@Override public void checkCanSelectFromColumns(TransactionId transactionId, Identity identity, QualifiedObjectName tableName, Set<String> columnNames) { delegate.checkCanCreateViewWithSelectFromColumns(transactionId, identity, tableName, columnNames); }
@Inject public AccessControlManager(TransactionManager transactionManager) { this.transactionManager = requireNonNull(transactionManager, "transactionManager is null"); addSystemAccessControlFactory(new AllowAllSystemAccessControl.Factory()); addSystemAccessControlFactory(new ReadOnlySystemAccessControl.Factory()); addSystemAccessControlFactory(new FileBasedSystemAccessControl.Factory()); }
@Override public Set<SchemaTableName> filterTables(Identity identity, String catalogName, Set<SchemaTableName> tableNames) { if (!canAccessCatalog(identity, catalogName)) { return ImmutableSet.of(); } return tableNames; }
@Override public void checkCanShowSchemas(TransactionId transactionId, Identity identity, String catalogName) { requireNonNull(identity, "identity is null"); requireNonNull(catalogName, "catalogName is null"); authenticationCheck(() -> checkCanAccessCatalog(identity, catalogName)); authorizationCheck(() -> systemAccessControl.get().checkCanShowSchemas(identity, catalogName)); CatalogAccessControlEntry entry = getConnectorAccessControl(transactionId, catalogName); if (entry != null) { authorizationCheck(() -> entry.getAccessControl().checkCanShowSchemas(entry.getTransactionHandle(transactionId), identity)); } }
private AccessControlManager newAccessControlManager(TransactionManager transactionManager, String resourceName) { AccessControlManager accessControlManager = new AccessControlManager(transactionManager); accessControlManager.setSystemAccessControl(FileBasedSystemAccessControl.NAME, ImmutableMap.of("security.config-file", getResourcePath(resourceName))); return accessControlManager; }
private SystemAccessControl create(String configFileName) { FileBasedSystemAccessControlRules rules = parseJson(Paths.get(configFileName), FileBasedSystemAccessControlRules.class); ImmutableList.Builder<CatalogAccessControlRule> catalogRulesBuilder = ImmutableList.builder(); catalogRulesBuilder.addAll(rules.getCatalogRules()); // Hack to allow Presto Admin to access the "system" catalog for retrieving server status. // todo Change userRegex from ".*" to one particular user that Presto Admin will be restricted to run as catalogRulesBuilder.add(new CatalogAccessControlRule( true, Optional.of(Pattern.compile(".*")), Optional.of(Pattern.compile("system")))); return new FileBasedSystemAccessControl(catalogRulesBuilder.build(), rules.getPrincipalUserMatchRules()); } }
private SystemAccessControl parse(String path) { return new FileBasedSystemAccessControl.Factory().create(ImmutableMap.of(SECURITY_CONFIG_FILE, path)); } }
private boolean canAccessCatalog(Identity identity, String catalogName) { for (CatalogAccessControlRule rule : catalogRules) { Optional<Boolean> allowed = rule.match(identity.getUser(), catalogName); if (allowed.isPresent()) { return allowed.get(); } } return false; }
@Override public void checkCanSetCatalogSessionProperty(TransactionId transactionId, Identity identity, String catalogName, String propertyName) { requireNonNull(identity, "identity is null"); requireNonNull(catalogName, "catalogName is null"); requireNonNull(propertyName, "propertyName is null"); authenticationCheck(() -> checkCanAccessCatalog(identity, catalogName)); authorizationCheck(() -> systemAccessControl.get().checkCanSetCatalogSessionProperty(identity, catalogName, propertyName)); CatalogAccessControlEntry entry = getConnectorAccessControl(transactionId, catalogName); if (entry != null) { authorizationCheck(() -> entry.getAccessControl().checkCanSetCatalogSessionProperty(entry.getTransactionHandle(transactionId), identity, propertyName)); } }
@Override public Set<String> filterSchemas(Identity identity, String catalogName, Set<String> schemaNames) { if (!canAccessCatalog(identity, catalogName)) { return ImmutableSet.of(); } return schemaNames; }
@Override public void checkCanCreateViewWithSelectFromColumns(TransactionId transactionId, Identity identity, QualifiedObjectName tableName, Set<String> columnNames) { delegate.checkCanCreateViewWithSelectFromColumns(transactionId, identity, tableName, columnNames); } }
@Override public void checkCanCreateSchema(TransactionId transactionId, Identity identity, CatalogSchemaName schemaName) { requireNonNull(identity, "identity is null"); requireNonNull(schemaName, "schemaName is null"); authenticationCheck(() -> checkCanAccessCatalog(identity, schemaName.getCatalogName())); authorizationCheck(() -> systemAccessControl.get().checkCanCreateSchema(identity, schemaName)); CatalogAccessControlEntry entry = getConnectorAccessControl(transactionId, schemaName.getCatalogName()); if (entry != null) { authorizationCheck(() -> entry.getAccessControl().checkCanCreateSchema(entry.getTransactionHandle(transactionId), identity, schemaName.getSchemaName())); } }
