Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove deprecated access control functions #23244

Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -127,26 +127,14 @@ default void checkCanSetUser(Optional<Principal> principal, String userName)
denySetUser(principal, userName);
}

/**
* Checks if identity can execute a query.
*
* @throws AccessDeniedException if not allowed
* @deprecated use {@link #checkCanExecuteQuery(Identity, QueryId)}
*/
@Deprecated
default void checkCanExecuteQuery(Identity identity)
{
denyExecuteQuery();
}

/**
* Checks if identity can execute a query.
*
* @throws AccessDeniedException if not allowed
*/
default void checkCanExecuteQuery(Identity identity, QueryId queryId)
{
checkCanExecuteQuery(identity);
denyExecuteQuery();
}

/**
Expand Down Expand Up @@ -203,26 +191,14 @@ default void checkCanWriteSystemInformation(Identity identity)
denyWriteSystemInformationAccess();
}

/**
* Check if identity is allowed to set the specified system property.
*
* @throws AccessDeniedException if not allowed
* @deprecated use {@link #checkCanSetSystemSessionProperty(Identity, QueryId, String)}
*/
@Deprecated
default void checkCanSetSystemSessionProperty(Identity identity, String propertyName)
{
denySetSystemSessionProperty(propertyName);
}

/**
* Check if identity is allowed to set the specified system property.
*
* @throws AccessDeniedException if not allowed
*/
default void checkCanSetSystemSessionProperty(Identity identity, QueryId queryId, String propertyName)
{
checkCanSetSystemSessionProperty(identity, propertyName);
denySetSystemSessionProperty(propertyName);
}

/**
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -80,9 +80,6 @@ public void checkCanReadSystemInformation(Identity identity) {}
@Override
public void checkCanWriteSystemInformation(Identity identity) {}

@Override
public void checkCanExecuteQuery(Identity identity) {}

@Override
public void checkCanExecuteQuery(Identity identity, QueryId queryId) {}

Expand All @@ -98,9 +95,6 @@ public Collection<Identity> filterViewQueryOwnedBy(Identity identity, Collection
return queryOwners;
}

@Override
public void checkCanSetSystemSessionProperty(Identity identity, String propertyName) {}

@Override
public void checkCanSetSystemSessionProperty(Identity identity, QueryId queryId, String propertyName) {}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -304,19 +304,13 @@ public void checkCanSetUser(Optional<Principal> principal, String userName)
}

@Override
public void checkCanExecuteQuery(Identity identity)
public void checkCanExecuteQuery(Identity identity, QueryId queryId)
{
if (!canAccessQuery(identity, Optional.empty(), QueryAccessRule.AccessMode.EXECUTE)) {
denyExecuteQuery();
}
}

@Override
public void checkCanExecuteQuery(Identity identity, QueryId queryId)
{
checkCanExecuteQuery(identity);
}

@Override
public void checkCanViewQueryOwnedBy(Identity identity, Identity queryOwner)
{
Expand Down Expand Up @@ -386,7 +380,7 @@ private boolean checkCanSystemInformation(Identity identity, SystemInformationRu
}

@Override
public void checkCanSetSystemSessionProperty(Identity identity, String propertyName)
public void checkCanSetSystemSessionProperty(Identity identity, QueryId queryId, String propertyName)
{
boolean allowed = sessionPropertyRules.stream()
.map(rule -> rule.match(identity.getUser(), identity.getEnabledRoles(), identity.getGroups(), propertyName))
Expand All @@ -398,12 +392,6 @@ public void checkCanSetSystemSessionProperty(Identity identity, String propertyN
}
}

@Override
public void checkCanSetSystemSessionProperty(Identity identity, QueryId queryId, String propertyName)
{
checkCanSetSystemSessionProperty(identity, propertyName);
}

@Override
public boolean canAccessCatalog(SystemSecurityContext context, String catalogName)
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -83,12 +83,6 @@ public void checkCanWriteSystemInformation(Identity identity)
delegate().checkCanWriteSystemInformation(identity);
}

@Override
public void checkCanExecuteQuery(Identity identity)
{
delegate().checkCanExecuteQuery(identity);
}

@Override
public void checkCanExecuteQuery(Identity identity, QueryId queryId)
{
Expand All @@ -113,12 +107,6 @@ public void checkCanKillQueryOwnedBy(Identity identity, Identity queryOwner)
delegate().checkCanKillQueryOwnedBy(identity, queryOwner);
}

@Override
public void checkCanSetSystemSessionProperty(Identity identity, String propertyName)
{
delegate().checkCanSetSystemSessionProperty(identity, propertyName);
}

@Override
public void checkCanSetSystemSessionProperty(Identity identity, QueryId queryId, String propertyName)
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@
import io.trino.plugin.opa.schema.TrinoSchema;
import io.trino.plugin.opa.schema.TrinoTable;
import io.trino.plugin.opa.schema.TrinoUser;
import io.trino.spi.QueryId;
import io.trino.spi.connector.CatalogSchemaName;
import io.trino.spi.connector.CatalogSchemaRoutineName;
import io.trino.spi.connector.CatalogSchemaTableName;
Expand Down Expand Up @@ -115,7 +116,7 @@ public void checkCanSetUser(Optional<Principal> principal, String userName)
{}

