@Override public String toString() { return toStringHelper(this) .add("queryId", queryId) .add("transactionId", transactionId) .add("user", getUser()) .add("principal", getIdentity().getPrincipal().orElse(null)) .add("source", source.orElse(null)) .add("catalog", catalog.orElse(null)) .add("schema", schema.orElse(null)) .add("path", path) .add("traceToken", traceToken.orElse(null)) .add("timeZoneKey", timeZoneKey) .add("locale", locale) .add("remoteUserAddress", remoteUserAddress.orElse(null)) .add("userAgent", userAgent.orElse(null)) .add("clientInfo", clientInfo.orElse(null)) .add("clientTags", clientTags) .add("clientCapabilities", clientCapabilities) .add("resourceEstimates", resourceEstimates) .add("startTime", startTime) .omitNullValues() .toString(); }
@Test public void testCurrentUser() throws Exception { assertOptimizedEquals("current_user", "'" + TEST_SESSION.getUser() + "'"); }
@Override public ListenableFuture<?> execute(CreateView statement, TransactionManager transactionManager, Metadata metadata, AccessControl accessControl, QueryStateMachine stateMachine, List<Expression> parameters) { Session session = stateMachine.getSession(); QualifiedObjectName name = createQualifiedObjectName(session, statement, statement.getName()); accessControl.checkCanCreateView(session.getRequiredTransactionId(), session.getIdentity(), name); String sql = getFormattedSql(statement.getQuery(), sqlParser, Optional.of(parameters)); Analysis analysis = analyzeStatement(statement, session, metadata, accessControl, parameters, stateMachine.getWarningCollector()); List<ViewColumn> columns = analysis.getOutputDescriptor(statement.getQuery()) .getVisibleFields().stream() .map(field -> new ViewColumn(field.getName().get(), field.getType())) .collect(toImmutableList()); String data = codec.toJson(new ViewDefinition(sql, session.getCatalog(), session.getSchema(), columns, Optional.of(session.getUser()))); metadata.createView(session, name, data, statement.isReplace()); return immediateFuture(null); }
@Test public void testCurrentUser() { Session session = testSessionBuilder().setIdentity(new Identity("test_current_user", Optional.empty())).build(); try (QueryAssertions queryAssertions = new QueryAssertions(session)) { queryAssertions.assertQuery("SELECT CURRENT_USER", "SELECT CAST('" + session.getUser() + "' AS VARCHAR)"); } }
"SELECT * FROM test_view_access", "View owner 'test_view_access_owner' cannot create view that selects from .*.orders.*", privilege(viewOwnerSession.getUser(), "orders", CREATE_VIEW_WITH_SELECT_COLUMNS)); viewOwnerSession, "SELECT * FROM test_view_access", privilege(viewOwnerSession.getUser(), "orders", CREATE_VIEW_WITH_SELECT_COLUMNS)); privilege(getSession().getUser(), "orders", CREATE_VIEW_WITH_SELECT_COLUMNS)); assertAccessAllowed( "SELECT * FROM test_view_access", privilege(getSession().getUser(), "orders", SELECT_COLUMN)); "SELECT * FROM test_nested_view_access", "View owner 'test_nested_view_access_owner' cannot create view that selects from .*.test_view_access.*", privilege(nestedViewOwnerSession.getUser(), "test_view_access", CREATE_VIEW_WITH_SELECT_COLUMNS)); privilege(getSession().getUser(), "test_view_access", CREATE_VIEW_WITH_SELECT_COLUMNS)); assertAccessAllowed( "SELECT * FROM test_nested_view_access", privilege(getSession().getUser(), "test_view_access", SELECT_COLUMN));
assertEquals(session.getUser(), "testUser"); assertEquals(session.getSource().get(), "testSource"); assertEquals(session.getCatalog().get(), "testCatalog");
