All Downloads are FREE. Search and download functionalities are using the official Maven repository.

io.trino.security.AccessControl Maven / Gradle / Ivy

There is a newer version: 465
Show newest version
/*
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package io.trino.security;

import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import io.trino.metadata.QualifiedObjectName;
import io.trino.spi.QueryId;
import io.trino.spi.connector.CatalogSchemaName;
import io.trino.spi.connector.CatalogSchemaTableName;
import io.trino.spi.connector.ColumnSchema;
import io.trino.spi.connector.EntityKindAndName;
import io.trino.spi.connector.EntityPrivilege;
import io.trino.spi.connector.SchemaTableName;
import io.trino.spi.function.SchemaFunctionName;
import io.trino.spi.security.AccessDeniedException;
import io.trino.spi.security.Identity;
import io.trino.spi.security.Privilege;
import io.trino.spi.security.TrinoPrincipal;
import io.trino.spi.security.ViewExpression;

import java.security.Principal;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

import static io.trino.spi.security.AccessDeniedException.denySetViewAuthorization;

public interface AccessControl
{
    /**
     * Check if the principal is allowed to be the specified user.
     *
     * @throws AccessDeniedException if not allowed
     * @deprecated replaced with user mapping during authentication and {@link #checkCanImpersonateUser}
     */
    @Deprecated
    void checkCanSetUser(Optional principal, String userName);

    /**
     * Check if the identity is allowed impersonate the specified user.
     *
     * @throws AccessDeniedException if not allowed
     */
    void checkCanImpersonateUser(Identity identity, String userName);

    /**
     * Check if identity is allowed to read system information such as statistics,
     * service registry, thread stacks, etc.  This is typically allowed for administrators
     * and management tools.
     *
     * @throws AccessDeniedException if not allowed
     */
    void checkCanReadSystemInformation(Identity identity);

    /**
     * Check if identity is allowed to write system information such as marking nodes
     * offline, or changing runtime flags.  This is typically allowed for administrators.
     *
     * @throws AccessDeniedException if not allowed
     */
    void checkCanWriteSystemInformation(Identity identity);

    /**
     * Checks if identity can execute a query.
     *
     * @throws AccessDeniedException if not allowed
     */
    void checkCanExecuteQuery(Identity identity, QueryId queryId);

    /**
     * Checks if identity can view a query owned by the specified user.  The method
     * will not be called when the current user is the query owner.
     *
     * @throws AccessDeniedException if not allowed
     */
    void checkCanViewQueryOwnedBy(Identity identity, Identity queryOwner);

    /**
     * Filter the list of users to those the identity view query owned by the user.  The method
     * will not be called with the current user in the set.
     */
    Collection filterQueriesOwnedBy(Identity identity, Collection queryOwners);

    /**
     * Checks if identity can kill a query owned by the specified user.  The method
     * will not be called when the current user is the query owner.
     *
     * @throws AccessDeniedException if not allowed
     */
    void checkCanKillQueryOwnedBy(Identity identity, Identity queryOwner);

    /**
     * Check if identity is allowed to create the specified catalog.
     *
     * @throws AccessDeniedException if not allowed
     */
    void checkCanCreateCatalog(SecurityContext context, String catalog);

    /**
     * Check if identity is allowed to drop the specified catalog.
     *
     * @throws AccessDeniedException if not allowed
     */
    void checkCanDropCatalog(SecurityContext context, String catalog);

    /**
     * Filter the list of catalogs to those visible to the identity.
     */
    Set filterCatalogs(SecurityContext context, Set catalogs);

    /**
     * Check if identity is allowed to create the specified schema.
     *
     * @throws AccessDeniedException if not allowed
     */
    void checkCanCreateSchema(SecurityContext context, CatalogSchemaName schemaName, Map properties);

    /**
     * Check if identity is allowed to drop the specified schema.
     *
     * @throws AccessDeniedException if not allowed
     */
    void checkCanDropSchema(SecurityContext context, CatalogSchemaName schemaName);

    /**
     * Check if identity is allowed to rename the specified schema.
     *
     * @throws AccessDeniedException if not allowed
     */
    void checkCanRenameSchema(SecurityContext context, CatalogSchemaName schemaName, String newSchemaName);

    /**
     * Check if identity is allowed to change the specified schema's user/role.
     *
     * @throws AccessDeniedException if not allowed
     */
    void checkCanSetSchemaAuthorization(SecurityContext context, CatalogSchemaName schemaName, TrinoPrincipal principal);

    /**
     * Check if identity is allowed to execute SHOW SCHEMAS in a catalog.
     * 

* NOTE: This method is only present to give users an error message when listing is not allowed. * The {@link #filterSchemas} method must filter all results for unauthorized users, * since there are multiple ways to list schemas. * * @throws AccessDeniedException if not allowed */ void checkCanShowSchemas(SecurityContext context, String catalogName); /** * Filter the list of schemas in a catalog to those visible to the identity. */ Set filterSchemas(SecurityContext context, String catalogName, Set schemaNames); /** * Check if identity is allowed to execute SHOW CREATE SCHEMA. * * @throws AccessDeniedException if not allowed */ void checkCanShowCreateSchema(SecurityContext context, CatalogSchemaName schemaName); /** * Check if identity is allowed to execute SHOW CREATE TABLE, SHOW CREATE VIEW or SHOW CREATE MATERIALIZED VIEW * * @throws AccessDeniedException if not allowed */ void checkCanShowCreateTable(SecurityContext context, QualifiedObjectName tableName); /** * Check if identity is allowed to create the specified table with properties. * * @throws AccessDeniedException if not allowed */ void checkCanCreateTable(SecurityContext context, QualifiedObjectName tableName, Map properties); /** * Check if identity is allowed to drop the specified table. * * @throws AccessDeniedException if not allowed */ void checkCanDropTable(SecurityContext context, QualifiedObjectName tableName); /** * Check if identity is allowed to rename the specified table. * * @throws AccessDeniedException if not allowed */ void checkCanRenameTable(SecurityContext context, QualifiedObjectName tableName, QualifiedObjectName newTableName); /** * Check if identity is allowed to set properties to the specified table. * * @throws AccessDeniedException if not allowed */ void checkCanSetTableProperties(SecurityContext context, QualifiedObjectName tableName, Map> properties); /** * Check if identity is allowed to comment the specified table. * * @throws AccessDeniedException if not allowed */ void checkCanSetTableComment(SecurityContext context, QualifiedObjectName tableName); /** * Check if identity is allowed to comment the specified view. * * @throws AccessDeniedException if not allowed */ void checkCanSetViewComment(SecurityContext context, QualifiedObjectName viewName); /** * Check if identity is allowed to comment the specified column. * * @throws io.trino.spi.security.AccessDeniedException if not allowed */ void checkCanSetColumnComment(SecurityContext context, QualifiedObjectName tableName); /** * Check if identity is allowed to show tables by executing SHOW TABLES, SHOW GRANTS etc. in a catalog schema. *

* NOTE: This method is only present to give users an error message when listing is not allowed. * The {@link #filterTables} method must filter all results for unauthorized users, * since there are multiple ways to list tables. * * @throws AccessDeniedException if not allowed */ void checkCanShowTables(SecurityContext context, CatalogSchemaName schema); /** * Filter the list of tables, materialized views and views to those visible to the identity. */ Set filterTables(SecurityContext context, String catalogName, Set tableNames); /** * Check if identity is allowed to show columns of tables by executing SHOW COLUMNS, DESCRIBE etc. *

* NOTE: This method is only present to give users an error message when listing is not allowed. * The {@link #filterColumns} method must filter all results for unauthorized users, * since there are multiple ways to list columns. * * @throws AccessDeniedException if not allowed */ void checkCanShowColumns(SecurityContext context, CatalogSchemaTableName table); /** * Filter lists of columns of multiple tables to those visible to the identity. */ Map> filterColumns(SecurityContext context, String catalogName, Map> tableColumns); /** * Check if identity is allowed to add columns to the specified table. * * @throws AccessDeniedException if not allowed */ void checkCanAddColumns(SecurityContext context, QualifiedObjectName tableName); /** * Check if identity is allowed to drop columns from the specified table. * * @throws AccessDeniedException if not allowed */ void checkCanDropColumn(SecurityContext context, QualifiedObjectName tableName); /** * Check if identity is allowed to alter columns to the specified table. * * @throws AccessDeniedException if not allowed */ void checkCanAlterColumn(SecurityContext context, QualifiedObjectName tableName); /** * Check if identity is allowed to change the specified table's user/role. * * @throws AccessDeniedException if not allowed */ void checkCanSetTableAuthorization(SecurityContext context, QualifiedObjectName tableName, TrinoPrincipal principal); /** * Check if identity is allowed to rename a column in the specified table. * * @throws AccessDeniedException if not allowed */ void checkCanRenameColumn(SecurityContext context, QualifiedObjectName tableName); /** * Check if identity is allowed to insert into the specified table. * * @throws AccessDeniedException if not allowed */ void checkCanInsertIntoTable(SecurityContext context, QualifiedObjectName tableName); /** * Check if identity is allowed to delete from the specified table. * * @throws AccessDeniedException if not allowed */ void checkCanDeleteFromTable(SecurityContext context, QualifiedObjectName tableName); /** * Check if identity is allowed to truncate the specified table. * * @throws AccessDeniedException if not allowed */ void checkCanTruncateTable(SecurityContext context, QualifiedObjectName tableName); /** * Check if identity is allowed to update the specified table. * * @throws AccessDeniedException if not allowed */ void checkCanUpdateTableColumns(SecurityContext context, QualifiedObjectName tableName, Set updatedColumnNames); /** * Check if identity is allowed to create the specified view. * * @throws AccessDeniedException if not allowed */ void checkCanCreateView(SecurityContext context, QualifiedObjectName viewName); /** * Check if identity is allowed to rename the specified view. * * @throws AccessDeniedException if not allowed */ void checkCanRenameView(SecurityContext context, QualifiedObjectName viewName, QualifiedObjectName newViewName); /** * Check if identity is allowed to change the specified view's user/role. * * @throws AccessDeniedException if not allowed */ default void checkCanSetViewAuthorization(SecurityContext context, QualifiedObjectName view, TrinoPrincipal principal) { denySetViewAuthorization(view.toString(), principal); } /** * Check if identity is allowed to drop the specified view. * * @throws AccessDeniedException if not allowed */ void checkCanDropView(SecurityContext context, QualifiedObjectName viewName); /** * Check if identity is allowed to create a view that selects from the specified columns. * * @throws AccessDeniedException if not allowed */ void checkCanCreateViewWithSelectFromColumns(SecurityContext context, QualifiedObjectName tableName, Set columnNames); /** * Check if identity is allowed to create the specified materialized view. * * @throws AccessDeniedException if not allowed */ void checkCanCreateMaterializedView(SecurityContext context, QualifiedObjectName materializedViewName, Map properties); /** * Check if identity is allowed to refresh the specified materialized view. * * @throws AccessDeniedException if not allowed */ void checkCanRefreshMaterializedView(SecurityContext context, QualifiedObjectName materializedViewName); /** * Check if identity is allowed to drop the specified materialized view. * * @throws AccessDeniedException if not allowed */ void checkCanDropMaterializedView(SecurityContext context, QualifiedObjectName materializedViewName); /** * Check if identity is allowed to rename the specified materialized view. * * @throws AccessDeniedException if not allowed */ void checkCanRenameMaterializedView(SecurityContext context, QualifiedObjectName viewName, QualifiedObjectName newViewName); /** * Check if identity is allowed to set the properties of the specified materialized view. * * @throws AccessDeniedException if not allowed */ void checkCanSetMaterializedViewProperties(SecurityContext context, QualifiedObjectName materializedViewName, Map> properties); /** * Check if identity is allowed to grant a privilege to the grantee on the specified schema. * * @throws AccessDeniedException if not allowed */ void checkCanGrantSchemaPrivilege(SecurityContext context, Privilege privilege, CatalogSchemaName schemaName, TrinoPrincipal grantee, boolean grantOption); /** * Check if identity is allowed to deny a privilege to the grantee on the specified schema. * * @throws AccessDeniedException if not allowed */ void checkCanDenySchemaPrivilege(SecurityContext context, Privilege privilege, CatalogSchemaName schemaName, TrinoPrincipal grantee); /** * Check if identity is allowed to revoke a privilege from the revokee on the specified schema. * * @throws AccessDeniedException if not allowed */ void checkCanRevokeSchemaPrivilege(SecurityContext context, Privilege privilege, CatalogSchemaName schemaName, TrinoPrincipal revokee, boolean grantOption); /** * Check if identity is allowed to grant a privilege to the grantee on the specified table. * * @throws AccessDeniedException if not allowed */ void checkCanGrantTablePrivilege(SecurityContext context, Privilege privilege, QualifiedObjectName tableName, TrinoPrincipal grantee, boolean grantOption); /** * Check if identity is allowed to deny a privilege to the grantee on the specified table. * * @throws AccessDeniedException if not allowed */ void checkCanDenyTablePrivilege(SecurityContext context, Privilege privilege, QualifiedObjectName tableName, TrinoPrincipal grantee); /** * Check if identity is allowed to revoke a privilege from the revokee on the specified table. * * @throws AccessDeniedException if not allowed */ void checkCanRevokeTablePrivilege(SecurityContext context, Privilege privilege, QualifiedObjectName tableName, TrinoPrincipal revokee, boolean grantOption); /** * Check if identity is allowed to grant the specified privilege to the grantee on the specified entity. * * @throws AccessDeniedException if not allowed */ void checkCanGrantEntityPrivilege(SecurityContext context, EntityPrivilege privilege, EntityKindAndName entity, TrinoPrincipal grantee, boolean grantOption); /** * Check if identity is allowed to deny the specified privilege to the grantee on the specified entity. * * @throws AccessDeniedException if not allowed */ void checkCanDenyEntityPrivilege(SecurityContext context, EntityPrivilege privilege, EntityKindAndName entity, TrinoPrincipal grantee); /** * Check if identity is allowed to revoke the specified privilege on the specified entity from the revokee. * * @throws AccessDeniedException if not allowed */ void checkCanRevokeEntityPrivilege(SecurityContext context, EntityPrivilege privilege, EntityKindAndName entity, TrinoPrincipal revokee, boolean grantOption); /** * Check if identity is allowed to set the specified system property. * * @throws AccessDeniedException if not allowed */ void checkCanSetSystemSessionProperty(Identity identity, QueryId queryId, String propertyName); /** * Check if identity is allowed to set the specified catalog property. * * @throws AccessDeniedException if not allowed */ void checkCanSetCatalogSessionProperty(SecurityContext context, String catalogName, String propertyName); /** * Check if identity is allowed to select from the specified columns. The column set can be empty. * * @throws AccessDeniedException if not allowed */ void checkCanSelectFromColumns(SecurityContext context, QualifiedObjectName tableName, Set columnNames); /** * Check if identity is allowed to create the specified role. * * @param catalogName if present, the role catalog; otherwise the role is a system role * @throws AccessDeniedException if not allowed */ void checkCanCreateRole(SecurityContext context, String role, Optional grantor, Optional catalogName); /** * Check if identity is allowed to drop the specified role. * * @param catalogName if present, the role catalog; otherwise the role is a system role * @throws AccessDeniedException if not allowed */ void checkCanDropRole(SecurityContext context, String role, Optional catalogName); /** * Check if identity is allowed to grant the specified roles to the specified principals. * * @param catalogName if present, the role catalog; otherwise the role is a system role * @throws AccessDeniedException if not allowed */ void checkCanGrantRoles(SecurityContext context, Set roles, Set grantees, boolean adminOption, Optional grantor, Optional catalogName); /** * Check if identity is allowed to revoke the specified roles from the specified principals. * * @param catalogName if present, the role catalog; otherwise the role is a system role * @throws AccessDeniedException if not allowed */ void checkCanRevokeRoles(SecurityContext context, Set roles, Set grantees, boolean adminOption, Optional grantor, Optional catalogName); /** * Check if identity is allowed to set role for specified catalog. * * @param catalogName the role catalog * @throws AccessDeniedException if not allowed */ void checkCanSetCatalogRole(SecurityContext context, String role, String catalogName); /** * Check if identity is allowed to show roles on the specified catalog. * * @param catalogName if present, the role catalog; otherwise the role is a system role * @throws AccessDeniedException if not allowed */ void checkCanShowRoles(SecurityContext context, Optional catalogName); /** * Check if identity is allowed to show current roles on the specified catalog. * * @param catalogName if present, the role catalog; otherwise the role is a system role * @throws AccessDeniedException if not allowed */ void checkCanShowCurrentRoles(SecurityContext context, Optional catalogName); /** * Check if identity is allowed to show its own role grants on the specified catalog. * * @param catalogName if present, the role catalog; otherwise the role is a system role * @throws AccessDeniedException if not allowed */ void checkCanShowRoleGrants(SecurityContext context, Optional catalogName); /** * Check if identity is allowed to execute procedure * * @throws AccessDeniedException if not allowed */ void checkCanExecuteProcedure(SecurityContext context, QualifiedObjectName procedureName); /** * Is the identity allowed to execute function? */ boolean canExecuteFunction(SecurityContext context, QualifiedObjectName functionName); /** * Is the identity allowed to create a view that executes the specified function? */ boolean canCreateViewWithExecuteFunction(SecurityContext context, QualifiedObjectName functionName); /** * Check if identity is allowed to execute given table procedure on given table * * @throws AccessDeniedException if not allowed */ void checkCanExecuteTableProcedure(SecurityContext context, QualifiedObjectName tableName, String procedureName); /** * Check if identity is allowed to show functions by executing SHOW FUNCTIONS in a catalog schema. *

