system access control factories
 * (allow-all, read-only, file-based).
 *
 * <p>The constructor only registers factories; it does not call
 * {@code setSystemAccessControl}, so no system access control is selected here.
 *
 * @param transactionManager transaction manager; must not be null
 */
@Inject
public AccessControlManager(TransactionManager transactionManager)
{
    requireNonNull(transactionManager, "transactionManager is null");
    this.transactionManager = transactionManager;

    // Built-in implementations, registered in this fixed order.
    addSystemAccessControlFactory(new AllowAllSystemAccessControl.Factory());
    addSystemAccessControlFactory(new ReadOnlySystemAccessControl.Factory());
    addSystemAccessControlFactory(new FileBasedSystemAccessControl.Factory());
}
/**
 * Registers a materialized connector and wires each of its providers into the matching
 * manager. Optional providers are registered only when the connector supplies them.
 *
 * <p>Fails with {@code IllegalStateException} (via {@code checkState}) when the manager is
 * stopped or a connector with the same id is already registered.
 *
 * @param connector the connector to register
 */
private synchronized void addConnectorInternal(MaterializedConnector connector)
{
    checkState(!stopped.get(), "ConnectorManager is stopped");
    ConnectorId connectorId = connector.getConnectorId();
    checkState(!connectors.containsKey(connectorId), "A connector %s already exists", connectorId);
    connectors.put(connectorId, connector);

    // Mandatory providers.
    splitManager.addConnectorSplitManager(connectorId, connector.getSplitManager());
    pageSourceManager.addConnectorPageSourceProvider(connectorId, connector.getPageSourceProvider());

    // Optional providers: skipped when absent.
    connector.getPageSinkProvider()
            .ifPresent(sink -> pageSinkManager.addConnectorPageSinkProvider(connectorId, sink));

    connector.getIndexProvider()
            .ifPresent(index -> indexManager.addIndexProvider(connectorId, index));

    connector.getPartitioningProvider()
            .ifPresent(partitioning -> nodePartitioningManager.addPartitioningProvider(connectorId, partitioning));

    metadataManager.getProcedureRegistry().addProcedures(connectorId, connector.getProcedures());

    // When the connector supplies no access control, no catalog-level control is registered
    // for it here.
    // NOTE(review): this registration happens after the split, page-source and procedure
    // registrations above; confirm the catalog is not reachable by queries until this method returns.
    connector.getAccessControl()
            .ifPresent(catalogControl -> accessControlManager.addCatalogAccessControl(connectorId, catalogControl));

    metadataManager.getTablePropertyManager().addProperties(connectorId, connector.getTableProperties());
    metadataManager.getColumnPropertyManager().addProperties(connectorId, connector.getColumnProperties());
    metadataManager.getSchemaPropertyManager().addProperties(connectorId, connector.getSchemaProperties());
    metadataManager.getSessionPropertyManager().addConnectorSessionProperties(connectorId, connector.getSessionProperties());
}
/**
 * Selects the system access control from the access control configuration file.
 *
 * <p>When the file exists, the implementation named by {@code ACCESS_CONTROL_PROPERTY_NAME}
 * is selected and the remaining properties are passed to it. When the file does not exist,
 * the allow-all implementation is selected, so a missing or misplaced configuration file
 * results in no system-level restrictions rather than a startup failure.
 *
 * @throws IllegalArgumentException (via {@code checkArgument}) if the file exists but does
 *         not name an access control
 * @throws Exception declared by the method; see {@code loadProperties} for the I/O cases
 */
public void loadSystemAccessControl()
        throws Exception
{
    if (!ACCESS_CONTROL_CONFIGURATION.exists()) {
        // Fail-open default: no configuration file means allow-all.
        setSystemAccessControl(AllowAllSystemAccessControl.NAME, ImmutableMap.of());
        return;
    }

    // Mutable copy so the name property can be removed before the rest is handed over.
    Map<String, String> config = new HashMap<>(loadProperties(ACCESS_CONTROL_CONFIGURATION));
    String selectedName = config.remove(ACCESS_CONTROL_PROPERTY_NAME);
    checkArgument(!isNullOrEmpty(selectedName),
            "Access control configuration %s does not contain %s",
            ACCESS_CONTROL_CONFIGURATION.getAbsoluteFile(),
            ACCESS_CONTROL_PROPERTY_NAME);

    setSystemAccessControl(selectedName, config);
}
/**
 * Selects the system access control from the access control configuration file.
 *
 * <p>When the file exists, the implementation named by {@code ACCESS_CONTROL_PROPERTY_NAME}
 * is selected and the remaining properties are passed to it. When the file does not exist,
 * {@code ALLOW_ALL_ACCESS_CONTROL} is selected, so a missing or misplaced configuration file
 * results in no system-level restrictions rather than a startup failure.
 *
 * @throws IllegalArgumentException (via {@code checkArgument}) if the file exists but does
 *         not name an access control
 * @throws Exception declared by the method; see {@code loadProperties} for the I/O cases
 */
public void loadSystemAccessControl()
        throws Exception
{
    if (!ACCESS_CONTROL_CONFIGURATION.exists()) {
        // Fail-open default: no configuration file means allow-all.
        setSystemAccessControl(ALLOW_ALL_ACCESS_CONTROL, ImmutableMap.of());
        return;
    }