@Test public void testNonQueryAccessControl() { skipTestUnless(supportsViews()); assertAccessDenied("SET SESSION " + QUERY_MAX_MEMORY + " = '10MB'", "Cannot set system session property " + QUERY_MAX_MEMORY, privilege(QUERY_MAX_MEMORY, SET_SESSION)); assertAccessDenied("CREATE TABLE foo (pk bigint)", "Cannot create table .*.foo.*", privilege("foo", CREATE_TABLE)); assertAccessDenied("DROP TABLE orders", "Cannot drop table .*.orders.*", privilege("orders", DROP_TABLE)); assertAccessDenied("ALTER TABLE orders RENAME TO foo", "Cannot rename table .*.orders.* to .*.foo.*", privilege("orders", RENAME_TABLE)); assertAccessDenied("ALTER TABLE orders ADD COLUMN foo bigint", "Cannot add a column to table .*.orders.*", privilege("orders", ADD_COLUMN)); assertAccessDenied("ALTER TABLE orders DROP COLUMN foo", "Cannot drop a column from table .*.orders.*", privilege("orders", DROP_COLUMN)); assertAccessDenied("ALTER TABLE orders RENAME COLUMN orderkey TO foo", "Cannot rename a column in table .*.orders.*", privilege("orders", RENAME_COLUMN)); assertAccessDenied("CREATE VIEW foo as SELECT * FROM orders", "Cannot create view .*.foo.*", privilege("foo", CREATE_VIEW)); // todo add DROP VIEW test... not all connectors have view support try { assertAccessDenied("SELECT 1", "Principal .* cannot become user " + getSession().getUser() + ".*", privilege(getSession().getUser(), SET_USER)); } catch (AssertionError e) { // There is no clean exception message for authorization failure. We simply get a 403 Assertions.assertContains(e.getMessage(), "statusCode=403"); } }
public class CreatorValidation implements ValidationCondition { public Optional<String> validate(final Post post, final Session session) { if (post.getCreator().equals(session.getUser()) { return Optional.empty(); } return Optional.of("You should be owner of the post"); } }
public String getExpandedTemplate(Session session) { String expanded = USER_PATTERN.matcher(template).replaceAll(session.getUser()); return SOURCE_PATTERN.matcher(expanded).replaceAll(session.getSource().orElse("")); }
@Override public String toString() { return toStringHelper(this) .add("queryId", queryId) .add("transactionId", transactionId) .add("user", getUser()) .add("principal", getIdentity().getPrincipal().orElse(null)) .add("source", source.orElse(null)) .add("catalog", catalog.orElse(null)) .add("schema", schema.orElse(null)) .add("timeZoneKey", timeZoneKey) .add("locale", locale) .add("remoteUserAddress", remoteUserAddress.orElse(null)) .add("userAgent", userAgent.orElse(null)) .add("startTime", startTime) .omitNullValues() .toString(); }
/** * Returns list of queues to enter, or null if query does not match rule */ public List<QueryQueueDefinition> match(Session session) { if (userRegex != null && !userRegex.matcher(session.getUser()).matches()) { return null; } if (sourceRegex != null) { String source = session.getSource().orElse(""); if (!sourceRegex.matcher(source).matches()) { return null; } } for (Map.Entry<String, Pattern> entry : sessionPropertyRegexes.entrySet()) { String value = session.getSystemProperties().getOrDefault(entry.getKey(), ""); if (!entry.getValue().matcher(value).matches()) { return null; } } return queues; }
@Override public CompletableFuture<?> execute(CreateView statement, TransactionManager transactionManager, Metadata metadata, AccessControl accessControl, QueryStateMachine stateMachine) { Session session = stateMachine.getSession(); QualifiedObjectName name = createQualifiedObjectName(session, statement, statement.getName()); accessControl.checkCanCreateView(session.getRequiredTransactionId(), session.getIdentity(), name); String sql = getFormattedSql(statement); Analysis analysis = analyzeStatement(statement, session, metadata); List<ViewColumn> columns = analysis.getOutputDescriptor() .getVisibleFields().stream() .map(field -> new ViewColumn(field.getName().get(), field.getType())) .collect(toImmutableList()); String data = codec.toJson(new ViewDefinition(sql, session.getCatalog(), session.getSchema(), columns, Optional.of(session.getUser()))); metadata.createView(session, name, data, statement.isReplace()); return completedFuture(null); }
private TableMetadata createTableMetadata(QualifiedObjectName table, List<ColumnMetadata> columns, Map<String, Expression> propertyExpressions, boolean sampled) { String owner = session.getUser(); Map<String, Object> properties = metadata.getTablePropertyManager().getTableProperties( table.getCatalogName(), propertyExpressions, session, metadata); ConnectorTableMetadata metadata = new ConnectorTableMetadata(table.asSchemaTableName(), columns, properties, owner, sampled); // TODO: first argument should actually be connectorId return new TableMetadata(table.getCatalogName(), metadata); }
"SELECT * FROM test_view_access", "View owner 'test_view_access_owner' cannot create view that selects from .*.orders.*", privilege(viewOwnerSession.getUser(), "orders", CREATE_VIEW_WITH_SELECT_COLUMNS)); viewOwnerSession, "SELECT * FROM test_view_access", privilege(viewOwnerSession.getUser(), "orders", CREATE_VIEW_WITH_SELECT_COLUMNS)); privilege(getSession().getUser(), "orders", CREATE_VIEW_WITH_SELECT_COLUMNS)); assertAccessAllowed( "SELECT * FROM test_view_access", privilege(getSession().getUser(), "orders", SELECT_COLUMN)); "SELECT * FROM test_nested_view_access", "View owner 'test_nested_view_access_owner' cannot create view that selects from .*.test_view_access.*", privilege(nestedViewOwnerSession.getUser(), "test_view_access", CREATE_VIEW_WITH_SELECT_COLUMNS)); privilege(getSession().getUser(), "test_view_access", CREATE_VIEW_WITH_SELECT_COLUMNS)); assertAccessAllowed( "SELECT * FROM test_nested_view_access", privilege(getSession().getUser(), "test_view_access", SELECT_COLUMN));
new ConnectorTableMetadata(tableName.asSchemaTableName(), columns, properties, session.getUser(), false));
@Test public void testNonQueryAccessControl() { skipTestUnless(supportsViews()); assertAccessDenied("SET SESSION " + QUERY_MAX_MEMORY + " = '10MB'", "Cannot set system session property " + QUERY_MAX_MEMORY, privilege(QUERY_MAX_MEMORY, SET_SESSION)); assertAccessDenied("CREATE TABLE foo (pk bigint)", "Cannot create table .*.foo.*", privilege("foo", CREATE_TABLE)); assertAccessDenied("DROP TABLE orders", "Cannot drop table .*.orders.*", privilege("orders", DROP_TABLE)); assertAccessDenied("ALTER TABLE orders RENAME TO foo", "Cannot rename table .*.orders.* to .*.foo.*", privilege("orders", RENAME_TABLE)); assertAccessDenied("ALTER TABLE orders ADD COLUMN foo bigint", "Cannot add a column to table .*.orders.*", privilege("orders", ADD_COLUMN)); assertAccessDenied("ALTER TABLE orders DROP COLUMN foo", "Cannot drop a column from table .*.orders.*", privilege("orders", DROP_COLUMN)); assertAccessDenied("ALTER TABLE orders RENAME COLUMN orderkey TO foo", "Cannot rename a column in table .*.orders.*", privilege("orders", RENAME_COLUMN)); assertAccessDenied("CREATE VIEW foo as SELECT * FROM orders", "Cannot create view .*.foo.*", privilege("foo", CREATE_VIEW)); // todo add DROP VIEW test... not all connectors have view support try { assertAccessDenied("SELECT 1", "Principal .* cannot become user " + getSession().getUser() + ".*", privilege(getSession().getUser(), SET_USER)); } catch (AssertionError e) { // There is no clean exception message for authorization failure. We simply get a 403 Assertions.assertContains(e.getMessage(), "statusCode=403"); } }
assertEquals(session.getUser(), "testUser"); assertEquals(session.getSource().get(), "testSource"); assertEquals(session.getCatalog().get(), "testCatalog");