prestodb · electrum · Dec 15, 2018 · rschlussel · Dec 17, 2018 · electrum
@@ -7,7 +7,9 @@ Synopsis
 
 .. code-block:: none
 
-    CREATE [ OR REPLACE ] VIEW view_name AS query
+    CREATE [ OR REPLACE ] VIEW view_name
+    [ SECURITY { DEFINER | INVOKER } ]
+    AS query
 
 Description
 -----------
@@ -20,6 +22,22 @@ referenced by another query.
 The optional ``OR REPLACE`` clause causes the view to be replaced if it
 already exists rather than raising an error.
 
+Security
+--------
+
+In the default ``DEFINER`` security mode, tables referenced in the view
+are accessed using the permissions of the view owner (the *creator* or
+*definer* of the view) rather than the user executing the query. This
+allows providing restricted access to the underlying tables, for which
+the query user may not be allowed to access directly. Note that the
+``current_user`` function will return the query user, not the view owner,
+and thus may be used to filter out rows or otherwise restrict access
+based on the user currently accessing the view.
+
+In the ``INVOKER`` security mode, tables referenced in the view are
+accessed using the permissions of the query user (the *invoker* of the
+view). A view created in this mode is simply a stored query.
+
 Examples
 --------
 

@@ -38,6 +38,7 @@
 import static com.facebook.presto.metadata.MetadataUtil.createQualifiedObjectName;
 import static com.facebook.presto.metadata.ViewDefinition.ViewColumn;
 import static com.facebook.presto.sql.SqlFormatterUtil.getFormattedSql;
+import static com.facebook.presto.sql.tree.CreateView.Security.INVOKER;
 import static com.google.common.collect.ImmutableList.toImmutableList;
 import static com.google.common.util.concurrent.Futures.immediateFuture;
 import static java.util.Objects.requireNonNull;
@@ -88,7 +89,13 @@ public ListenableFuture<?> execute(CreateView statement, TransactionManager tran
                 .map(field -> new ViewColumn(field.getName().get(), field.getType()))
                 .collect(toImmutableList());
 
-        String data = codec.toJson(new ViewDefinition(sql, session.getCatalog(), session.getSchema(), columns, Optional.of(session.getUser())));
+        // use DEFINER security by default
+        Optional<String> owner = Optional.of(session.getUser());
+        if (statement.getSecurity().orElse(null) == INVOKER) {
+            owner = Optional.empty();
+        }
+
+        String data = codec.toJson(new ViewDefinition(sql, session.getCatalog(), session.getSchema(), columns, owner, !owner.isPresent()));
 
         metadata.createView(session, name, data, statement.isReplace());
 

@@ -836,7 +836,7 @@ public Optional<ViewDefinition> getView(Session session, QualifiedObjectName vie
             ConnectorViewDefinition view = views.get(viewName.asSchemaTableName());
             if (view != null) {
                 ViewDefinition definition = deserializeView(view.getViewData());
-                if (view.getOwner().isPresent()) {
+                if (view.getOwner().isPresent() && !definition.isRunAsInvoker()) {
                     definition = definition.withOwner(view.getOwner().get());
                 }
                 return Optional.of(definition);

@@ -22,6 +22,7 @@
 import java.util.Optional;
 
 import static com.google.common.base.MoreObjects.toStringHelper;
+import static com.google.common.base.Preconditions.checkArgument;
 import static java.util.Objects.requireNonNull;
 
 public final class ViewDefinition
@@ -31,20 +32,24 @@ public final class ViewDefinition
     private final Optional<String> schema;
     private final List<ViewColumn> columns;
     private final Optional<String> owner;
+    private final boolean runAsInvoker;
 