@Override
public void checkCanExecuteQuery(Identity identity)
public void checkCanExecuteQuery(Identity identity, QueryId queryId)
{
opaHighLevelClient.queryAndEnforce(buildQueryContext(identity), "ExecuteQuery", AccessDeniedException::denyExecuteQuery);
}
Expand Down Expand Up @@ -156,7 +157,7 @@ public void checkCanWriteSystemInformation(Identity identity)
}

@Override
public void checkCanSetSystemSessionProperty(Identity identity, String propertyName)
public void checkCanSetSystemSessionProperty(Identity identity, QueryId queryId, String propertyName)
{
opaHighLevelClient.queryAndEnforce(
buildQueryContext(identity),
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@
import io.opentelemetry.api.OpenTelemetry;
import io.opentelemetry.api.trace.Tracer;
import io.trino.execution.QueryIdGenerator;
import io.trino.spi.QueryId;
import io.trino.spi.connector.CatalogSchemaTableName;
import io.trino.spi.security.Identity;
import io.trino.spi.security.SystemAccessControlFactory;
Expand Down Expand Up @@ -59,6 +60,7 @@ private TestConstants() {}
public static final URI OPA_ROW_FILTERING_URI = URI.create("http://my-row-filtering-uri/");
public static final URI OPA_COLUMN_MASKING_URI = URI.create("http://my-column-masking-uri/");
public static final Identity TEST_IDENTITY = Identity.forUser("source-user").withGroups(ImmutableSet.of("some-group")).build();
public static final QueryId TEST_QUERY_ID = QueryId.valueOf("abcde");
public static final SystemSecurityContext TEST_SECURITY_CONTEXT = new SystemSecurityContext(TEST_IDENTITY, new QueryIdGenerator().createNextQueryId(), Instant.now());
public static final CatalogSchemaTableName TEST_COLUMN_MASKING_TABLE_NAME = new CatalogSchemaTableName("some_catalog", "some_schema", "some_table");

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,7 @@
import static io.trino.plugin.opa.TestConstants.SERVER_ERROR_RESPONSE;
import static io.trino.plugin.opa.TestConstants.TEST_COLUMN_MASKING_TABLE_NAME;
import static io.trino.plugin.opa.TestConstants.TEST_IDENTITY;
import static io.trino.plugin.opa.TestConstants.TEST_QUERY_ID;
import static io.trino.plugin.opa.TestConstants.TEST_SECURITY_CONTEXT;
import static io.trino.plugin.opa.TestConstants.UNDEFINED_RESPONSE;
import static io.trino.plugin.opa.TestConstants.columnMaskingOpaConfig;
Expand Down Expand Up @@ -93,13 +94,13 @@ public void testResponseHasExtraFields()
}\
"""));
OpaAccessControl authorizer = createOpaAuthorizer(simpleOpaConfig(), mockClient);
authorizer.checkCanExecuteQuery(TEST_IDENTITY);
authorizer.checkCanExecuteQuery(TEST_IDENTITY, TEST_QUERY_ID);
}

@Test
public void testNoResourceAction()
{
testNoResourceAction("ExecuteQuery", OpaAccessControl::checkCanExecuteQuery);
testNoResourceAction("ExecuteQuery", (opaAccessControl, identity) -> opaAccessControl.checkCanExecuteQuery(identity, TEST_QUERY_ID));
testNoResourceAction("ReadSystemInformation", OpaAccessControl::checkCanReadSystemInformation);
testNoResourceAction("WriteSystemInformation", OpaAccessControl::checkCanWriteSystemInformation);
}
Expand Down Expand Up @@ -242,7 +243,7 @@ private void testIdentityResourceActions(
@Test
public void testStringResourceAction()
{
testStringResourceAction("SetSystemSessionProperty", "systemSessionProperty", (accessControl, systemSecurityContext, argument) -> accessControl.checkCanSetSystemSessionProperty(systemSecurityContext.getIdentity(), argument));
testStringResourceAction("SetSystemSessionProperty", "systemSessionProperty", (accessControl, systemSecurityContext, argument) -> accessControl.checkCanSetSystemSessionProperty(systemSecurityContext.getIdentity(), TEST_QUERY_ID, argument));
testStringResourceAction("CreateCatalog", "catalog", OpaAccessControl::checkCanCreateCatalog);
testStringResourceAction("DropCatalog", "catalog", OpaAccessControl::checkCanDropCatalog);
testStringResourceAction("ShowSchemas", "catalog", OpaAccessControl::checkCanShowSchemas);
Expand Down Expand Up @@ -665,7 +666,7 @@ private void testRequestContextContentsForGivenTrinoVersion(Optional<SystemAcces
accessControlContext);
Identity sampleIdentityWithGroups = Identity.forUser("test_user").withGroups(ImmutableSet.of("some_group")).build();

authorizer.checkCanExecuteQuery(sampleIdentityWithGroups);
authorizer.checkCanExecuteQuery(sampleIdentityWithGroups, TEST_QUERY_ID);

String expectedRequest =
"""
Expand Down
Loading