private boolean shouldDenyPrivilege(String userName, String entityName, TestingPrivilegeType type) { TestingPrivilege testPrivilege = privilege(userName, entityName, type); for (TestingPrivilege denyPrivilege : denyPrivileges) { if (denyPrivilege.matches(testPrivilege)) { return true; } } return false; }
@Test public void testAccessControl() { assertAccessDenied("INSERT INTO orders SELECT * FROM orders", "Cannot insert into table .*.orders.*", privilege("orders", INSERT_TABLE)); assertAccessDenied("DELETE FROM orders", "Cannot delete from table .*.orders.*", privilege("orders", DELETE_TABLE)); assertAccessDenied("CREATE TABLE foo AS SELECT * FROM orders", "Cannot create table .*.foo.*", privilege("foo", CREATE_TABLE)); assertAccessDenied("SELECT * FROM nation", "Cannot select from columns \\[nationkey, regionkey, name, comment\\] in table .*.nation.*", privilege("nationkey", SELECT_COLUMN)); assertAccessDenied("SELECT * FROM (SELECT * FROM nation)", "Cannot select from columns \\[nationkey, regionkey, name, comment\\] in table .*.nation.*", privilege("nationkey", SELECT_COLUMN)); assertAccessDenied("SELECT name FROM (SELECT * FROM nation)", "Cannot select from columns \\[nationkey, regionkey, name, comment\\] in table .*.nation.*", privilege("nationkey", SELECT_COLUMN)); assertAccessAllowed("SELECT name FROM nation", privilege("nationkey", SELECT_COLUMN)); assertAccessDenied("SELECT n1.nationkey, n2.regionkey FROM nation n1, nation n2", "Cannot select from columns \\[nationkey, regionkey\\] in table .*.nation.*", privilege("nationkey", SELECT_COLUMN)); assertAccessDenied("SELECT count(name) as c FROM nation where comment > 'abc' GROUP BY regionkey having max(nationkey) > 10", "Cannot select from columns \\[nationkey, regionkey, name, comment\\] in table .*.nation.*", privilege("nationkey", SELECT_COLUMN)); assertAccessDenied("SELECT 1 FROM region, nation where region.regionkey = nation.nationkey", "Cannot select from columns \\[nationkey\\] in table .*.nation.*", privilege("nationkey", SELECT_COLUMN)); assertAccessDenied("SELECT count(*) FROM nation", "Cannot select from columns \\[\\] in table .*.nation.*", privilege("nation", SELECT_COLUMN)); assertAccessDenied("WITH t1 AS (SELECT * FROM nation) SELECT * FROM t1", "Cannot select from columns \\[nationkey, regionkey, name, comment\\] in table .*.nation.*", privilege("nationkey", SELECT_COLUMN)); assertAccessAllowed("SELECT name AS my_alias FROM nation", privilege("my_alias", SELECT_COLUMN)); assertAccessAllowed("SELECT my_alias from (SELECT name AS my_alias FROM nation)", privilege("my_alias", SELECT_COLUMN)); assertAccessDenied("SELECT name AS my_alias FROM nation", "Cannot select from columns \\[name\\] in table .*.nation.*", privilege("name", SELECT_COLUMN)); }
@Test public void testNonQueryAccessControl() { skipTestUnless(supportsViews()); assertAccessDenied("SET SESSION " + QUERY_MAX_MEMORY + " = '10MB'", "Cannot set system session property " + QUERY_MAX_MEMORY, privilege(QUERY_MAX_MEMORY, SET_SESSION)); assertAccessDenied("CREATE TABLE foo (pk bigint)", "Cannot create table .*.foo.*", privilege("foo", CREATE_TABLE)); assertAccessDenied("DROP TABLE orders", "Cannot drop table .*.orders.*", privilege("orders", DROP_TABLE)); assertAccessDenied("ALTER TABLE orders RENAME TO foo", "Cannot rename table .*.orders.* to .*.foo.*", privilege("orders", RENAME_TABLE)); assertAccessDenied("ALTER TABLE orders ADD COLUMN foo bigint", "Cannot add a column to table .*.orders.*", privilege("orders", ADD_COLUMN)); assertAccessDenied("ALTER TABLE orders DROP COLUMN foo", "Cannot drop a column from table .*.orders.*", privilege("orders", DROP_COLUMN)); assertAccessDenied("ALTER TABLE orders RENAME COLUMN orderkey TO foo", "Cannot rename a column in table .*.orders.*", privilege("orders", RENAME_COLUMN)); assertAccessDenied("CREATE VIEW foo as SELECT * FROM orders", "Cannot create view .*.foo.*", privilege("foo", CREATE_VIEW)); // todo add DROP VIEW test... not all connectors have view support try { assertAccessDenied("SELECT 1", "Principal .* cannot become user " + getSession().getUser() + ".*", privilege(getSession().getUser(), SET_USER)); } catch (AssertionError e) { // There is no clean exception message for authorization failure. We simply get a 403 Assertions.assertContains(e.getMessage(), "statusCode=403"); } }
