/**
 * Refuses every request to grant a table privilege.
 *
 * <p>The body calls {@code denyGrantTablePrivilege} unconditionally: {@code transactionId},
 * {@code identity}, {@code grantee} and {@code withGrantOption} are never consulted, so this
 * implementation is deny-by-default for GRANT.
 * NOTE(review): assumes {@code denyGrantTablePrivilege} always throws; confirm against its definition.
 *
 * @param privilege the privilege being granted; only its name is used, for the denial message
 * @param tableName the target table; only its string form is used, for the denial message
 */
@Override
public void checkCanGrantTablePrivilege(TransactionId transactionId, Identity identity, Privilege privilege, QualifiedObjectName tableName, String grantee, boolean withGrantOption)
{
    String privilegeName = privilege.name();
    String qualifiedTable = tableName.toString();
    denyGrantTablePrivilege(privilegeName, qualifiedTable);
}
/**
 * Resolves a privilege keyword taken from a REVOKE statement to its {@code Privilege} constant.
 *
 * <p>Matching is case-insensitive against the constant names. The comparison is invoked on the
 * constant name, so a {@code null} keyword matches nothing and ends in the exception below
 * rather than a {@code NullPointerException}.
 *
 * @param statement the REVOKE statement, passed to the exception for error reporting
 * @param privilegeString the keyword as written in the statement
 * @return the matching constant
 * @throws SemanticException with {@code INVALID_PRIVILEGE} when no constant matches
 */
private static Privilege parsePrivilege(Revoke statement, String privilegeString)
{
    Privilege[] candidates = Privilege.values();
    for (int i = 0; i < candidates.length; i++) {
        Privilege candidate = candidates[i];
        if (candidate.name().equalsIgnoreCase(privilegeString)) {
            return candidate;
        }
    }
    // Unknown keywords are rejected instead of being mapped to some default privilege.
    throw new SemanticException(INVALID_PRIVILEGE, statement, "Unknown privilege: '%s'", privilegeString);
}
}
/**
 * Checks whether {@code identity} may revoke {@code privilege} on {@code tableName} from any user.
 *
 * <p>This default calls {@code denyRevokeTablePrivilege} unconditionally, so an implementation
 * that does not override it refuses every REVOKE. None of {@code transactionHandle},
 * {@code identity}, {@code revokee} or {@code grantOptionFor} is consulted here.
 *
 * @throws com.facebook.presto.spi.security.AccessDeniedException if not allowed
 */
default void checkCanRevokeTablePrivilege(ConnectorTransactionHandle transactionHandle, Identity identity, Privilege privilege, SchemaTableName tableName, String revokee, boolean grantOptionFor)
{
    String privilegeLabel = privilege.toString();
    String tableLabel = tableName.toString();
    denyRevokeTablePrivilege(privilegeLabel, tableLabel);
}
}
/**
 * Translates this Hive privilege into the engine-level {@code PrivilegeInfo} entries it implies.
 *
 * <p>SELECT, INSERT, DELETE and UPDATE each map to a single entry that carries this object's
 * grant-option flag. OWNERSHIP expands to one entry per {@code Privilege} constant, each with
 * the grant option set, so any constant later added to {@code Privilege} is implied by
 * ownership automatically.
 *
 * @return the implied privileges, or {@code null} when the Hive privilege is none of the five
 *         handled values
 */
// NOTE(review): callers must handle the null return; whether they do is not visible here.
public Set<PrivilegeInfo> toPrivilegeInfo()
{
    Privilege mapped;
    switch (getHivePrivilege()) {
        case SELECT:
            mapped = Privilege.SELECT;
            break;
        case INSERT:
            mapped = Privilege.INSERT;
            break;
        case DELETE:
            mapped = Privilege.DELETE;
            break;
        case UPDATE:
            mapped = Privilege.UPDATE;
            break;
        case OWNERSHIP:
            // Ownership implies every privilege, always with the right to grant it onward.
            return Arrays.stream(Privilege.values())
                    .map(each -> new PrivilegeInfo(each, Boolean.TRUE))
                    .collect(Collectors.toSet());
        default:
            return null;
    }
    return ImmutableSet.of(new PrivilegeInfo(mapped, isGrantOption()));
}
/**
 * Executes a GRANT statement: resolves the table, resolves the privileges, runs the access
 * check for each privilege, and only then applies the grant through {@code metadata}.
 *
 * <p>When the statement names no privileges, every {@code Privilege} constant is granted.
 * The grant is applied only after the access check has been called for every privilege.
 * NOTE(review): the access check receives the identity, the privilege and the table only;
 * the grantee and the WITH GRANT OPTION flag are passed to {@code grantTablePrivileges} but
 * not to the check, so a policy cannot decide on them at this call site.
 *
 * @return an already-completed future holding {@code null}
 * @throws SemanticException with {@code MISSING_TABLE} when the table cannot be resolved
 */
@Override
public CompletableFuture<?> execute(Grant statement, TransactionManager transactionManager, Metadata metadata, AccessControl accessControl, QueryStateMachine stateMachine)
{
    Session session = stateMachine.getSession();
    QualifiedObjectName tableName = createQualifiedObjectName(session, statement, statement.getTableName());

    // Fail early, before any privilege parsing or access check, if the table is unknown.
    if (!metadata.getTableHandle(session, tableName).isPresent()) {
        throw new SemanticException(MISSING_TABLE, statement, "Table '%s' does not exist", tableName);
    }

    Set<Privilege> privileges;
    if (!statement.getPrivileges().isPresent()) {
        // No explicit list in the statement means all privileges.
        privileges = ImmutableSet.copyOf(Privilege.values());
    }
    else {
        privileges = statement.getPrivileges().get().stream()
                .map(keyword -> parsePrivilege(statement, keyword))
                .collect(toImmutableSet());
    }

    // Verify the current identity may grant each requested privilege before changing anything.
    privileges.forEach(privilege ->
            accessControl.checkCanGrantTablePrivilege(session.getIdentity(), privilege, tableName));

    metadata.grantTablePrivileges(session, tableName, privileges, statement.getGrantee(), statement.isWithGrantOption());
    return completedFuture(null);
}
/**
 * Refuses every request to revoke a table privilege.
 *
 * <p>The body calls {@code denyRevokeTablePrivilege} unconditionally: {@code transactionId},
 * {@code identity}, {@code revokee} and {@code grantOptionFor} are never consulted, so this
 * implementation is deny-by-default for REVOKE.
 * NOTE(review): assumes {@code denyRevokeTablePrivilege} always throws; confirm against its definition.
 *
 * @param privilege the privilege being revoked; only its name is used, for the denial message
 * @param tableName the target table; only its string form is used, for the denial message
 */
@Override
public void checkCanRevokeTablePrivilege(TransactionId transactionId, Identity identity, Privilege privilege, QualifiedObjectName tableName, String revokee, boolean grantOptionFor)
{
    String privilegeName = privilege.name();
    String qualifiedTable = tableName.toString();
    denyRevokeTablePrivilege(privilegeName, qualifiedTable);
}
/**
 * Resolves a privilege keyword taken from a GRANT statement to its {@code Privilege} constant.
 *
 * <p>Matching is case-insensitive against the constant names. The comparison is invoked on the
 * constant name, so a {@code null} keyword matches nothing and ends in the exception below
 * rather than a {@code NullPointerException}.