* NOTE: This method is only present to give users an error message when listing is not allowed. * The {@link #filterFunctions} method must filter all results for unauthorized users, * since there are multiple ways to list functions. * * @throws AccessDeniedException if not allowed */ void checkCanShowFunctions(SecurityContext context, CatalogSchemaName schema); /** * Filter the list of functions to those visible to the identity. */ Set filterFunctions(SecurityContext context, String catalogName, Set functionNames); /** * Check if identity is allowed to create the specified function. * * @throws AccessDeniedException if not allowed */ void checkCanCreateFunction(SecurityContext context, QualifiedObjectName functionName); /** * Check if identity is allowed to drop the specified function. * * @throws AccessDeniedException if not allowed */ void checkCanDropFunction(SecurityContext context, QualifiedObjectName functionName); /** * Check if identity is allowed to execute SHOW CREATE FUNCTION. * * @throws AccessDeniedException if not allowed */ void checkCanShowCreateFunction(SecurityContext context, QualifiedObjectName functionName); default List getRowFilters(SecurityContext context, QualifiedObjectName tableName) { return ImmutableList.of(); } default Map getColumnMasks(SecurityContext context, QualifiedObjectName tableName, List columns) { return ImmutableMap.of(); } }





© 2015 - 2024 Weber Informatics LLC | Privacy Policy