diff --git a/plugin-trino/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java b/plugin-trino/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java
index c440bf394b..6e0b8263a9 100644
--- a/plugin-trino/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java
+++ b/plugin-trino/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java
@@ -23,6 +23,7 @@
 import io.trino.spi.connector.CatalogSchemaTableName;
 import io.trino.spi.connector.SchemaTableName;
 import io.trino.spi.security.AccessDeniedException;
+import io.trino.spi.security.Identity;
 import io.trino.spi.security.TrinoPrincipal;
 import io.trino.spi.security.Privilege;
 import io.trino.spi.security.SystemAccessControl;
@@ -49,6 +50,7 @@
 import java.security.Principal;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collection;
 import java.util.Date;
 import java.util.HashSet;
 import java.util.List;
@@ -158,7 +160,6 @@ private boolean isRowFilterEnabled(RangerAccessResult result) {
 return result != null && result.isRowFilterEnabled();
 }
- @Override
 public Optional getRowFilter(SystemSecurityContext context, CatalogSchemaTableName tableName) {
 RangerTrinoAccessRequest request = createAccessRequest(createResource(tableName), context, TrinoAccessType.SELECT);
 RangerAccessResult result = getRowFilterResult(request);
@@ -166,12 +167,12 @@ public Optional getRowFilter(SystemSecurityContext context, Cata
 ViewExpression viewExpression = null;
 if (isRowFilterEnabled(result)) {
 String filter = result.getFilterExpr();
- viewExpression = new ViewExpression(
- context.getIdentity().getUser(),
- Optional.of(tableName.getCatalogName()),
- Optional.of(tableName.getSchemaTableName().getSchemaName()),
- filter
- );
+ viewExpression = ViewExpression.builder()
+ .identity(context.getIdentity().getUser())
+ .catalog(tableName.getCatalogName())
+ .schema(tableName.getSchemaTableName().getSchemaName())
+ .expression(filter)
+ .build();
 }
 return Optional.ofNullable(viewExpression);
 }
@@ -215,12 +216,13 @@ public Optional getColumnMask(SystemSecurityContext context, Cat
 transformer = transformer.replace("{col}", columnName).replace("{type}", type.getDisplayName());
 }
- viewExpression = new ViewExpression(
- context.getIdentity().getUser(),
- Optional.of(tableName.getCatalogName()),
- Optional.of(tableName.getSchemaTableName().getSchemaName()),
- transformer
- );
+ viewExpression = ViewExpression.builder()
+ .identity(context.getIdentity().getUser())
+ .catalog(tableName.getCatalogName())
+ .schema(tableName.getSchemaTableName().getSchemaName())
+ .expression(transformer)
+ .build();
+
 if (LOG.isDebugEnabled()) {
 LOG.debug("getColumnMask: user: %s, catalog: %s, schema: %s, transformer: %s");
 }
@@ -230,11 +232,6 @@ public Optional getColumnMask(SystemSecurityContext context, Cat
 return Optional.ofNullable(viewExpression);
 }
- @Override
- public List getColumnMasks(SystemSecurityContext context, CatalogSchemaTableName tableName, String columnName, Type type) {
- return getColumnMask(context, tableName, columnName, type).map(ImmutableList::of).orElseGet(ImmutableList::of);
- }
-
 @Override
 public Set filterCatalogs(SystemSecurityContext context, Set catalogs) {
 LOG.debug("==> RangerSystemAccessControl.filterCatalogs("+ catalogs + ")");
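Review bot: In the `getColumnMask` hunk, `transformer.replace("{col}", columnName)` inserts the column name into the mask text unquoted, and the result is passed straight to `.expression(transformer)`. A column whose name needs a delimited identifier (spaces, mixed case, a reserved word) would give a mask that fails to parse or names something other than the column; whether policy authors are expected to add the quoting themselves is not visible here. Consider substituting a quoted identifier, `"\"" + columnName.replace("\"", "\"\"") + "\""`, or documenting that policies must quote `{col}` (the existing test expectation `cast cast_me as varchar(20)` would change with the first option). The debug call in the same hunk passes a `%s` template with no arguments, so it logs the placeholders literally. `getColumnMask` starts above this hunk.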
@@ -277,18 +274,18 @@ public Set filterTables(SystemSecurityContext context, String c
 /** SYSTEM **/
 @Override
- public void checkCanSetSystemSessionProperty(SystemSecurityContext context, String propertyName) {
- if (!hasPermission(createSystemPropertyResource(propertyName), context, TrinoAccessType.ALTER)) {
+ public void checkCanSetSystemSessionProperty(Identity identity, String propertyName) {
+ if (!hasPermissionWithIdentity(createSystemPropertyResource(propertyName), identity, TrinoAccessType.ALTER)) {
 LOG.debug("RangerSystemAccessControl.checkCanSetSystemSessionProperty denied");
 AccessDeniedException.denySetSystemSessionProperty(propertyName);
 }
 }
 @Override
- public void checkCanImpersonateUser(SystemSecurityContext context, String userName) {
- if (!hasPermission(createUserResource(userName), context, TrinoAccessType.IMPERSONATE)) {
+ public void checkCanImpersonateUser(Identity identity, String userName) {
+ if (!hasPermissionWithIdentity(createUserResource(userName), identity, TrinoAccessType.IMPERSONATE)) {
 LOG.debug("RangerSystemAccessControl.checkCanImpersonateUser(" + userName + ") denied");
- AccessDeniedException.denyImpersonateUser(context.getIdentity().getUser(), userName);
+ AccessDeniedException.denyImpersonateUser(identity.getUser(), userName);
 }
 }
@@ -301,7 +298,7 @@ public void checkCanSetUser(Optional principal, String userName) {
 @Override
 public void checkCanSetCatalogSessionProperty(SystemSecurityContext context, String catalogName, String propertyName) {
 if (!hasPermission(createCatalogSessionResource(catalogName, propertyName), context, TrinoAccessType.ALTER)) {
- LOG.debug("RangerSystemAccessControl.checkCanSetSystemSessionProperty(" + catalogName + ") denied");
+ LOG.debug("RangerSystemAccessControl.checkCanSetCatalogSessionProperty(" + catalogName + ") denied");
 AccessDeniedException.denySetCatalogSessionProperty(catalogName, propertyName);
 }
 }
@@ -322,11 +319,8 @@ public void checkCanShowRoleGrants(SystemSecurityContext context) {
 }
 @Override
- public void checkCanAccessCatalog(SystemSecurityContext context, String catalogName) {
- if (!hasPermission(createResource(catalogName), context, TrinoAccessType.USE)) {
- LOG.debug("RangerSystemAccessControl.checkCanAccessCatalog(" + catalogName + ") denied");
- AccessDeniedException.denyCatalogAccess(catalogName);
- }
+ public boolean canAccessCatalog(SystemSecurityContext context, String catalogName) {
+ return hasPermission(createResource(catalogName), context, TrinoAccessType.USE);
 }
 @Override
@@ -360,7 +354,7 @@ public void checkCanShowCreateSchema(SystemSecurityContext context, CatalogSchem
 * to create a schema when you have create rights on the catalog level
 */
 @Override
- public void checkCanCreateSchema(SystemSecurityContext context, CatalogSchemaName schema) {
+ public void checkCanCreateSchema(SystemSecurityContext context, CatalogSchemaName schema, Map properties) {
 if (!hasPermission(createResource(schema.getCatalogName()), context, TrinoAccessType.CREATE)) {
 LOG.debug("RangerSystemAccessControl.checkCanCreateSchema(" + schema.getSchemaName() + ") denied");
 AccessDeniedException.denyCreateSchema(schema.getSchemaName());
@@ -645,17 +639,16 @@ public Set filterColumns(SystemSecurityContext context, CatalogSchemaTab
 /**
 * This is a NOOP. Everyone can execute a query
- * @param context
 */
 @Override
- public void checkCanExecuteQuery(SystemSecurityContext context) {
+ public void checkCanExecuteQuery(Identity identity) {
 }
 @Override
- public void checkCanViewQueryOwnedBy(SystemSecurityContext context, String queryOwner) {
- if (!hasPermission(createUserResource(queryOwner), context, TrinoAccessType.IMPERSONATE)) {
- LOG.debug("RangerSystemAccessControl.checkCanViewQueryOwnedBy(" + queryOwner + ") denied");
- AccessDeniedException.denyImpersonateUser(context.getIdentity().getUser(), queryOwner);
+ public void checkCanViewQueryOwnedBy(Identity identity, Identity queryOwner) {
+ if (!hasPermissionWithIdentity(createUserResource(queryOwner.getUser()), identity, TrinoAccessType.IMPERSONATE)) {
+ LOG.debug("RangerSystemAccessControl.checkCanViewQueryOwnedBy(" + queryOwner.getUser() + ") denied");
+ AccessDeniedException.denyImpersonateUser(identity.getUser(), queryOwner.getUser());
 }
 }
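Review bot: `checkCanViewQueryOwnedBy` rejects with `AccessDeniedException.denyImpersonateUser(identity.getUser(), queryOwner.getUser())`, so a caller who may not view a query is told they cannot impersonate its owner. The SPI has `AccessDeniedException.denyViewQuery()` for this case, and `denyKillQuery()` for `checkCanKillQueryOwnedBy` in the next hunk, which has the same pattern; using them keeps the error message and any log triage accurate. If reusing `TrinoAccessType.IMPERSONATE` as the permission for viewing and killing queries is deliberate, a one-line comment saying so would help policy authors. Note also that `filterViewQueryOwnedBy` in the next hunk returns `queryOwners` unfiltered, so query listings are not narrowed by this check.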
@@ -663,40 +656,29 @@ public void checkCanViewQueryOwnedBy(SystemSecurityContext context, String query
 * This is a NOOP, no filtering is applied
 */
 @Override
- public Set filterViewQueryOwnedBy(SystemSecurityContext context, Set queryOwners) {
+ public Collection filterViewQueryOwnedBy(Identity identity, Collection queryOwners) {
 return queryOwners;
 }
 @Override
- public void checkCanKillQueryOwnedBy(SystemSecurityContext context, String queryOwner) {
- if (!hasPermission(createUserResource(queryOwner), context, TrinoAccessType.IMPERSONATE)) {
- LOG.debug("RangerSystemAccessControl.checkCanKillQueryOwnedBy(" + queryOwner + ") denied");
- AccessDeniedException.denyImpersonateUser(context.getIdentity().getUser(), queryOwner);
+ public void checkCanKillQueryOwnedBy(Identity identity, Identity queryOwner) {
+ if (!hasPermissionWithIdentity(createUserResource(queryOwner.getUser()), identity, TrinoAccessType.IMPERSONATE)) {
+ LOG.debug("RangerSystemAccessControl.checkCanKillQueryOwnedBy(" + queryOwner.getUser() + ") denied");
+ AccessDeniedException.denyImpersonateUser(identity.getUser(), queryOwner.getUser());
 }
 }
 /** FUNCTIONS **/
 @Override
- public void checkCanGrantExecuteFunctionPrivilege(SystemSecurityContext context, String function, TrinoPrincipal grantee, boolean grantOption) {
- if (!hasPermission(createFunctionResource(function), context, TrinoAccessType.GRANT)) {
- LOG.debug("RangerSystemAccessControl.checkCanGrantExecuteFunctionPrivilege(" + function + ") denied");
- AccessDeniedException.denyGrantExecuteFunctionPrivilege(function, context.getIdentity(), grantee.getName());
- }
- }
-
- @Override
- public void checkCanExecuteFunction(SystemSecurityContext context, String function) {
- if (!hasPermission(createFunctionResource(function), context, TrinoAccessType.EXECUTE)) {
- LOG.debug("RangerSystemAccessControl.checkCanExecuteFunction(" + function + ") denied");
- AccessDeniedException.denyExecuteFunction(function);
- }
+ public boolean
canExecuteFunction(SystemSecurityContext systemSecurityContext, CatalogSchemaRoutineName functionName) {
+ return hasPermission(createFunctionResource(functionName.getRoutineName()), systemSecurityContext, TrinoAccessType.EXECUTE);
 }
 /** PROCEDURES **/
 @Override
 public void checkCanExecuteProcedure(SystemSecurityContext context, CatalogSchemaRoutineName procedure) {
 if (!hasPermission(createProcedureResource(procedure), context, TrinoAccessType.EXECUTE)) {
- LOG.debug("RangerSystemAccessControl.checkCanExecuteFunction(" + procedure.getSchemaRoutineName().getRoutineName() + ") denied");
+ LOG.debug("RangerSystemAccessControl.checkCanExecuteProcedure(" + procedure.getSchemaRoutineName().getRoutineName() + ") denied");
 AccessDeniedException.denyExecuteProcedure(procedure.getSchemaRoutineName().getRoutineName());
 }
 }
@@ -705,7 +687,7 @@ public void checkCanExecuteProcedure(SystemSecurityContext context, CatalogSchem
 public void checkCanExecuteTableProcedure(SystemSecurityContext context, CatalogSchemaTableName catalogSchemaTableName, String procedure) {
 if (!hasPermission(createResource(catalogSchemaTableName), context, TrinoAccessType.ALTER)) {
- LOG.debug("RangerSystemAccessControl.checkCanExecuteFunction(" + procedure + ") denied");
+ LOG.debug("RangerSystemAccessControl.checkCanExecuteTableProcedure(" + procedure + ") denied");
 AccessDeniedException.denyExecuteTableProcedure(catalogSchemaTableName.toString(),procedure);
 }
 }
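Review bot: `canExecuteFunction` builds its Ranger resource from `functionName.getRoutineName()` alone, so the catalog and schema carried by the `CatalogSchemaRoutineName` take no part in the decision and two functions with the same name in different schemas fall under one policy. `checkCanExecuteProcedure` just below passes the whole `CatalogSchemaRoutineName` to `createProcedureResource`; building the function resource the same way would keep the two consistent, though `createFunctionResource` is outside this diff and would need an overload. The boolean form also drops the debug line the old method wrote on denial; if those traces are relied on, log `"RangerSystemAccessControl.canExecuteFunction(" + functionName + ") denied"` before returning false.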
@@ -713,10 +695,14 @@ public void checkCanExecuteTableProcedure(SystemSecurityContext context, Catalog
 /** HELPER FUNCTIONS **/
 private RangerTrinoAccessRequest createAccessRequest(RangerTrinoResource resource, SystemSecurityContext context, TrinoAccessType accessType) {
+ return createAccessRequestWithIdentity(resource, context.getIdentity(), accessType);
+ }
+
+ private RangerTrinoAccessRequest createAccessRequestWithIdentity(RangerTrinoResource resource, Identity identity, TrinoAccessType accessType) {
 Set userGroups = null;
 if (useUgi) {
- UserGroupInformation ugi = UserGroupInformation.createRemoteUser(context.getIdentity().getUser());
+ UserGroupInformation ugi = UserGroupInformation.createRemoteUser(identity.getUser());
 String[] groups = ugi != null ? ugi.getGroupNames() : null;
@@ -724,12 +710,12 @@ private RangerTrinoAccessRequest createAccessRequest(RangerTrinoResource resourc
 userGroups = new HashSet<>(Arrays.asList(groups));
 }
 } else {
- userGroups = context.getIdentity().getGroups();
+ userGroups = identity.getGroups();
 }
 RangerTrinoAccessRequest request = new RangerTrinoAccessRequest(
 resource,
- context.getIdentity().getUser(),
+ identity.getUser(),
 userGroups,
 accessType
 );
@@ -750,6 +736,19 @@ private boolean hasPermission(RangerTrinoResource resource, SystemSecurityContex
 return ret;
 }
+ private boolean hasPermissionWithIdentity(RangerTrinoResource resource, Identity identity, TrinoAccessType accessType) {
+ boolean ret = false;
+
+ RangerTrinoAccessRequest request = createAccessRequestWithIdentity(resource, identity, accessType);
+
+ RangerAccessResult result = rangerPlugin.isAccessAllowed(request);
+ if (result != null && result.getIsAllowed()) {
+ ret = true;
+ }
+
+ return ret;
+ }
+
 private static RangerTrinoResource createUserResource(String userName) {
 RangerTrinoResource res = new RangerTrinoResource();
 res.setValue(RangerTrinoResource.KEY_USER, userName);
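Review bot: `hasPermissionWithIdentity` in the last hunk appears to repeat the allow/deny logic of `hasPermission`, whose body lies above the hunk (only its `return ret;` is visible), which leaves two copies of the authorization decision that can drift apart. This commit already turns `createAccessRequest` into a one-line delegate; doing the same here, `return hasPermissionWithIdentity(resource, context.getIdentity(), accessType);` inside `hasPermission`, keeps the `result != null && result.getIsAllowed()` test in one place. A short comment on the helper stating that a null result is treated as a denial would document the fail-closed default.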
diff --git a/plugin-trino/src/test/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControlTest.java b/plugin-trino/src/test/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControlTest.java
index eda87db4ea..d7373ae70b 100644
--- a/plugin-trino/src/test/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControlTest.java
+++ b/plugin-trino/src/test/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControlTest.java
@@ -18,6 +18,7 @@
 package org.apache.ranger.authorization.trino.authorizer;
 import com.google.common.collect.ImmutableSet;
+import io.trino.spi.QueryId;
 import io.trino.spi.connector.CatalogSchemaName;
 import io.trino.spi.connector.CatalogSchemaRoutineName;
 import io.trino.spi.connector.CatalogSchemaTableName;
@@ -37,11 +38,13 @@
 import org.junit.Test;
 import javax.security.auth.kerberos.KerberosPrincipal;
+import java.util.Collection;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
+import java.time.Instant;
 public class RangerSystemAccessControlTest {
 static RangerSystemAccessControl accessControlManager = null;
@@ -56,14 +59,17 @@ public class RangerSystemAccessControlTest {
 //private static final Identity nonAsciiUser = Identity.ofUser("\u0194\u0194\u0194");
 private static final Set allCatalogs = ImmutableSet.of("open-to-all", "all-allowed", "alice-catalog");
- private static final Set queryOwners = ImmutableSet.of("bob", "alice", "frank");
+ private static final Collection queryOwners = ImmutableSet.of(Identity.ofUser("bob"), Identity.ofUser("alice"), Identity.ofUser("frank"));
 private static final String aliceCatalog = "alice-catalog";
 private static final CatalogSchemaName aliceSchema = new CatalogSchemaName("alice-catalog", "schema");
 private static final CatalogSchemaTableName aliceTable = new CatalogSchemaTableName("alice-catalog", "schema","table");
 private static final CatalogSchemaTableName aliceView = new CatalogSchemaTableName("alice-catalog", "schema","view");
 private static final CatalogSchemaRoutineName aliceProcedure = new CatalogSchemaRoutineName("alice-catalog", "schema", "procedure");
- private static final String functionName = new String("function");
+ private static final CatalogSchemaRoutineName bobFunction = new CatalogSchemaRoutineName("alice-catalog", "default", "function");
+
+ private static final QueryId queryId = new QueryId("test_query");
+ private static final Instant queryStart = Instant.now();
 @BeforeClass
 public static void setUpBeforeClass() throws Exception {
@@ -75,16 +81,16 @@ public static void setUpBeforeClass() throws Exception {
 @SuppressWarnings("PMD")
 public void testCanSetUserOperations() {
 try {
- accessControlManager.checkCanImpersonateUser(context(alice), bob.getUser());
+ accessControlManager.checkCanImpersonateUser(context(alice).getIdentity(), bob.getUser());
 throw new AssertionError("expected AccessDeniedExeption");
 }
 catch (AccessDeniedException expected) {
 }
- accessControlManager.checkCanImpersonateUser(context(admin), bob.getUser());
+ accessControlManager.checkCanImpersonateUser(context(admin).getIdentity(), bob.getUser());
 try {
- accessControlManager.checkCanImpersonateUser(context(kerberosInvalidAlice), bob.getUser());
+ accessControlManager.checkCanImpersonateUser(context(kerberosInvalidAlice).getIdentity(), bob.getUser());
 throw new AssertionError("expected AccessDeniedExeption");
 }
 catch (AccessDeniedException expected) {
@@ -111,13 +117,13 @@ public void testSchemaOperations()
 assertEquals(accessControlManager.filterSchemas(context(alice), aliceCatalog, aliceSchemas), aliceSchemas);
 assertEquals(accessControlManager.filterSchemas(context(bob), "alice-catalog", aliceSchemas), ImmutableSet.of());
- accessControlManager.checkCanCreateSchema(context(alice), aliceSchema);
+ accessControlManager.checkCanCreateSchema(context(alice), aliceSchema, Map.of());
 accessControlManager.checkCanDropSchema(context(alice), aliceSchema);
 accessControlManager.checkCanRenameSchema(context(alice), aliceSchema, "new-schema");
 accessControlManager.checkCanShowSchemas(context(alice), aliceCatalog);
 try {
- accessControlManager.checkCanCreateSchema(context(bob), aliceSchema);
+ accessControlManager.checkCanCreateSchema(context(bob), aliceSchema, Map.of());
 } catch (AccessDeniedException expected) { }
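Review bot: The negative case at the end of the `testSchemaOperations` hunk cannot fail: `checkCanCreateSchema(context(bob), aliceSchema, Map.of())` sits in a `try` whose `catch (AccessDeniedException expected)` is empty and nothing follows the call, so the test passes whether bob is denied or allowed. `testCanSetUserOperations` in the hunk above shows the working pattern; add the same kind of line after the call, `throw new AssertionError("expected AccessDeniedException");`. The `checkCanCreateTable(context(bob), aliceTable, Map.of())` block in the `testTableOperations` hunks further down has the same gap. `testSchemaOperations` starts outside this hunk.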
@@ -133,7 +139,7 @@ public void testTableOperations()
 assertEquals(accessControlManager.filterTables(context(alice), aliceCatalog, aliceTables), aliceTables);
 assertEquals(accessControlManager.filterTables(context(bob), "alice-catalog", aliceTables), ImmutableSet.of());
- accessControlManager.checkCanCreateTable(context(alice), aliceTable,Map.of());
+ accessControlManager.checkCanCreateTable(context(alice), aliceTable, Map.of());
 accessControlManager.checkCanDropTable(context(alice), aliceTable);
 accessControlManager.checkCanSelectFromColumns(context(alice), aliceTable, ImmutableSet.of());
 accessControlManager.checkCanInsertIntoTable(context(alice), aliceTable);
@@ -142,7 +148,7 @@ public void testTableOperations()
 try {
- accessControlManager.checkCanCreateTable(context(bob), aliceTable,Map.of());
+ accessControlManager.checkCanCreateTable(context(bob), aliceTable, Map.of());
 } catch (AccessDeniedException expected) {
 }
 }
@@ -170,34 +176,28 @@ public void testViewOperations()
 @SuppressWarnings("PMD")
 public void testMisc()
 {
- assertEquals(accessControlManager.filterViewQueryOwnedBy(context(alice), queryOwners), queryOwners);
+ assertEquals(accessControlManager.filterViewQueryOwnedBy(context(alice).getIdentity(), queryOwners), queryOwners);
 // check {type} / {col} replacement
 final VarcharType varcharType = VarcharType.createVarcharType(20);
 Optional ret = accessControlManager.getColumnMask(context(alice), aliceTable, "cast_me", varcharType);
- List retArray = accessControlManager.getColumnMasks(context(alice), aliceTable, "cast_me", varcharType);
 assertNotNull(ret.get());
 assertEquals(ret.get().getExpression(), "cast cast_me as varchar(20)");
- assertEquals(1, retArray.size());
- assertEquals("cast cast_me as varchar(20)", retArray.get(0).getExpression());
 ret = accessControlManager.getColumnMask(context(alice), aliceTable,"do-not-cast-me", varcharType);
- retArray = accessControlManager.getColumnMasks(context(alice), aliceTable,"do-not-cast-me", varcharType);
 assertFalse(ret.isPresent());
- assertTrue(retArray.isEmpty());
 ret = accessControlManager.getRowFilter(context(alice), aliceTable);
- retArray = accessControlManager.getRowFilters(context(alice), aliceTable);
+ List retArray = accessControlManager.getRowFilters(context(alice), aliceTable);
 assertFalse(ret.isPresent());
 assertTrue(retArray.isEmpty());
- accessControlManager.checkCanExecuteFunction(context(alice), functionName);
- accessControlManager.checkCanGrantExecuteFunctionPrivilege(context(alice), functionName, new TrinoPrincipal(USER, "grantee"), true);
+ accessControlManager.canExecuteFunction(context(alice), bobFunction);
 accessControlManager.checkCanExecuteProcedure(context(alice), aliceProcedure);
 }
 private SystemSecurityContext context(Identity id) {
- return new SystemSecurityContext(id, Optional.empty());
+ return new SystemSecurityContext(id, queryId, queryStart);
 }
-}
\ No newline at end of file
+}
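Review bot: `accessControlManager.canExecuteFunction(context(alice), bobFunction);` discards its result, so `testMisc` no longer checks the function decision at all: the old `checkCanExecuteFunction` threw on denial, while the new method only returns `false`. Assert the expected outcome with `assertTrue(accessControlManager.canExecuteFunction(context(alice), bobFunction));` and add an `assertFalse` case for a user without the grant. `canAccessCatalog` became a boolean in the same commit and has no assertion in the hunks shown here. The row-filter check likewise covers only the empty result, so a filter that stops being applied after the SPI change would go unnoticed.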
diff --git a/pom.xml b/pom.xml
index 0c12c914ca..9d034f7110 100644
--- a/pom.xml
+++ b/pom.xml
@@ -181,7 +181,7 @@
 20211018.2
 2.3
 333
- 377
+ 433
 5.2.2
 UTF-8
 3.19.3
diff --git a/ranger-trino-plugin-shim/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java b/ranger-trino-plugin-shim/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java
index 10418dabb6..218a556323 100644
--- a/ranger-trino-plugin-shim/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java
+++ b/ranger-trino-plugin-shim/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java
@@ -17,6 +17,7 @@
 import io.trino.spi.connector.CatalogSchemaRoutineName;
 import io.trino.spi.connector.CatalogSchemaTableName;
 import io.trino.spi.connector.SchemaTableName;
+import io.trino.spi.security.Identity;
 import io.trino.spi.security.TrinoPrincipal;
 import io.trino.spi.security.Privilege;
 import io.trino.spi.security.SystemAccessControl;
@@ -27,6 +28,7 @@
 import javax.inject.Inject;
 import java.security.Principal;
+import java.util.Collection;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -72,20 +74,20 @@ public RangerSystemAccessControl(RangerConfig config) {
 }
 @Override
- public void checkCanSetSystemSessionProperty(SystemSecurityContext context, String propertyName) {
+ public void checkCanSetSystemSessionProperty(Identity identity, String propertyName) {
 try {
 activatePluginClassLoader();
- systemAccessControlImpl.checkCanSetSystemSessionProperty(context, propertyName);
+ systemAccessControlImpl.checkCanSetSystemSessionProperty(identity, propertyName);
 } finally {
 deactivatePluginClassLoader();
 }
 }
 @Override
- public void checkCanAccessCatalog(SystemSecurityContext context, String catalogName) {
+ public boolean canAccessCatalog(SystemSecurityContext context, String catalogName) {
 try {
 activatePluginClassLoader();
- systemAccessControlImpl.checkCanAccessCatalog(context, catalogName);
+ return systemAccessControlImpl.canAccessCatalog(context, catalogName);
 } finally {
 deactivatePluginClassLoader();
 }
@@ -104,10 +106,10 @@ public Set filterCatalogs(SystemSecurityContext context, Set cat
 }
 @Override
- public void checkCanCreateSchema(SystemSecurityContext context, CatalogSchemaName schema) {
+ public void checkCanCreateSchema(SystemSecurityContext context, CatalogSchemaName schema, Map properties) {
 try {
 activatePluginClassLoader();
- systemAccessControlImpl.checkCanCreateSchema(context, schema);
+ systemAccessControlImpl.checkCanCreateSchema(context, schema, properties);
 } finally {
 deactivatePluginClassLoader();
 }
@@ -343,41 +345,41 @@ public void checkCanSetCatalogSessionProperty(SystemSecurityContext context, Str
 }
 @Override
- public void checkCanImpersonateUser(SystemSecurityContext context, String userName) {
+ public void checkCanImpersonateUser(Identity identity, String userName) {
 try {
 activatePluginClassLoader();
- systemAccessControlImpl.checkCanImpersonateUser(context, userName);
+ systemAccessControlImpl.checkCanImpersonateUser(identity, userName);
 } finally {
 deactivatePluginClassLoader();
 }
 }
 @Override
- public void checkCanExecuteQuery(SystemSecurityContext context) {
+ public void checkCanExecuteQuery(Identity identity) {
 try {
 activatePluginClassLoader();
- systemAccessControlImpl.checkCanExecuteQuery(context);
+ systemAccessControlImpl.checkCanExecuteQuery(identity);
 } finally {
 deactivatePluginClassLoader();
 }
 }
 @Override
- public void checkCanViewQueryOwnedBy(SystemSecurityContext context, String queryOwner) {
+ public void checkCanViewQueryOwnedBy(Identity identity, Identity queryOwner) {
 try {
 activatePluginClassLoader();
- systemAccessControlImpl.checkCanViewQueryOwnedBy(context, queryOwner);
+ systemAccessControlImpl.checkCanViewQueryOwnedBy(identity, queryOwner);
 } finally {
 deactivatePluginClassLoader();
 }
 }
 @Override
- public Set filterViewQueryOwnedBy(SystemSecurityContext context, Set queryOwners) {
- Set filteredQueryOwners;
+ public Collection filterViewQueryOwnedBy(Identity identity, Collection queryOwners) {
+ Collection filteredQueryOwners;
 try {
 activatePluginClassLoader();
- filteredQueryOwners = systemAccessControlImpl.filterViewQueryOwnedBy(context, queryOwners);
+ filteredQueryOwners = systemAccessControlImpl.filterViewQueryOwnedBy(identity, queryOwners);
 } finally {
 deactivatePluginClassLoader();
 }
@@ -385,10 +387,10 @@ public Set filterViewQueryOwnedBy(SystemSecurityContext context, Set getRowFilter(SystemSecurityContext context, CatalogSchemaTableName tableName) { - Optional viewExpression; - try { - activatePluginClassLoader(); - viewExpression = systemAccessControlImpl.getRowFilter(context, tableName); - } finally { - deactivatePluginClassLoader(); - } - return viewExpression; - } - @Override public List getRowFilters(SystemSecurityContext context, CatalogSchemaTableName tableName) { List viewExpressionList; @@ -553,18 +543,6 @@ public Optional getColumnMask(SystemSecurityContext context, Cat return viewExpression; } - @Override - public List getColumnMasks(SystemSecurityContext context, CatalogSchemaTableName tableName, String columnName, Type type) { - List viewExpressionList; - try { - activatePluginClassLoader(); - viewExpressionList = systemAccessControlImpl.getColumnMasks(context, tableName, columnName, type); - } finally { - deactivatePluginClassLoader(); - } - return viewExpressionList; - } - @Override public void checkCanSetUser(Optional principal, String userName) { try { @@ -575,16 +553,6 @@ public void checkCanSetUser(Optional principal, String userName) { } } - @Override - public void checkCanGrantExecuteFunctionPrivilege(SystemSecurityContext context, String functionName, TrinoPrincipal grantee, boolean grantOption) { - try { - activatePluginClassLoader(); - systemAccessControlImpl.checkCanGrantExecuteFunctionPrivilege(context, functionName, grantee, grantOption); - } finally { - deactivatePluginClassLoader(); - } - } - @Override public void checkCanSetSchemaAuthorization(SystemSecurityContext context, CatalogSchemaName schema, TrinoPrincipal principal) { try { 
@@ -627,10 +595,10 @@ public void checkCanExecuteTableProcedure(SystemSecurityContext systemSecurityCo
 }
 @Override
- public void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext, String functionName) {
+ public boolean canExecuteFunction(SystemSecurityContext systemSecurityContext, CatalogSchemaRoutineName functionName) {
 try {
 activatePluginClassLoader();
- systemAccessControlImpl.checkCanExecuteFunction(systemSecurityContext, functionName);
+ return systemAccessControlImpl.canExecuteFunction(systemSecurityContext, functionName);
 } finally {
 deactivatePluginClassLoader();
 }