diff --git a/core/trino-main/src/main/java/io/trino/security/AccessControl.java b/core/trino-main/src/main/java/io/trino/security/AccessControl.java index 204ceb28f611..3902ca444c9b 100644 --- a/core/trino-main/src/main/java/io/trino/security/AccessControl.java +++ b/core/trino-main/src/main/java/io/trino/security/AccessControl.java @@ -18,6 +18,7 @@ import io.trino.spi.connector.CatalogSchemaName; import io.trino.spi.connector.CatalogSchemaTableName; import io.trino.spi.connector.SchemaTableName; +import io.trino.spi.function.FunctionKind; import io.trino.spi.security.AccessDeniedException; import io.trino.spi.security.Identity; import io.trino.spi.security.Privilege; @@ -530,7 +531,7 @@ void checkCanRevokeRoles(SecurityContext context, * * @throws AccessDeniedException if not allowed */ - void checkCanExecuteFunction(SecurityContext context, QualifiedObjectName functionName); + void checkCanExecuteFunction(SecurityContext context, FunctionKind functionKind, QualifiedObjectName functionName); /** * Check if identity is allowed to execute given table procedure on given table diff --git a/core/trino-main/src/main/java/io/trino/security/AccessControlManager.java b/core/trino-main/src/main/java/io/trino/security/AccessControlManager.java index 786b103a94af..0a3ef6ac96fe 100644 --- a/core/trino-main/src/main/java/io/trino/security/AccessControlManager.java +++ b/core/trino-main/src/main/java/io/trino/security/AccessControlManager.java @@ -35,6 +35,7 @@ import io.trino.spi.connector.ConnectorAccessControl; import io.trino.spi.connector.ConnectorSecurityContext; import io.trino.spi.connector.SchemaTableName; +import io.trino.spi.function.FunctionKind; import io.trino.spi.security.Identity; import io.trino.spi.security.PrincipalType; import io.trino.spi.security.Privilege; @@ -1135,19 +1136,23 @@ public void checkCanExecuteFunction(SecurityContext context, String functionName } @Override - public void checkCanExecuteFunction(SecurityContext securityContext, QualifiedObjectName functionName) + public void checkCanExecuteFunction(SecurityContext securityContext, FunctionKind functionKind, QualifiedObjectName functionName) { requireNonNull(securityContext, "securityContext is null"); + requireNonNull(functionKind, "functionKind is null"); requireNonNull(functionName, "functionName is null"); checkCanAccessCatalog(securityContext, functionName.getCatalogName()); - systemAuthorizationCheck(control -> control.checkCanExecuteFunction(securityContext.toSystemSecurityContext(), functionName.asCatalogSchemaRoutineName())); + systemAuthorizationCheck(control -> control.checkCanExecuteFunction( + securityContext.toSystemSecurityContext(), + functionKind, + functionName.asCatalogSchemaRoutineName())); catalogAuthorizationCheck( functionName.getCatalogName(), securityContext, - (control, context) -> control.checkCanExecuteFunction(context, functionName.asSchemaRoutineName())); + (control, context) -> control.checkCanExecuteFunction(context, functionKind, functionName.asSchemaRoutineName())); } @Override diff --git a/core/trino-main/src/main/java/io/trino/security/AllowAllAccessControl.java b/core/trino-main/src/main/java/io/trino/security/AllowAllAccessControl.java index 5b2c8ec9a33e..a9e86932d0b8 100644 --- a/core/trino-main/src/main/java/io/trino/security/AllowAllAccessControl.java +++ b/core/trino-main/src/main/java/io/trino/security/AllowAllAccessControl.java @@ -17,6 +17,7 @@ import io.trino.spi.connector.CatalogSchemaName; import io.trino.spi.connector.CatalogSchemaTableName; import io.trino.spi.connector.SchemaTableName; +import io.trino.spi.function.FunctionKind; import io.trino.spi.security.Identity; import io.trino.spi.security.Privilege; import io.trino.spi.security.TrinoPrincipal; @@ -366,7 +367,7 @@ public void checkCanExecuteFunction(SecurityContext context, String functionName } @Override - public void checkCanExecuteFunction(SecurityContext context, QualifiedObjectName