Allow all for admin role

Admin user has all the available permissions for all the entities implicitly. So it may be considered as a database and table "owner" for all tables and databases. Also it has all the SELECT, INSERT, DELETE permissions implicitly. Extracted-From: prestodb/presto#10904
trinodb · Jan 29, 2019 · e5f2784 · e5f2784
1 parent d455185
commit e5f2784
Showing 1 changed file with 15 additions and 2 deletions.
diff --git a/presto-hive/src/main/java/io/prestosql/plugin/hive/security/SqlStandardAccessControl.java b/presto-hive/src/main/java/io/prestosql/plugin/hive/security/SqlStandardAccessControl.java
@@ -110,7 +110,7 @@ public void checkCanDropSchema(ConnectorTransactionHandle transaction, Connector
     @Override
     public void checkCanRenameSchema(ConnectorTransactionHandle transaction, ConnectorIdentity identity, String schemaName, String newSchemaName)
     {
-        if (!isAdmin(transaction, identity) || !isDatabaseOwner(transaction, identity, schemaName)) {
+        if (!isDatabaseOwner(transaction, identity, schemaName)) {
             denyRenameSchema(schemaName, newSchemaName);
         }
     }
@@ -354,6 +354,10 @@ private boolean isDatabaseOwner(ConnectorTransactionHandle transaction, Connecto
             return true;
         }
 
+        if (isAdmin(transaction, identity)) {
+            return true;
+        }
+
         SemiTransactionalHiveMetastore metastore = metastoreProvider.apply(((HiveTransactionHandle) transaction));
         Optional<Database> databaseMetadata = metastore.getDatabase(databaseName);
         if (!databaseMetadata.isPresent()) {
@@ -374,7 +378,11 @@ private boolean isDatabaseOwner(ConnectorTransactionHandle transaction, Connecto
 
     private boolean checkTablePermission(ConnectorTransactionHandle transaction, ConnectorIdentity identity, SchemaTableName tableName, HivePrivilege... requiredPrivileges)
     {
-        if (tableName.equals(ROLES) && !isAdmin(transaction, identity)) {
+        if (isAdmin(transaction, identity)) {
+            return true;
+        }
+
+        if (tableName.equals(ROLES)) {
             return false;
         }
 
@@ -396,6 +404,10 @@ private boolean checkTablePermission(ConnectorTransactionHandle transaction, Con
 
     private boolean hasGrantOptionForPrivilege(ConnectorTransactionHandle transaction, ConnectorIdentity identity, Privilege privilege, SchemaTableName tableName)
     {
+        if (isAdmin(transaction, identity)) {
+            return true;
+        }
+
         SemiTransactionalHiveMetastore metastore = metastoreProvider.apply(((HiveTransactionHandle) transaction));
         return listApplicableTablePrivileges(
                 metastore,
@@ -410,6 +422,7 @@ private boolean hasAdminOptionForRoles(ConnectorTransactionHandle transaction, C
         if (isAdmin(transaction, identity)) {
             return true;
         }
+
         SemiTransactionalHiveMetastore metastore = metastoreProvider.apply(((HiveTransactionHandle) transaction));
         Set<RoleGrant> grants = listApplicableRoles(new PrestoPrincipal(USER, identity.getUser()), metastore::listRoleGrants);
         Set<String> rolesWithGrantOption = grants.stream()