Add generic SET AUTHORIZATION #21794
Conversation
djsstarburst
force-pushed
the
david.stryker/add-generic-set-authorization
branch
from
19b0949 to
bbb067b
Compare
|
Would that help with this issue? |
No, I don't think this change will help. Materialized views must have owners when they are created. Perhaps you could post to the Trino #troubleshooting Slack channel about this. |
djsstarburst
force-pushed
the
david.stryker/add-generic-set-authorization
branch
from
bbb067b to
a8153d8
Compare
|
I did that some time ago but got no response https://trinodb.slack.com/archives/CGB0QHWSW/p1712241258245569 |
djsstarburst
force-pushed
the
david.stryker/add-generic-set-authorization
branch
from
a8153d8 to
5b3c06c
Compare
djsstarburst
force-pushed
the
david.stryker/add-generic-set-authorization
branch
from
5b3c06c to
67040b4
Compare
|
This pull request has gone a while without any activity. Tagging the Trino developer relations team: @bitsondatadev @colebow @mosabua |
mosabua
added
stale-ignore
|
I assume you are still working on this @djsstarburst |
Yes, @mosabua. |
djsstarburst
force-pushed
the
david.stryker/add-generic-set-authorization
branch
from
67040b4 to
0bb9bea
Compare
djsstarburst
force-pushed
the
david.stryker/add-generic-set-authorization
branch
from
0bb9bea to
5ed9185
Compare
|
Hi @martint. We discussed this PR, and you took a quick look at it last spring. I just brought it up-to-date with tip master. Could you please take another look and see if it can be approved? Thanks! |
There was a problem hiding this comment.
I would like to take a different approach to this PR. Instead of retaining the existing set*Authorization we remove them entirelly. Then in the SPI we have default implementation of setEntityAuthorization we switch over the entities and call the exisitng methods. Then we mark the existing 3 methods as deprecated for removal. We would do the same thing for the security checks.
The main, notable, difference with the existing code would be that we no longer perform an existance check before doing the authorization assignment. I think that is ok. If we decide we want that later we can add a generic entitiy exists mehtod.
core/trino-main/src/main/java/io/trino/execution/SetAuthorizationTask.java
Outdated
Show resolved
Hide resolved
core/trino-main/src/main/java/io/trino/execution/SetAuthorizationTask.java
Outdated
Show resolved
Hide resolved
core/trino-parser/src/test/java/io/trino/sql/parser/TestSqlParser.java
Outdated
Show resolved
Hide resolved
djsstarburst
force-pushed
the
david.stryker/add-generic-set-authorization
branch
2 times, most recently
from
9205917 to
a39beac
Compare
@dain - - I've tried to do what you suggested, and I've pushed out the result. But I'm not certain I've gotten the details right. Please take another quick look. |
There was a problem hiding this comment.
You are getting there. In all modules other than SPI, we should simply remove the methods. In the SPI we leave the methods, but mark them @Deprecated(forRemoval=ture). This means the nothing else in Trino is allowed to call this method. The new method will have a default implementation that calls through to the old deprecated implementations (likely needs the deprecation check suppressed for that method). This way existing implementations should still work, but it forces them to update. Then in a few months we remove the deprecated methods entirelly.
| @@ -858,4 +858,6 @@ default boolean isMaterializedView(Session session, QualifiedObjectName viewName | |||
| * Returns writer scaling options for the specified table. | |||
| */ | |||
| WriterScalingOptions getInsertWriterScalingOptions(Session session, TableHandle tableHandle); | |||
|
|
|||
| void setEntityAuthorization(Session session, String ownedKind, List<String> name, TrinoPrincipal principal); | |||
There was a problem hiding this comment.
Remove all other set*Authorization methods from this interface and implementations.
| @@ -2862,6 +2862,12 @@ public WriterScalingOptions getInsertWriterScalingOptions(Session session, Table | |||
| return metadata.getInsertWriterScalingOptions(session.toConnectorSession(tableHandle.catalogHandle()), tableHandle.connectorHandle()); | |||
| } | |||
|
|
|||
| @Override | |||
| public void setEntityAuthorization(Session session, String ownedKind, List<String> name, TrinoPrincipal principal) | |||
There was a problem hiding this comment.
Remove all other set*Authorization methods from this interface and implementations.
| */ | ||
| @Deprecated | ||
| void setSchemaOwner(Session session, CatalogSchemaName schema, TrinoPrincipal principal); |
There was a problem hiding this comment.