     @JsonCreator
     public ViewDefinition(
             @JsonProperty("originalSql") String originalSql,
             @JsonProperty("catalog") Optional<String> catalog,
             @JsonProperty("schema") Optional<String> schema,
             @JsonProperty("columns") List<ViewColumn> columns,
-            @JsonProperty("owner") Optional<String> owner)
+            @JsonProperty("owner") Optional<String> owner,
+            @JsonProperty("runAsInvoker") boolean runAsInvoker)
     {
         this.originalSql = requireNonNull(originalSql, "originalSql is null");
         this.catalog = requireNonNull(catalog, "catalog is null");
         this.schema = requireNonNull(schema, "schema is null");
         this.columns = ImmutableList.copyOf(requireNonNull(columns, "columns is null"));
         this.owner = requireNonNull(owner, "owner is null");
+        this.runAsInvoker = runAsInvoker;
+        checkArgument(!runAsInvoker || !owner.isPresent(), "owner cannot be present with runAsInvoker");
     }
 
     @JsonProperty
@@ -77,6 +82,12 @@ public Optional<String> getOwner()
         return owner;
     }
 
+    @JsonProperty
+    public boolean isRunAsInvoker()
+    {
+        return runAsInvoker;
+    }
+
     @Override
     public String toString()
     {
@@ -86,13 +97,14 @@ public String toString()
                 .add("schema", schema.orElse(null))
                 .add("columns", columns)
                 .add("owner", owner.orElse(null))
+                .add("runAsInvoker", runAsInvoker)
                 .omitNullValues()
                 .toString();
     }
 
     public ViewDefinition withOwner(String owner)
     {
-        return new ViewDefinition(originalSql, catalog, schema, columns, Optional.of(owner));
+        return new ViewDefinition(originalSql, catalog, schema, columns, Optional.of(owner), runAsInvoker);
     }
 
     public static final class ViewColumn

@@ -373,7 +373,7 @@ protected Node visitShowCreate(ShowCreate node, Void context)
                 }
 
                 Query query = parseView(viewDefinition.get().getOriginalSql(), objectName, node);
-                String sql = formatSql(new CreateView(createQualifiedName(objectName), query, false), Optional.of(parameters)).trim();
+                String sql = formatSql(new CreateView(createQualifiedName(objectName), query, false, Optional.empty()), Optional.of(parameters)).trim();
                 return singleValueQuery("Create View", sql);
             }
 

@@ -74,7 +74,7 @@ public TestInformationSchemaMetadata()
                                 new SchemaTableName("test_schema", "test_view"),
                                 new SchemaTableName("test_schema", "another_table")))
                 .withGetViews((connectorSession, prefix) -> {
-                    String viewJson = VIEW_DEFINITION_JSON_CODEC.toJson(new ViewDefinition("select 1", Optional.of("test_catalog"), Optional.of("test_schema"), ImmutableList.of(), Optional.empty()));
+                    String viewJson = VIEW_DEFINITION_JSON_CODEC.toJson(new ViewDefinition("select 1", Optional.of("test_catalog"), Optional.of("test_schema"), ImmutableList.of(), Optional.empty(), false));
                     SchemaTableName viewName = new SchemaTableName("test_schema", "test_view");
                     return ImmutableMap.of(viewName, new ConnectorViewDefinition(viewName, Optional.empty(), viewJson));
                 }).build();

@@ -1574,7 +1574,8 @@ public void setup()
                         Optional.of(TPCH_CATALOG),
                         Optional.of("s1"),
                         ImmutableList.of(new ViewColumn("a", BIGINT)),
-                        Optional.of("user")));
+                        Optional.of("user"),
+                        false));
         inSetupTransaction(session -> metadata.createView(session, new QualifiedObjectName(TPCH_CATALOG, "s1", "v1"), viewData1, false));
 
         // stale view (different column type)
@@ -1584,7 +1585,8 @@ public void setup()
                         Optional.of(TPCH_CATALOG),
                         Optional.of("s1"),
                         ImmutableList.of(new ViewColumn("a", VARCHAR)),
-                        Optional.of("user")));
+                        Optional.of("user"),
+                        false));
         inSetupTransaction(session -> metadata.createView(session, new QualifiedObjectName(TPCH_CATALOG, "s1", "v2"), viewData2, false));
 