 *
 * @param statement the GRANT statement, passed to the exception for error reporting
 * @param privilegeString the keyword as written in the statement
 * @return the matching constant
 * @throws SemanticException with {@code INVALID_PRIVILEGE} when no constant matches
 */
private static Privilege parsePrivilege(Grant statement, String privilegeString)
{
    Privilege[] candidates = Privilege.values();
    for (int i = 0; i < candidates.length; i++) {
        Privilege candidate = candidates[i];
        if (candidate.name().equalsIgnoreCase(privilegeString)) {
            return candidate;
        }
    }
    // Unknown keywords are rejected instead of being mapped to some default privilege.
    throw new SemanticException(INVALID_PRIVILEGE, statement, "Unknown privilege: '%s'", privilegeString);
}
}
/**
 * Checks whether {@code identity} may grant {@code privilege} on {@code tableName} to any other user.
 *
 * <p>This default calls {@code denyGrantTablePrivilege} unconditionally, so an implementation
 * that does not override it refuses every GRANT. None of {@code transactionHandle},
 * {@code identity}, {@code grantee} or {@code withGrantOption} is consulted here.
 *
 * @throws com.facebook.presto.spi.security.AccessDeniedException if not allowed
 */
default void checkCanGrantTablePrivilege(ConnectorTransactionHandle transactionHandle, Identity identity, Privilege privilege, SchemaTableName tableName, String grantee, boolean withGrantOption)
{
    String privilegeLabel = privilege.toString();
    String tableLabel = tableName.toString();
    denyGrantTablePrivilege(privilegeLabel, tableLabel);
}
/**
 * Refuses every request to revoke a table privilege through this connector access control.
 *
 * <p>{@code denyRevokeTablePrivilege} is called unconditionally; {@code transaction},
 * {@code identity}, {@code revokee} and {@code grantOptionFor} play no part in the decision.
 * NOTE(review): assumes {@code denyRevokeTablePrivilege} always throws; confirm against its definition.
 */
@Override
public void checkCanRevokeTablePrivilege(ConnectorTransactionHandle transaction, Identity identity, Privilege privilege, SchemaTableName tableName, String revokee, boolean grantOptionFor)
{
    String deniedPrivilege = privilege.name();
    String deniedTable = tableName.toString();
    denyRevokeTablePrivilege(deniedPrivilege, deniedTable);
}
}
/**
 * Maps the privilege keyword of a GRANT statement onto a {@code Privilege} constant, ignoring case.
 *
 * <p>Because {@code equalsIgnoreCase} is called on the constant's name, a {@code null} keyword
 * compares unequal to every constant and is reported as unknown.
 *
 * @param statement the GRANT statement, passed to the exception for error reporting
 * @param privilegeString the keyword as written in the statement
 * @return the constant whose name equals the keyword, case-insensitively
 * @throws SemanticException with {@code INVALID_PRIVILEGE} when no constant matches
 */
private static Privilege parsePrivilege(Grant statement, String privilegeString)
{
    Privilege[] known = Privilege.values();
    int index = 0;
    while (index < known.length) {
        if (known[index].name().equalsIgnoreCase(privilegeString)) {
            return known[index];
        }
        index++;
    }
    // Fail closed: an unrecognised keyword never resolves to a privilege.
    throw new SemanticException(INVALID_PRIVILEGE, statement, "Unknown privilege: '%s'", privilegeString);
}
}
/**
 * Checks whether {@code identity} may grant {@code privilege} on {@code table} to {@code grantee}.
 *
 * <p>This default calls {@code denyGrantTablePrivilege} unconditionally, so an implementation
 * that does not override it refuses every GRANT. {@code identity}, {@code grantee} and
 * {@code withGrantOption} are not consulted here.
 *
 * @throws com.facebook.presto.spi.security.AccessDeniedException if not allowed
 */
default void checkCanGrantTablePrivilege(Identity identity, Privilege privilege, CatalogSchemaTableName table, String grantee, boolean withGrantOption)
{
    String privilegeLabel = privilege.toString();
    String tableLabel = table.toString();
    denyGrantTablePrivilege(privilegeLabel, tableLabel);
}
/**
 * Refuses every request to grant a table privilege through this connector access control.