viewOwnerSession, "CREATE VIEW test_view_access AS SELECT * FROM orders", privilege("orders", CREATE_VIEW_WITH_SELECT_COLUMNS)); "SELECT * FROM test_view_access", "View owner 'test_view_access_owner' cannot create view that selects from .*.orders.*", privilege(viewOwnerSession.getUser(), "orders", CREATE_VIEW_WITH_SELECT_COLUMNS)); viewOwnerSession, "SELECT * FROM test_view_access", privilege(viewOwnerSession.getUser(), "orders", CREATE_VIEW_WITH_SELECT_COLUMNS)); privilege(getSession().getUser(), "orders", CREATE_VIEW_WITH_SELECT_COLUMNS)); assertAccessAllowed( "SELECT * FROM test_view_access", privilege(getSession().getUser(), "orders", SELECT_COLUMN)); nestedViewOwnerSession, "CREATE VIEW test_nested_view_access AS SELECT * FROM test_view_access", privilege("test_view_access", CREATE_VIEW_WITH_SELECT_COLUMNS)); "SELECT * FROM test_nested_view_access", "View owner 'test_nested_view_access_owner' cannot create view that selects from .*.test_view_access.*", privilege(nestedViewOwnerSession.getUser(), "test_view_access", CREATE_VIEW_WITH_SELECT_COLUMNS)); privilege(getSession().getUser(), "test_view_access", CREATE_VIEW_WITH_SELECT_COLUMNS)); assertAccessAllowed( "SELECT * FROM test_nested_view_access", privilege(getSession().getUser(), "test_view_access", SELECT_COLUMN));
assertAccessDenied("DELETE FROM test_delete where orderkey < 12", "Cannot select from columns \\[orderkey\\] in table or view .*.test_delete.*", privilege("orderkey", SELECT_COLUMN)); assertAccessAllowed("DELETE FROM test_delete where orderkey < 12", privilege("orderdate", SELECT_COLUMN)); assertAccessAllowed("DELETE FROM test_delete", privilege("orders", SELECT_COLUMN));
private boolean shouldDenyPrivilege(String userName, String entityName, TestingPrivilegeType type) { TestingPrivilege testPrivilege = privilege(userName, entityName, type); for (TestingPrivilege denyPrivilege : denyPrivileges) { if (denyPrivilege.matches(testPrivilege)) { return true; } } return false; }
@Test public void testAccessControl() { assertAccessDenied("INSERT INTO orders SELECT * FROM orders", "Cannot insert into table .*.orders.*", privilege("orders", INSERT_TABLE)); assertAccessDenied("DELETE FROM orders", "Cannot delete from table .*.orders.*", privilege("orders", DELETE_TABLE)); assertAccessDenied("CREATE TABLE foo AS SELECT * FROM orders", "Cannot create table .*.foo.*", privilege("foo", CREATE_TABLE)); assertAccessDenied("SELECT * FROM nation", "Cannot select from columns \\[nationkey, regionkey, name, comment\\] in table .*.nation.*", privilege("nationkey", SELECT_COLUMN)); assertAccessDenied("SELECT * FROM (SELECT * FROM nation)", "Cannot select from columns \\[nationkey, regionkey, name, comment\\] in table .*.nation.*", privilege("nationkey", SELECT_COLUMN)); assertAccessDenied("SELECT name FROM (SELECT * FROM nation)", "Cannot select from columns \\[nationkey, regionkey, name, comment\\] in table .*.nation.*", privilege("nationkey", SELECT_COLUMN)); assertAccessAllowed("SELECT name FROM nation", privilege("nationkey", SELECT_COLUMN)); assertAccessDenied("SELECT n1.nationkey, n2.regionkey FROM nation n1, nation n2", "Cannot select from columns \\[nationkey, regionkey\\] in table .*.nation.*", privilege("nationkey", SELECT_COLUMN)); assertAccessDenied("SELECT count(name) as c FROM nation where comment > 'abc' GROUP BY regionkey having max(nationkey) > 10", "Cannot select from columns \\[nationkey, regionkey, name, comment\\] in table .*.nation.*", privilege("nationkey", SELECT_COLUMN)); assertAccessDenied("SELECT 1 FROM region, nation where region.regionkey = nation.nationkey", "Cannot select from columns \\[nationkey\\] in table .*.nation.