         // view referencing table in different schema from itself and session
@@ -1594,7 +1596,8 @@ public void setup()
                         Optional.of(SECOND_CATALOG),
                         Optional.of("s2"),
                         ImmutableList.of(new ViewColumn("a", BIGINT)),
-                        Optional.of("owner")));
+                        Optional.of("owner"),
+                        false));
         inSetupTransaction(session -> metadata.createView(session, new QualifiedObjectName(THIRD_CATALOG, "s3", "v3"), viewData3, false));
 
         // valid view with uppercase column name
@@ -1604,7 +1607,8 @@ public void setup()
                         Optional.of("tpch"),
                         Optional.of("s1"),
                         ImmutableList.of(new ViewColumn("a", BIGINT)),
-                        Optional.of("user")));
+                        Optional.of("user"),
+                        false));
         inSetupTransaction(session -> metadata.createView(session, new QualifiedObjectName("tpch", "s1", "v4"), viewData4, false));
 
         // recursive view referencing to itself
@@ -1614,7 +1618,8 @@ public void setup()
                         Optional.of(TPCH_CATALOG),
                         Optional.of("s1"),
                         ImmutableList.of(new ViewColumn("a", BIGINT)),
-                        Optional.of("user")));
+                        Optional.of("user"),
+                        false));
         inSetupTransaction(session -> metadata.createView(session, new QualifiedObjectName(TPCH_CATALOG, "s1", "v5"), viewData5, false));
     }
 

@@ -56,7 +56,8 @@ statement
         DROP COLUMN column=qualifiedName                               #dropColumn
     | ALTER TABLE tableName=qualifiedName
         ADD COLUMN column=columnDefinition                             #addColumn
-    | CREATE (OR REPLACE)? VIEW qualifiedName AS query                 #createView
+    | CREATE (OR REPLACE)? VIEW qualifiedName
+        (SECURITY (DEFINER | INVOKER))? AS query                       #createView
     | DROP VIEW (IF EXISTS)? qualifiedName                             #dropView
     | CALL qualifiedName '(' (callArgument (',' callArgument)*)? ')'   #call
     | GRANT
@@ -455,20 +456,20 @@ nonReserved
     : ADD | ALL | ANALYZE | ANY | ARRAY | ASC | AT
     | BERNOULLI
     | CALL | CASCADE | CATALOGS | COLUMN | COLUMNS | COMMENT | COMMIT | COMMITTED | CURRENT
-    | DATA | DATE | DAY | DESC | DISTRIBUTED
+    | DATA | DATE | DAY | DEFINER | DESC | DISTRIBUTED
     | EXCLUDING | EXPLAIN
     | FILTER | FIRST | FOLLOWING | FORMAT | FUNCTIONS
     | GRANT | GRANTS | GRAPHVIZ
     | HOUR
-    | IF | INCLUDING | INPUT | INTERVAL | IO | ISOLATION
+    | IF | INCLUDING | INPUT | INTERVAL | INVOKER | IO | ISOLATION
     | JSON
     | LAST | LATERAL | LEVEL | LIMIT | LOGICAL
     | MAP | MINUTE | MONTH
     | NFC | NFD | NFKC | NFKD | NO | NULLIF | NULLS
     | ONLY | OPTION | ORDINALITY | OUTPUT | OVER
     | PARTITION | PARTITIONS | PATH | POSITION | PRECEDING | PRIVILEGES | PROPERTIES | PUBLIC
     | RANGE | READ | RENAME | REPEATABLE | REPLACE | RESET | RESTRICT | REVOKE | ROLLBACK | ROW | ROWS
-    | SCHEMA | SCHEMAS | SECOND | SERIALIZABLE | SESSION | SET | SETS
+    | SCHEMA | SCHEMAS | SECOND | SECURITY | SERIALIZABLE | SESSION | SET | SETS
     | SHOW | SOME | START | STATS | SUBSTRING | SYSTEM
     | TABLES | TABLESAMPLE | TEXT | TIME | TIMESTAMP | TO | TRANSACTION | TRY_CAST | TYPE
     | UNBOUNDED | UNCOMMITTED | USE
@@ -515,6 +516,7 @@ DATA: 'DATA';
 DATE: 'DATE';
 DAY: 'DAY';
 DEALLOCATE: 'DEALLOCATE';
+DEFINER: 'DEFINER';
 DELETE: 'DELETE';
 DESC: 'DESC';
 DESCRIBE: 'DESCRIBE';
@@ -555,6 +557,7 @@ INSERT: 'INSERT';
 INTERSECT: 'INTERSECT';
 INTERVAL: 'INTERVAL';
 INTO: 'INTO';
+INVOKER: 'INVOKER';
 IO: 'IO';
 IS: 'IS';
 ISOLATION: 'ISOLATION';
@@ -618,6 +621,7 @@ ROWS: 'ROWS';
 SCHEMA: 'SCHEMA';
 SCHEMAS: 'SCHEMAS';
 SECOND: 'SECOND';
+SECURITY: 'SECURITY';
 SELECT: 'SELECT';
 SERIALIZABLE: 'SERIALIZABLE';
 SESSION: 'SESSION';

