
Verify authorization access for SET AUTHORIZATION statements #16691

Merged

Conversation

@kokosing (Member) commented Mar 23, 2023:

With this pull request we are going to expect from all pluggable access controls that they make sure SET AUTHORIZATION statements are secure to perform. Previously it was not clear if it was the engine's or the access control's responsibility. Hence we had the legacy.allow-set-view-authorization config property.

To accomplish that now:

  • hive.security=sql-standard requires the admin role privilege to perform ALTER ... SET AUTHORIZATION ... statements
  • File-based access control now has new authorization rules that verify to whom AUTHORIZATION can be set.

Thanks to the above legacy.allow-set-view-authorization can be removed.

Release notes:
Hive

  • The hive.security=sql-standard security requires the admin role privilege to perform ALTER ... SET AUTHORIZATION ... statements

Security:

  • Introduce authorization rules to file-based access controls to control to whom authorization can be set with ALTER ... SET AUTHORIZATION ...
  • Remove the legacy.allow-set-view-authorization configuration property

@cla-bot cla-bot bot added the cla-signed label Mar 23, 2023
@kokosing kokosing requested review from ksobolew and dain March 23, 2023 11:34
@github-actions github-actions bot added hive Hive connector tests:hive labels Mar 23, 2023
@kokosing kokosing force-pushed the origin/master/177_alter_view_authorization branch from c4bb91a to 173f26e Compare March 23, 2023 13:47
@ksobolew (Contributor) left a comment:

There are two concerns here:

  1. Whether impersonation is the right precondition for this

    • We discussed this when we worked on this last time, and this was one of the suggestions. I think it makes sense, but I'm not strongly sold on it yet.
  2. This requires all access controls to implement this in a correct way, which is error prone.

    • I would suggest moving the logic to AccessControlManager and removing checkCanSetViewAuthorization from the access control interface(s).

Bonus concern:

  1. The commit message seems malformed :) It should explain why impersonation is the correct thing to do, not just that it's delegated to the access control.

@kokosing kokosing force-pushed the origin/master/177_alter_view_authorization branch from 173f26e to f4d4e3a Compare April 13, 2023 05:53
@kokosing (Member, Author) commented:

AC, PTAL

@ksobolew (Contributor) left a comment:

So file-based access controls will have their own model for this? We were discussing things like checking for impersonation, does that mean this is not viable here or just undesirable?

@@ -83,6 +86,11 @@ public Optional<List<SystemInformationRule>> getSystemInformationRules()
return systemInformationRules;
}

public List<AuthorizationRule> getAuthorizationRules()
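Review bot: `getAuthorizationRules()` returns a bare `List<AuthorizationRule>` while the getter directly above it in the hunk, `getSystemInformationRules()`, returns `Optional<List<SystemInformationRule>>`; since the reason is that an absent `authorization` section denies every SET AUTHORIZATION rather than falling back to some default, state that in a Javadoc on the method and make sure a missing section deserializes to an empty list rather than null, so the asymmetry reads as intentional and callers cannot hit a null on the deny path.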
@ksobolew (Contributor) commented on the lines above:

Why not return Optional like from all the others?

@kokosing (Member, Author) replied:

Because if this one is not present, it is denied by default.

if (!isTableOwner(context, viewName)) {
denySetViewAuthorization(viewName.toString(), principal);
}
denySetViewAuthorization(viewName.toString(), principal);
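Review bot: the difference between the two versions of this call is whether `isTableOwner(context, viewName)` guards `denySetViewAuthorization(viewName.toString(), principal)` or the deny is unconditional; either way it changes what the owner of a view may do, so it should land as its own commit whose message explains why the ownership branch goes away (for instance that the authorization rules are now where the move is decided), rather than being folded into a larger change where the behaviour shift is easy to miss.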
@ksobolew (Contributor) commented on the lines above:

Does this warrant a separate commit?

@Test
public void testSchemaAuthorization()
{
ConnectorAccessControl accessControl = createAccessControl("authorization-no-roles.json");
@ksobolew (Contributor) commented on the lines above:

Why no roles in connector access control tests?

@kokosing (Member, Author) replied:

There is also authorization.json; however, file-based connector access control does not support roles.

        checkArgument(!rules.hasRoleRules(), "File connector access control does not support role rules");

@kokosing (Member, Author) commented:

AC, PTAL

@kokosing kokosing force-pushed the origin/master/177_alter_view_authorization branch from f4d4e3a to f71b287 Compare May 29, 2023 15:54
@@ -678,7 +678,51 @@ as ``[email protected]``, you can use the following rules.
]
}

<<<<<<< HEAD
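Review bot: `<<<<<<< HEAD` at the end of this hunk is an unresolved merge-conflict marker, and the RST double-backtick literal in the hunk header shows this is a documentation file, so the 44 added lines after the closing `]` and `}` contain conflict text that would be rendered verbatim; rebase, resolve the conflict, and re-read the rendered page to confirm only the new rules section remains.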
Member commented on the lines above:

Unresolved merge conflict?

@kokosing kokosing force-pushed the origin/master/177_alter_view_authorization branch from f71b287 to 94acb6e Compare May 30, 2023 13:29
@dain (Member) left a comment:

The message on the second commit should be rewritten as the new solution is to add a file based access control rule for set authorization checks. Also, I think the PR message and release notes will need a rewrite.

@kokosing kokosing force-pushed the origin/master/177_alter_view_authorization branch 4 times, most recently from 8edefc5 to 8083741 Compare June 4, 2023 20:55
@kokosing kokosing changed the title Require impersonation for VIEW SET AUTHORIZATION Verify authorization access for SET AUTHORIZATION statements Jun 5, 2023
@kokosing kokosing force-pushed the origin/master/177_alter_view_authorization branch 2 times, most recently from ae08d58 to bcd8574 Compare June 5, 2023 14:21
@kokosing kokosing force-pushed the origin/master/177_alter_view_authorization branch from bcd8574 to 1c98782 Compare June 6, 2023 14:28
kokosing added 2 commits June 6, 2023 21:41
Using the new rules will allow controlling who can grant AUTHORIZATION
(move ownership) to whom. In order to perform the SET AUTHORIZATION
statement one also has to have ownership access to the referred entity.

So to be authorized to perform:
ALTER TABLE T SET AUTHORIZATION USER U;
one has to have access to
modify the table T and a proper authorization rule to move ownership to
user U:

This property is no longer needed. It is required that the plugin that
implements access control makes sure that control for SET AUTHORIZATION
is implemented securely.
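The checks described in the PR description (the admin role under hive.security=sql-standard; file-based rules deciding to whom authorization may be set) and in the first commit message (ownership of the referred entity plus a rule permitting the move to user U), as an added worked example. This is not Trino's code; it is a small deny-by-default evaluator written for this page. The JSON key names original_user, new_user and allow, the first-match-wins ordering, full-string regex matching of user names, and the role name admin are assumptions of the example, not taken from the page or from Trino's real schema.

```python
from __future__ import annotations

import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One ALTER ... SET AUTHORIZATION USER <new_owner> request."""
    caller: str                  # user issuing the statement
    caller_roles: frozenset[str]
    entity: str                  # e.g. "hive.default.t"
    owner: str                   # current owner of the entity
    new_owner: str               # USER U in the statement


@dataclass(frozen=True)
class AuthorizationRule:
    original_user: re.Pattern[str]   # who may give ownership away
    new_user: re.Pattern[str]        # to whom it may be given
    allow: bool = True


# Constructed sample policy. The key names are an assumption made for this
# example, not necessarily Trino's actual rule schema.
POLICY_JSON = """
{
  "authorization": [
    {"original_user": "admin", "new_user": ".*"},
    {"original_user": "alice", "new_user": "bob|carol"},
    {"original_user": "alice", "new_user": "svc_.*", "allow": false}
  ]
}
"""


def load_rules(policy_json: str) -> list[AuthorizationRule]:
    """Parse the 'authorization' section; a missing section yields no rules."""
    doc = json.loads(policy_json)
    return [
        AuthorizationRule(
            original_user=re.compile(raw.get("original_user", ".*")),
            new_user=re.compile(raw.get("new_user", ".*")),
            allow=bool(raw.get("allow", True)),
        )
        for raw in doc.get("authorization", [])
    ]


def rule_allows_transfer(rules: list[AuthorizationRule], caller: str, new_owner: str) -> bool:
    """First matching rule decides; no rules at all or no match means deny."""
    for rule in rules:
        if rule.original_user.fullmatch(caller) and rule.new_user.fullmatch(new_owner):
            return rule.allow
    return False


def file_based_check(rules: list[AuthorizationRule], req: Request) -> tuple[bool, str]:
    """File-based variant: ownership of the referred entity, then a rule
    permitting the move of ownership to the new owner."""
    if req.caller != req.owner:
        return False, f"{req.caller} does not own {req.entity}"
    if not rule_allows_transfer(rules, req.caller, req.new_owner):
        return False, f"no rule lets {req.caller} set authorization to {req.new_owner}"
    return True, "allowed"


def sql_standard_check(req: Request, admin_role: str = "admin") -> tuple[bool, str]:
    """hive.security=sql-standard variant: the admin role is required."""
    if admin_role not in req.caller_roles:
        return False, f"{req.caller} lacks the {admin_role} role"
    return True, "allowed"


if __name__ == "__main__":
    rules = load_rules(POLICY_JSON)
    for req in (
        Request("alice", frozenset(), "hive.default.t", "alice", "bob"),
        Request("alice", frozenset(), "hive.default.t", "alice", "svc_etl"),
        Request("bob", frozenset(), "hive.default.t", "alice", "carol"),
    ):
        print(req.caller, "->", req.new_owner, file_based_check(rules, req))
    admin_req = Request("dave", frozenset({"admin"}), "hive.default.t", "alice", "eve")
    print("sql-standard:", sql_standard_check(admin_req))
```

The point worth noticing is the empty-policy case: `load_rules("{}")` returns no rules, and `file_based_check` then denies even the entity's owner, which is the deny-by-default behaviour the review thread describes for a missing authorization section.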
@kokosing kokosing force-pushed the origin/master/177_alter_view_authorization branch from 1c98782 to c04f7c2 Compare June 6, 2023 19:41
@kokosing kokosing merged commit 0c928ac into trinodb:master Jun 7, 2023
@kokosing kokosing deleted the origin/master/177_alter_view_authorization branch June 7, 2023 14:43
@github-actions github-actions bot added this to the 420 milestone Jun 7, 2023
@ksobolew ksobolew mentioned this pull request Jun 19, 2023
4 participants