-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Could you explain why Trino decided to always skip access control on inline and built-in functions..? #19912
Comments
related PR: #19160 |
the reason why in-built functions are always allowed is because they are considered "safe". Can you explain which functions you want to disallow and why? |
@hashhar @dain I have deployed multiple UDFS, that I don't want to expose to everyone, but this issue is allowing all users to access all functions...the functions block is basically pointless if there are no checks being done... Trino upgrades are basically blocked for me and my teams across all environments due to this vulnerability |
but UDFs are not built-in functions and those should be controlled via access control. Do you observe otherwise? Can you enable debug log for the |
Yes exactly, @hashhar I have around 5-10 UDFs and if I don't put any function rule block, then they should all be by default not accessible right? I am seeing that those UDFs are not being controlled and everyone can access all functions including the (UDFS) even when I am not adding the block for functions rule. Using file based access controller. Will enable the debug logging and share logs. |
@hashhar even debug logs didn't show anything useful...I am still not able to have control over who can access what function |
Inline functions are provided by the user as part of the query, so it doesn't make much sense to check permissions based on their name -- the user could easily bypass the check by changing the function name. Built in functions (in the synthetic |
@martint thank you for the explanation, I am unable to find any reference to your explanation in the Trino docs or in any release notes. I also believe a critical point of access control is not just "safety" per se, but having control over who can use what and where for whatever usecase/scenario...due to certain users misfiring queries, we had removed user access to functions like distinct and some regex functions, not because distinct is unsafe, but such is the use case in that environment. Not to mention the fact that now, after putting in significant time in the Trino upgrade process, we have to now pull in lateral dev teams and ask for changes in their UDFs without any documentation. Can we have a flag that we can opt for, which can enable us to also control access over the in-line functions? |
We currently use Apache Ranger for access control on Trino queries, and manage policies to control special privileges to use in-line functions such as some sensitive unhash-like functions. (I know, Ranger is not the officially supported plugin for Trino)
This access control on the in-line functions was working well until
v412
(current version of our production cluster), but it's not working anymore on the latest release of Trino(v433
) with some breaking changes on the redesigning of access control codes.I found the reason on the code like below.
It's easy to fix these code lines on our forked repository of Trino,
but I wonder why Trino decided to remove access control on inline function at all.
How about adding option like
access-control-on-inline-function-enabled
(by defaultfalse
) ..?I found
FeatureConfig
can be injected toFunctionResolver
throughPlannerContext
withinLocalQueryRunner
. (But it looks ugly to transfer configuration like this..)The text was updated successfully, but these errors were encountered: