io.trino.spi.security.SystemAccessControl Maven / Gradle / Ivy
/*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package io.trino.spi.security;
import io.trino.spi.connector.CatalogSchemaName;
import io.trino.spi.connector.CatalogSchemaRoutineName;
import io.trino.spi.connector.CatalogSchemaTableName;
import io.trino.spi.connector.SchemaTableName;
import io.trino.spi.eventlistener.EventListener;
import io.trino.spi.type.Type;
import java.security.Principal;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;
import static io.trino.spi.security.AccessDeniedException.denyAddColumn;
import static io.trino.spi.security.AccessDeniedException.denyCatalogAccess;
import static io.trino.spi.security.AccessDeniedException.denyCommentColumn;
import static io.trino.spi.security.AccessDeniedException.denyCommentTable;
import static io.trino.spi.security.AccessDeniedException.denyCreateSchema;
import static io.trino.spi.security.AccessDeniedException.denyCreateTable;
import static io.trino.spi.security.AccessDeniedException.denyCreateView;
import static io.trino.spi.security.AccessDeniedException.denyCreateViewWithSelect;
import static io.trino.spi.security.AccessDeniedException.denyDeleteTable;
import static io.trino.spi.security.AccessDeniedException.denyDropColumn;
import static io.trino.spi.security.AccessDeniedException.denyDropSchema;
import static io.trino.spi.security.AccessDeniedException.denyDropTable;
import static io.trino.spi.security.AccessDeniedException.denyDropView;
import static io.trino.spi.security.AccessDeniedException.denyExecuteFunction;
import static io.trino.spi.security.AccessDeniedException.denyExecuteProcedure;
import static io.trino.spi.security.AccessDeniedException.denyExecuteQuery;
import static io.trino.spi.security.AccessDeniedException.denyGrantExecuteFunctionPrivilege;
import static io.trino.spi.security.AccessDeniedException.denyGrantSchemaPrivilege;
import static io.trino.spi.security.AccessDeniedException.denyGrantTablePrivilege;
import static io.trino.spi.security.AccessDeniedException.denyImpersonateUser;
import static io.trino.spi.security.AccessDeniedException.denyInsertTable;
import static io.trino.spi.security.AccessDeniedException.denyKillQuery;
import static io.trino.spi.security.AccessDeniedException.denyRenameColumn;
import static io.trino.spi.security.AccessDeniedException.denyRenameSchema;
import static io.trino.spi.security.AccessDeniedException.denyRenameTable;
import static io.trino.spi.security.AccessDeniedException.denyRevokeSchemaPrivilege;
import static io.trino.spi.security.AccessDeniedException.denyRevokeTablePrivilege;
import static io.trino.spi.security.AccessDeniedException.denySelectColumns;
import static io.trino.spi.security.AccessDeniedException.denySetCatalogSessionProperty;
import static io.trino.spi.security.AccessDeniedException.denySetSchemaAuthorization;
import static io.trino.spi.security.AccessDeniedException.denySetSystemSessionProperty;
import static io.trino.spi.security.AccessDeniedException.denySetTableAuthorization;
import static io.trino.spi.security.AccessDeniedException.denySetUser;
import static io.trino.spi.security.AccessDeniedException.denySetViewAuthorization;
import static io.trino.spi.security.AccessDeniedException.denyShowColumns;
import static io.trino.spi.security.AccessDeniedException.denyShowCreateSchema;
import static io.trino.spi.security.AccessDeniedException.denyShowCreateTable;
import static io.trino.spi.security.AccessDeniedException.denyShowRoles;
import static io.trino.spi.security.AccessDeniedException.denyShowSchemas;
import static io.trino.spi.security.AccessDeniedException.denyShowTables;
import static io.trino.spi.security.AccessDeniedException.denyUpdateTableColumns;
import static io.trino.spi.security.AccessDeniedException.denyViewQuery;
import static java.lang.String.format;
import static java.util.Collections.emptySet;
public interface SystemAccessControl
{
/**
* Check if the identity is allowed impersonate the specified user.
*
* @throws AccessDeniedException if not allowed
*/
default void checkCanImpersonateUser(SystemSecurityContext context, String userName)
{
denyImpersonateUser(context.getIdentity().getUser(), userName);
}
/**
* Check if the principal is allowed to be the specified user.
*
* @throws AccessDeniedException if not allowed
* @deprecated use user mapping and {@link #checkCanImpersonateUser} instead
*/
@Deprecated
default void checkCanSetUser(Optional principal, String userName)
{
denySetUser(principal, userName);
}
/**
* Checks if identity can execute a query.
*
* @throws AccessDeniedException if not allowed
*/
default void checkCanExecuteQuery(SystemSecurityContext context)
{
denyExecuteQuery();
}
/**
* Checks if identity can view a query owned by the specified user. The method
* will not be called when the current user is the query owner.
*
* @throws AccessDeniedException if not allowed
*/
default void checkCanViewQueryOwnedBy(SystemSecurityContext context, String queryOwner)
{
denyViewQuery();
}
/**
* Filter the list of users to those the identity view query owned by the user. The method
* will not be called with the current user in the set.
*/
default Set filterViewQueryOwnedBy(SystemSecurityContext context, Set queryOwners)
{
return emptySet();
}
/**
* Checks if identity can kill a query owned by the specified user. The method
* will not be called when the current user is the query owner.
*
* @throws AccessDeniedException if not allowed
*/
default void checkCanKillQueryOwnedBy(SystemSecurityContext context, String queryOwner)
{
denyKillQuery();
}
/**
* Check if identity is allowed to read system information such as statistics,
* service registry, thread stacks, etc. This is typically allowed for administrators
* and management tools.
*
* @throws AccessDeniedException if not allowed
*/
default void checkCanReadSystemInformation(SystemSecurityContext context)
{
AccessDeniedException.denyReadSystemInformationAccess();
}
/**
* Check if identity is allowed to write system information such as marking nodes
* offline, or changing runtime flags. This is typically allowed for administrators.
*
* @throws AccessDeniedException if not allowed
*/
default void checkCanWriteSystemInformation(SystemSecurityContext context)
{
AccessDeniedException.denyReadSystemInformationAccess();
}
/**
* Check if identity is allowed to set the specified system property.
*
* @throws AccessDeniedException if not allowed
*/
default void checkCanSetSystemSessionProperty(SystemSecurityContext context, String propertyName)
{
denySetSystemSessionProperty(propertyName);
}
/**
* Check if identity is allowed to access the specified catalog
*
* @throws AccessDeniedException if not allowed
*/
default void checkCanAccessCatalog(SystemSecurityContext context, String catalogName)
{
denyCatalogAccess(catalogName);
}
/**
* Filter the list of catalogs to those visible to the identity.
*/
default Set filterCatalogs(SystemSecurityContext context, Set catalogs)
{
return emptySet();
}
/**
* Check if identity is allowed to create the specified schema in a catalog.
*
* @throws AccessDeniedException if not allowed
*/
default void checkCanCreateSchema(SystemSecurityContext context, CatalogSchemaName schema)
{
denyCreateSchema(schema.toString());
}
/**
* Check if identity is allowed to drop the specified schema in a catalog.
*
* @throws AccessDeniedException if not allowed
*/
default void checkCanDropSchema(SystemSecurityContext context, CatalogSchemaName schema)
{
denyDropSchema(schema.toString());
}
/**
* Check if identity is allowed to rename the specified schema in a catalog.
*
* @throws AccessDeniedException if not allowed
*/
default void checkCanRenameSchema(SystemSecurityContext context, CatalogSchemaName schema, String newSchemaName)
{
denyRenameSchema(schema.toString(), newSchemaName);
}
/**
* Check if identity is allowed to change the specified schema's user/role.
*
* @throws AccessDeniedException if not allowed
*/
default void checkCanSetSchemaAuthorization(SystemSecurityContext context, CatalogSchemaName schema, TrinoPrincipal principal)
{
denySetSchemaAuthorization(schema.toString(), principal);
}
/**
* Check if identity is allowed to execute SHOW SCHEMAS in a catalog.
*
* NOTE: This method is only present to give users an error message when listing is not allowed.
* The {@link #filterSchemas} method must filter all results for unauthorized users,
* since there are multiple ways to list schemas.
*
* @throws AccessDeniedException if not allowed
*/
default void checkCanShowSchemas(SystemSecurityContext context, String catalogName)
{
denyShowSchemas();
}
/**
* Filter the list of schemas in a catalog to those visible to the identity.
*/
default Set filterSchemas(SystemSecurityContext context, String catalogName, Set schemaNames)
{
return emptySet();
}
/**
* Check if identity is allowed to execute SHOW CREATE SCHEMA.
*
* @throws io.trino.spi.security.AccessDeniedException if not allowed
*/
default void checkCanShowCreateSchema(SystemSecurityContext context, CatalogSchemaName schemaName)
{
denyShowCreateSchema(schemaName.toString());
}
/**
* Check if identity is allowed to execute SHOW CREATE TABLE, SHOW CREATE VIEW or SHOW CREATE MATERIALIZED VIEW
*
* @throws io.trino.spi.security.AccessDeniedException if not allowed
*/
default void checkCanShowCreateTable(SystemSecurityContext context, CatalogSchemaTableName table)
{
denyShowCreateTable(table.toString());
}
/**
* Check if identity is allowed to create the specified table in a catalog.
*
* @throws AccessDeniedException if not allowed
*/
default void checkCanCreateTable(SystemSecurityContext context, CatalogSchemaTableName table)
{
denyCreateTable(table.toString());
}
/**
* Check if identity is allowed to drop the specified table in a catalog.
*
* @throws AccessDeniedException if not allowed
*/
default void checkCanDropTable(SystemSecurityContext context, CatalogSchemaTableName table)
{
denyDropTable(table.toString());
}
/**
* Check if identity is allowed to rename the specified table in a catalog.
*
* @throws AccessDeniedException if not allowed
*/
default void checkCanRenameTable(SystemSecurityContext context, CatalogSchemaTableName table, CatalogSchemaTableName newTable)
{
denyRenameTable(table.toString(), newTable.toString());
}
/**
* Check if identity is allowed to comment the specified table in a catalog.
*
* @throws AccessDeniedException if not allowed
*/
default void checkCanSetTableComment(SystemSecurityContext context, CatalogSchemaTableName table)
{
denyCommentTable(table.toString());
}
/**
* Check if identity is allowed to set comment to column in the specified table in a catalog.
*
* @throws AccessDeniedException if not allowed
*/
default void checkCanSetColumnComment(SystemSecurityContext context, CatalogSchemaTableName table)
{
denyCommentColumn(table.toString());
}
/**
* Check if identity is allowed to show metadata of tables by executing SHOW TABLES, SHOW GRANTS etc. in a catalog.
*
* NOTE: This method is only present to give users an error message when listing is not allowed.
* The {@link #filterTables} method must filter all results for unauthorized users,
* since there are multiple ways to list tables.
*
* @throws AccessDeniedException if not allowed
*/
default void checkCanShowTables(SystemSecurityContext context, CatalogSchemaName schema)
{
denyShowTables(schema.toString());
}
/**
* Filter the list of tables and views to those visible to the identity.
*/
default Set filterTables(SystemSecurityContext context, String catalogName, Set tableNames)
{
return emptySet();
}
/**
* Check if identity is allowed to show columns of tables by executing SHOW COLUMNS, DESCRIBE etc.
*
* NOTE: This method is only present to give users an error message when listing is not allowed.
* The {@link #filterColumns} method must filter all results for unauthorized users,
* since there are multiple ways to list columns.
*
* @throws io.trino.spi.security.AccessDeniedException if not allowed
*/
default void checkCanShowColumns(SystemSecurityContext context, CatalogSchemaTableName table)
{
denyShowColumns(table.toString());
}
/**
* Filter the list of columns to those visible to the identity.
