Roles management #12383
Roles management #12383
Conversation
|
Why trinodb/trino#90 adds ~8000 lines while this PR only adds ~7800 lines ? :P |
There was a problem hiding this comment.
"Introduce CREATE ROLE and DROP ROLE statements"
Looks good.
There are some minor difference with trinodb/trino@d177e3b :
PUBLICis no longer added as reserved word.DateFormat.tokensis not shown in PrestoSQLTestSqlParserErrorHandling.javahas slightly different change.
There was a problem hiding this comment.
The following commits looks good by comparing with trinodb/trino#90
- "Move PrincipalType to presto-spi "
- "Expose Create/Drop/List roles methods in SPI"
- "Introduce .information_schema.roles table"
- "Assign admin role to subset of users in FileHiveMetastore"
There was a problem hiding this comment.
"Implement Create/Drop/List roles in Hive connector"
Looks good % minor difference with trinodb/trino@22de2d8:
- PrestoSQL's version also have some changes to
RecordingHiveMetastore.java - PrestoSQL's version also have some changes to 'TestRecordingHiveMetastore.java
andUnimplementedHiveMetastore.java`
There was a problem hiding this comment.
- "Introduce GRANT/REVOKE roles statements" - Looks good.
- "Add Grant/Revoke/List roles authorization to the SPI" - Looks good % PrestoSQL's version has some change to
ForwardingConnectorAccessControl.java: trinodb/trino@03101af
There was a problem hiding this comment.
-
"Introduce APPLICABLE_ROLES view" : Looks good
-
"Implement Grant/Revoke/ListApplicableRoles in Hive": Looks good % minor difference comparing with trinodb/trino@006216d:
- PrestoSQL's version has change to
RecordingHiveMetastore.java,TestRecordingHiveMetastore.javaandUnimplementedHiveMetastore.java - Changes to
TestRoles.javaare slightly different.
- PrestoSQL's version has change to
There was a problem hiding this comment.
- Refactor GRANT/REVOKE in Hive:
Looks good except familiar minor differences in trinodb/trino@35b85b4
RecordingHiveMetastore.java,TestRecordingHiveMetastore.java,UnimplementedHiveMetastore.java
There was a problem hiding this comment.
-
"Introduce access control for GRANT/REVOKE ROLE": Looks good. What the
RoleGrantin trinodb/trino@487fe85 ? -
"Prepare metastore interface to accept ROLE for GRANT/REVOKE" : Looks good except minor diff:
- I didn't see the removal to
HivePrincipal.javain trinodb/trino@f892c99 - the same
RecordingHiveMetastore.javachange ;)
- I didn't see the removal to
For some reason a test was duplicated in prestosql |
I picked that from the #11645, as literally cherry picking of 65 commits from the prestosql is too much of work. It is curious where the 150 additions were lost. We have 100 more removals. Maybe some difference because of rebasing / repackaging and slightly different base? |
There was a problem hiding this comment.
The first 6 commits (up to "Implement Create/Drop/List roles in Hive connector") looks good.
For "Implement Create/Drop/List roles in Hive connector": It looks like changes in TestRecordingHiveMetastore.java is missing (compared with trinodb/trino@22de2d8)
|
Looks like file |
presto-jdbc/src/main/java/com/facebook/presto/jdbc/PrestoConnection.java
Show resolved
Hide resolved
This change is missing in that commit in prestosql. Probably while rebasing the prestosql version they didn't compile every commit. |
In prestosql they removed SPI from the |
| @@ -327,11 +327,9 @@ public Session beginTransactionId(TransactionId transactionId, TransactionManage | |||
| for (Entry<String, SelectedRole> entry : identity.getRoles().entrySet()) { | |||
| String catalogName = entry.getKey(); | |||
| SelectedRole role = entry.getValue(); | |||
|
|
|||
There was a problem hiding this comment.
This commit seems doing nothing . But let's keep consistent with PrestoSQL ;)
There was a problem hiding this comment.
Found it: Store catalog selected roles in Identity. Let me drop it.
There was a problem hiding this comment.
I see. Sorry for forgetting to use "Add Review" mode...
| @@ -196,7 +196,7 @@ private synchronized void addCatalogConnector(String catalogName, ConnectorId co | |||
|
|
|||
| MaterializedConnector informationSchemaConnector = new MaterializedConnector( | |||
| createInformationSchemaConnectorId(connectorId), | |||
| new InformationSchemaConnector(catalogName, nodeManager, metadataManager, accessControlManager)); | |||
| new InformationSchemaConnector(catalogName, nodeManager, metadataManager, accessControlManager, transactionManager)); | |||
There was a problem hiding this comment.
This change and InformationSchemaConnector.java doesn't appear in trinodb/trino@7baabd1 :). Maybe again get dropped on PrestoSQL side.
|
|
||
| public InformationSchemaPageSourceProvider(Metadata metadata, AccessControl accessControl) | ||
| public InformationSchemaPageSourceProvider(Metadata metadata, AccessControl accessControl, TransactionManager transactionManager) |
There was a problem hiding this comment.
This change does't appear in trinodb/trino@7baabd1 . -- also doesn't seem useful?
| @@ -198,7 +198,7 @@ private static ConnectorId registerBogusConnector(CatalogManager catalogManager, | |||
| connectorId, | |||
| connector, | |||
| createInformationSchemaConnectorId(connectorId), | |||
| new InformationSchemaConnector(catalogName, nodeManager, metadata, accessControl), | |||
| new InformationSchemaConnector(catalogName, nodeManager, metadata, accessControl, transactionManager), | |||
There was a problem hiding this comment.