@Override public Set<String> filterCatalogs(Identity identity, Set<String> catalogs) { ImmutableSet.Builder<String> filteredCatalogs = ImmutableSet.builder(); for (String catalog : catalogs) { if (canAccessCatalog(identity, catalog)) { filteredCatalogs.add(catalog); } } return filteredCatalogs.build(); }
@Override public void checkCanShowTablesMetadata(TransactionId transactionId, Identity identity, CatalogSchemaName schema) { requireNonNull(identity, "identity is null"); requireNonNull(schema, "schema is null"); authenticationCheck(() -> checkCanAccessCatalog(identity, schema.getCatalogName())); authorizationCheck(() -> systemAccessControl.get().checkCanShowTablesMetadata(identity, schema)); CatalogAccessControlEntry entry = getConnectorAccessControl(transactionId, schema.getCatalogName()); if (entry != null) { authorizationCheck(() -> entry.getAccessControl().checkCanShowTablesMetadata(entry.getTransactionHandle(transactionId), identity, schema.getSchemaName())); } }
@Override public void checkCanAccessCatalog(Identity identity, String catalogName) { if (!canAccessCatalog(identity, catalogName)) { denyCatalogAccess(catalogName); } }
@Override public void checkCanAddColumns(TransactionId transactionId, Identity identity, QualifiedObjectName tableName) { requireNonNull(identity, "identity is null"); requireNonNull(tableName, "tableName is null"); authenticationCheck(() -> checkCanAccessCatalog(identity, tableName.getCatalogName())); authorizationCheck(() -> systemAccessControl.get().checkCanAddColumn(identity, tableName.asCatalogSchemaTableName())); CatalogAccessControlEntry entry = getConnectorAccessControl(transactionId, tableName.getCatalogName()); if (entry != null) { authorizationCheck(() -> entry.getAccessControl().checkCanAddColumn(entry.getTransactionHandle(transactionId), identity, tableName.asSchemaTableName())); } }
@Override public void checkCanDeleteFromTable(TransactionId transactionId, Identity identity, QualifiedObjectName tableName) { requireNonNull(identity, "identity is null"); requireNonNull(tableName, "tableName is null"); authenticationCheck(() -> checkCanAccessCatalog(identity, tableName.getCatalogName())); authorizationCheck(() -> systemAccessControl.get().checkCanDeleteFromTable(identity, tableName.asCatalogSchemaTableName())); CatalogAccessControlEntry entry = getConnectorAccessControl(transactionId, tableName.getCatalogName()); if (entry != null) { authorizationCheck(() -> entry.getAccessControl().checkCanDeleteFromTable(entry.getTransactionHandle(transactionId), identity, tableName.asSchemaTableName())); } }
@Override public void checkCanCreateTable(TransactionId transactionId, Identity identity, QualifiedObjectName tableName) { requireNonNull(identity, "identity is null"); requireNonNull(tableName, "tableName is null"); authenticationCheck(() -> checkCanAccessCatalog(identity, tableName.getCatalogName())); authorizationCheck(() -> systemAccessControl.get().checkCanCreateTable(identity, tableName.asCatalogSchemaTableName())); CatalogAccessControlEntry entry = getConnectorAccessControl(transactionId, tableName.getCatalogName()); if (entry != null) { authorizationCheck(() -> entry.getAccessControl().checkCanCreateTable(entry.getTransactionHandle(transactionId), identity, tableName.asSchemaTableName())); } }
@Override public void checkCanInsertIntoTable(TransactionId transactionId, Identity identity, QualifiedObjectName tableName) { requireNonNull(identity, "identity is null"); requireNonNull(tableName, "tableName is null"); authenticationCheck(() -> checkCanAccessCatalog(identity, tableName.getCatalogName())); authorizationCheck(() -> systemAccessControl.get().checkCanInsertIntoTable(identity, tableName.asCatalogSchemaTableName())); CatalogAccessControlEntry entry = getConnectorAccessControl(transactionId, tableName.getCatalogName()); if (entry != null) { authorizationCheck(() -> entry.getAccessControl().checkCanInsertIntoTable(entry.getTransactionHandle(transactionId), identity, tableName.asSchemaTableName())); } }
@Override public void checkCanDropView(TransactionId transactionId, Identity identity, QualifiedObjectName viewName) { requireNonNull(identity, "identity is null"); requireNonNull(viewName, "viewName is null"); authenticationCheck(() -> checkCanAccessCatalog(identity, viewName.getCatalogName())); authorizationCheck(() -> systemAccessControl.get().checkCanDropView(identity, viewName.asCatalogSchemaTableName())); CatalogAccessControlEntry entry = getConnectorAccessControl(transactionId, viewName.getCatalogName()); if (entry != null) { authorizationCheck(() -> entry.getAccessControl().checkCanDropView(entry.getTransactionHandle(transactionId), identity, viewName.asSchemaTableName())); } }