*/
default Set filterColumns(SystemSecurityContext context, CatalogSchemaTableName table, Set columns)
{
return emptySet();
}
/**
* Check if identity is allowed to add columns to the specified table in a catalog.
*
* @throws AccessDeniedException if not allowed
*/
default void checkCanAddColumn(SystemSecurityContext context, CatalogSchemaTableName table)
{
denyAddColumn(table.toString());
}
/**
* Check if identity is allowed to drop columns from the specified table in a catalog.
*
* @throws AccessDeniedException if not allowed
*/
default void checkCanDropColumn(SystemSecurityContext context, CatalogSchemaTableName table)
{
denyDropColumn(table.toString());
}
/**
* Check if identity is allowed to change the specified table's user/role.
*
* @throws AccessDeniedException if not allowed
*/
default void checkCanSetTableAuthorization(SystemSecurityContext context, CatalogSchemaTableName table, TrinoPrincipal principal)
{
denySetTableAuthorization(table.toString(), principal);
}
/**
* Check if identity is allowed to rename a column in the specified table in a catalog.
*
* @throws AccessDeniedException if not allowed
*/
default void checkCanRenameColumn(SystemSecurityContext context, CatalogSchemaTableName table)
{
denyRenameColumn(table.toString());
}
/**
* Check if identity is allowed to select from the specified columns in a relation. The column set can be empty.
*
* @throws AccessDeniedException if not allowed
*/
default void checkCanSelectFromColumns(SystemSecurityContext context, CatalogSchemaTableName table, Set columns)
{
denySelectColumns(table.toString(), columns);
}
/**
* Check if identity is allowed to insert into the specified table in a catalog.
*
* @throws AccessDeniedException if not allowed
*/
default void checkCanInsertIntoTable(SystemSecurityContext context, CatalogSchemaTableName table)
{
denyInsertTable(table.toString());
}
/**
* Check if identity is allowed to delete from the specified table in a catalog.
*
* @throws AccessDeniedException if not allowed
*/
default void checkCanDeleteFromTable(SystemSecurityContext context, CatalogSchemaTableName table)
{
denyDeleteTable(table.toString());
}
/**
* Check if identity is allowed to update the supplied columns in the specified table in a catalog.
*
* @throws AccessDeniedException if not allowed
*/
default void checkCanUpdateTableColumns(SystemSecurityContext securityContext, CatalogSchemaTableName table, Set updatedColumnNames)
{
denyUpdateTableColumns(table.toString(), updatedColumnNames);
}
/**
* Check if identity is allowed to create the specified view in a catalog.
*
* @throws AccessDeniedException if not allowed
*/
default void checkCanCreateView(SystemSecurityContext context, CatalogSchemaTableName view)
{
denyCreateView(view.toString());
}
/**
* Check if identity is allowed to rename the specified view in a catalog.
*
* @throws AccessDeniedException if not allowed
*/
default void checkCanRenameView(SystemSecurityContext context, CatalogSchemaTableName view, CatalogSchemaTableName newView)
{
denyRenameTable(view.toString(), newView.toString());
}
/**
* Check if identity is allowed to change the specified view's user/role.
*
* @throws AccessDeniedException if not allowed
*/
default void checkCanSetViewAuthorization(SystemSecurityContext context, CatalogSchemaTableName view, TrinoPrincipal principal)
{
denySetViewAuthorization(view.toString(), principal);
}
/**
* Check if identity is allowed to drop the specified view in a catalog.
*
* @throws AccessDeniedException if not allowed
*/
default void checkCanDropView(SystemSecurityContext context, CatalogSchemaTableName view)
{
denyDropView(view.toString());
}
/**
* Check if identity is allowed to create a view that selects from the specified columns in a relation.
*
* @throws AccessDeniedException if not allowed
*/
default void checkCanCreateViewWithSelectFromColumns(SystemSecurityContext context, CatalogSchemaTableName table, Set columns)
{
denyCreateViewWithSelect(table.toString(), context.getIdentity());
}
/**
* Check if identity is allowed to grant an access to the function execution to grantee.