 *
 * <p>{@code denyGrantTablePrivilege} is called unconditionally; {@code transaction},
 * {@code identity}, {@code grantee} and {@code withGrantOption} play no part in the decision.
 * NOTE(review): assumes {@code denyGrantTablePrivilege} always throws; confirm against its definition.
 */
@Override
public void checkCanGrantTablePrivilege(ConnectorTransactionHandle transaction, Identity identity, Privilege privilege, SchemaTableName tableName, String grantee, boolean withGrantOption)
{
    String deniedPrivilege = privilege.name();
    String deniedTable = tableName.toString();
    denyGrantTablePrivilege(deniedPrivilege, deniedTable);
}
/**
 * Checks whether {@code identity} may revoke {@code privilege} on {@code table} from {@code revokee}.
 *
 * <p>This default calls {@code denyRevokeTablePrivilege} unconditionally, so an implementation
 * that does not override it refuses every REVOKE. {@code identity}, {@code revokee} and
 * {@code grantOptionFor} are not consulted here.
 *
 * @throws com.facebook.presto.spi.security.AccessDeniedException if not allowed
 */
default void checkCanRevokeTablePrivilege(Identity identity, Privilege privilege, CatalogSchemaTableName table, String revokee, boolean grantOptionFor)
{
    String privilegeLabel = privilege.toString();
    String tableLabel = table.toString();
    denyRevokeTablePrivilege(privilegeLabel, tableLabel);
}
}
/**
 * Allows a GRANT on a table only when {@code identity} passes the OWNERSHIP permission check.
 *
 * <p>Ownership is the sole criterion in this version: holding the privilege itself, with or
 * without a grant option, is not examined, and {@code transaction}, {@code grantee} and
 * {@code withGrantOption} are not consulted.
 *
 * @param privilege the privilege being granted; used only in the denial message
 * @param tableName the table whose ownership is checked
 */
@Override
public void checkCanGrantTablePrivilege(ConnectorTransactionHandle transaction, Identity identity, Privilege privilege, SchemaTableName tableName, String grantee, boolean withGrantOption)
{
    if (checkTablePermission(identity, tableName, OWNERSHIP)) {
        return;
    }
    // Not the owner: refuse the grant.
    denyGrantTablePrivilege(privilege.name(), tableName.toString());
}
/**
 * Checks whether {@code identity} may revoke {@code privilege} on {@code table} from {@code revokee}.
 *
 * <p>The default body denies unconditionally by calling {@code denyRevokeTablePrivilege}; an
 * implementation has to override this method to permit any REVOKE. {@code identity},
 * {@code revokee} and {@code grantOptionFor} are unused in the default.
 *
 * @throws com.facebook.presto.spi.security.AccessDeniedException if not allowed
 */
default void checkCanRevokeTablePrivilege(Identity identity, Privilege privilege, CatalogSchemaTableName table, String revokee, boolean grantOptionFor)
{
    String privilegeText = privilege.toString();
    String tableText = table.toString();
    denyRevokeTablePrivilege(privilegeText, tableText);
}
}
/**
 * Allows a REVOKE on a table only when {@code identity} passes the OWNERSHIP permission check.
 *
 * <p>Ownership is the sole criterion in this version: {@code transaction}, {@code revokee} and
 * {@code grantOptionFor} are not consulted, so the decision does not depend on whose privilege
 * is being revoked.
 *
 * @param privilege the privilege being revoked; used only in the denial message
 * @param tableName the table whose ownership is checked
 */
@Override
public void checkCanRevokeTablePrivilege(ConnectorTransactionHandle transaction, Identity identity, Privilege privilege, SchemaTableName tableName, String revokee, boolean grantOptionFor)
{
    if (checkTablePermission(identity, tableName, OWNERSHIP)) {
        return;
    }
    // Not the owner: refuse the revoke.
    denyRevokeTablePrivilege(privilege.name(), tableName.toString());
}
/**
 * Checks whether {@code identity} may grant {@code privilege} on {@code table} to {@code grantee}.
