/**
 * Checks that {@code filterCatalogs} returns, for each test identity, exactly the catalog set
 * this test expects under the rules loaded from {@code catalog.json}.
 *
 * <p>The comparison is set equality, so a catalog that leaks through the filter fails the test
 * just as a missing one does.
 */
@Test
public void testCatalogOperations()
{
    TransactionManager txManager = createTestTransactionManager();
    AccessControlManager accessControl = newAccessControlManager(txManager, "catalog.json");

    transaction(txManager, accessControl)
            .execute(txId -> {
                // admin: the filter is expected to remove nothing
                assertEquals(accessControl.filterCatalogs(admin, allCatalogs), allCatalogs);

                // alice: the shared catalogs plus her own
                Set<String> visibleToAlice = ImmutableSet.of("open-to-all", "alice-catalog", "all-allowed");
                assertEquals(accessControl.filterCatalogs(alice, allCatalogs), visibleToAlice);

                // bob: only the shared catalogs; "alice-catalog" must not appear
                Set<String> visibleToBob = ImmutableSet.of("open-to-all", "all-allowed");
                assertEquals(accessControl.filterCatalogs(bob, allCatalogs), visibleToBob);

                // user with a non-ASCII name: the shared catalogs plus one whose name is non-ASCII
                Set<String> visibleToNonAsciiUser = ImmutableSet.of("open-to-all", "all-allowed", "\u0200\u0200\u0200");
                assertEquals(accessControl.filterCatalogs(nonAsciiUser, allCatalogs), visibleToNonAsciiUser);
            });
}
/**
 * Exercises schema-level checks against the rules loaded from {@code catalog.json}.
 *
 * <p>alice is expected to see the schema in {@code alice-catalog} and to pass the create, drop,
 * rename and show checks. bob is expected to see no schemas there and to be denied schema
 * creation.
 *
 * <p>NOTE(review): the only denial asserted for bob is {@code checkCanCreateSchema}; drop,
 * rename and show are not asserted to be denied in this method.
 */
@Test
public void testSchemaOperations()
{
    TransactionManager txManager = createTestTransactionManager();
    AccessControlManager accessControl = newAccessControlManager(txManager, "catalog.json");

    transaction(txManager, accessControl)
            .execute(txId -> {
                Set<String> schemas = ImmutableSet.of("schema");

                // Same input set, two identities: alice keeps it, bob gets nothing back.
                assertEquals(accessControl.filterSchemas(txId, alice, "alice-catalog", schemas), schemas);
                assertEquals(accessControl.filterSchemas(txId, bob, "alice-catalog", schemas), ImmutableSet.of());

                // Each call below throws on denial, which would fail the test.
                accessControl.checkCanCreateSchema(txId, alice, aliceSchema);
                accessControl.checkCanDropSchema(txId, alice, aliceSchema);
                accessControl.checkCanRenameSchema(txId, alice, aliceSchema, "new-schema");
                accessControl.checkCanShowSchemas(txId, alice, "alice-catalog");
            });

    // Negative case, run in its own transaction: bob must not create alice's schema.
    assertThrows(AccessDeniedException.class, () -> {
        transaction(txManager, accessControl).execute(txId -> {
            accessControl.checkCanCreateSchema(txId, bob, aliceSchema);
        });
    });
}
/**
 * Exercises table-level checks against the rules loaded from {@code catalog.json}.
 *
 * <p>alice is expected to see the table in {@code alice-catalog} and to pass the create, drop,
 * select, insert, delete, add-column and rename-column checks. bob is expected to see no tables
 * there and to be denied table creation.
 *
 * <p>NOTE(review): the select check is called with an empty column set, so this method does not
 * exercise any per-column decision. The only denial asserted for bob is
 * {@code checkCanCreateTable}.
 */
@Test
public void testTableOperations()
{
    TransactionManager txManager = createTestTransactionManager();
    AccessControlManager accessControl = newAccessControlManager(txManager, "catalog.json");

    transaction(txManager, accessControl)
            .execute(txId -> {
                Set<SchemaTableName> tables = ImmutableSet.of(new SchemaTableName("schema", "table"));