functionName) + public void checkCanExecuteFunction(SecurityContext context, FunctionKind functionKind, QualifiedObjectName functionName) { } diff --git a/core/trino-main/src/main/java/io/trino/security/DenyAllAccessControl.java b/core/trino-main/src/main/java/io/trino/security/DenyAllAccessControl.java index a6482ec826e3..3e9d71cce596 100644 --- a/core/trino-main/src/main/java/io/trino/security/DenyAllAccessControl.java +++ b/core/trino-main/src/main/java/io/trino/security/DenyAllAccessControl.java @@ -19,6 +19,7 @@ import io.trino.spi.connector.CatalogSchemaName; import io.trino.spi.connector.CatalogSchemaTableName; import io.trino.spi.connector.SchemaTableName; +import io.trino.spi.function.FunctionKind; import io.trino.spi.security.Identity; import io.trino.spi.security.Privilege; import io.trino.spi.security.TrinoPrincipal; @@ -492,7 +493,7 @@ public void checkCanExecuteFunction(SecurityContext context, String functionName } @Override - public void checkCanExecuteFunction(SecurityContext context, QualifiedObjectName functionName) + public void checkCanExecuteFunction(SecurityContext context, FunctionKind functionKind, QualifiedObjectName functionName) { denyExecuteFunction(functionName.toString()); } diff --git a/core/trino-main/src/main/java/io/trino/security/ForwardingAccessControl.java b/core/trino-main/src/main/java/io/trino/security/ForwardingAccessControl.java index e6a2c277f546..6fea169c4b63 100644 --- a/core/trino-main/src/main/java/io/trino/security/ForwardingAccessControl.java +++ b/core/trino-main/src/main/java/io/trino/security/ForwardingAccessControl.java @@ -17,6 +17,7 @@ import io.trino.spi.connector.CatalogSchemaName; import io.trino.spi.connector.CatalogSchemaTableName; import io.trino.spi.connector.SchemaTableName; +import io.trino.spi.function.FunctionKind; import io.trino.spi.security.Identity; import io.trino.spi.security.Privilege; import io.trino.spi.security.TrinoPrincipal; @@ -449,9 +450,9 @@ public void checkCanExecuteFunction(SecurityContext context, String functionName } @Override - public void checkCanExecuteFunction(SecurityContext context, QualifiedObjectName functionName) + public void checkCanExecuteFunction(SecurityContext context, FunctionKind functionKind, QualifiedObjectName functionName) { - delegate().checkCanExecuteFunction(context, functionName); + delegate().checkCanExecuteFunction(context, functionKind, functionName); } @Override diff --git a/core/trino-main/src/main/java/io/trino/security/InjectedConnectorAccessControl.java b/core/trino-main/src/main/java/io/trino/security/InjectedConnectorAccessControl.java index 2732b9db26a2..ec885716b153 100644 --- a/core/trino-main/src/main/java/io/trino/security/InjectedConnectorAccessControl.java +++ b/core/trino-main/src/main/java/io/trino/security/InjectedConnectorAccessControl.java @@ -22,6 +22,7 @@ import io.trino.spi.connector.ConnectorSecurityContext; import io.trino.spi.connector.SchemaRoutineName; import io.trino.spi.connector.SchemaTableName; +import io.trino.spi.function.FunctionKind; import io.trino.spi.security.Privilege; import io.trino.spi.security.TrinoPrincipal; import io.trino.spi.security.ViewExpression; @@ -447,10 +448,10 @@ public void checkCanExecuteTableProcedure(ConnectorSecurityContext context, Sche } @Override - public void checkCanExecuteFunction(ConnectorSecurityContext context, SchemaRoutineName function) + public void checkCanExecuteFunction(ConnectorSecurityContext context, FunctionKind functionKind, SchemaRoutineName function) { checkArgument(context == null, "context must be null"); - accessControl.checkCanExecuteFunction(securityContext, new QualifiedObjectName(catalogName, function.getSchemaName(), function.getRoutineName())); + accessControl.checkCanExecuteFunction(securityContext, functionKind, new QualifiedObjectName(catalogName, function.getSchemaName(), function.getRoutineName())); } @Override diff --git a/core/trino-main/src/main/java/io/trino/sql/analyzer/StatementAnalyzer.java