Improve access control check for MV

core/trino-main/src/main/java/io/trino/sql/analyzer/StatementAnalyzer.java

@@ -2193,6 +2193,7 @@ protected Scope visitTable(Table table, Optional<Scope> scope)
             Optional<MaterializedViewDefinition> optionalMaterializedView = metadata.getMaterializedView(session, name);
             if (optionalMaterializedView.isPresent()) {
                 MaterializedViewDefinition materializedViewDefinition = optionalMaterializedView.get();
+                analysis.addEmptyColumnReferencesForTable(accessControl, session.getIdentity(), name);
                 if (isMaterializedViewSufficientlyFresh(session, name, materializedViewDefinition)) {
                     // If materialized view is sufficiently fresh with respect to its grace period, answer the query using the storage table
                     QualifiedName storageName = getMaterializedViewStorageTableName(materializedViewDefinition)

testing/trino-tests/src/test/java/io/trino/security/TestAccessControl.java

@@ -158,15 +158,15 @@ protected SystemAccessControl delegate()
                 })
                 .withGetViews((connectorSession, prefix) -> {
                     ConnectorViewDefinition definitionRunAsDefiner = new ConnectorViewDefinition(
-                            "select 1",
+                            "SELECT 1 AS test",
                             Optional.of("mock"),
                             Optional.of("default"),
                             ImmutableList.of(new ConnectorViewDefinition.ViewColumn("test", BIGINT.getTypeId(), Optional.empty())),
                             Optional.of("comment"),
                             Optional.of("admin"),
                             false);
                     ConnectorViewDefinition definitionRunAsInvoker = new ConnectorViewDefinition(
-                            "select 1",
+                            "SELECT 1 AS test",
                             Optional.of("mock"),
                             Optional.of("default"),
                             ImmutableList.of(new ConnectorViewDefinition.ViewColumn("test", BIGINT.getTypeId(), Optional.empty())),
@@ -182,7 +182,7 @@ protected SystemAccessControl delegate()
                     public Map<SchemaTableName, ConnectorMaterializedViewDefinition> apply(ConnectorSession session, SchemaTablePrefix schemaTablePrefix)
                     {
                         ConnectorMaterializedViewDefinition materializedViewDefinition = new ConnectorMaterializedViewDefinition(
-                                "select 1",
+                                "SELECT 1 AS test",
                                 Optional.empty(),
                                 Optional.empty(),
                                 Optional.empty(),
@@ -253,7 +253,27 @@ public void testAccessControl()
         assertAccessAllowed("SELECT name AS my_alias FROM nation", privilege("my_alias", SELECT_COLUMN));
         assertAccessAllowed("SELECT my_alias from (SELECT name AS my_alias FROM nation)", privilege("my_alias", SELECT_COLUMN));
         assertAccessDenied("SELECT name AS my_alias FROM nation", "Cannot select from columns \\[name] in table .*.nation.*", privilege("nation.name", SELECT_COLUMN));
-
+        assertAccessAllowed("SELECT 1 FROM mock.default.test_materialized_view");
+        assertAccessDenied("SELECT 1 FROM mock.default.test_materialized_view", "Cannot select from columns.*", privilege("test_materialized_view", SELECT_COLUMN));
+        assertAccessAllowed("SELECT * FROM mock.default.test_materialized_view");
+        assertAccessDenied("SELECT * FROM mock.default.test_materialized_view", "Cannot select from columns.*", privilege("test_materialized_view", SELECT_COLUMN));
+        assertAccessAllowed("SELECT 1 FROM mock.default.test_view_definer");
+        assertAccessDenied("SELECT 1 FROM mock.default.test_view_definer", "Cannot select from columns.*", privilege("test_view_definer", SELECT_COLUMN));
+        assertAccessAllowed("SELECT * FROM mock.default.test_view_definer");
+        assertAccessDenied("SELECT * FROM mock.default.test_view_definer", "Cannot select from columns.*", privilege("test_view_definer", SELECT_COLUMN));
+        assertAccessAllowed("SELECT 1 FROM mock.default.test_view_invoker");
+        assertAccessDenied("SELECT 1 FROM mock.default.test_view_invoker", "Cannot select from columns.*", privilege("test_view_invoker", SELECT_COLUMN));
+        assertAccessAllowed("SELECT * FROM mock.default.test_view_invoker");
+        assertAccessDenied("SELECT * FROM mock.default.test_view_invoker", "Cannot select from columns.*", privilege("test_view_invoker", SELECT_COLUMN));
+        // with current implementation this next block of checks is redundant to `SELECT 1 FROM ..`, but it is not obvious unless details of how
+        // semantics analyzer works are known
+        assertAccessAllowed("SELECT count(*) FROM mock.default.test_materialized_view");
+        assertAccessDenied("SELECT count(*) FROM mock.default.test_materialized_view", "Cannot select from columns.*", privilege("test_materialized_view", SELECT_COLUMN));
+        assertAccessAllowed("SELECT count(*) FROM mock.default.test_view_invoker");
+        assertAccessDenied("SELECT count(*) FROM mock.default.test_view_invoker", "Cannot select from columns.*", privilege("test_view_invoker", SELECT_COLUMN));
+        assertAccessAllowed("SELECT count(*) FROM mock.default.test_view_definer");
+        assertAccessDenied("SELECT count(*) FROM mock.default.test_view_definer", "Cannot select from columns.*", privilege("test_view_definer", SELECT_COLUMN));
+
         assertAccessDenied(
                 "SELECT orders.custkey, lineitem.quantity FROM orders JOIN lineitem USING (orderkey)",
                 "Cannot select from columns \\[orderkey, custkey] in table .*",