Looks like trinodb/trino@7baabd1 removed all the transactionManager related stuff.
There was a problem hiding this comment.
"Add access control checks for SHOW ROLES" : minor diff with trinodb/trino@e2a2ff0
Also looks like changes to ReadOnlyAccessControl.java doesn't show up in this PR.
| } | ||
|
|
||
| @Override | ||
| public Set<String> filterRoles(Identity identity, String catalogName, Set<String> roles) |
There was a problem hiding this comment.
This method was dropped in trinodb/trino@e2a2ff0
| /** | ||
| * Filter the list of roles to those visible to the identity in the given catalog. | ||
| */ | ||
| default Set<String> filterRoles(Identity identity, String catalogName, Set<String> roles) |
There was a problem hiding this comment.
dropped in trinodb/trino@e2a2ff0
There was a problem hiding this comment.
"Access control for SHOW ROLE GRANTS and SHOW CURRENT ROLES". Minor diff against trinodb/trino@4f4b268#diff-cc0689ca452d7c2209c27e411d80c45aR177
| @@ -187,15 +187,4 @@ public void checkCanGrantTablePrivilege(Identity identity, Privilege privilege, | |||
| public void checkCanRevokeTablePrivilege(Identity identity, Privilege privilege, CatalogSchemaTableName table, PrestoPrincipal revokee, boolean grantOptionFor) | |||
| { | |||
| } | |||
|
|
|||
There was a problem hiding this comment.
Doesn't see this change in trinodb/trino@4f4b268 . Maybe they already implement in different commit?
There was a problem hiding this comment.
Recovered in Add access control checks for SHOW ROLES
| @@ -110,15 +110,4 @@ public void checkCanShowSchemas(Identity identity, String catalogName) | |||
| public void checkCanShowTablesMetadata(Identity identity, CatalogSchemaName schema) | |||
| { | |||
| } | |||
|
|
|||
There was a problem hiding this comment.
Recovered in Add access control checks for SHOW ROLES
| @@ -205,4 +205,22 @@ public void checkCanSetRole(ConnectorTransactionHandle transactionHandle, Connec | |||
| { | |||
| delegate().checkCanSetRole(transactionHandle, identity, role, catalogName); | |||
| } | |||
|
|
|||
| @Override | |||
| public void checkCanShowRoles(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, String catalogName) | |||
There was a problem hiding this comment.
trinodb/trino@4f4b268#diff-cc0689ca452d7c2209c27e411d80c45aR177 also adds checkCanSetRole
There was a problem hiding this comment.
Actually that is mistake. This method has to be moved to the Add access control checks for SHOW ROLES
| @@ -302,22 +301,4 @@ default void checkCanRevokeTablePrivilege(Identity identity, Privilege privilege | |||
| { | |||
| denyRevokeTablePrivilege(privilege.toString(), table.toString()); | |||
| } | |||
|
|
|||
| /** | |||
There was a problem hiding this comment.
Restored in Add access control checks for SHOW ROLES
|
Finish "human diff" the following commits:
|
There was a problem hiding this comment.
"Add grantor_type and grantee_type columns to table_privileges"
minor diff to trinodb/trino@6735d23
| } | ||
| catch (Exception e) { | ||
| Logger.get(getClass()).warn(e, "failed to drop table/view"); | ||
| } | ||
| } | ||
|
|
||
| private void cleanupRoles() |
There was a problem hiding this comment.
trinodb/trino@6735d23 adds annotation @Test(groups = {AUTHORIZATION, PROFILE_SPECIFIC_TESTS})
There was a problem hiding this comment.
"More product tests for SET ROLE":
one line different with trinodb/trino@aec0671
| @@ -563,6 +564,119 @@ public void testShowRoleGrants() | |||
| row("role1")); | |||
| } | |||
|
|
|||
| @Test(groups = {ROLES, AUTHORIZATION, PROFILE_SPECIFIC_TESTS}) | |||
There was a problem hiding this comment.
trinodb/trino@aec0671 also renamed testAccessControl to testCreateDropRoleAccessControl . Although seems unrelated.
There was a problem hiding this comment.
Yeah. Let's keep the name.
|
Finish "human diff" the following commits against trinodb/trino#90
|
Admin user has all the available permissions for all the entities implicitly. So it may be considered as a database and table "owner" for all tables and databases. Also it has all the SELECT, INSERT, DELETE permissions implicitly.
hasGrantOptionForPrivilege cannot be used in security checks for createView because it doesn't consider the session role.
Verify that role set with `SET ROLE` is considering during the access check.
Previously when SqlStandardAccessControl was checking if given role is enabled, it listed all role grants and check if that role is is among all listed role grants. Now it list all role grants until it finds that role.
That way roles are enumerated lazily.
This way table privileges are enumerated lazily.
Currently Presto shows that the owner of a table has ALL privileges, even after some privileges are revoked. This commit fixes this issue by listing only privileges actually present in the metastore.
Presto currently lists only privilges of the tables owned by the current user, even after the admin role is set. This commit fixes this and lists all privileges for admins.
When tables of the same name exist across different schemas, Presto lists privileges of the table from all schemas instead of the single schema mentioned in the SHOW GRANTS query. This commit fixes the issue.
`equals()` did not compare some fields (like `roles`). Also, it compared `principal` even though `Identity#equals` does not do that. To avoid any ambiguity, `equals()` gets disabled, along with `hashCode`.
Cherry picked from