b/core/trino-main/src/main/java/io/trino/sql/analyzer/StatementAnalyzer.java index 4990e0afe708..d147b43db908 100644 --- a/core/trino-main/src/main/java/io/trino/sql/analyzer/StatementAnalyzer.java +++ b/core/trino-main/src/main/java/io/trino/sql/analyzer/StatementAnalyzer.java @@ -1481,7 +1481,7 @@ protected Scope visitTableFunctionInvocation(TableFunctionInvocation node, Optio CatalogName catalogName = tableFunctionMetadata.getCatalogName(); QualifiedObjectName functionName = new QualifiedObjectName(catalogName.getCatalogName(), function.getSchema(), function.getName()); - accessControl.checkCanExecuteFunction(SecurityContext.of(session), functionName); + accessControl.checkCanExecuteFunction(SecurityContext.of(session), FunctionKind.TABLE, functionName); Map passedArguments = analyzeArguments(node, function.getArguments(), node.getArguments()); diff --git a/core/trino-main/src/main/java/io/trino/testing/AllowAllAccessControlManager.java b/core/trino-main/src/main/java/io/trino/testing/AllowAllAccessControlManager.java index c0cd458f75dc..cc72964b556c 100644 --- a/core/trino-main/src/main/java/io/trino/testing/AllowAllAccessControlManager.java +++ b/core/trino-main/src/main/java/io/trino/testing/AllowAllAccessControlManager.java @@ -19,6 +19,7 @@ import io.trino.spi.connector.CatalogSchemaName; import io.trino.spi.connector.CatalogSchemaTableName; import io.trino.spi.connector.SchemaTableName; +import io.trino.spi.function.FunctionKind; import io.trino.spi.security.Identity; import io.trino.spi.security.Privilege; import io.trino.spi.security.TrinoPrincipal; @@ -243,7 +244,7 @@ public void checkCanExecuteProcedure(SecurityContext context, QualifiedObjectNam public void checkCanExecuteFunction(SecurityContext context, String functionName) {} @Override - public void checkCanExecuteFunction(SecurityContext context, QualifiedObjectName functionName) {} + public void checkCanExecuteFunction(SecurityContext context, FunctionKind functionKind, QualifiedObjectName functionName) {} @Override public void checkCanExecuteTableProcedure(SecurityContext context, QualifiedObjectName tableName, String procedureName) {} diff --git a/core/trino-spi/src/main/java/io/trino/spi/connector/ConnectorAccessControl.java b/core/trino-spi/src/main/java/io/trino/spi/connector/ConnectorAccessControl.java index 2d0ff5b36c31..d115bf640db1 100644 --- a/core/trino-spi/src/main/java/io/trino/spi/connector/ConnectorAccessControl.java +++ b/core/trino-spi/src/main/java/io/trino/spi/connector/ConnectorAccessControl.java @@ -13,6 +13,7 @@ */ package io.trino.spi.connector; +import io.trino.spi.function.FunctionKind; import io.trino.spi.security.Privilege; import io.trino.spi.security.TrinoPrincipal; import io.trino.spi.security.ViewExpression; @@ -598,11 +599,11 @@ default void checkCanExecuteTableProcedure(ConnectorSecurityContext context, Sch } /** - * Check if identity is allowed to execute function. + * Check if identity is allowed to execute function * * @throws io.trino.spi.security.AccessDeniedException if not allowed */ - default void checkCanExecuteFunction(ConnectorSecurityContext context, SchemaRoutineName function) + default void checkCanExecuteFunction(ConnectorSecurityContext context, FunctionKind functionKind, SchemaRoutineName function) { denyExecuteFunction(function.toString()); } diff --git a/core/trino-spi/src/main/java/io/trino/spi/security/SystemAccessControl.java b/core/trino-spi/src/main/java/io/trino/spi/security/SystemAccessControl.java index ac2c5e836c51..4717fce8b7f5 100644 --- a/core/trino-spi/src/main/java/io/trino/spi/security/SystemAccessControl.java +++ b/core/trino-spi/src/main/java/io/trino/spi/security/SystemAccessControl.java @@ -18,6 +18,7 @@ import io.trino.spi.connector.CatalogSchemaTableName; import io.trino.spi.connector.SchemaTableName; import io.trino.spi.eventlistener.EventListener; +import io.trino.spi.function.FunctionKind; import