*
* @throws AccessDeniedException if not allowed
*/
default void checkCanGrantExecuteFunctionPrivilege(SystemSecurityContext context, String functionName, TrinoPrincipal grantee, boolean grantOption)
{
String granteeAsString = format("%s '%s'", grantee.getType().name().toLowerCase(Locale.ENGLISH), grantee.getName());
denyGrantExecuteFunctionPrivilege(functionName, context.getIdentity(), granteeAsString);
}
/**
* Check if identity is allowed to set the specified property in a catalog.
*
* @throws AccessDeniedException if not allowed
*/
default void checkCanSetCatalogSessionProperty(SystemSecurityContext context, String catalogName, String propertyName)
{
denySetCatalogSessionProperty(propertyName);
}
/**
* Check if identity is allowed to grant the specified privilege to the grantee on the specified schema.
*
* @throws AccessDeniedException if not allowed
*/
default void checkCanGrantSchemaPrivilege(SystemSecurityContext context, Privilege privilege, CatalogSchemaName schema, TrinoPrincipal grantee, boolean grantOption)
{
denyGrantSchemaPrivilege(privilege.toString(), schema.toString());
}
/**
* Check if identity is allowed to revoke the specified privilege on the specified schema from the revokee.
*
* @throws AccessDeniedException if not allowed
*/
default void checkCanRevokeSchemaPrivilege(SystemSecurityContext context, Privilege privilege, CatalogSchemaName schema, TrinoPrincipal revokee, boolean grantOption)
{
denyRevokeSchemaPrivilege(privilege.toString(), schema.toString());
}
/**
* Check if identity is allowed to grant the specified privilege to the grantee on the specified table.
*
* @throws AccessDeniedException if not allowed
*/
default void checkCanGrantTablePrivilege(SystemSecurityContext context, Privilege privilege, CatalogSchemaTableName table, TrinoPrincipal grantee, boolean grantOption)
{
denyGrantTablePrivilege(privilege.toString(), table.toString());
}
/**
* Check if identity is allowed to revoke the specified privilege on the specified table from the revokee.
*
* @throws AccessDeniedException if not allowed
*/
default void checkCanRevokeTablePrivilege(SystemSecurityContext context, Privilege privilege, CatalogSchemaTableName table, TrinoPrincipal revokee, boolean grantOption)
{
denyRevokeTablePrivilege(privilege.toString(), table.toString());
}
/**
* Check if identity is allowed to show roles on the specified catalog.
*
* @throws AccessDeniedException if not allowed
*/
default void checkCanShowRoles(SystemSecurityContext context, String catalogName)
{
denyShowRoles(catalogName);
}
/**
* Check if identity is allowed to execute the specified procedure
*
* @throws AccessDeniedException if not allowed
*/
default void checkCanExecuteProcedure(SystemSecurityContext systemSecurityContext, CatalogSchemaRoutineName procedure)
{
denyExecuteProcedure(procedure.toString());
}
/**
* Check if identity is allowed to execute the specified function
*
* @throws AccessDeniedException if not allowed
*/
default void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext, String functionName)
{
denyExecuteFunction(functionName);
}
/**
* Get a row filter associated with the given table and identity.
*
* The filter must be a scalar SQL expression of boolean type over the columns in the table.
*
* @return the filter, or {@link Optional#empty()} if not applicable
*/
default Optional getRowFilter(SystemSecurityContext context, CatalogSchemaTableName tableName)
{
return Optional.empty();
}
/**
* Get a column mask associated with the given table, column and identity.
*
* The mask must be a scalar SQL expression of a type coercible to the type of the column being masked. The expression
* must be written in terms of columns in the table.
*
* @return the mask, or {@link Optional#empty()} if not applicable
*/
default Optional getColumnMask(SystemSecurityContext context, CatalogSchemaTableName tableName, String columnName, Type type)
{
return Optional.empty();
}
/**
* @return the event listeners provided by this system access control
*/
default Iterable getEventListeners()
{
return emptySet();
}
}