diff --git a/core/trino-spi/src/main/java/io/trino/spi/security/SystemAccessControl.java b/core/trino-spi/src/main/java/io/trino/spi/security/SystemAccessControl.java
index a6b15823f733..eb4a2f078411 100644
--- a/core/trino-spi/src/main/java/io/trino/spi/security/SystemAccessControl.java
+++ b/core/trino-spi/src/main/java/io/trino/spi/security/SystemAccessControl.java
@@ -191,18 +191,6 @@ default void checkCanWriteSystemInformation(Identity identity)
 denyWriteSystemInformationAccess();
 }
 
- /**
- * Check if identity is allowed to set the specified system property.
- *
- * @throws AccessDeniedException if not allowed
- * @deprecated use {@link #checkCanSetSystemSessionProperty(Identity, QueryId, String)}
- */
- @Deprecated
- default void checkCanSetSystemSessionProperty(Identity identity, String propertyName)
- {
- denySetSystemSessionProperty(propertyName);
- }
-
 /**
 * Check if identity is allowed to set the specified system property.
 *
@@ -210,7 +198,7 @@ default void checkCanSetSystemSessionProperty(Identity identity, String property
 */
 default void checkCanSetSystemSessionProperty(Identity identity, QueryId queryId, String propertyName)
 {
- checkCanSetSystemSessionProperty(identity, propertyName);
+ denySetSystemSessionProperty(propertyName);
 }
 
 /**
diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllSystemAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllSystemAccessControl.java
index 2dd71d12d01f..df6c76e4ab75 100644
--- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllSystemAccessControl.java
+++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllSystemAccessControl.java
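Review bot: With the delegation removed in the `-210,7` hunk, the three-argument default denies unconditionally, so an access-control implementation that still overrides only the removed two-argument overload would no longer be consulted for system session properties. Source built against the new SPI would fail on `@Override`, but a plugin jar built against the older SPI would presumably still load and then deny every such change; that fails closed, which is the safe direction, but it does so silently. The Javadoc on the remaining method could say so, for example `* The default implementation denies access; implementations must override this method to permit it.` The Javadoc block for this method starts in the previous hunk's context, and one line of it lies between the two hunks.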
@@ -95,9 +95,6 @@ public Collection filterViewQueryOwnedBy(Identity identity, Collection
 return queryOwners;
 }
 
- @Override
- public void checkCanSetSystemSessionProperty(Identity identity, String propertyName) {}
-
 @Override
 public void checkCanSetSystemSessionProperty(Identity identity, QueryId queryId, String propertyName) {}
 
diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedSystemAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedSystemAccessControl.java
index 00fe5f58cb8d..032242c02790 100644
--- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedSystemAccessControl.java
+++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedSystemAccessControl.java
@@ -380,7 +380,7 @@ private boolean checkCanSystemInformation(Identity identity, SystemInformationRu
 }
 
 @Override
- public void checkCanSetSystemSessionProperty(Identity identity, String propertyName)
+ public void checkCanSetSystemSessionProperty(Identity identity, QueryId queryId, String propertyName)
 {
 boolean allowed = sessionPropertyRules.stream()
 .map(rule -> rule.match(identity.getUser(), identity.getEnabledRoles(), identity.getGroups(), propertyName))
@@ -392,12 +392,6 @@ public void checkCanSetSystemSessionProperty(Identity identity, String propertyN
 }
 }
 
- @Override
- public void checkCanSetSystemSessionProperty(Identity identity, QueryId queryId, String propertyName)
- {
- checkCanSetSystemSessionProperty(identity, propertyName);
- }
-
 @Override
 public boolean canAccessCatalog(SystemSecurityContext context, String catalogName)
 {
diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingSystemAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingSystemAccessControl.java
index 9e1a62743408..8370b3b49ca9 100644
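Review bot: The new `queryId` parameter in the `-380,7` hunk of FileBasedSystemAccessControl is accepted but plays no part in the decision, since the visible rule match uses only the user, enabled roles, groups and property name. A reader auditing the access check has no way to tell whether that is deliberate, so a one-line comment at the top of the body would help: `// queryId is intentionally unused: session property rules match on user, roles, groups and property name only`. The same applies to the `-157,7` hunk in OpaAccessControl, where the visible part of the body builds the OPA query context from `identity` alone. Both method bodies continue past the end of their hunks, so any use of `queryId` further down is not visible here.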
--- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingSystemAccessControl.java
+++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingSystemAccessControl.java
@@ -107,12 +107,6 @@ public void checkCanKillQueryOwnedBy(Identity identity, Identity queryOwner)
 delegate().checkCanKillQueryOwnedBy(identity, queryOwner);
 }
 
- @Override
- public void checkCanSetSystemSessionProperty(Identity identity, String propertyName)
- {
- delegate().checkCanSetSystemSessionProperty(identity, propertyName);
- }
-
 @Override
 public void checkCanSetSystemSessionProperty(Identity identity, QueryId queryId, String propertyName)
 {
diff --git a/plugin/trino-opa/src/main/java/io/trino/plugin/opa/OpaAccessControl.java b/plugin/trino-opa/src/main/java/io/trino/plugin/opa/OpaAccessControl.java
index 5dfab1437655..a0b92afee640 100644
--- a/plugin/trino-opa/src/main/java/io/trino/plugin/opa/OpaAccessControl.java
+++ b/plugin/trino-opa/src/main/java/io/trino/plugin/opa/OpaAccessControl.java
@@ -157,7 +157,7 @@ public void checkCanWriteSystemInformation(Identity identity)
 }
 
 @Override
- public void checkCanSetSystemSessionProperty(Identity identity, String propertyName)
+ public void checkCanSetSystemSessionProperty(Identity identity, QueryId queryId, String propertyName)
 {
 opaHighLevelClient.queryAndEnforce(
 buildQueryContext(identity),
diff --git a/plugin/trino-opa/src/test/java/io/trino/plugin/opa/TestOpaAccessControl.java b/plugin/trino-opa/src/test/java/io/trino/plugin/opa/TestOpaAccessControl.java
index e9cb83025908..ad046a8f3a25 100644
--- a/plugin/trino-opa/src/test/java/io/trino/plugin/opa/TestOpaAccessControl.java
+++ b/plugin/trino-opa/src/test/java/io/trino/plugin/opa/TestOpaAccessControl.java
@@ -243,7 +243,7 @@ private void testIdentityResourceActions(
 @Test
 public void testStringResourceAction()
 {
- testStringResourceAction("SetSystemSessionProperty", "systemSessionProperty", (accessControl, systemSecurityContext, argument) -> accessControl.checkCanSetSystemSessionProperty(systemSecurityContext.getIdentity(), argument));
+ testStringResourceAction("SetSystemSessionProperty", "systemSessionProperty", (accessControl, systemSecurityContext, argument) -> accessControl.checkCanSetSystemSessionProperty(systemSecurityContext.getIdentity(), TEST_QUERY_ID, argument));
 testStringResourceAction("CreateCatalog", "catalog", OpaAccessControl::checkCanCreateCatalog);
 testStringResourceAction("DropCatalog", "catalog", OpaAccessControl::checkCanDropCatalog);
 testStringResourceAction("ShowSchemas", "catalog", OpaAccessControl::checkCanShowSchemas);