/**
 * Verifies that {@code ${USER}} and {@code ${SOURCE}} placeholders in a queue name template
 * are replaced with the session's user and source, and that a template without placeholders
 * is returned unchanged.
 */
@Test
public void testNameExpansion()
{
    Session session = TestingSession.testSessionBuilder()
            .setIdentity(new Identity("bob", Optional.empty()))
            .setSource("the-internet")
            .build();

    // One definition per template shape; the two numeric arguments are the same for all of them.
    QueryQueueDefinition userQueue = new QueryQueueDefinition("user.${USER}", 1, 1);
    assertEquals(userQueue.getExpandedTemplate(session), "user.bob");

    QueryQueueDefinition sourceQueue = new QueryQueueDefinition("source.${SOURCE}", 1, 1);
    assertEquals(sourceQueue.getExpandedTemplate(session), "source.the-internet");

    QueryQueueDefinition combinedQueue = new QueryQueueDefinition("${USER}.${SOURCE}", 1, 1);
    assertEquals(combinedQueue.getExpandedTemplate(session), "bob.the-internet");

    QueryQueueDefinition literalQueue = new QueryQueueDefinition("global", 1, 1);
    assertEquals(literalQueue.getExpandedTemplate(session), "global");
}
/**
 * Builds a connector session for tests.
 *
 * <p>A fresh query id is taken from {@code queryIdGenerator}, and the identity is created from
 * {@code user} with an empty principal. Property metadata is indexed by name and the property
 * values are copied into an immutable map.
 *
 * @param user user name for the session identity; must not be null
 * @param timeZoneKey session time zone; must not be null
 * @param locale session locale; must not be null
 * @param startTime session start time, stored as given
 * @param propertyMetadatas property definitions, indexed by {@code PropertyMetadata::getName}
 * @param propertyValues property values, defensively copied
 */
public TestingConnectorSession(
        String user,
        TimeZoneKey timeZoneKey,
        Locale locale,
        long startTime,
        List<PropertyMetadata<?>> propertyMetadatas,
        Map<String, Object> propertyValues)
{
    // The query id is generated before any argument is validated, as in the original ordering.
    this.queryId = queryIdGenerator.createNextQueryId().toString();

    String checkedUser = requireNonNull(user, "user is null");
    this.identity = new Identity(checkedUser, Optional.empty());

    this.timeZoneKey = requireNonNull(timeZoneKey, "timeZoneKey is null");
    this.locale = requireNonNull(locale, "locale is null");
    this.startTime = startTime;

    this.properties = Maps.uniqueIndex(propertyMetadatas, PropertyMetadata::getName);
    this.propertyValues = ImmutableMap.copyOf(propertyValues);
}
/**
 * Creates a connector session that carries only the core session attributes.
 *
 * <p>This overload sets {@code properties}, {@code catalog} and {@code sessionPropertyManager}
 * to {@code null}.
 *
 * @param queryId query identifier; must not be null
 * @param identity identity the session runs as; must not be null
 * @param timeZoneKey session time zone; must not be null
 * @param locale session locale; must not be null
 * @param startTime session start time, stored as given
 */
public FullConnectorSession(
        String queryId,
        Identity identity,
        TimeZoneKey timeZoneKey,
        Locale locale,
        long startTime)
{
    // Validated attributes, checked in declaration order.
    this.queryId = requireNonNull(queryId, "queryId is null");
    this.identity = requireNonNull(identity, "identity is null");
    this.timeZoneKey = requireNonNull(timeZoneKey, "timeZoneKey is null");
    this.locale = requireNonNull(locale, "locale is null");
    this.startTime = startTime;

    // No session property information is attached by this constructor.
    this.properties = null;
    this.catalog = null;
    this.sessionPropertyManager = null;
}
/**
 * Records the supplied configuration and returns a {@link SystemAccessControl} that captures
 * the arguments of {@code checkCanSetUser} instead of enforcing anything.
 *
 * <p>{@code checkCanSetUser} stores its arguments in {@code checkedPrincipal} and
 * {@code checkedUserName} and never rejects; {@code checkCanSetSystemSessionProperty} always
 * throws {@link UnsupportedOperationException}.
 *
 * @param config configuration map, stored as given in {@code this.config}
 * @return the recording access control
 */
@Override
public SystemAccessControl create(Map<String, String> config)
{
    this.config = config;

    SystemAccessControl recordingControl = new SystemAccessControl()
    {
        @Override
        public void checkCanSetUser(Principal principal, String userName)
        {
            // Capture the call so the enclosing object can expose what was checked.
            checkedPrincipal = principal;
            checkedUserName = userName;
        }

        @Override
        public void checkCanSetSystemSessionProperty(Identity identity, String propertyName)
        {
            throw new UnsupportedOperationException();
        }
    };
    return recordingControl;
}
/**
 * Rejects a delete on {@code tableName} unless {@code checkTablePermission} reports that
 * {@code identity} holds the DELETE privilege on it.
 *
 * @param identity identity requesting the delete
 * @param tableName table the rows would be deleted from
 */
@Override
public void checkCanDeleteFromTable(Identity identity, SchemaTableName tableName)
{
    if (checkTablePermission(identity, tableName, DELETE)) {
        return;
    }
    // The table name is rendered only on the denial path.
    denyDeleteTable(tableName.toString());
}
/**
 * Applies the configured deny rules for CREATE_VIEW_WITH_SELECT_TABLE and, only when no deny
 * rules are configured at all, delegates to the superclass check.
 *
 * <p>A matching deny rule is reported through {@code denySelectTable}.
 *
 * @param transactionId transaction the check runs in
 * @param identity identity whose user name is matched against the deny rules
 * @param tableName table referenced by the view; its object name is matched against the rules
 */
@Override
public void checkCanCreateViewWithSelectFromTable(TransactionId transactionId, Identity identity, QualifiedObjectName tableName)
{
    boolean denied = shouldDenyPrivilege(identity.getUser(), tableName.getObjectName(), CREATE_VIEW_WITH_SELECT_TABLE);
    if (denied) {
        denySelectTable(tableName.toString());
    }

    // The superclass check is skipped whenever any deny rule is configured.
    if (!denyPrivileges.isEmpty()) {
        return;
    }
    super.checkCanCreateViewWithSelectFromTable(transactionId, identity, tableName);
}
/**
 * Rejects table creation unless {@code checkDatabasePermission} reports that {@code identity}
 * holds OWNERSHIP on the schema that would contain the table.
 *
 * @param identity identity requesting the creation
 * @param tableName table to create; only its schema name is used for the permission lookup
 */
@Override
public void checkCanCreateTable(Identity identity, SchemaTableName tableName)
{
    if (checkDatabasePermission(identity, tableName.getSchemaName(), OWNERSHIP)) {
        return;
    }
    denyCreateTable(tableName.toString());
}
/**
 * Rejects a table rename when the {@code allowRenameTable} flag is off.
 *
 * <p>The decision depends on that flag alone; {@code identity} is not examined by this method.
 *
 * @param identity identity requesting the rename (unused here)
 * @param tableName current table name
 * @param newTableName requested table name
 */
@Override
public void checkCanRenameTable(Identity identity, SchemaTableName tableName, SchemaTableName newTableName)
{
    if (allowRenameTable) {
        return;
    }
    denyRenameTable(tableName.toString(), newTableName.toString());
}
/**
 * Rejects creating a view that selects from {@code tableName} unless
 * {@code checkTablePermission} succeeds for the SELECT and GRANT privileges.
 *
 * <p>NOTE(review): presumably both privileges must be held; confirm against
 * {@code checkTablePermission}, which is defined outside this block.
 *
 * @param identity identity creating the view
 * @param tableName table the view would select from
 */
@Override
public void checkCanCreateViewWithSelectFromTable(Identity identity, SchemaTableName tableName)
{
    if (checkTablePermission(identity, tableName, SELECT, GRANT)) {
        return;
    }
    denySelectTable(tableName.toString());
}
/**
 * Rejects a table rename unless the {@code allowRenameTable} flag is on and
 * {@code checkTablePermission} reports OWNERSHIP of {@code tableName} for {@code identity}.
 *
 * <p>The permission lookup is skipped when the flag is off. Only the current table name is
 * checked; {@code newTableName} is used solely in the denial.
 *
 * @param identity identity requesting the rename
 * @param tableName current table name
 * @param newTableName requested table name
 */
@Override
public void checkCanRenameTable(Identity identity, SchemaTableName tableName, SchemaTableName newTableName)
{
    // Equivalent to the negated form: both conditions must hold for the rename to pass.
    if (allowRenameTable && checkTablePermission(identity, tableName, OWNERSHIP)) {
        return;
    }
    denyRenameTable(tableName.toString(), newTableName.toString());
}
/**
 * Rejects view creation unless {@code checkDatabasePermission} reports that {@code identity}
 * holds OWNERSHIP on the schema that would contain the view.
 *
 * @param identity identity requesting the creation
 * @param viewName view to create; only its schema name is used for the permission lookup
 */
@Override
public void checkCanCreateView(Identity identity, SchemaTableName viewName)
{
    if (checkDatabasePermission(identity, viewName.getSchemaName(), OWNERSHIP)) {
        return;
    }
    denyCreateView(viewName.toString());
}
/**
 * Applies the configured deny rules for SET_SESSION on a catalog session property and, only
 * when no deny rules are configured at all, delegates to the superclass check.
 *
 * <p>The rule is matched against the property name qualified as
 * {@code catalogName.propertyName}.
 *
 * @param identity identity whose user name is matched against the deny rules
 * @param catalogName catalog that owns the property
 * @param propertyName property being set
 */
@Override
public void checkCanSetCatalogSessionProperty(Identity identity, String catalogName, String propertyName)
{
    String qualifiedProperty = catalogName + "." + propertyName;
    if (shouldDenyPrivilege(identity.getUser(), qualifiedProperty, SET_SESSION)) {
        denySetCatalogSessionProperty(catalogName, propertyName);
    }

    // The superclass check is skipped whenever any deny rule is configured.
    if (!denyPrivileges.isEmpty()) {
        return;
    }
    super.checkCanSetCatalogSessionProperty(identity, catalogName, propertyName);
}
/**
 * Rejects dropping a table when the {@code allowDropTable} flag is off.
 *
 * <p>The decision depends on that flag alone; {@code identity} is not examined by this method.
 *
 * @param identity identity requesting the drop (unused here)
 * @param tableName table to drop
 */
@Override
public void checkCanDropTable(Identity identity, SchemaTableName tableName)
{
    if (allowDropTable) {
        return;
    }
    denyDropTable(tableName.toString());
}
/**
 * Rejects a column rename unless {@code checkTablePermission} reports that {@code identity}
 * holds OWNERSHIP of {@code tableName}.
 *
 * @param identity identity requesting the rename
 * @param tableName table whose column would be renamed
 */
@Override
public void checkCanRenameColumn(Identity identity, SchemaTableName tableName)
{
    if (checkTablePermission(identity, tableName, OWNERSHIP)) {
        return;
    }
    denyRenameColumn(tableName.toString());
}
/**
 * Verifies that a select check completes without an exception when only the allow-all system
 * access control is installed and no access control has been registered for the catalog.
 */
@Test
public void testNoCatalogAccessControl()
        throws Exception
{
    TransactionManager transactionManager = createTestTransactionManager();
    AccessControlManager accessControlManager = new AccessControlManager(transactionManager);
    accessControlManager.setSystemAccessControl(ALLOW_ALL_ACCESS_CONTROL, ImmutableMap.<String, String>of());

    transaction(transactionManager)
            .execute(transactionId -> {
                // Built inside the transaction body, exactly where the check is made.
                Identity caller = new Identity(USER_NAME, Optional.of(PRINCIPAL));
                QualifiedObjectName target = new QualifiedObjectName("catalog", "schema", "table");
                accessControlManager.checkCanSelectFromTable(transactionId, caller, target);
            });
}
/**
 * Builds a fixed test session for the {@code kinesis} catalog in the given time zone and
 * converts it to a connector session.
 *
 * @param tzId time zone id passed to {@code TimeZoneKey.getTimeZoneKey}
 * @return the connector session for connector id {@code kinesis}
 */
protected ConnectorSession makeSessionWithTimeZone(String tzId)
{
    Session session = Session.builder(propManager)
            .setIdentity(new Identity("user", Optional.empty()))
            .setSource("source")
            .setCatalog("kinesis")
            .setSchema("default")
            .setTimeZoneKey(TimeZoneKey.getTimeZoneKey(tzId))
            .setLocale(ENGLISH)
            .setQueryId(new QueryId("dummy"))
            .build();

    return session.toConnectorSession(new ConnectorId("kinesis"));
}
/**
 * Rejects dropping a table unless the {@code allowDropTable} flag is on and
 * {@code checkTablePermission} reports OWNERSHIP of {@code tableName} for {@code identity}.
 *
 * <p>The permission lookup is skipped when the flag is off.
 *
 * @param identity identity requesting the drop
 * @param tableName table to drop
 */
@Override
public void checkCanDropTable(Identity identity, SchemaTableName tableName)
{
    // Equivalent to the negated form: both conditions must hold for the drop to pass.
    if (allowDropTable && checkTablePermission(identity, tableName, OWNERSHIP)) {
        return;
    }
    denyDropTable(tableName.toString());
}
/**
 * Rejects a select on {@code tableName} unless {@code checkTablePermission} reports that
 * {@code identity} holds the SELECT privilege on it.
 *
 * @param identity identity requesting the select
 * @param tableName table to read from
 */
@Override
public void checkCanSelectFromTable(Identity identity, SchemaTableName tableName)
{
    if (checkTablePermission(identity, tableName, SELECT)) {
        return;
    }
    denySelectTable(tableName.toString());
}
/**
 * Rejects setting a catalog session property unless the roles the metastore returns for the
 * identity's user contain {@code ADMIN_ROLE_NAME}.
 *
 * <p>The same rule applies to every property; {@code propertyName} is used only in the denial.
 *
 * @param identity identity requesting the change; its user name is used for the role lookup
 * @param propertyName property being set
 */
@Override
public void checkCanSetCatalogSessionProperty(Identity identity, String propertyName)
{
    boolean hasAdminRole = metastore.getRoles(identity.getUser()).contains(ADMIN_ROLE_NAME);
    if (hasAdminRole) {
        return;
    }
    denySetCatalogSessionProperty(connectorId, propertyName);
}
/**
 * Forwards a create-table check to the access control registered for the table's catalog.
 *
 * <p>When no entry is registered for that catalog, the method returns without performing any
 * check, so creation is not restricted at this level.
 *
 * @param transactionId transaction used to obtain the catalog's transaction handle
 * @param identity identity requesting the creation; must not be null
 * @param tableName fully qualified table name; must not be null
 */
@Override
public void checkCanCreateTable(TransactionId transactionId, Identity identity, QualifiedObjectName tableName)
{
    requireNonNull(identity, "identity is null");
    requireNonNull(tableName, "tableName is null");

    CatalogAccessControlEntry entry = catalogAccessControl.get(tableName.getCatalogName());
    if (entry == null) {
        // No access control registered for this catalog: nothing to consult.
        return;
    }
    authorizationCheck(() -> entry.getAccessControl().checkCanCreateTable(
            entry.getTransactionHandle(transactionId),
            identity,
            tableName.asSchemaTableName()));
}
/**
 * Forwards a rename-table check to the access control registered for the current table's
 * catalog.
 *
 * <p>The lookup uses the catalog of {@code tableName} only; the catalog of
 * {@code newTableName} is not consulted here. When no entry is registered for that catalog,
 * the method returns without performing any check.
 *
 * <p>NOTE(review): confirm that callers reject a rename whose target is in a different catalog.
 *
 * @param transactionId transaction used to obtain the catalog's transaction handle
 * @param identity identity requesting the rename; must not be null
 * @param tableName current fully qualified table name; must not be null
 * @param newTableName requested fully qualified table name; must not be null
 */
@Override
public void checkCanRenameTable(TransactionId transactionId, Identity identity, QualifiedObjectName tableName, QualifiedObjectName newTableName)
{
    requireNonNull(identity, "identity is null");
    requireNonNull(tableName, "tableName is null");
    requireNonNull(newTableName, "newTableName is null");

    CatalogAccessControlEntry entry = catalogAccessControl.get(tableName.getCatalogName());
    if (entry == null) {
        // No access control registered for this catalog: nothing to consult.
        return;
    }
    authorizationCheck(() -> entry.getAccessControl().checkCanRenameTable(
            entry.getTransactionHandle(transactionId),
            identity,
            tableName.asSchemaTableName(),
            newTableName.asSchemaTableName()));
}
/**
 * Forwards an add-column check to the access control registered for the table's catalog,
 * through that access control's {@code checkCanAddColumn} method.
 *
 * <p>When no entry is registered for that catalog, the method returns without performing any
 * check.
 *
 * @param transactionId transaction used to obtain the catalog's transaction handle
 * @param identity identity requesting the change; must not be null
 * @param tableName fully qualified table name; must not be null
 */
@Override
public void checkCanAddColumns(TransactionId transactionId, Identity identity, QualifiedObjectName tableName)
{
    requireNonNull(identity, "identity is null");
    requireNonNull(tableName, "tableName is null");

    CatalogAccessControlEntry entry = catalogAccessControl.get(tableName.getCatalogName());
    if (entry == null) {
        // No access control registered for this catalog: nothing to consult.
        return;
    }
    authorizationCheck(() -> entry.getAccessControl().checkCanAddColumn(
            entry.getTransactionHandle(transactionId),
            identity,
            tableName.asSchemaTableName()));
}
/**
 * Forwards a rename-column check to the access control registered for the table's catalog.
 *
 * <p>When no entry is registered for that catalog, the method returns without performing any
 * check.
 *
 * @param transactionId transaction used to obtain the catalog's transaction handle
 * @param identity identity requesting the rename; must not be null
 * @param tableName fully qualified table name; must not be null
 */
@Override
public void checkCanRenameColumn(TransactionId transactionId, Identity identity, QualifiedObjectName tableName)
{
    requireNonNull(identity, "identity is null");
    requireNonNull(tableName, "tableName is null");

    CatalogAccessControlEntry entry = catalogAccessControl.get(tableName.getCatalogName());
    if (entry == null) {
        // No access control registered for this catalog: nothing to consult.
        return;
    }
    authorizationCheck(() -> entry.getAccessControl().checkCanRenameColumn(
            entry.getTransactionHandle(transactionId),
            identity,
            tableName.asSchemaTableName()));
}
/**
 * Forwards an insert check to the access control registered for the table's catalog.
 *
 * <p>When no entry is registered for that catalog, the method returns without performing any
 * check.
 *
 * @param transactionId transaction used to obtain the catalog's transaction handle
 * @param identity identity requesting the insert; must not be null
 * @param tableName fully qualified table name; must not be null
 */
@Override
public void checkCanInsertIntoTable(TransactionId transactionId, Identity identity, QualifiedObjectName tableName)
{
    requireNonNull(identity, "identity is null");
    requireNonNull(tableName, "tableName is null");

    CatalogAccessControlEntry entry = catalogAccessControl.get(tableName.getCatalogName());
    if (entry == null) {
        // No access control registered for this catalog: nothing to consult.
        return;
    }
    authorizationCheck(() -> entry.getAccessControl().checkCanInsertIntoTable(
            entry.getTransactionHandle(transactionId),
            identity,
            tableName.asSchemaTableName()));
}
/**
 * Forwards a create-view check to the access control registered for the view's catalog.
 *
 * <p>When no entry is registered for that catalog, the method returns without performing any
 * check.
 *
 * @param transactionId transaction used to obtain the catalog's transaction handle
 * @param identity identity requesting the creation; must not be null
 * @param viewName fully qualified view name; must not be null
 */
@Override
public void checkCanCreateView(TransactionId transactionId, Identity identity, QualifiedObjectName viewName)
{
    requireNonNull(identity, "identity is null");
    requireNonNull(viewName, "viewName is null");

    CatalogAccessControlEntry entry = catalogAccessControl.get(viewName.getCatalogName());
    if (entry == null) {
        // No access control registered for this catalog: nothing to consult.
        return;
    }
    authorizationCheck(() -> entry.getAccessControl().checkCanCreateView(
            entry.getTransactionHandle(transactionId),
            identity,
            viewName.asSchemaTableName()));
}
/**
 * Forwards a select-from-view check to the access control registered for the view's catalog.
 *
 * <p>When no entry is registered for that catalog, the method returns without performing any
 * check.
 *
 * @param transactionId transaction used to obtain the catalog's transaction handle
 * @param identity identity requesting the select; must not be null
 * @param viewName fully qualified view name; must not be null
 */
@Override
public void checkCanSelectFromView(TransactionId transactionId, Identity identity, QualifiedObjectName viewName)
{
    requireNonNull(identity, "identity is null");
    requireNonNull(viewName, "viewName is null");

    CatalogAccessControlEntry entry = catalogAccessControl.get(viewName.getCatalogName());
    if (entry == null) {
        // No access control registered for this catalog: nothing to consult.
        return;
    }
    authorizationCheck(() -> entry.getAccessControl().checkCanSelectFromView(
            entry.getTransactionHandle(transactionId),
            identity,
            viewName.asSchemaTableName()));
}
/**
 * Forwards a create-view-with-select-from-table check to the access control registered for the
 * table's catalog.
 *
 * <p>When no entry is registered for that catalog, the method returns without performing any
 * check.
 *
 * @param transactionId transaction used to obtain the catalog's transaction handle
 * @param identity identity creating the view; must not be null
 * @param tableName fully qualified name of the table the view selects from; must not be null
 */
@Override
public void checkCanCreateViewWithSelectFromTable(TransactionId transactionId, Identity identity, QualifiedObjectName tableName)
{
    requireNonNull(identity, "identity is null");
    requireNonNull(tableName, "tableName is null");

    CatalogAccessControlEntry entry = catalogAccessControl.get(tableName.getCatalogName());
    if (entry == null) {
        // No access control registered for this catalog: nothing to consult.
        return;
    }
    authorizationCheck(() -> entry.getAccessControl().checkCanCreateViewWithSelectFromTable(
            entry.getTransactionHandle(transactionId),
            identity,
            tableName.asSchemaTableName()));
}
/**
 * Forwards a create-view-with-select-from-view check to the access control registered for the
 * referenced view's catalog.
 *
 * <p>When no entry is registered for that catalog, the method returns without performing any
 * check.
 *
 * @param transactionId transaction used to obtain the catalog's transaction handle
 * @param identity identity creating the view; must not be null
 * @param viewName fully qualified name of the view being selected from; must not be null
 */
@Override
public void checkCanCreateViewWithSelectFromView(TransactionId transactionId, Identity identity, QualifiedObjectName viewName)
{
    requireNonNull(identity, "identity is null");
    requireNonNull(viewName, "viewName is null");

    CatalogAccessControlEntry entry = catalogAccessControl.get(viewName.getCatalogName());
    if (entry == null) {
        // No access control registered for this catalog: nothing to consult.
        return;
    }
    authorizationCheck(() -> entry.getAccessControl().checkCanCreateViewWithSelectFromView(
            entry.getTransactionHandle(transactionId),
            identity,
            viewName.asSchemaTableName()));
}
/**
 * Forwards a set-system-session-property check to the currently installed system access
 * control.
 *
 * <p>The system access control is read from {@code systemAccessControl} when the check runs,
 * inside {@code authorizationCheck}.
 *
 * @param identity identity requesting the change; must not be null
 * @param propertyName system session property being set; must not be null
 */
@Override
public void checkCanSetSystemSessionProperty(Identity identity, String propertyName)
{
    requireNonNull(identity, "identity is null");
    requireNonNull(propertyName, "propertyName is null");

    authorizationCheck(() -> {
        systemAccessControl.get().checkCanSetSystemSessionProperty(identity, propertyName);
    });
}
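/**
 * Creates a session from fully resolved attributes.
 *
 * <p>Every reference argument is rejected with a {@link NullPointerException} when null.
 * System properties and each catalog's property map are defensively copied into immutable
 * maps, so later changes to the caller's maps do not affect the session.
 *
 * @param queryId query identifier
 * @param transactionId transaction the session is bound to, if any
 * @param clientTransactionSupport stored as given
 * @param identity identity the session runs as
 * @param source client-reported source, if any
 * @param catalog default catalog, if any
 * @param schema default schema, if any; may only be present when {@code catalog} is present
 * @param timeZoneKey session time zone
 * @param locale session locale
 * @param remoteUserAddress remote address of the client, if any
 * @param userAgent client user agent, if any
 * @param startTime session start time, stored as given
 * @param systemProperties system session properties by name
 * @param catalogProperties catalog session properties, keyed by catalog and then by name
 * @param sessionPropertyManager manager used for session properties
 * @throws NullPointerException if any reference argument, or any catalog's property map, is null
 * @throws IllegalArgumentException if {@code schema} is present but {@code catalog} is not
 */
public Session(
        QueryId queryId,
        Optional<TransactionId> transactionId,
        boolean clientTransactionSupport,
        Identity identity,
        Optional<String> source,
        Optional<String> catalog,
        Optional<String> schema,
        TimeZoneKey timeZoneKey,
        Locale locale,
        Optional<String> remoteUserAddress,
        Optional<String> userAgent,
        long startTime,
        Map<String, String> systemProperties,
        Map<String, Map<String, String>> catalogProperties,
        SessionPropertyManager sessionPropertyManager)
{
    this.queryId = requireNonNull(queryId, "queryId is null");
    this.transactionId = requireNonNull(transactionId, "transactionId is null");
    this.clientTransactionSupport = clientTransactionSupport;
    // The identity was the only reference argument stored unchecked; a session must not be
    // constructed without one, so a null is rejected here instead of being stored.
    this.identity = requireNonNull(identity, "identity is null");
    this.source = requireNonNull(source, "source is null");
    this.catalog = requireNonNull(catalog, "catalog is null");
    this.schema = requireNonNull(schema, "schema is null");
    this.timeZoneKey = requireNonNull(timeZoneKey, "timeZoneKey is null");
    this.locale = requireNonNull(locale, "locale is null");
    this.remoteUserAddress = requireNonNull(remoteUserAddress, "remoteUserAddress is null");
    this.userAgent = requireNonNull(userAgent, "userAgent is null");
    this.startTime = startTime;
    this.systemProperties = ImmutableMap.copyOf(requireNonNull(systemProperties, "systemProperties is null"));
    this.sessionPropertyManager = requireNonNull(sessionPropertyManager, "sessionPropertyManager is null");

    // A null map already failed on entrySet(); the explicit check only adds a message.
    requireNonNull(catalogProperties, "catalogProperties is null");
    ImmutableMap.Builder<String, Map<String, String>> catalogPropertiesBuilder = ImmutableMap.<String, Map<String, String>>builder();
    for (Map.Entry<String, Map<String, String>> entry : catalogProperties.entrySet()) {
        // Copy each inner map so the session does not alias caller-owned mutable state.
        catalogPropertiesBuilder.put(entry.getKey(), ImmutableMap.copyOf(entry.getValue()));
    }
    this.catalogProperties = catalogPropertiesBuilder.build();

    checkArgument(catalog.isPresent() || !schema.isPresent(), "schema is set but catalog is not");
}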
/**
 * Applies the configured deny rules for CREATE_TABLE and, only when no deny rules are
 * configured at all, delegates to the superclass check.
 *
 * @param transactionId transaction the check runs in
 * @param identity identity whose user name is matched against the deny rules
 * @param tableName table to create; its object name is matched against the rules
 */
@Override
public void checkCanCreateTable(TransactionId transactionId, Identity identity, QualifiedObjectName tableName)
{
    boolean denied = shouldDenyPrivilege(identity.getUser(), tableName.getObjectName(), CREATE_TABLE);
    if (denied) {
        denyCreateTable(tableName.toString());
    }

    // The superclass check is skipped whenever any deny rule is configured.
    if (!denyPrivileges.isEmpty()) {
        return;
    }
    super.checkCanCreateTable(transactionId, identity, tableName);
}
/**
 * Applies the configured deny rules for DROP_TABLE and, only when no deny rules are
 * configured at all, delegates to the superclass check.
 *
 * @param transactionId transaction the check runs in
 * @param identity identity whose user name is matched against the deny rules
 * @param tableName table to drop; its object name is matched against the rules
 */
@Override
public void checkCanDropTable(TransactionId transactionId, Identity identity, QualifiedObjectName tableName)
{
    boolean denied = shouldDenyPrivilege(identity.getUser(), tableName.getObjectName(), DROP_TABLE);
    if (denied) {
        denyDropTable(tableName.toString());
    }

    // The superclass check is skipped whenever any deny rule is configured.
    if (!denyPrivileges.isEmpty()) {
        return;
    }
    super.checkCanDropTable(transactionId, identity, tableName);
}
/**
 * Applies the configured deny rules for ADD_COLUMN and then delegates to the superclass check.
 *
 * <p>The superclass check is called unconditionally in this method.
 *
 * @param transactionId transaction the check runs in
 * @param identity identity whose user name is matched against the deny rules
 * @param tableName table to alter; its object name is matched against the rules
 */
@Override
public void checkCanAddColumns(TransactionId transactionId, Identity identity, QualifiedObjectName tableName)
{
    boolean denied = shouldDenyPrivilege(identity.getUser(), tableName.getObjectName(), ADD_COLUMN);
    if (denied) {
        denyAddColumn(tableName.toString());
    }

    super.checkCanAddColumns(transactionId, identity, tableName);
}
/**
 * Rejects a select on {@code viewName} unless {@code checkTablePermission} reports that
 * {@code identity} holds the SELECT privilege on it.
 *
 * <p>The view is checked with the same helper that is used for tables.
 *
 * @param identity identity requesting the select
 * @param viewName view to read from
 */
@Override
public void checkCanSelectFromView(Identity identity, SchemaTableName viewName)
{
    if (checkTablePermission(identity, viewName, SELECT)) {
        return;
    }
    denySelectView(viewName.toString());
}
/**
 * Applies the configured deny rules for DELETE_TABLE and, only when no deny rules are
 * configured at all, delegates to the superclass check.
 *
 * @param transactionId transaction the check runs in
 * @param identity identity whose user name is matched against the deny rules
 * @param tableName table to delete from; its object name is matched against the rules
 */
@Override
public void checkCanDeleteFromTable(TransactionId transactionId, Identity identity, QualifiedObjectName tableName)
{
    boolean denied = shouldDenyPrivilege(identity.getUser(), tableName.getObjectName(), DELETE_TABLE);
    if (denied) {
        denyDeleteTable(tableName.toString());
    }

    // The superclass check is skipped whenever any deny rule is configured.
    if (!denyPrivileges.isEmpty()) {
        return;
    }
    super.checkCanDeleteFromTable(transactionId, identity, tableName);
}
/**
 * Applies the configured deny rules for CREATE_VIEW and, only when no deny rules are
 * configured at all, delegates to the superclass check.
 *
 * @param transactionId transaction the check runs in
 * @param identity identity whose user name is matched against the deny rules
 * @param viewName view to create; its object name is matched against the rules
 */
@Override
public void checkCanCreateView(TransactionId transactionId, Identity identity, QualifiedObjectName viewName)
{
    boolean denied = shouldDenyPrivilege(identity.getUser(), viewName.getObjectName(), CREATE_VIEW);
    if (denied) {
        denyCreateView(viewName.toString());
    }

    // The superclass check is skipped whenever any deny rule is configured.
    if (!denyPrivileges.isEmpty()) {
        return;
    }
    super.checkCanCreateView(transactionId, identity, viewName);
}
/**
 * Applies the configured deny rules for DROP_VIEW and, only when no deny rules are
 * configured at all, delegates to the superclass check.
 *
 * @param transactionId transaction the check runs in
 * @param identity identity whose user name is matched against the deny rules
 * @param viewName view to drop; its object name is matched against the rules
 */
@Override
public void checkCanDropView(TransactionId transactionId, Identity identity, QualifiedObjectName viewName)
{
    boolean denied = shouldDenyPrivilege(identity.getUser(), viewName.getObjectName(), DROP_VIEW);
    if (denied) {
        denyDropView(viewName.toString());
    }

    // The superclass check is skipped whenever any deny rule is configured.
    if (!denyPrivileges.isEmpty()) {
        return;
    }
    super.checkCanDropView(transactionId, identity, viewName);
}
/**
 * Applies the configured deny rules for SELECT_VIEW and, only when no deny rules are
 * configured at all, delegates to the superclass check.
 *
 * @param transactionId transaction the check runs in
 * @param identity identity whose user name is matched against the deny rules
 * @param viewName view to read from; its object name is matched against the rules
 */
@Override
public void checkCanSelectFromView(TransactionId transactionId, Identity identity, QualifiedObjectName viewName)
{
    boolean denied = shouldDenyPrivilege(identity.getUser(), viewName.getObjectName(), SELECT_VIEW);
    if (denied) {
        denySelectView(viewName.toString());
    }

    // The superclass check is skipped whenever any deny rule is configured.
    if (!denyPrivileges.isEmpty()) {
        return;
    }
    super.checkCanSelectFromView(transactionId, identity, viewName);
}
/**
 * Applies the configured deny rules for SET_SESSION on a system session property and, only
 * when no deny rules are configured at all, delegates to the superclass check.
 *
 * @param identity identity whose user name is matched against the deny rules
 * @param propertyName property being set; matched against the rules as given
 */
@Override
public void checkCanSetSystemSessionProperty(Identity identity, String propertyName)
{
    boolean denied = shouldDenyPrivilege(identity.getUser(), propertyName, SET_SESSION);
    if (denied) {
        denySetSystemSessionProperty(propertyName);
    }

    // The superclass check is skipped whenever any deny rule is configured.
    if (!denyPrivileges.isEmpty()) {
        return;
    }
    super.checkCanSetSystemSessionProperty(identity, propertyName);
}
/**
 * Performs no check: the body is empty, so this implementation never rejects a select on
 * {@code tableName}, whatever {@code identity} is supplied.
 *
 * @param identity identity requesting the select (not examined)
 * @param tableName table to read from (not examined)
 */
@Override
public void checkCanSelectFromTable(Identity identity, SchemaTableName tableName)
{
    // No permission check is made here; every select passes through this method.
}