*", privilege("nationkey", SELECT_COLUMN)); assertAccessDenied("SELECT count(*) FROM nation", "Cannot select from columns \\[\\] in table .*.nation.*", privilege("nation", SELECT_COLUMN)); assertAccessDenied("WITH t1 AS (SELECT * FROM nation) SELECT * FROM t1", "Cannot select from columns \\[nationkey, regionkey, name, comment\\] in table .*.nation.*", privilege("nationkey", SELECT_COLUMN)); assertAccessAllowed("SELECT name AS my_alias FROM nation", privilege("my_alias", SELECT_COLUMN)); assertAccessAllowed("SELECT my_alias from (SELECT name AS my_alias FROM nation)", privilege("my_alias", SELECT_COLUMN)); assertAccessDenied("SELECT name AS my_alias FROM nation", "Cannot select from columns \\[name\\] in table .*.nation.*", privilege("name", SELECT_COLUMN)); }
@Test public void testNonQueryAccessControl() { skipTestUnless(supportsViews()); assertAccessDenied("SET SESSION " + QUERY_MAX_MEMORY + " = '10MB'", "Cannot set system session property " + QUERY_MAX_MEMORY, privilege(QUERY_MAX_MEMORY, SET_SESSION)); assertAccessDenied("CREATE TABLE foo (pk bigint)", "Cannot create table .*.foo.*", privilege("foo", CREATE_TABLE)); assertAccessDenied("DROP TABLE orders", "Cannot drop table .*.orders.*", privilege("orders", DROP_TABLE)); assertAccessDenied("ALTER TABLE orders RENAME TO foo", "Cannot rename table .*.orders.* to .*.foo.*", privilege("orders", RENAME_TABLE)); assertAccessDenied("ALTER TABLE orders ADD COLUMN foo bigint", "Cannot add a column to table .*.orders.*", privilege("orders", ADD_COLUMN)); assertAccessDenied("ALTER TABLE orders DROP COLUMN foo", "Cannot drop a column from table .*.orders.*", privilege("orders", DROP_COLUMN)); assertAccessDenied("ALTER TABLE orders RENAME COLUMN orderkey TO foo", "Cannot rename a column in table .*.orders.*", privilege("orders", RENAME_COLUMN)); assertAccessDenied("CREATE VIEW foo as SELECT * FROM orders", "Cannot create view .*.foo.*", privilege("foo", CREATE_VIEW)); // todo add DROP VIEW test... not all connectors have view support try { assertAccessDenied("SELECT 1", "Principal .* cannot become user " + getSession().getUser() + ".*", privilege(getSession().getUser(), SET_USER)); } catch (AssertionError e) { // There is no clean exception message for authorization failure. We simply get a 403 Assertions.assertContains(e.getMessage(), "statusCode=403"); } }
viewOwnerSession, "CREATE VIEW test_view_access AS SELECT * FROM orders", privilege("orders", CREATE_VIEW_WITH_SELECT_COLUMNS)); "SELECT * FROM test_view_access", "View owner 'test_view_access_owner' cannot create view that selects from .*.orders.*", privilege(viewOwnerSession.getUser(), "orders", CREATE_VIEW_WITH_SELECT_COLUMNS)); viewOwnerSession, "SELECT * FROM test_view_access", privilege(viewOwnerSession.getUser(), "orders", CREATE_VIEW_WITH_SELECT_COLUMNS)); privilege(getSession().getUser(), "orders", CREATE_VIEW_WITH_SELECT_COLUMNS)); assertAccessAllowed( "SELECT * FROM test_view_access", privilege(getSession().getUser(), "orders", SELECT_COLUMN)); nestedViewOwnerSession, "CREATE VIEW test_nested_view_access AS SELECT * FROM test_view_access", privilege("test_view_access", CREATE_VIEW_WITH_SELECT_COLUMNS)); "SELECT * FROM test_nested_view_access", "View owner 'test_nested_view_access_owner' cannot create view that selects from .*.test_view_access.*", privilege(nestedViewOwnerSession.getUser(), "test_view_access", CREATE_VIEW_WITH_SELECT_COLUMNS)); privilege(getSession().getUser(), "test_view_access", CREATE_VIEW_WITH_SELECT_COLUMNS)); assertAccessAllowed( "SELECT * FROM test_nested_view_access", privilege(getSession().getUser(), "test_view_access", SELECT_COLUMN));
assertAccessDenied("DELETE FROM test_delete where orderkey < 12", "Cannot select from columns \\[orderkey\\] in table or view .*.test_delete.*", privilege("orderkey", SELECT_COLUMN)); assertAccessAllowed("DELETE FROM test_delete where orderkey < 12", privilege("orderdate", SELECT_COLUMN)); assertAccessAllowed("DELETE FROM test_delete", privilege("orders", SELECT_COLUMN));