Catalog access control for roles

Extracted-From: prestodb/presto#10904
trinodb · Jan 29, 2019 · 21ceed6 · 21ceed6
1 parent f5fe03d
commit 21ceed6
Showing 1 changed file with 17 additions and 0 deletions.
diff --git a/presto-main/src/main/java/io/prestosql/security/AccessControlManager.java b/presto-main/src/main/java/io/prestosql/security/AccessControlManager.java
@@ -550,6 +550,8 @@ public void checkCanCreateRole(TransactionId transactionId, Identity identity, S
         requireNonNull(grantor, "grantor is null");
         requireNonNull(catalogName, "catalogName is null");
 
+        authenticationCheck(() -> checkCanAccessCatalog(identity, catalogName));
+
         CatalogAccessControlEntry entry = getConnectorAccessControl(transactionId, catalogName);
         if (entry != null) {
             authorizationCheck(() -> entry.getAccessControl().checkCanCreateRole(entry.getTransactionHandle(transactionId), identity.toConnectorIdentity(catalogName), role, grantor));
@@ -563,6 +565,8 @@ public void checkCanDropRole(TransactionId transactionId, Identity identity, Str
         requireNonNull(role, "role is null");
         requireNonNull(catalogName, "catalogName is null");
 
+        authenticationCheck(() -> checkCanAccessCatalog(identity, catalogName));
+
         CatalogAccessControlEntry entry = getConnectorAccessControl(transactionId, catalogName);
         if (entry != null) {
             authorizationCheck(() -> entry.getAccessControl().checkCanDropRole(entry.getTransactionHandle(transactionId), identity.toConnectorIdentity(catalogName), role));
@@ -578,6 +582,8 @@ public void checkCanGrantRoles(TransactionId transactionId, Identity identity, S
         requireNonNull(grantor, "grantor is null");
         requireNonNull(catalogName, "catalogName is null");
 
+        authenticationCheck(() -> checkCanAccessCatalog(identity, catalogName));
+
         CatalogAccessControlEntry entry = getConnectorAccessControl(transactionId, catalogName);
         if (entry != null) {
             authorizationCheck(() -> entry.getAccessControl().checkCanGrantRoles(entry.getTransactionHandle(transactionId), identity.toConnectorIdentity(catalogName), roles, grantees, withAdminOption, grantor, catalogName));
@@ -593,6 +599,8 @@ public void checkCanRevokeRoles(TransactionId transactionId, Identity identity,
         requireNonNull(grantor, "grantor is null");
         requireNonNull(catalogName, "catalogName is null");
 
+        authenticationCheck(() -> checkCanAccessCatalog(identity, catalogName));
+
         CatalogAccessControlEntry entry = getConnectorAccessControl(transactionId, catalogName);
         if (entry != null) {
             authorizationCheck(() -> entry.getAccessControl().checkCanRevokeRoles(entry.getTransactionHandle(transactionId), identity.toConnectorIdentity(catalogName), roles, grantees, adminOptionFor, grantor, catalogName));
@@ -605,6 +613,9 @@ public void checkCanSetRole(TransactionId transactionId, Identity identity, Stri
         requireNonNull(identity, "identity is null");
         requireNonNull(role, "role is null");
         requireNonNull(catalogName, "catalog is null");
+
+        authenticationCheck(() -> checkCanAccessCatalog(identity, catalogName));
+
         CatalogAccessControlEntry entry = getConnectorAccessControl(transactionId, catalogName);
         if (entry != null) {
             authorizationCheck(() -> entry.getAccessControl().checkCanSetRole(entry.getTransactionHandle(transactionId), identity.toConnectorIdentity(catalogName), role, catalogName));
@@ -617,6 +628,8 @@ public void checkCanShowRoles(TransactionId transactionId, Identity identity, St
         requireNonNull(identity, "identity is null");
         requireNonNull(catalogName, "catalogName is null");
 
+        authenticationCheck(() -> checkCanAccessCatalog(identity, catalogName));
+
         CatalogAccessControlEntry entry = getConnectorAccessControl(transactionId, catalogName);
         if (entry != null) {
             authenticationCheck(() -> entry.getAccessControl().checkCanShowRoles(entry.getTransactionHandle(transactionId), identity.toConnectorIdentity(catalogName), catalogName));
@@ -629,6 +642,8 @@ public void checkCanShowCurrentRoles(TransactionId transactionId, Identity ident
         requireNonNull(identity, "identity is null");
         requireNonNull(catalogName, "catalogName is null");
 
+        authenticationCheck(() -> checkCanAccessCatalog(identity, catalogName));
+
         CatalogAccessControlEntry entry = getConnectorAccessControl(transactionId, catalogName);
         if (entry != null) {
             authenticationCheck(() -> entry.getAccessControl().checkCanShowCurrentRoles(entry.getTransactionHandle(transactionId), identity.toConnectorIdentity(catalogName), catalogName));
@@ -641,6 +656,8 @@ public void checkCanShowRoleGrants(TransactionId transactionId, Identity identit
         requireNonNull(identity, "identity is null");
         requireNonNull(catalogName, "catalogName is null");
 
+        authenticationCheck(() -> checkCanAccessCatalog(identity, catalogName));
+
         CatalogAccessControlEntry entry = getConnectorAccessControl(transactionId, catalogName);
         if (entry != null) {
             authenticationCheck(() -> entry.getAccessControl().checkCanShowRoleGrants(entry.getTransactionHandle(transactionId), identity.toConnectorIdentity(catalogName), catalogName));