 *
 * <p>The default body denies unconditionally by calling {@code denyGrantTablePrivilege}; an
 * implementation has to override this method to permit any GRANT. {@code identity},
 * {@code grantee} and {@code withGrantOption} are unused in the default.
 *
 * @throws com.facebook.presto.spi.security.AccessDeniedException if not allowed
 */
default void checkCanGrantTablePrivilege(Identity identity, Privilege privilege, CatalogSchemaTableName table, String grantee, boolean withGrantOption)
{
    String privilegeText = privilege.toString();
    String tableText = table.toString();
    denyGrantTablePrivilege(privilegeText, tableText);
}
/**
 * Allows a REVOKE when {@code identity} owns the table or holds the grant option for
 * {@code privilege} on it.
 *
 * <p>The checks run in order: ownership first, then whether the privilege has a Hive
 * equivalent, then the grant-option lookup. A privilege with no Hive equivalent is denied
 * without the grant-option lookup being made. {@code revokee} and {@code grantOptionFor} are
 * not consulted, so the decision does not depend on whose privilege is being revoked.
 *
 * @param privilege the privilege being revoked
 * @param tableName the table the privilege applies to
 */
@Override
public void checkCanRevokeTablePrivilege(ConnectorTransactionHandle transaction, Identity identity, Privilege privilege, SchemaTableName tableName, String revokee, boolean grantOptionFor)
{
    boolean ownsTable = checkTablePermission(transaction, identity, tableName, OWNERSHIP);
    if (!ownsTable) {
        // Short-circuit keeps the grant-option lookup from running for unmappable privileges.
        boolean holdsGrantOption = toHivePrivilege(privilege) != null
                && getGrantOptionForPrivilege(transaction, identity, privilege, tableName);
        if (!holdsGrantOption) {
            denyRevokeTablePrivilege(privilege.name(), tableName.toString());
        }
    }
}
/**
 * Checks whether {@code identity} may grant {@code privilege} on {@code tableName} to any other user.
 *
 * <p>The default body denies unconditionally by calling {@code denyGrantTablePrivilege}; a
 * connector has to override this method to permit any GRANT. {@code transactionHandle},
 * {@code identity}, {@code grantee} and {@code withGrantOption} are unused in the default.
 *
 * @throws com.facebook.presto.spi.security.AccessDeniedException if not allowed
 */
default void checkCanGrantTablePrivilege(ConnectorTransactionHandle transactionHandle, Identity identity, Privilege privilege, SchemaTableName tableName, String grantee, boolean withGrantOption)
{
    String privilegeText = privilege.toString();
    String tableText = tableName.toString();
    denyGrantTablePrivilege(privilegeText, tableText);
}
/**
 * Allows a GRANT when {@code identity} owns the table or holds the grant option for
 * {@code privilege} on it.
 *
 * <p>The checks run in order: ownership first, then whether the privilege has a Hive
 * equivalent, then the grant-option lookup. A privilege with no Hive equivalent is denied
 * without the grant-option lookup being made. {@code grantee} and {@code withGrantOption} are
 * not consulted, so a grant-option holder may pass the grant option on as well.
 *
 * @param privilege the privilege being granted
 * @param tableName the table the privilege applies to
 */
@Override
public void checkCanGrantTablePrivilege(ConnectorTransactionHandle transaction, Identity identity, Privilege privilege, SchemaTableName tableName, String grantee, boolean withGrantOption)
{
    boolean ownsTable = checkTablePermission(transaction, identity, tableName, OWNERSHIP);
    if (!ownsTable) {
        // Short-circuit keeps the grant-option lookup from running for unmappable privileges.
        boolean holdsGrantOption = toHivePrivilege(privilege) != null
                && getGrantOptionForPrivilege(transaction, identity, privilege, tableName);
        if (!holdsGrantOption) {
            denyGrantTablePrivilege(privilege.name(), tableName.toString());
        }
    }
}