io.trino.spi.type.Type; import java.security.Principal; @@ -813,7 +814,7 @@ default void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext * * @throws AccessDeniedException if not allowed */ - default void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext, CatalogSchemaRoutineName functionName) + default void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext, FunctionKind functionKind, CatalogSchemaRoutineName functionName) { denyExecuteFunction(functionName.toString()); } diff --git a/core/trino-spi/src/test/java/io/trino/spi/TestSpiBackwardCompatibility.java b/core/trino-spi/src/test/java/io/trino/spi/TestSpiBackwardCompatibility.java index 1e1c25d95f7a..621564708489 100644 --- a/core/trino-spi/src/test/java/io/trino/spi/TestSpiBackwardCompatibility.java +++ b/core/trino-spi/src/test/java/io/trino/spi/TestSpiBackwardCompatibility.java @@ -64,7 +64,9 @@ public class TestSpiBackwardCompatibility "Method: public java.lang.String io.trino.spi.ptf.ConnectorTableFunction.getName()", "Method: public java.lang.String io.trino.spi.ptf.ConnectorTableFunction.getSchema()")) .put("383", ImmutableSet.of( - "Method: public abstract java.lang.String io.trino.spi.function.AggregationState.value()")) + "Method: public abstract java.lang.String io.trino.spi.function.AggregationState.value()", + "Method: public default void io.trino.spi.security.SystemAccessControl.checkCanExecuteFunction(io.trino.spi.security.SystemSecurityContext,io.trino.spi.connector.CatalogSchemaRoutineName)", + "Method: public default void io.trino.spi.connector.ConnectorAccessControl.checkCanExecuteFunction(io.trino.spi.connector.ConnectorSecurityContext,io.trino.spi.connector.SchemaRoutineName)")) .buildOrThrow(); @Test diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/classloader/ClassLoaderSafeConnectorAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/classloader/ClassLoaderSafeConnectorAccessControl.java index 4eff31b04ae4..618d013aa767 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/classloader/ClassLoaderSafeConnectorAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/classloader/ClassLoaderSafeConnectorAccessControl.java @@ -18,6 +18,7 @@ import io.trino.spi.connector.ConnectorSecurityContext; import io.trino.spi.connector.SchemaRoutineName; import io.trino.spi.connector.SchemaTableName; +import io.trino.spi.function.FunctionKind; import io.trino.spi.security.Privilege; import io.trino.spi.security.TrinoPrincipal; import io.trino.spi.security.ViewExpression; @@ -494,10 +495,10 @@ public void checkCanExecuteTableProcedure(ConnectorSecurityContext context, Sche } @Override - public void checkCanExecuteFunction(ConnectorSecurityContext context, SchemaRoutineName function) + public void checkCanExecuteFunction(ConnectorSecurityContext context, FunctionKind functionKind, SchemaRoutineName function) { try (ThreadContextClassLoader ignored = new ThreadContextClassLoader(classLoader)) { - delegate.checkCanExecuteFunction(context, function); + delegate.checkCanExecuteFunction(context, functionKind, function); } } diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllAccessControl.java index 859d48b496fd..b9e05c45b1c8 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllAccessControl.java @@ -18,6 +18,7 @@ import io.trino.spi.connector.ConnectorSecurityContext; import io.trino.spi.connector.SchemaRoutineName; import io.trino.spi.connector.SchemaTableName; +import io.trino.spi.function.FunctionKind; import io.trino.spi.security.Privilege; import io.trino.spi.security.TrinoPrincipal; import io.trino.spi.security.ViewExpression; @@ -318,7 +319,7 @@ public void checkCanExecuteTableProcedure(ConnectorSecurityContext context, Sche } @Override - public void checkCanExecuteFunction(ConnectorSecurityContext context, SchemaRoutineName function) + public void checkCanExecuteFunction(ConnectorSecurityContext context, FunctionKind functionKind, SchemaRoutineName function) { } diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllSystemAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllSystemAccessControl.java index d4dd5a144c6f..274491deb200 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllSystemAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllSystemAccessControl.java @@ -19,6 +19,7 @@ import io.trino.spi.connector.CatalogSchemaTableName; import io.trino.spi.connector.SchemaTableName; import io.trino.spi.eventlistener.EventListener; +import io.trino.spi.function.FunctionKind; import io.trino.spi.security.Identity; import io.trino.spi.security.Privilege; import io.trino.spi.security.SystemAccessControl; @@ -426,7 +427,7 @@ public void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext, } @Override - public void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext, CatalogSchemaRoutineName functionName) + public void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext, FunctionKind functionKind, CatalogSchemaRoutineName functionName) { } diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedAccessControl.java index 056537a323bf..0fbc4b525fb4 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedAccessControl.java @@ -21,6 +21,7 @@ import io.trino.spi.connector.ConnectorSecurityContext; import io.trino.spi.connector.SchemaRoutineName; import io.trino.spi.connector.SchemaTableName; +import io.trino.spi.function.FunctionKind; import io.trino.spi.security.ConnectorIdentity; import io.trino.spi.security.Privilege; import io.trino.spi.security.TrinoPrincipal; @@ -44,6 +45,7 @@ import static io.trino.plugin.base.security.TableAccessControlRule.TablePrivilege.SELECT; import static io.trino.plugin.base.security.TableAccessControlRule.TablePrivilege.UPDATE; import static io.trino.plugin.base.util.JsonUtils.parseJson; +import static io.trino.spi.function.FunctionKind.TABLE; import static io.trino.spi.security.AccessDeniedException.denyAddColumn; import static io.trino.spi.security.AccessDeniedException.denyCommentColumn; import static io.trino.spi.security.AccessDeniedException.denyCommentTable; @@ -62,6 +64,7 @@ import static io.trino.spi.security.AccessDeniedException.denyDropSchema; import static io.trino.spi.security.AccessDeniedException.denyDropTable; import static io.trino.spi.security.AccessDeniedException.denyDropView; +import static io.trino.spi.security.AccessDeniedException.denyExecuteFunction; import static io.trino.spi.security.AccessDeniedException.denyGrantRoles; import static io.trino.spi.security.AccessDeniedException.denyGrantSchemaPrivilege; import static io.trino.spi.security.AccessDeniedException.denyGrantTablePrivilege; @@ -592,8 +595,11 @@ public void checkCanExecuteTableProcedure(ConnectorSecurityContext context, Sche } @Override - public void checkCanExecuteFunction(ConnectorSecurityContext context, SchemaRoutineName function) + public void checkCanExecuteFunction(ConnectorSecurityContext context, FunctionKind functionKind, SchemaRoutineName function) { + if (functionKind == TABLE) { + denyExecuteFunction(function.toString()); + } } @Override diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedSystemAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedSystemAccessControl.java index db58f0080a33..81726582b9e6 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedSystemAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedSystemAccessControl.java @@ -27,6 +27,7 @@ import io.trino.spi.connector.CatalogSchemaTableName; import io.trino.spi.connector.SchemaTableName; import io.trino.spi.eventlistener.EventListener; +import io.trino.spi.function.FunctionKind; import io.trino.spi.security.Identity; import io.trino.spi.security.Privilege; import io.trino.spi.security.SystemAccessControl; @@ -60,6 +61,7 @@ import static io.trino.plugin.base.security.TableAccessControlRule.TablePrivilege.UPDATE; import static io.trino.plugin.base.util.JsonUtils.parseJson; import static io.trino.spi.StandardErrorCode.CONFIGURATION_INVALID; +import