/**
 * Installs the system access control selected by {@code ACCESS_CONTROL_CONFIGURATION}.
 *
 * <p>When the configuration file exists, its properties are loaded, the entry keyed by
 * {@code ACCESS_CONTROL_PROPERTY_NAME} is removed and used as the implementation name, and
 * the remaining properties are passed to {@code setSystemAccessControl}.
 *
 * <p>Security note: when the file does not exist, {@code AllowAllSystemAccessControl.NAME}
 * is installed with no properties. A missing or misplaced configuration file therefore
 * selects that implementation (by its name, one that permits everything) instead of
 * failing. Deployments that depend on access control should verify that the file is
 * present at the expected path.
 *
 * @throws IllegalArgumentException if the file exists but holds no non-empty value for
 *     {@code ACCESS_CONTROL_PROPERTY_NAME}
 * @throws Exception declared by the signature; raised by the calls made here
 */
public void loadSystemAccessControl()
        throws Exception
{
    if (!ACCESS_CONTROL_CONFIGURATION.exists()) {
        // No configuration file on disk: fall back to the allow-all implementation.
        setSystemAccessControl(AllowAllSystemAccessControl.NAME, ImmutableMap.of());
        return;
    }

    // Mutable copy, so the name entry can be taken out before the rest is handed on.
    Map<String, String> config = new HashMap<>(loadProperties(ACCESS_CONTROL_CONFIGURATION));
    String controlName = config.remove(ACCESS_CONTROL_PROPERTY_NAME);
    checkArgument(
            !isNullOrEmpty(controlName),
            "Access control configuration %s does not contain %s",
            ACCESS_CONTROL_CONFIGURATION.getAbsoluteFile(),
            ACCESS_CONTROL_PROPERTY_NAME);
    setSystemAccessControl(controlName, config);
}
/**
 * Builds an {@code AccessControlManager} whose system access control is the file-based
 * implementation, configured from a named resource.
 *
 * @param transactionManager transaction manager passed to the manager's constructor
 * @param resourceName name resolved through {@code getResourcePath} to the rules file
 * @return the manager, with the file-based system access control already selected
 */
private AccessControlManager newAccessControlManager(TransactionManager transactionManager, String resourceName)
{
    AccessControlManager manager = new AccessControlManager(transactionManager);
    // The location of the rules file is the only property supplied.
    manager.setSystemAccessControl(
            FileBasedSystemAccessControl.NAME,
            ImmutableMap.of("security.config-file", getResourcePath(resourceName)));
    return manager;
}
/**
 * Selects {@code AllowAllSystemAccessControl.NAME} with no properties and runs a set-user
 * check without a principal. There is no assertion; the test passes when the check does
 * not throw.
 */
@Test
public void testNoneSystemAccessControl()
{
    AccessControlManager manager = new AccessControlManager(createTestTransactionManager());
    manager.setSystemAccessControl(AllowAllSystemAccessControl.NAME, ImmutableMap.of());

    // Empty principal: the caller presented no authenticated identity.
    manager.checkCanSetUser(Optional.empty(), USER_NAME);
}
/**
 * Registers a {@code TestSystemAccessControlFactory} under the name "test", selects it,
 * and verifies that a set-user check reaches it with the same user name and principal
 * the manager was given.
 */
@Test
public void testSetAccessControl()
{
    AccessControlManager manager = new AccessControlManager(createTestTransactionManager());

    TestSystemAccessControlFactory factory = new TestSystemAccessControlFactory("test");
    manager.addSystemAccessControlFactory(factory);
    manager.setSystemAccessControl("test", ImmutableMap.of());

    manager.checkCanSetUser(Optional.of(PRINCIPAL), USER_NAME);

    // The factory records what it was asked to check; both values must arrive unchanged.
    assertEquals(factory.getCheckedUserName(), USER_NAME);
    assertEquals(factory.getCheckedPrincipal(), Optional.of(PRINCIPAL));
}
/**
 * Runs a column-select check inside a transaction with the "test" system access control
 * selected and no catalog-level access control added. No exception is declared as
 * expected, so the test passes when the check does not throw.
 */
@Test
public void testNoCatalogAccessControl()
{
    TransactionManager transactionManager = createTestTransactionManager();
    AccessControlManager manager = new AccessControlManager(transactionManager);

    TestSystemAccessControlFactory factory = new TestSystemAccessControlFactory("test");
    manager.addSystemAccessControlFactory(factory);
    manager.setSystemAccessControl("test", ImmutableMap.of());

    transaction(transactionManager, manager)
            .execute(transactionId -> {
                // Nothing in this test adds catalog-level access control for "catalog".
                manager.checkCanSelectFromColumns(
                        transactionId,
                        new Identity(USER_NAME, Optional.of(PRINCIPAL)),
                        new QualifiedObjectName("catalog", "schema", "table"),
                        ImmutableSet.of("column"));
            });
}
// Put the catalog.json resource at configFile (copy(...) is presumably a file copy from
// the first argument to the second; its definition is not visible in this excerpt).
copy(new File(getResourcePath("catalog.json")), configFile);
// Select the file-based system access control and point it at configFile.
// NOTE(review): the "1ms" refresh period presumably makes the rules file get re-read on
// practically every check, so the enclosing test can observe later edits to it. Confirm
// against the rest of the test, which this excerpt does not show.
accessControlManager.setSystemAccessControl(FileBasedSystemAccessControl.NAME, ImmutableMap.of(
        SECURITY_CONFIG_FILE, configFile.getAbsolutePath(),
        SECURITY_REFRESH_PERIOD, "1ms"));
/**
 * Expects a column-select check to be rejected with a {@code PrestoException} once a
 * {@code DenyConnectorAccessControl} is attached to the connector registered for
 * "catalog".
 *
 * <p>The expected message names {@code schema.table} without a catalog prefix.
 * NOTE(review): presumably that is the connector-level denial text; confirm against
 * {@code DenyConnectorAccessControl}.
 */
@Test(expectedExceptions = PrestoException.class, expectedExceptionsMessageRegExp = "Access Denied: Cannot select from columns \\[column\\] in table or view schema.table")
public void testDenyCatalogAccessControl()
{
    CatalogManager catalogManager = new CatalogManager();
    TransactionManager transactionManager = createTestTransactionManager(catalogManager);
    AccessControlManager manager = new AccessControlManager(transactionManager);

    TestSystemAccessControlFactory factory = new TestSystemAccessControlFactory("test");
    manager.addSystemAccessControlFactory(factory);
    manager.setSystemAccessControl("test", ImmutableMap.of());

    // Attach the deny-everything connector control to the id returned for "catalog".
    ConnectorId catalogConnectorId = registerBogusConnector(catalogManager, transactionManager, manager, "catalog");
    manager.addCatalogAccessControl(catalogConnectorId, new DenyConnectorAccessControl());

    transaction(transactionManager, manager)
            .execute(transactionId -> {
                manager.checkCanSelectFromColumns(
                        transactionId,
                        new Identity(USER_NAME, Optional.of(PRINCIPAL)),
                        new QualifiedObjectName("catalog", "schema", "table"),
                        ImmutableSet.of("column"));
            });
}
// Build a manager and select the read-only system access control with no properties.
AccessControlManager accessControlManager = new AccessControlManager(transactionManager);
accessControlManager.setSystemAccessControl(ReadOnlySystemAccessControl.NAME, ImmutableMap.of());
// Identity-level and session-level checks: set-user, then set-system-session-property.
// NOTE(review): the enclosing test is not visible in this excerpt; presumably both calls
// are expected to succeed under the read-only control. Confirm against the full test.
accessControlManager.checkCanSetUser(Optional.of(PRINCIPAL), USER_NAME);
accessControlManager.checkCanSetSystemSessionProperty(identity, "property");
/**
 * Expects a column-select check against {@code secured_catalog.schema.table} to be
 * rejected with a {@code PrestoException}.
 *
 * <p>The connector registered here, and the {@code DenyConnectorAccessControl} attached
 * to it, are both named "connector", while the checked table lives in "secured_catalog".
 * The expected message carries the catalog-qualified table name. NOTE(review): presumably
 * the denial therefore comes from the system-level control created by
 * {@code TestSystemAccessControlFactory}, not from the connector-level one; confirm
 * against that factory.
 */
@Test(expectedExceptions = PrestoException.class, expectedExceptionsMessageRegExp = "Access Denied: Cannot select from table secured_catalog.schema.table")
public void testDenySystemAccessControl()
{
    CatalogManager catalogManager = new CatalogManager();
    TransactionManager transactionManager = createTestTransactionManager(catalogManager);
    AccessControlManager manager = new AccessControlManager(transactionManager);

    TestSystemAccessControlFactory factory = new TestSystemAccessControlFactory("test");
    manager.addSystemAccessControlFactory(factory);
    manager.setSystemAccessControl("test", ImmutableMap.of());

    registerBogusConnector(catalogManager, transactionManager, manager, "connector");
    manager.addCatalogAccessControl(new ConnectorId("connector"), new DenyConnectorAccessControl());

    transaction(transactionManager, manager)
            .execute(transactionId -> {
                // Checked catalog differs from the connector registered above.
                manager.checkCanSelectFromColumns(
                        transactionId,
                        new Identity(USER_NAME, Optional.of(PRINCIPAL)),
                        new QualifiedObjectName("secured_catalog", "schema", "table"),
                        ImmutableSet.of("column"));
            });
}
/**
 * Selects the system access control described by {@code ACCESS_CONTROL_CONFIGURATION}.
 *
 * <p>If the file exists, its properties are read, the value stored under
 * {@code ACCESS_CONTROL_PROPERTY_NAME} becomes the implementation name, and every other
 * property is forwarded to {@code setSystemAccessControl}.
 *
 * <p>Security note: if the file does not exist, {@code ALLOW_ALL_ACCESS_CONTROL} is
 * selected with an empty property map. An absent configuration file therefore does not
 * fail; it selects that default. Operators who expect enforcement should check that the
 * file is actually present.
 *
 * @throws IllegalArgumentException if the file exists but the name property is missing
 *     or empty
 * @throws Exception declared by the signature; raised by the calls made here
 */
public void loadSystemAccessControl()
        throws Exception
{
    boolean configured = ACCESS_CONTROL_CONFIGURATION.exists();
    if (!configured) {
        // Default when nothing is configured on disk.
        setSystemAccessControl(ALLOW_ALL_ACCESS_CONTROL, ImmutableMap.of());
        return;
    }