                // Same input set, two identities: alice keeps it, bob gets nothing back.
                assertEquals(accessControl.filterTables(txId, alice, "alice-catalog", tables), tables);
                assertEquals(accessControl.filterTables(txId, bob, "alice-catalog", tables), ImmutableSet.of());

                // Each call below throws on denial, which would fail the test.
                accessControl.checkCanCreateTable(txId, alice, aliceTable);
                accessControl.checkCanDropTable(txId, alice, aliceTable);
                accessControl.checkCanSelectFromColumns(txId, alice, aliceTable, ImmutableSet.of());
                accessControl.checkCanInsertIntoTable(txId, alice, aliceTable);
                accessControl.checkCanDeleteFromTable(txId, alice, aliceTable);
                accessControl.checkCanAddColumns(txId, alice, aliceTable);
                accessControl.checkCanRenameColumn(txId, alice, aliceTable);
            });

    // Negative case, run in its own transaction: bob must not create alice's table.
    assertThrows(AccessDeniedException.class, () -> {
        transaction(txManager, accessControl).execute(txId -> {
            accessControl.checkCanCreateTable(txId, bob, aliceTable);
        });
    });
}
/**
 * Exercises view-level checks against the rules loaded from {@code catalog.json}.
 *
 * <p>alice is expected to pass the view create, drop, select and create-view-with-select checks.
 * The same transaction also runs the catalog session property check and the table privilege
 * grant and revoke checks for alice. bob is expected to be denied view creation.
 *
 * <p>NOTE(review): the only denial asserted for bob is {@code checkCanCreateView}; the grant,
 * revoke and session-property checks have no negative counterpart in this method.
 */
@Test
public void testViewOperations()
{
    TransactionManager txManager = createTestTransactionManager();
    AccessControlManager accessControl = newAccessControlManager(txManager, "catalog.json");

    transaction(txManager, accessControl)
            .execute(txId -> {
                // View lifecycle and reads; each call throws on denial.
                accessControl.checkCanCreateView(txId, alice, aliceView);
                accessControl.checkCanDropView(txId, alice, aliceView);
                accessControl.checkCanSelectFromColumns(txId, alice, aliceView, ImmutableSet.of());

                // Creating a view that selects from a table, then from another view.
                accessControl.checkCanCreateViewWithSelectFromColumns(txId, alice, aliceTable, ImmutableSet.of());
                accessControl.checkCanCreateViewWithSelectFromColumns(txId, alice, aliceView, ImmutableSet.of());

                // Checks that are not view-specific but are covered in this method.
                accessControl.checkCanSetCatalogSessionProperty(txId, alice, "alice-catalog", "property");
                accessControl.checkCanGrantTablePrivilege(txId, alice, SELECT, aliceTable, "grantee", true);
                accessControl.checkCanRevokeTablePrivilege(txId, alice, SELECT, aliceTable, "revokee", true);
            });

    // Negative case, run in its own transaction: bob must not create alice's view.
    assertThrows(AccessDeniedException.class, () -> {
        transaction(txManager, accessControl).execute(txId -> {
            accessControl.checkCanCreateView(txId, bob, aliceView);
        });
    });
}
// Two managers are built over the same transaction manager from different rule files:
// catalog_principal.json and catalog.json.
AccessControlManager accessControlManager = newAccessControlManager(transactionManager, "catalog_principal.json");
// NOTE(review): the variable name suggests catalog.json defines no principal-to-user match
// patterns; confirm against the resource file.
AccessControlManager accessControlManagerNoPatterns = newAccessControlManager(transactionManager, "catalog.json");
// The set-user check runs against the manager loaded from catalog.json, with the principal and
// user name both taken from kerberosValidAlice. The call is not wrapped in assertThrows, so it is
// expected to return without throwing.
// NOTE(review): presumably this pins the behaviour when no principal rules are configured;
// accessControlManager is not used in the lines visible here.
accessControlManagerNoPatterns.checkCanSetUser(kerberosValidAlice.getPrincipal(), kerberosValidAlice.getUser());