io.trino.plugin.hive.security.LegacyAccessControl Maven / Gradle / Ivy
This is a Databricks build of Trino's Hive plugin which includes support for HTTP-based transport
for its Hive metastore Thrift interface.
/*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package io.trino.plugin.hive.security;
import com.google.common.collect.ImmutableList;
import io.trino.plugin.hive.metastore.Table;
import io.trino.spi.connector.ConnectorAccessControl;
import io.trino.spi.connector.ConnectorSecurityContext;
import io.trino.spi.connector.SchemaRoutineName;
import io.trino.spi.connector.SchemaTableName;
import io.trino.spi.function.FunctionKind;
import io.trino.spi.security.Privilege;
import io.trino.spi.security.TrinoPrincipal;
import io.trino.spi.security.ViewExpression;
import io.trino.spi.type.Type;
import javax.inject.Inject;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import static io.trino.spi.security.AccessDeniedException.denyAddColumn;
import static io.trino.spi.security.AccessDeniedException.denyCommentColumn;
import static io.trino.spi.security.AccessDeniedException.denyCommentTable;
import static io.trino.spi.security.AccessDeniedException.denyDropColumn;
import static io.trino.spi.security.AccessDeniedException.denyDropTable;
import static io.trino.spi.security.AccessDeniedException.denyExecuteFunction;
import static io.trino.spi.security.AccessDeniedException.denyRenameColumn;
import static io.trino.spi.security.AccessDeniedException.denyRenameTable;
import static java.lang.String.format;
import static java.util.Objects.requireNonNull;
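/**
 * Legacy connector-level access control for the Hive plugin.
 *
 * <p>Only a small set of operations is restricted by this class:
 * <ul>
 * <li>DROP TABLE, RENAME TABLE, COMMENT ON TABLE, COMMENT ON COLUMN, ADD COLUMN, DROP COLUMN and
 * RENAME COLUMN are each gated by a boolean read from {@link LegacySecurityConfig} at construction time;</li>
 * <li>DROP TABLE additionally requires the session user to equal the table owner returned by the metastore;</li>
 * <li>execution of table functions is always denied.</li>
 * </ul>
 *
 * <p>Every other check has an empty body and therefore never denies: reads, writes, view and schema
 * operations, privilege grants and role management are not restricted here, the {@code filter*} methods
 * return their input unchanged, and no row filters or column masks are supplied. Per-user restrictions on
 * those operations have to be enforced by another layer.
 *
 * <p>Denial is signalled by the static {@code deny*} helpers of {@code AccessDeniedException}, which throw
 * instead of returning; several methods below rely on that to stop execution.
 */
public class LegacyAccessControl
        implements ConnectorAccessControl
{
    private final LegacyAccessControlMetastore accessControlMetastore;
    // One switch per restricted DDL statement; false means the statement is denied for every user.
    private final boolean allowDropTable;
    private final boolean allowRenameTable;
    private final boolean allowCommentTable;
    private final boolean allowCommentColumn;
    private final boolean allowAddColumn;
    private final boolean allowDropColumn;
    private final boolean allowRenameColumn;

    /**
     * Captures the metastore used for owner lookups and snapshots the DDL switches from the config.
     *
     * @param accessControlMetastore metastore facade used to look up the table being dropped
     * @param securityConfig source of the {@code allow*} switches; read once, later changes are not observed
     * @throws NullPointerException if either argument is null
     */
    @Inject
    public LegacyAccessControl(
            LegacyAccessControlMetastore accessControlMetastore,
            LegacySecurityConfig securityConfig)
    {
        this.accessControlMetastore = requireNonNull(accessControlMetastore, "accessControlMetastore is null");
        // Fail with a named message instead of an anonymous NPE on the first getter call.
        requireNonNull(securityConfig, "securityConfig is null");
        allowDropTable = securityConfig.getAllowDropTable();
        allowRenameTable = securityConfig.getAllowRenameTable();
        allowCommentTable = securityConfig.getAllowCommentTable();
        allowCommentColumn = securityConfig.getAllowCommentColumn();
        allowAddColumn = securityConfig.getAllowAddColumn();
        allowDropColumn = securityConfig.getAllowDropColumn();
        allowRenameColumn = securityConfig.getAllowRenameColumn();
    }

    // ---- Schema operations: not restricted by this class ----

    @Override
    public void checkCanCreateSchema(ConnectorSecurityContext context, String schemaName, Map<String, Object> properties)
    {
    }

    @Override
    public void checkCanDropSchema(ConnectorSecurityContext context, String schemaName)
    {
    }

    @Override
    public void checkCanRenameSchema(ConnectorSecurityContext context, String schemaName, String newSchemaName)
    {
    }

    @Override
    public void checkCanSetSchemaAuthorization(ConnectorSecurityContext context, String schemaName, TrinoPrincipal principal)
    {
    }

    @Override
    public void checkCanShowSchemas(ConnectorSecurityContext context)
    {
    }

    /** Returns {@code schemaNames} unchanged; no schema is hidden from any user. */
    @Override
    public Set<String> filterSchemas(ConnectorSecurityContext context, Set<String> schemaNames)
    {
        return schemaNames;
    }

    @Override
    public void checkCanShowCreateSchema(ConnectorSecurityContext context, String schemaName)
    {
    }

    // ---- Table and column operations ----

    @Override
    public void checkCanShowCreateTable(ConnectorSecurityContext context, SchemaTableName tableName)
    {
    }

    @Override
    public void checkCanCreateTable(ConnectorSecurityContext context, SchemaTableName tableName, Map<String, Object> properties)
    {
    }

    /**
     * Allows DROP TABLE only when the config switch is on, the table exists in the metastore, and the
     * session user equals the table owner. A table without an owner can therefore not be dropped by
     * anyone, because {@code equals(null)} is never true.
     *
     * <p>NOTE(review): the denial messages distinguish a missing table from an ownership mismatch and
     * include the owner name; confirm that this metadata is acceptable to show to any session user.
     */
    @Override
    public void checkCanDropTable(ConnectorSecurityContext context, SchemaTableName tableName)
    {
        // Checked first so that no metastore call is made when DROP TABLE is disabled.
        if (!allowDropTable) {
            denyDropTable(tableName.toString());
        }

        Optional<Table> target = accessControlMetastore.getTable(context, tableName.getSchemaName(), tableName.getTableName());
        if (target.isEmpty()) {
            // Throws, so target.get() below is only reached for an existing table.
            denyDropTable(tableName.toString(), "Table not found");
        }

        String sessionUser = context.getIdentity().getUser();
        String tableOwner = target.get().getOwner().orElse(null);
        if (!sessionUser.equals(tableOwner)) {
            denyDropTable(tableName.toString(), format("Owner of the table ('%s') is different from session user ('%s')", tableOwner, sessionUser));
        }
    }

    @Override
    public void checkCanTruncateTable(ConnectorSecurityContext context, SchemaTableName tableName)
    {
    }

    /** Denies RENAME TABLE unless the config switch is on; ownership is not checked. */
    @Override
    public void checkCanRenameTable(ConnectorSecurityContext context, SchemaTableName tableName, SchemaTableName newTableName)
    {
        if (!allowRenameTable) {
            denyRenameTable(tableName.toString(), newTableName.toString());
        }
    }

    @Override
    public void checkCanSetTableProperties(ConnectorSecurityContext context, SchemaTableName tableName, Map<String, Optional<Object>> properties)
    {
    }

    /** Denies COMMENT ON TABLE unless the config switch is on. */
    @Override
    public void checkCanSetTableComment(ConnectorSecurityContext context, SchemaTableName tableName)
    {
        if (!allowCommentTable) {
            denyCommentTable(tableName.toString());
        }
    }

    @Override
    public void checkCanSetViewComment(ConnectorSecurityContext context, SchemaTableName viewName)
    {
    }

    /** Denies COMMENT ON COLUMN unless the config switch is on. */
    @Override
    public void checkCanSetColumnComment(ConnectorSecurityContext context, SchemaTableName tableName)
    {
        if (!allowCommentColumn) {
            denyCommentColumn(tableName.toString());
        }
    }

    @Override
    public void checkCanShowTables(ConnectorSecurityContext context, String schemaName)
    {
    }

    /** Returns {@code tableNames} unchanged; no table is hidden from any user. */
    @Override
    public Set<SchemaTableName> filterTables(ConnectorSecurityContext context, Set<SchemaTableName> tableNames)
    {
        return tableNames;
    }

    @Override
    public void checkCanShowColumns(ConnectorSecurityContext context, SchemaTableName tableName)
    {
    }

    /** Returns {@code columns} unchanged; no column is hidden from any user. */
    @Override
    public Set<String> filterColumns(ConnectorSecurityContext context, SchemaTableName tableName, Set<String> columns)
    {
        return columns;
    }

    /** Denies ADD COLUMN unless the config switch is on. */
    @Override
    public void checkCanAddColumn(ConnectorSecurityContext context, SchemaTableName tableName)
    {
        if (!allowAddColumn) {
            denyAddColumn(tableName.toString());
        }
    }

    /** Denies DROP COLUMN unless the config switch is on. */
    @Override
    public void checkCanDropColumn(ConnectorSecurityContext context, SchemaTableName tableName)
    {
        if (!allowDropColumn) {
            denyDropColumn(tableName.toString());
        }
    }

    /** Denies RENAME COLUMN unless the config switch is on. */
    @Override
    public void checkCanRenameColumn(ConnectorSecurityContext context, SchemaTableName tableName)
    {
        if (!allowRenameColumn) {
            denyRenameColumn(tableName.toString());
        }
    }

    @Override
    public void checkCanAlterColumn(ConnectorSecurityContext context, SchemaTableName tableName)
    {
    }

    @Override
    public void checkCanSetTableAuthorization(ConnectorSecurityContext context, SchemaTableName tableName, TrinoPrincipal principal)
    {
    }

    // ---- Data access: not restricted by this class ----

    @Override
    public void checkCanSelectFromColumns(ConnectorSecurityContext context, SchemaTableName tableName, Set<String> columnNames)
    {
    }

    @Override
    public void checkCanInsertIntoTable(ConnectorSecurityContext context, SchemaTableName tableName)
    {
    }

    @Override
    public void checkCanDeleteFromTable(ConnectorSecurityContext context, SchemaTableName tableName)
    {
    }

    @Override
    public void checkCanUpdateTableColumns(ConnectorSecurityContext context, SchemaTableName tableName, Set<String> updatedColumns)
    {
    }

    // ---- Views and materialized views: not restricted by this class ----

    @Override
    public void checkCanCreateView(ConnectorSecurityContext context, SchemaTableName viewName)
    {
    }

    @Override
    public void checkCanRenameView(ConnectorSecurityContext context, SchemaTableName viewName, SchemaTableName newViewName)
    {
    }

    @Override
    public void checkCanSetViewAuthorization(ConnectorSecurityContext context, SchemaTableName viewName, TrinoPrincipal principal)
    {
    }

    @Override
    public void checkCanDropView(ConnectorSecurityContext context, SchemaTableName viewName)
    {
    }

    @Override
    public void checkCanCreateViewWithSelectFromColumns(ConnectorSecurityContext context, SchemaTableName tableName, Set<String> columnNames)
    {
    }

    @Override
    public void checkCanCreateMaterializedView(ConnectorSecurityContext context, SchemaTableName materializedViewName, Map<String, Object> properties)
    {
    }

    @Override
    public void checkCanRefreshMaterializedView(ConnectorSecurityContext context, SchemaTableName materializedViewName)
    {
    }

    @Override
    public void checkCanDropMaterializedView(ConnectorSecurityContext context, SchemaTableName materializedViewName)
    {
    }

    @Override
    public void checkCanRenameMaterializedView(ConnectorSecurityContext context, SchemaTableName viewName, SchemaTableName newViewName)
    {
    }

    @Override
    public void checkCanGrantExecuteFunctionPrivilege(ConnectorSecurityContext context, FunctionKind functionKind, SchemaRoutineName functionName, TrinoPrincipal grantee, boolean grantOption)
    {
    }

    @Override
    public void checkCanSetMaterializedViewProperties(ConnectorSecurityContext context, SchemaTableName materializedViewName, Map<String, Optional<Object>> properties)
    {
    }

    @Override
    public void checkCanSetCatalogSessionProperty(ConnectorSecurityContext context, String propertyName)
    {
    }

    // ---- Privilege and role management: not restricted by this class ----

    @Override
    public void checkCanGrantSchemaPrivilege(ConnectorSecurityContext context, Privilege privilege, String schemaName, TrinoPrincipal grantee, boolean grantOption)
    {
    }

    @Override
    public void checkCanDenySchemaPrivilege(ConnectorSecurityContext context, Privilege privilege, String schemaName, TrinoPrincipal grantee)
    {
    }

    @Override
    public void checkCanRevokeSchemaPrivilege(ConnectorSecurityContext context, Privilege privilege, String schemaName, TrinoPrincipal revokee, boolean grantOption)
    {
    }

    @Override
    public void checkCanGrantTablePrivilege(ConnectorSecurityContext context, Privilege privilege, SchemaTableName tableName, TrinoPrincipal grantee, boolean grantOption)
    {
    }

    @Override
    public void checkCanDenyTablePrivilege(ConnectorSecurityContext context, Privilege privilege, SchemaTableName tableName, TrinoPrincipal grantee)
    {
    }

    @Override
    public void checkCanRevokeTablePrivilege(ConnectorSecurityContext context, Privilege privilege, SchemaTableName tableName, TrinoPrincipal revokee, boolean grantOption)
    {
    }

    @Override
    public void checkCanCreateRole(ConnectorSecurityContext context, String role, Optional<TrinoPrincipal> grantor)
    {
    }

    @Override
    public void checkCanDropRole(ConnectorSecurityContext context, String role)
    {
    }

    @Override
    public void checkCanGrantRoles(ConnectorSecurityContext context,
            Set<String> roles,
            Set<TrinoPrincipal> grantees,
            boolean adminOption,
            Optional<TrinoPrincipal> grantor)
    {
    }

    @Override
    public void checkCanRevokeRoles(ConnectorSecurityContext context,
            Set<String> roles,
            Set<TrinoPrincipal> grantees,
            boolean adminOption,
            Optional<TrinoPrincipal> grantor)
    {
    }

    @Override
    public void checkCanSetRole(ConnectorSecurityContext context, String role)
    {
    }

    @Override
    public void checkCanShowRoleAuthorizationDescriptors(ConnectorSecurityContext context)
    {
    }

    @Override
    public void checkCanShowRoles(ConnectorSecurityContext context)
    {
    }

    @Override
    public void checkCanShowCurrentRoles(ConnectorSecurityContext context)
    {
    }

    @Override
    public void checkCanShowRoleGrants(ConnectorSecurityContext context)
    {
    }

    // ---- Procedures and functions ----

    @Override
    public void checkCanExecuteProcedure(ConnectorSecurityContext context, SchemaRoutineName procedure)
    {
    }

    @Override
    public void checkCanExecuteTableProcedure(ConnectorSecurityContext context, SchemaTableName tableName, String procedure)
    {
    }

    /**
     * Allows scalar, aggregate and window functions and denies table functions.
     *
     * @throws UnsupportedOperationException for a function kind not listed in the switch
     */
    @Override
    public void checkCanExecuteFunction(ConnectorSecurityContext context, FunctionKind functionKind, SchemaRoutineName function)
    {
        switch (functionKind) {
            case SCALAR, AGGREGATE, WINDOW:
                return;
            case TABLE:
                // Throws, so control does not continue to the statement after the switch.
                denyExecuteFunction(function.toString());
        }
        // Reached only for a kind without a case above: fail closed instead of silently allowing it.
        throw new UnsupportedOperationException("Unsupported function kind: " + functionKind);
    }

    // ---- Row filters and column masks: none are supplied ----

    @Override
    public List<ViewExpression> getRowFilters(ConnectorSecurityContext context, SchemaTableName tableName)
    {
        return ImmutableList.of();
    }

    @Override
    public Optional<ViewExpression> getColumnMask(ConnectorSecurityContext context, SchemaTableName tableName, String columnName, Type type)
    {
        return Optional.empty();
    }

    @Override
    public List<ViewExpression> getColumnMasks(ConnectorSecurityContext context, SchemaTableName tableName, String columnName, Type type)
    {
        return ImmutableList.of();
    }
}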