static io.trino.spi.function.FunctionKind.TABLE; import static io.trino.spi.security.AccessDeniedException.denyAddColumn; import static io.trino.spi.security.AccessDeniedException.denyCatalogAccess; import static io.trino.spi.security.AccessDeniedException.denyCommentColumn; @@ -79,6 +81,7 @@ import static io.trino.spi.security.AccessDeniedException.denyDropSchema; import static io.trino.spi.security.AccessDeniedException.denyDropTable; import static io.trino.spi.security.AccessDeniedException.denyDropView; +import static io.trino.spi.security.AccessDeniedException.denyExecuteFunction; import static io.trino.spi.security.AccessDeniedException.denyGrantRoles; import static io.trino.spi.security.AccessDeniedException.denyGrantSchemaPrivilege; import static io.trino.spi.security.AccessDeniedException.denyGrantTablePrivilege; @@ -939,8 +942,11 @@ public void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext, } @Override - public void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext, CatalogSchemaRoutineName functionName) + public void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext, FunctionKind functionKind, CatalogSchemaRoutineName functionName) { + if (functionKind == TABLE) { + denyExecuteFunction(functionName.toString()); + } } @Override diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingConnectorAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingConnectorAccessControl.java index 8bf3cf665241..a7c80840f2d2 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingConnectorAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingConnectorAccessControl.java @@ -17,6 +17,7 @@ import io.trino.spi.connector.ConnectorSecurityContext; import io.trino.spi.connector.SchemaRoutineName; import io.trino.spi.connector.SchemaTableName; +import io.trino.spi.function.FunctionKind; import io.trino.spi.security.Privilege; import io.trino.spi.security.TrinoPrincipal; import io.trino.spi.security.ViewExpression; @@ -387,9 +388,9 @@ public void checkCanExecuteTableProcedure(ConnectorSecurityContext context, Sche } @Override - public void checkCanExecuteFunction(ConnectorSecurityContext context, SchemaRoutineName function) + public void checkCanExecuteFunction(ConnectorSecurityContext context, FunctionKind functionKind, SchemaRoutineName function) { - delegate().checkCanExecuteFunction(context, function); + delegate().checkCanExecuteFunction(context, functionKind, function); } @Override diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingSystemAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingSystemAccessControl.java index 00f0cefbbba9..c117804eac6e 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingSystemAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingSystemAccessControl.java @@ -18,6 +18,7 @@ import io.trino.spi.connector.CatalogSchemaTableName; import io.trino.spi.connector.SchemaTableName; import io.trino.spi.eventlistener.EventListener; +import io.trino.spi.function.FunctionKind; import io.trino.spi.security.Identity; import io.trino.spi.security.Privilege; import io.trino.spi.security.SystemAccessControl; @@ -469,9 +470,9 @@ public void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext, } @Override - public void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext, CatalogSchemaRoutineName functionName) + public void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext, FunctionKind functionKind, CatalogSchemaRoutineName functionName) { - delegate().checkCanExecuteFunction(systemSecurityContext, functionName); + delegate().checkCanExecuteFunction(systemSecurityContext, functionKind, functionName); } @Override diff --git a/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/LegacyAccessControl.java b/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/LegacyAccessControl.java index 3ef90ed7ed0b..8d1a0b5886d1 100644 --- a/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/LegacyAccessControl.java +++ b/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/LegacyAccessControl.java @@ -19,6 +19,7 @@ import io.trino.spi.connector.ConnectorSecurityContext; import io.trino.spi.connector.SchemaRoutineName; import io.trino.spi.connector.SchemaTableName; +import io.trino.spi.function.FunctionKind; import io.trino.spi.security.Privilege; import io.trino.spi.security.TrinoPrincipal; import io.trino.spi.security.ViewExpression; @@ -31,11 +32,13 @@ import java.util.Optional; import java.util.Set; +import static io.trino.spi.function.FunctionKind.TABLE; import static io.trino.spi.security.AccessDeniedException.denyAddColumn; import static io.trino.spi.security.AccessDeniedException.denyCommentColumn; import static io.trino.spi.security.AccessDeniedException.denyCommentTable; import static io.trino.spi.security.AccessDeniedException.denyDropColumn; import static io.trino.spi.security.AccessDeniedException.denyDropTable; +import static io.trino.spi.security.AccessDeniedException.denyExecuteFunction; import static io.trino.spi.security.AccessDeniedException.denyRenameColumn; import static io.trino.spi.security.AccessDeniedException.denyRenameTable; import static java.lang.String.format; @@ -389,8 +392,11 @@ public void checkCanExecuteTableProcedure(ConnectorSecurityContext context, Sche } @Override - public void checkCanExecuteFunction(ConnectorSecurityContext context, SchemaRoutineName function) + public void checkCanExecuteFunction(ConnectorSecurityContext context, FunctionKind functionKind, SchemaRoutineName function) { + if (functionKind == TABLE) { + denyExecuteFunction(function.toString()); + } } @Override diff --git a/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/SqlStandardAccessControl.java b/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/SqlStandardAccessControl.java index e6c0b9bd65fe..8a712b734e7a 100644 --- a/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/SqlStandardAccessControl.java +++ b/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/SqlStandardAccessControl.java @@ -24,6 +24,7 @@ import io.trino.spi.connector.ConnectorSecurityContext; import io.trino.spi.connector.SchemaRoutineName; import io.trino.spi.connector.SchemaTableName; +import io.trino.spi.function.FunctionKind; import io.trino.spi.security.AccessDeniedException; import io.trino.spi.security.ConnectorIdentity; import io.trino.spi.security.Privilege; @@ -54,6 +55,7 @@ import static io.trino.plugin.hive.metastore.thrift.ThriftMetastoreUtil.listApplicableRoles; import static io.trino.plugin.hive.metastore.thrift.ThriftMetastoreUtil.listEnabledPrincipals; import static io.trino.spi.StandardErrorCode.NOT_SUPPORTED; +import static io.trino.spi.function.FunctionKind.TABLE; import static io.trino.spi.security.AccessDeniedException.denyAddColumn; import static io.trino.spi.security.AccessDeniedException.denyCommentColumn; import static io.trino.spi.security.AccessDeniedException.denyCommentTable; @@ -70,6 +72,7 @@ import static io.trino.spi.security.AccessDeniedException.denyDropSchema; import static io.trino.spi.security.AccessDeniedException.denyDropTable; import static io.trino.spi.security.AccessDeniedException.denyDropView; +import static io.trino.spi.security.AccessDeniedException.denyExecuteFunction; import static io.trino.spi.security.AccessDeniedException.denyExecuteTableProcedure; import static io.trino.spi.security.AccessDeniedException.denyGrantRoles; import static io.trino.spi.security.AccessDeniedException.denyGrantTablePrivilege; @@ -570,8 +573,11 @@ public void checkCanExecuteTableProcedure(ConnectorSecurityContext context, Sche } @Override - public void checkCanExecuteFunction(ConnectorSecurityContext context, SchemaRoutineName function) + public void checkCanExecuteFunction(ConnectorSecurityContext context, FunctionKind functionKind, SchemaRoutineName function) { + if (functionKind == TABLE && !isAdmin(context)) { + denyExecuteFunction(function.toString()); + } } @Override