    // Copy into a HashMap because the name entry is removed before forwarding the rest.
    Map<String, String> remaining = new HashMap<>(loadProperties(ACCESS_CONTROL_CONFIGURATION));
    String selected = remaining.remove(ACCESS_CONTROL_PROPERTY_NAME);
    checkArgument(
            !isNullOrEmpty(selected),
            "Access control configuration %s does not contain %s",
            ACCESS_CONTROL_CONFIGURATION.getAbsoluteFile(),
            ACCESS_CONTROL_PROPERTY_NAME);
    setSystemAccessControl(selected, remaining);
}
/**
 * Selects {@code ALLOW_ALL_ACCESS_CONTROL} with no properties and runs a set-user check
 * with a {@code null} principal. There is no assertion; the test passes when the check
 * does not throw.
 */
@Test
public void testNoneSystemAccessControl()
        throws Exception
{
    AccessControlManager manager = new AccessControlManager(createTestTransactionManager());
    manager.setSystemAccessControl(ALLOW_ALL_ACCESS_CONTROL, ImmutableMap.<String, String>of());

    // null principal: no authenticated identity is presented to the check.
    manager.checkCanSetUser(null, USER_NAME);
}
/**
 * Registers a {@code TestSystemAccessControlFactory} under the name "test", selects it,
 * and verifies that a set-user check hands the factory the same principal and user name
 * the manager received.
 */
@Test
public void testSetAccessControl()
        throws Exception
{
    AccessControlManager manager = new AccessControlManager(createTestTransactionManager());

    TestSystemAccessControlFactory factory = new TestSystemAccessControlFactory("test");
    manager.addSystemAccessControlFactory(factory);
    manager.setSystemAccessControl("test", ImmutableMap.of());

    manager.checkCanSetUser(PRINCIPAL, USER_NAME);

    // Both values recorded by the factory must match what was passed in.
    assertEquals(factory.getCheckedUserName(), USER_NAME);
    assertEquals(factory.getCheckedPrincipal(), PRINCIPAL);
}
/**
 * Runs a table-select check inside a transaction with {@code ALLOW_ALL_ACCESS_CONTROL}
 * selected and no catalog-level access control added. No exception is declared as
 * expected, so the test passes when the check does not throw.
 */
@Test
public void testNoCatalogAccessControl()
        throws Exception
{
    TransactionManager transactionManager = createTestTransactionManager();
    AccessControlManager manager = new AccessControlManager(transactionManager);
    manager.setSystemAccessControl(ALLOW_ALL_ACCESS_CONTROL, ImmutableMap.<String, String>of());

    transaction(transactionManager)
            .execute(transactionId -> {
                // Nothing in this test adds catalog-level access control for "catalog".
                manager.checkCanSelectFromTable(
                        transactionId,
                        new Identity(USER_NAME, Optional.of(PRINCIPAL)),
                        new QualifiedObjectName("catalog", "schema", "table"));
            });
}
/**
 * Expects a table-select check to be rejected with a {@code PrestoException} even though
 * {@code ALLOW_ALL_ACCESS_CONTROL} is the system access control, because a
 * {@code DenyConnectorAccessControl} is attached for connector "connector" and catalog
 * "catalog".
 *
 * <p>The expected message names {@code schema.table} without a catalog prefix.
 * NOTE(review): presumably that is the connector-level denial text; confirm against
 * {@code DenyConnectorAccessControl}.
 */
@Test(expectedExceptions = PrestoException.class, expectedExceptionsMessageRegExp = "Access Denied: Cannot select from table schema.table")
public void testDenyCatalogAccessControl()
        throws Exception
{
    TransactionManager transactionManager = createTestTransactionManager();
    AccessControlManager manager = new AccessControlManager(transactionManager);
    manager.setSystemAccessControl(ALLOW_ALL_ACCESS_CONTROL, ImmutableMap.<String, String>of());

    // Catalog-level control is added on top of the system-level one selected above.
    registerBogusConnector(transactionManager, "connector");
    manager.addCatalogAccessControl("connector", "catalog", new DenyConnectorAccessControl());

    transaction(transactionManager)
            .execute(transactionId -> {
                manager.checkCanSelectFromTable(
                        transactionId,
                        new Identity(USER_NAME, Optional.of(PRINCIPAL)),
                        new QualifiedObjectName("catalog", "schema", "table"));
            });
}