Sinces this is in the main module, we can remove these methods instead of deprecating them. The only place we would leave the existing methods is in the trino-spi module.
| @@ -238,4 +253,30 @@ default void validateEntityKindAndPrivileges(Session session, String entityKind, | |||
| * Column's NOT NULL constraint was dropped | |||
| */ | |||
| void columnNotNullConstraintDropped(Session session, CatalogSchemaTableName table, String column); | |||
|
|
|||
| default void setEntityOwner(Session session, String ownedKind, List<String> name, TrinoPrincipal principal) | |||
There was a problem hiding this comment.
This should just be an interface method
| */ | ||
| @Deprecated | ||
| void checkCanSetSchemaAuthorization(SecurityContext context, CatalogSchemaName schemaName, TrinoPrincipal principal); |
There was a problem hiding this comment.
These can be removed leaving only the new generic entity version
| @@ -1442,6 +1443,18 @@ public Map<ColumnSchema, ViewExpression> getColumnMasks(SecurityContext context, | |||
| } | |||
| } | |||
|
|
|||
| @Override | |||
| public void checkCanSetEntityAuthorization(SecurityContext context, String ownedKind, List<String> name, TrinoPrincipal principal) | |||
There was a problem hiding this comment.
Remove all other checkCanSet*Authorization methods from this interface and implementations.
| */ | ||
| @Deprecated |
There was a problem hiding this comment.
These should all be @Deprecated(forRemoval = true)
| */ | ||
| @Deprecated | ||
| default void checkCanSetSchemaAuthorization(SystemSecurityContext context, CatalogSchemaName schema, TrinoPrincipal principal) | ||
| { | ||
| denySetSchemaAuthorization(schema.toString(), principal); |
There was a problem hiding this comment.
Let's switch all of these to denySetEntityAuthorization
| @@ -746,6 +748,21 @@ public static void denyShowCreateFunction(String functionName, String extraInfo) | |||
| throw new AccessDeniedException(format("Cannot show create function for %s%s", functionName, formatExtraInfo(extraInfo))); | |||
| } | |||
|
|
|||
| public static void denySetEntityAuthorization(String ownedKind, List<String> name) | |||
There was a problem hiding this comment.
Let's mark all of the old denySet*Authorization @Deprecated(forRemoval = true)
| @@ -359,6 +359,9 @@ public Map<ColumnSchema, ViewExpression> getColumnMasks(SystemSecurityContext co | |||
| return ImmutableMap.of(); | |||
| } | |||
|
|
|||
| @Override | |||
| public void checkCanSetEntityAuthorization(SystemSecurityContext context, String ownedKind, List<String> name, TrinoPrincipal principal) {} | |||
There was a problem hiding this comment.
We can remove the other checkCanSet*Authorization methods from this impleentation and all others, since the engine can never call the other versions (because they are marked for removal)
djsstarburst
force-pushed
the
david.stryker/add-generic-set-authorization
branch
2 times, most recently
from
f1a9e92 to
7374ecc
Compare
This commit adds machinery to set the owner of arbitrary entities, by extending the syntax of ALTER (SCHEMA | TABLE | VIEW) qualifiedName SET AUTHORIZATION to support arbitrary owningKinds in place of SCHEMA, TABLE or VIEW. Checks that a specific SET AUTHORIZATION is legal is done by AccessControl.checkCanSetEntityAuthorization, also defined by SystemAccessControl. Setting the owner is done by Metadata.setEntityAuthorization and SystemSecurityMetadata.setEntityAuthorization.
djsstarburst
force-pushed
the
david.stryker/add-generic-set-authorization
branch
from
7374ecc to
35814ce
Compare
This commit adds machinery to set the owner of arbitrary entities, by extending the syntax of
ALTER (SCHEMA | TABLE | VIEW) qualifiedName SET AUTHORIZATION to support arbitrary owningKinds in place of SCHEMA, TABLE or VIEW. Checks that a specific SET AUTHORIZATION is legal is done by AccessControl.checkCanSetEntityAuthorization, also defined by SystemAccessControl. Setting the owner is done by Metadata.setEntityAuthorization and
SystemSecurityMetadata.setEntityAuthorization.
Description
Additional context and related issues
Release notes
( ) This is not user-visible or is docs only, and no release notes are required.
( ) Release notes are required. Please propose a release note for me.
( ) Release notes are required, with the following suggested text: