Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update trino-plugin to be compatible with the latest Trino SPI (version 433) #4

Merged
merged 3 commits into from
Jan 21, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@
import io.trino.spi.connector.CatalogSchemaTableName;
import io.trino.spi.connector.SchemaTableName;
import io.trino.spi.security.AccessDeniedException;
import io.trino.spi.security.Identity;
import io.trino.spi.security.TrinoPrincipal;
import io.trino.spi.security.Privilege;
import io.trino.spi.security.SystemAccessControl;
Expand All @@ -49,6 +50,7 @@
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Date;
import java.util.HashSet;
import java.util.List;
Expand Down Expand Up @@ -158,20 +160,19 @@ private boolean isRowFilterEnabled(RangerAccessResult result) {
return result != null && result.isRowFilterEnabled();
}

@Override
public Optional<ViewExpression> getRowFilter(SystemSecurityContext context, CatalogSchemaTableName tableName) {
RangerTrinoAccessRequest request = createAccessRequest(createResource(tableName), context, TrinoAccessType.SELECT);
RangerAccessResult result = getRowFilterResult(request);

ViewExpression viewExpression = null;
if (isRowFilterEnabled(result)) {
String filter = result.getFilterExpr();
viewExpression = new ViewExpression(
context.getIdentity().getUser(),
Optional.of(tableName.getCatalogName()),
Optional.of(tableName.getSchemaTableName().getSchemaName()),
filter
);
viewExpression = ViewExpression.builder()
.identity(context.getIdentity().getUser())
.catalog(tableName.getCatalogName())
.schema(tableName.getSchemaTableName().getSchemaName())
.expression(filter)
.build();
}
return Optional.ofNullable(viewExpression);
}
Expand Down Expand Up @@ -215,12 +216,13 @@ public Optional<ViewExpression> getColumnMask(SystemSecurityContext context, Cat
transformer = transformer.replace("{col}", columnName).replace("{type}", type.getDisplayName());
}

viewExpression = new ViewExpression(
context.getIdentity().getUser(),
Optional.of(tableName.getCatalogName()),
Optional.of(tableName.getSchemaTableName().getSchemaName()),
transformer
);
viewExpression = ViewExpression.builder()
.identity(context.getIdentity().getUser())
.catalog(tableName.getCatalogName())
.schema(tableName.getSchemaTableName().getSchemaName())
.expression(transformer)
.build();

if (LOG.isDebugEnabled()) {
LOG.debug("getColumnMask: user: %s, catalog: %s, schema: %s, transformer: %s");
}
Expand All @@ -230,11 +232,6 @@ public Optional<ViewExpression> getColumnMask(SystemSecurityContext context, Cat
return Optional.ofNullable(viewExpression);
}

@Override
public List<ViewExpression> getColumnMasks(SystemSecurityContext context, CatalogSchemaTableName tableName, String columnName, Type type) {
return getColumnMask(context, tableName, columnName, type).map(ImmutableList::of).orElseGet(ImmutableList::of);
}

@Override
public Set<String> filterCatalogs(SystemSecurityContext context, Set<String> catalogs) {
LOG.debug("==> RangerSystemAccessControl.filterCatalogs("+ catalogs + ")");
Expand Down Expand Up @@ -277,18 +274,18 @@ public Set<SchemaTableName> filterTables(SystemSecurityContext context, String c
/** SYSTEM **/

@Override
public void checkCanSetSystemSessionProperty(SystemSecurityContext context, String propertyName) {
if (!hasPermission(createSystemPropertyResource(propertyName), context, TrinoAccessType.ALTER)) {
public void checkCanSetSystemSessionProperty(Identity identity, String propertyName) {
if (!hasPermissionWithIdentity(createSystemPropertyResource(propertyName), identity, TrinoAccessType.ALTER)) {
LOG.debug("RangerSystemAccessControl.checkCanSetSystemSessionProperty denied");
AccessDeniedException.denySetSystemSessionProperty(propertyName);
}
}

@Override
public void checkCanImpersonateUser(SystemSecurityContext context, String userName) {
if (!hasPermission(createUserResource(userName), context, TrinoAccessType.IMPERSONATE)) {
public void checkCanImpersonateUser(Identity identity, String userName) {
if (!hasPermissionWithIdentity(createUserResource(userName), identity, TrinoAccessType.IMPERSONATE)) {
LOG.debug("RangerSystemAccessControl.checkCanImpersonateUser(" + userName + ") denied");
AccessDeniedException.denyImpersonateUser(context.getIdentity().getUser(), userName);
AccessDeniedException.denyImpersonateUser(identity.getUser(), userName);
}
}

Expand All @@ -301,7 +298,7 @@ public void checkCanSetUser(Optional<Principal> principal, String userName) {
@Override
public void checkCanSetCatalogSessionProperty(SystemSecurityContext context, String catalogName, String propertyName) {
if (!hasPermission(createCatalogSessionResource(catalogName, propertyName), context, TrinoAccessType.ALTER)) {
LOG.debug("RangerSystemAccessControl.checkCanSetSystemSessionProperty(" + catalogName + ") denied");
LOG.debug("RangerSystemAccessControl.checkCanSetCatalogSessionProperty(" + catalogName + ") denied");
AccessDeniedException.denySetCatalogSessionProperty(catalogName, propertyName);
}
}
Expand All @@ -322,11 +319,8 @@ public void checkCanShowRoleGrants(SystemSecurityContext context) {
}

@Override
public void checkCanAccessCatalog(SystemSecurityContext context, String catalogName) {
if (!hasPermission(createResource(catalogName), context, TrinoAccessType.USE)) {
LOG.debug("RangerSystemAccessControl.checkCanAccessCatalog(" + catalogName + ") denied");
AccessDeniedException.denyCatalogAccess(catalogName);
}
public boolean canAccessCatalog(SystemSecurityContext context, String catalogName) {
return hasPermission(createResource(catalogName), context, TrinoAccessType.USE);
}

@Override
Expand Down Expand Up @@ -360,7 +354,7 @@ public void checkCanShowCreateSchema(SystemSecurityContext context, CatalogSchem
* to create a schema when you have create rights on the catalog level
*/
@Override
public void checkCanCreateSchema(SystemSecurityContext context, CatalogSchemaName schema) {
public void checkCanCreateSchema(SystemSecurityContext context, CatalogSchemaName schema, Map<String, Object> properties) {
if (!hasPermission(createResource(schema.getCatalogName()), context, TrinoAccessType.CREATE)) {
LOG.debug("RangerSystemAccessControl.checkCanCreateSchema(" + schema.getSchemaName() + ") denied");
AccessDeniedException.denyCreateSchema(schema.getSchemaName());
Expand Down Expand Up @@ -645,58 +639,46 @@ public Set<String> filterColumns(SystemSecurityContext context, CatalogSchemaTab

/**
* This is a NOOP. Everyone can execute a query
* @param context
*/
@Override
public void checkCanExecuteQuery(SystemSecurityContext context) {
public void checkCanExecuteQuery(Identity identity) {
}

@Override
public void checkCanViewQueryOwnedBy(SystemSecurityContext context, String queryOwner) {
if (!hasPermission(createUserResource(queryOwner), context, TrinoAccessType.IMPERSONATE)) {
LOG.debug("RangerSystemAccessControl.checkCanViewQueryOwnedBy(" + queryOwner + ") denied");
AccessDeniedException.denyImpersonateUser(context.getIdentity().getUser(), queryOwner);
public void checkCanViewQueryOwnedBy(Identity identity, Identity queryOwner) {
if (!hasPermissionWithIdentity(createUserResource(queryOwner.getUser()), identity, TrinoAccessType.IMPERSONATE)) {
LOG.debug("RangerSystemAccessControl.checkCanViewQueryOwnedBy(" + queryOwner.getUser() + ") denied");
AccessDeniedException.denyImpersonateUser(identity.getUser(), queryOwner.getUser());
}
}

/**
* This is a NOOP, no filtering is applied
*/
@Override
public Set<String> filterViewQueryOwnedBy(SystemSecurityContext context, Set<String> queryOwners) {
public Collection<Identity> filterViewQueryOwnedBy(Identity identity, Collection<Identity> queryOwners) {
return queryOwners;
}

@Override
public void checkCanKillQueryOwnedBy(SystemSecurityContext context, String queryOwner) {
if (!hasPermission(createUserResource(queryOwner), context, TrinoAccessType.IMPERSONATE)) {
LOG.debug("RangerSystemAccessControl.checkCanKillQueryOwnedBy(" + queryOwner + ") denied");
AccessDeniedException.denyImpersonateUser(context.getIdentity().getUser(), queryOwner);
public void checkCanKillQueryOwnedBy(Identity identity, Identity queryOwner) {
if (!hasPermissionWithIdentity(createUserResource(queryOwner.getUser()), identity, TrinoAccessType.IMPERSONATE)) {
LOG.debug("RangerSystemAccessControl.checkCanKillQueryOwnedBy(" + queryOwner.getUser() + ") denied");
AccessDeniedException.denyImpersonateUser(identity.getUser(), queryOwner.getUser());
}
}

/** FUNCTIONS **/
@Override
public void checkCanGrantExecuteFunctionPrivilege(SystemSecurityContext context, String function, TrinoPrincipal grantee, boolean grantOption) {
if (!hasPermission(createFunctionResource(function), context, TrinoAccessType.GRANT)) {
LOG.debug("RangerSystemAccessControl.checkCanGrantExecuteFunctionPrivilege(" + function + ") denied");
AccessDeniedException.denyGrantExecuteFunctionPrivilege(function, context.getIdentity(), grantee.getName());
}
}

@Override
public void checkCanExecuteFunction(SystemSecurityContext context, String function) {
if (!hasPermission(createFunctionResource(function), context, TrinoAccessType.EXECUTE)) {
LOG.debug("RangerSystemAccessControl.checkCanExecuteFunction(" + function + ") denied");
AccessDeniedException.denyExecuteFunction(function);
}
public boolean canExecuteFunction(SystemSecurityContext systemSecurityContext, CatalogSchemaRoutineName functionName) {
return hasPermission(createFunctionResource(functionName.getRoutineName()), systemSecurityContext, TrinoAccessType.EXECUTE);
}

/** PROCEDURES **/
@Override
public void checkCanExecuteProcedure(SystemSecurityContext context, CatalogSchemaRoutineName procedure) {
if (!hasPermission(createProcedureResource(procedure), context, TrinoAccessType.EXECUTE)) {
LOG.debug("RangerSystemAccessControl.checkCanExecuteFunction(" + procedure.getSchemaRoutineName().getRoutineName() + ") denied");
LOG.debug("RangerSystemAccessControl.checkCanExecuteProcedure(" + procedure.getSchemaRoutineName().getRoutineName() + ") denied");
AccessDeniedException.denyExecuteProcedure(procedure.getSchemaRoutineName().getRoutineName());
}
}
Expand All @@ -705,31 +687,35 @@ public void checkCanExecuteProcedure(SystemSecurityContext context, CatalogSchem
public void checkCanExecuteTableProcedure(SystemSecurityContext context, CatalogSchemaTableName catalogSchemaTableName, String procedure)
{
if (!hasPermission(createResource(catalogSchemaTableName), context, TrinoAccessType.ALTER)) {
LOG.debug("RangerSystemAccessControl.checkCanExecuteFunction(" + procedure + ") denied");
LOG.debug("RangerSystemAccessControl.checkCanExecuteTableProcedure(" + procedure + ") denied");
AccessDeniedException.denyExecuteTableProcedure(catalogSchemaTableName.toString(),procedure);
}
}

/** HELPER FUNCTIONS **/

private RangerTrinoAccessRequest createAccessRequest(RangerTrinoResource resource, SystemSecurityContext context, TrinoAccessType accessType) {
return createAccessRequestWithIdentity(resource, context.getIdentity(), accessType);
}

private RangerTrinoAccessRequest createAccessRequestWithIdentity(RangerTrinoResource resource, Identity identity, TrinoAccessType accessType) {
Set<String> userGroups = null;

if (useUgi) {
UserGroupInformation ugi = UserGroupInformation.createRemoteUser(context.getIdentity().getUser());
UserGroupInformation ugi = UserGroupInformation.createRemoteUser(identity.getUser());

String[] groups = ugi != null ? ugi.getGroupNames() : null;

if (groups != null && groups.length > 0) {
userGroups = new HashSet<>(Arrays.asList(groups));
}
} else {
userGroups = context.getIdentity().getGroups();
userGroups = identity.getGroups();
}

RangerTrinoAccessRequest request = new RangerTrinoAccessRequest(
resource,
context.getIdentity().getUser(),
identity.getUser(),
userGroups,
accessType
);
Expand All @@ -750,6 +736,19 @@ private boolean hasPermission(RangerTrinoResource resource, SystemSecurityContex
return ret;
}

private boolean hasPermissionWithIdentity(RangerTrinoResource resource, Identity identity, TrinoAccessType accessType) {
boolean ret = false;

RangerTrinoAccessRequest request = createAccessRequestWithIdentity(resource, identity, accessType);

RangerAccessResult result = rangerPlugin.isAccessAllowed(request);
if (result != null && result.getIsAllowed()) {
ret = true;
}

return ret;
}

private static RangerTrinoResource createUserResource(String userName) {
RangerTrinoResource res = new RangerTrinoResource();
res.setValue(RangerTrinoResource.KEY_USER, userName);
Expand Down
Loading