Remove access control checkCanShowTablesMetadata
kokosing committed Feb 24, 2020
1 parent 2fbe07f commit 2b85e5e
Showing 21 changed files with 0 additions and 158 deletions.
Expand Up @@ -137,11 +137,6 @@ public void checkCanSetTableComment(ConnectorSecurityContext context, SchemaTabl
}
}

@Override
public void checkCanShowTablesMetadata(ConnectorSecurityContext context, String schemaName)
{
}

@Override
public Set<SchemaTableName> filterTables(ConnectorSecurityContext context, Set<SchemaTableName> tableNames)
{
Expand Up @@ -179,11 +179,6 @@ public void checkCanSetTableComment(ConnectorSecurityContext context, SchemaTabl
}
}

@Override
public void checkCanShowTablesMetadata(ConnectorSecurityContext context, String schemaName)
{
}

@Override
public Set<SchemaTableName> filterTables(ConnectorSecurityContext context, Set<SchemaTableName> tableNames)
{
11 changes: 0 additions & 11 deletions presto-main/src/main/java/io/prestosql/security/AccessControl.java
Expand Up @@ -151,17 +151,6 @@ public interface AccessControl
*/
void checkCanSetTableComment(SecurityContext context, QualifiedObjectName tableName);

/**
* Check if identity is allowed to show metadata of tables by executing SHOW TABLES, SHOW GRANTS etc. in a catalog.
* <p>
* NOTE: This method is only present to give users an error message when listing is not allowed.
* The {@link #filterTables} method must filter all results for unauthorized users,
* since there are multiple ways to list tables.
*
* @throws io.prestosql.spi.security.AccessDeniedException if not allowed
*/
void checkCanShowTablesMetadata(SecurityContext context, CatalogSchemaName schema);

/**
* Filter the list of tables and views to those visible to the identity.
*/
Expand Up @@ -384,19 +384,6 @@ public void checkCanSetTableComment(SecurityContext securityContext, QualifiedOb
catalogAuthorizationCheck(tableName.getCatalogName(), securityContext, (control, context) -> control.checkCanSetTableComment(context, tableName.asSchemaTableName()));
}

@Override
public void checkCanShowTablesMetadata(SecurityContext securityContext, CatalogSchemaName schema)
{
requireNonNull(securityContext, "securityContext is null");
requireNonNull(schema, "schema is null");

checkCanAccessCatalog(securityContext, schema.getCatalogName());

systemAuthorizationCheck(control -> control.checkCanShowTablesMetadata(securityContext.toSystemSecurityContext(), schema));

catalogAuthorizationCheck(schema.getCatalogName(), securityContext, (control, context) -> control.checkCanShowTablesMetadata(context, schema.getSchemaName()));
}

@Override
public Set<SchemaTableName> filterTables(SecurityContext securityContext, String catalogName, Set<SchemaTableName> tableNames)
{
Expand Up @@ -118,11 +118,6 @@ public void checkCanSetTableComment(SecurityContext context, QualifiedObjectName
{
}

@Override
public void checkCanShowTablesMetadata(SecurityContext context, CatalogSchemaName schema)
{
}

@Override
public Set<SchemaTableName> filterTables(SecurityContext context, String catalogName, Set<SchemaTableName> tableNames)
{
Expand Up @@ -65,7 +65,6 @@
import static io.prestosql.spi.security.AccessDeniedException.denyShowRoleGrants;
import static io.prestosql.spi.security.AccessDeniedException.denyShowRoles;
import static io.prestosql.spi.security.AccessDeniedException.denyShowSchemas;
import static io.prestosql.spi.security.AccessDeniedException.denyShowTablesMetadata;
import static io.prestosql.spi.security.AccessDeniedException.denyViewQuery;

public class DenyAllAccessControl
Expand Down Expand Up @@ -161,12 +160,6 @@ public void checkCanSetTableComment(SecurityContext context, QualifiedObjectName
denyCommentTable(tableName.toString());
}

@Override
public void checkCanShowTablesMetadata(SecurityContext context, CatalogSchemaName schema)
{
denyShowTablesMetadata(schema.toString());
}

@Override
public Set<SchemaTableName> filterTables(SecurityContext context, String catalogName, Set<SchemaTableName> tableNames)
{
Expand Up @@ -151,12 +151,6 @@ public void checkCanSetTableComment(SecurityContext context, QualifiedObjectName
delegate().checkCanSetTableComment(context, tableName);
}

@Override
public void checkCanShowTablesMetadata(SecurityContext context, CatalogSchemaName schema)
{
delegate().checkCanShowTablesMetadata(context, schema);
}

@Override
public Set<SchemaTableName> filterTables(SecurityContext context, String catalogName, Set<SchemaTableName> tableNames)
{
Expand Up @@ -81,7 +81,6 @@
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.SortedMap;

import static com.google.common.base.Strings.nullToEmpty;
Expand All @@ -93,7 +92,6 @@
import static io.prestosql.connector.informationschema.InformationSchemaTable.TABLES;
import static io.prestosql.connector.informationschema.InformationSchemaTable.TABLE_PRIVILEGES;
import static io.prestosql.metadata.MetadataListing.listCatalogs;
import static io.prestosql.metadata.MetadataListing.listSchemas;
import static io.prestosql.metadata.MetadataUtil.createCatalogSchemaName;
import static io.prestosql.metadata.MetadataUtil.createQualifiedObjectName;
import static io.prestosql.spi.StandardErrorCode.CATALOG_NOT_FOUND;
Expand Down Expand Up @@ -185,8 +183,6 @@ protected Node visitShowTables(ShowTables showTables, Void context)
{
CatalogSchemaName schema = createCatalogSchemaName(session, showTables, showTables.getSchema());

accessControl.checkCanShowTablesMetadata(session.toSecurityContext(), schema);

if (!metadata.catalogExists(session, schema.getCatalogName())) {
throw semanticException(CATALOG_NOT_FOUND, showTables, "Catalog '%s' does not exist", schema.getCatalogName());
}
Expand Down Expand Up @@ -230,10 +226,6 @@ protected Node visitShowGrants(ShowGrants showGrants, Void context)

catalogName = qualifiedTableName.getCatalogName();

accessControl.checkCanShowTablesMetadata(
session.toSecurityContext(),
new CatalogSchemaName(catalogName, qualifiedTableName.getSchemaName()));

predicate = Optional.of(combineConjuncts(
metadata,
equal(identifier("table_schema"), new StringLiteral(qualifiedTableName.getSchemaName())),
Expand All @@ -243,11 +235,6 @@ protected Node visitShowGrants(ShowGrants showGrants, Void context)
if (catalogName == null) {
throw semanticException(MISSING_CATALOG_NAME, showGrants, "Catalog must be specified when session catalog is not set");
}

Set<String> allowedSchemas = listSchemas(session, metadata, accessControl, catalogName);
for (String schema : allowedSchemas) {
accessControl.checkCanShowTablesMetadata(session.toSecurityContext(), new CatalogSchemaName(catalogName, schema));
}
}

return simpleQuery(
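Review bot: With the explicit check gone, visitShowTables reaches `metadata.catalogExists(...)` and its "Catalog '%s' does not exist" error with no access check before it in the visible lines, whereas the implementation removed earlier in this commit ran `checkCanAccessCatalog(securityContext, schema.getCatalogName())` first. Both visitShowTables and visitShowGrants continue outside these hunks, so catalog access may still be enforced later; if it is not, a user without access to a catalog could tell existing catalogs from missing ones by the error text, which is worth confirming and pinning with a test. Table visibility for SHOW TABLES and SHOW GRANTS now appears to rest entirely on filterTables, as the removed Javadoc already required, and I would record that where the call used to be, e.g. `// No up-front access check: results are restricted by AccessControl.filterTables`. The commit also drops the only visible test call for this path, so a test that runs both statements under a deny-all access control and expects no table names in the output would guard against the filter being bypassed later.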
Expand Up @@ -27,7 +27,6 @@
import io.prestosql.plugin.base.security.ReadOnlySystemAccessControl;
import io.prestosql.plugin.tpch.TpchConnectorFactory;
import io.prestosql.spi.PrestoException;
import io.prestosql.spi.connector.CatalogSchemaName;
import io.prestosql.spi.connector.CatalogSchemaTableName;
import io.prestosql.spi.connector.Connector;
import io.prestosql.spi.connector.ConnectorAccessControl;
Expand Down Expand Up @@ -99,7 +98,6 @@ public void testReadOnlySystemAccessControl()
SecurityContext context = new SecurityContext(transactionId, identity);
accessControlManager.checkCanSetCatalogSessionProperty(context, "catalog", "property");
accessControlManager.checkCanShowSchemas(context, "catalog");
accessControlManager.checkCanShowTablesMetadata(context, new CatalogSchemaName("catalog", "schema"));
accessControlManager.checkCanSelectFromColumns(context, tableName, ImmutableSet.of("column"));
accessControlManager.checkCanCreateViewWithSelectFromColumns(context, tableName, ImmutableSet.of("column"));
Set<String> catalogs = ImmutableSet.of("catalog");
Expand Up @@ -122,14 +122,6 @@ public void checkCanSetTableComment(ConnectorSecurityContext context, SchemaTabl
}
}

@Override
public void checkCanShowTablesMetadata(ConnectorSecurityContext context, String schemaName)
{
try (ThreadContextClassLoader ignored = new ThreadContextClassLoader(classLoader)) {
delegate.checkCanShowTablesMetadata(context, schemaName);
}
}

@Override
public Set<SchemaTableName> filterTables(ConnectorSecurityContext context, Set<SchemaTableName> tableNames)
{
Expand Up @@ -78,11 +78,6 @@ public void checkCanSetTableComment(ConnectorSecurityContext context, SchemaTabl
{
}

@Override
public void checkCanShowTablesMetadata(ConnectorSecurityContext context, String schemaName)
{
}

@Override
public Set<SchemaTableName> filterTables(ConnectorSecurityContext context, Set<SchemaTableName> tableNames)
{
Expand Up @@ -155,11 +155,6 @@ public void checkCanSetTableComment(SystemSecurityContext context, CatalogSchema
{
}

@Override
public void checkCanShowTablesMetadata(SystemSecurityContext context, CatalogSchemaName schema)
{
}

@Override
public Set<SchemaTableName> filterTables(SystemSecurityContext context, String catalogName, Set<SchemaTableName> tableNames)
{
Expand Up @@ -135,11 +135,6 @@ public void checkCanDropTable(ConnectorSecurityContext context, SchemaTableName
}
}

@Override
public void checkCanShowTablesMetadata(ConnectorSecurityContext context, String schemaName)
{
}

@Override
public Set<SchemaTableName> filterTables(ConnectorSecurityContext context, Set<SchemaTableName> tableNames)
{
Expand Up @@ -393,11 +393,6 @@ public void checkCanSetTableComment(SystemSecurityContext context, CatalogSchema
}
}

@Override
public void checkCanShowTablesMetadata(SystemSecurityContext context, CatalogSchemaName schema)
{
}

@Override
public Set<SchemaTableName> filterTables(SystemSecurityContext context, String catalogName, Set<SchemaTableName> tableNames)
{
Expand Up @@ -105,12 +105,6 @@ public void checkCanSetTableComment(ConnectorSecurityContext context, SchemaTabl
delegate().checkCanSetTableComment(context, tableName);
}

@Override
public void checkCanShowTablesMetadata(ConnectorSecurityContext context, String schemaName)
{
delegate().checkCanShowTablesMetadata(context, schemaName);
}

@Override
public Set<SchemaTableName> filterTables(ConnectorSecurityContext context, Set<SchemaTableName> tableNames)
{
Expand Up @@ -162,12 +162,6 @@ public void checkCanSetTableComment(SystemSecurityContext context, CatalogSchema
delegate().checkCanSetTableComment(context, table);
}

@Override
public void checkCanShowTablesMetadata(SystemSecurityContext context, CatalogSchemaName schema)
{
delegate().checkCanShowTablesMetadata(context, schema);
}

@Override
public Set<SchemaTableName> filterTables(SystemSecurityContext context, String catalogName, Set<SchemaTableName> tableNames)
{
Expand Up @@ -93,11 +93,6 @@ public void checkCanSetTableComment(ConnectorSecurityContext context, SchemaTabl
denyCommentTable(tableName.toString());
}

@Override
public void checkCanShowTablesMetadata(ConnectorSecurityContext context, String schemaName)
{
}

@Override
public Set<SchemaTableName> filterTables(ConnectorSecurityContext context, Set<SchemaTableName> tableNames)
{
Expand Up @@ -13,7 +13,6 @@
*/
package io.prestosql.plugin.base.security;

import io.prestosql.spi.connector.CatalogSchemaName;
import io.prestosql.spi.connector.CatalogSchemaTableName;
import io.prestosql.spi.connector.ColumnMetadata;
import io.prestosql.spi.connector.SchemaTableName;
Expand Down Expand Up @@ -140,11 +139,6 @@ public void checkCanShowSchemas(SystemSecurityContext context, String catalogNam
{
}

@Override
public void checkCanShowTablesMetadata(SystemSecurityContext context, CatalogSchemaName schema)
{
}

@Override
public void checkCanShowRoles(SystemSecurityContext context, String catalogName)
{
Expand Up @@ -51,7 +51,6 @@
import static io.prestosql.spi.security.AccessDeniedException.denyShowRoleGrants;
import static io.prestosql.spi.security.AccessDeniedException.denyShowRoles;
import static io.prestosql.spi.security.AccessDeniedException.denyShowSchemas;
import static io.prestosql.spi.security.AccessDeniedException.denyShowTablesMetadata;
import static java.util.Collections.emptySet;

public interface ConnectorAccessControl
Expand Down Expand Up @@ -155,20 +154,6 @@ default void checkCanSetTableComment(ConnectorSecurityContext context, SchemaTab
denyCommentTable(tableName.toString());
}

/**
* Check if identity is allowed to show metadata of tables by executing SHOW TABLES, SHOW GRANTS etc. in a catalog.
* <p>
* NOTE: This method is only present to give users an error message when listing is not allowed.
* The {@link #filterTables} method must filter all results for unauthorized users,
* since there are multiple ways to list tables.
*
* @throws io.prestosql.spi.security.AccessDeniedException if not allowed
*/
default void checkCanShowTablesMetadata(ConnectorSecurityContext context, String schemaName)
{
denyShowTablesMetadata(schemaName);
}

/**
* Filter the list of tables and views to those visible to the identity.
*/
Expand Up @@ -181,16 +181,6 @@ public static void denyCommentTable(String tableName, String extraInfo)
throw new AccessDeniedException(format("Cannot comment table to %s%s", tableName, formatExtraInfo(extraInfo)));
}

public static void denyShowTablesMetadata(String schemaName)
{
denyShowTablesMetadata(schemaName, null);
}

public static void denyShowTablesMetadata(String schemaName, String extraInfo)
{
throw new AccessDeniedException(format("Cannot show metadata of tables in %s%s", schemaName, formatExtraInfo(extraInfo)));
}

public static void denyShowColumnsMetadata(String tableName)
{
throw new AccessDeniedException(format("Cannot show columns of table %s", tableName));
Expand Up @@ -52,7 +52,6 @@
import static io.prestosql.spi.security.AccessDeniedException.denyShowCreateTable;
import static io.prestosql.spi.security.AccessDeniedException.denyShowRoles;
import static io.prestosql.spi.security.AccessDeniedException.denyShowSchemas;
import static io.prestosql.spi.security.AccessDeniedException.denyShowTablesMetadata;
import static io.prestosql.spi.security.AccessDeniedException.denyViewQuery;

public interface SystemAccessControl
Expand Down Expand Up @@ -247,20 +246,6 @@ default void checkCanSetTableComment(SystemSecurityContext context, CatalogSchem
denyCommentTable(table.toString());
}

/**
* Check if identity is allowed to show metadata of tables by executing SHOW TABLES, SHOW GRANTS etc. in a catalog.
* <p>
* NOTE: This method is only present to give users an error message when listing is not allowed.
* The {@link #filterTables} method must filter all results for unauthorized users,
* since there are multiple ways to list tables.
*
* @throws AccessDeniedException if not allowed
*/
default void checkCanShowTablesMetadata(SystemSecurityContext context, CatalogSchemaName schema)
{
denyShowTablesMetadata(schema.toString());
}

/**
* Filter the list of tables and views to those visible to the identity.
*/