    // Mutable copy so the name property can be removed before the rest is handed over.
    Map<String, String> config = new HashMap<>(loadProperties(ACCESS_CONTROL_CONFIGURATION));
    String selectedName = config.remove(ACCESS_CONTROL_PROPERTY_NAME);
    checkArgument(!isNullOrEmpty(selectedName),
            "Access control configuration %s does not contain %s",
            ACCESS_CONTROL_CONFIGURATION.getAbsoluteFile(),
            ACCESS_CONTROL_PROPERTY_NAME);

    setSystemAccessControl(selectedName, config);
}
/**
 * Applies the configured deny rule for {@code CREATE_TABLE}, then falls back to the parent
 * check only when {@code denyPrivileges} is empty.
 *
 * @param transactionId transaction the check runs in
 * @param identity caller identity; its user name is matched against the deny rules
 * @param tableName table being created; its object name is matched against the deny rules
 */
@Override
public void checkCanCreateTable(TransactionId transactionId, Identity identity, QualifiedObjectName tableName)
{
    String user = identity.getUser();
    String objectName = tableName.getObjectName();
    if (shouldDenyPrivilege(user, objectName, CREATE_TABLE)) {
        // NOTE(review): presumably throws an access-denied exception; confirm against denyCreateTable.
        denyCreateTable(tableName.toString());
    }

    // While any deny rule is registered, the parent implementation is bypassed entirely.
    if (!denyPrivileges.isEmpty()) {
        return;
    }
    super.checkCanCreateTable(transactionId, identity, tableName);
}
/**
 * Applies the configured deny rule for {@code DROP_TABLE}, then falls back to the parent
 * check only when {@code denyPrivileges} is empty.
 *
 * @param transactionId transaction the check runs in
 * @param identity caller identity; its user name is matched against the deny rules
 * @param tableName table being dropped; its object name is matched against the deny rules
 */
@Override
public void checkCanDropTable(TransactionId transactionId, Identity identity, QualifiedObjectName tableName)
{
    String user = identity.getUser();
    String objectName = tableName.getObjectName();
    if (shouldDenyPrivilege(user, objectName, DROP_TABLE)) {
        // NOTE(review): presumably throws an access-denied exception; confirm against denyDropTable.
        denyDropTable(tableName.toString());
    }

    // While any deny rule is registered, the parent implementation is bypassed entirely.
    if (!denyPrivileges.isEmpty()) {
        return;
    }
    super.checkCanDropTable(transactionId, identity, tableName);
}
/**
 * Applies the configured deny rule for {@code ADD_COLUMN}, then always delegates to the
 * parent check.
 *
 * @param transactionId transaction the check runs in
 * @param identity caller identity; its user name is matched against the deny rules
 * @param tableName table being altered; its object name is matched against the deny rules
 */
@Override
public void checkCanAddColumns(TransactionId transactionId, Identity identity, QualifiedObjectName tableName)
{
    String user = identity.getUser();
    String objectName = tableName.getObjectName();
    if (shouldDenyPrivilege(user, objectName, ADD_COLUMN)) {
        // NOTE(review): presumably throws an access-denied exception; confirm against denyAddColumn.
        denyAddColumn(tableName.toString());
    }

    // NOTE(review): unlike checkCanCreateTable, checkCanDropTable and checkCanDeleteFromTable in this
    // listing, the delegation is not guarded by denyPrivileges.isEmpty(); confirm this is intended.
    super.checkCanAddColumns(transactionId, identity, tableName);
}
/**
 * Applies the configured deny rule for {@code DELETE_TABLE}, then falls back to the parent
 * check only when {@code denyPrivileges} is empty.
 *
 * @param transactionId transaction the check runs in
 * @param identity caller identity; its user name is matched against the deny rules
 * @param tableName table being deleted from; its object name is matched against the deny rules
 */
@Override
public void checkCanDeleteFromTable(TransactionId transactionId, Identity identity, QualifiedObjectName tableName)
{
    String user = identity.getUser();
    String objectName = tableName.getObjectName();
    if (shouldDenyPrivilege(user, objectName, DELETE_TABLE)) {
        // NOTE(review): presumably throws an access-denied exception; confirm against denyDeleteTable.
        denyDeleteTable(tableName.toString());
    }

    // While any deny rule is registered, the parent implementation is bypassed entirely.
    if (!denyPrivileges.isEmpty()) {
        return;
    }
    super.checkCanDeleteFromTable(transactionId, identity, tableName);
}