@@ -531,8 +531,14 @@ protected Void visitCreateView(CreateView node, Integer indent)
                 builder.append("OR REPLACE ");
             }
             builder.append("VIEW ")
-                    .append(formatName(node.getName()))
-                    .append(" AS\n");
+                    .append(formatName(node.getName()));
+
+            node.getSecurity().ifPresent(security ->
+                    builder.append(" SECURITY ")
+                            .append(security.toString())
+                            .append(" "));
+
+            builder.append(" AS\n");
 
             process(node.getQuery(), indent);
 

@@ -369,11 +369,20 @@ public Node visitDropColumn(SqlBaseParser.DropColumnContext context)
     @Override
     public Node visitCreateView(SqlBaseParser.CreateViewContext context)
     {
+        Optional<CreateView.Security> security = Optional.empty();
+        if (context.DEFINER() != null) {
+            security = Optional.of(CreateView.Security.DEFINER);
+        }
+        else if (context.INVOKER() != null) {
+            security = Optional.of(CreateView.Security.INVOKER);
+        }
+
         return new CreateView(
                 getLocation(context),
                 getQualifiedName(context.qualifiedName()),
                 (Query) visit(context.query()),
-                context.REPLACE() != null);
+                context.REPLACE() != null,
+                security);
     }
 
     @Override

@@ -25,26 +25,33 @@
 public class CreateView
         extends Statement
 {
+    public enum Security
+    {
+        INVOKER, DEFINER
+    }
+
     private final QualifiedName name;
     private final Query query;
     private final boolean replace;
+    private final Optional<Security> security;
 
-    public CreateView(QualifiedName name, Query query, boolean replace)
+    public CreateView(QualifiedName name, Query query, boolean replace, Optional<Security> security)
     {
-        this(Optional.empty(), name, query, replace);
+        this(Optional.empty(), name, query, replace, security);
     }
 
-    public CreateView(NodeLocation location, QualifiedName name, Query query, boolean replace)
+    public CreateView(NodeLocation location, QualifiedName name, Query query, boolean replace, Optional<Security> security)
     {
-        this(Optional.of(location), name, query, replace);
+        this(Optional.of(location), name, query, replace, security);
     }
 
-    private CreateView(Optional<NodeLocation> location, QualifiedName name, Query query, boolean replace)
+    private CreateView(Optional<NodeLocation> location, QualifiedName name, Query query, boolean replace, Optional<Security> security)
     {
         super(location);
         this.name = requireNonNull(name, "name is null");
         this.query = requireNonNull(query, "query is null");
         this.replace = replace;
+        this.security = requireNonNull(security, "security is null");
     }
 
     public QualifiedName getName()
@@ -62,6 +69,11 @@ public boolean isReplace()
         return replace;
     }
 
+    public Optional<Security> getSecurity()
+    {
+        return security;
+    }
+
     @Override
     public <R, C> R accept(AstVisitor<R, C> visitor, C context)
     {
@@ -77,7 +89,7 @@ public List<Node> getChildren()
     @Override
     public int hashCode()
     {
-        return Objects.hash(name, query, replace);
+        return Objects.hash(name, query, replace, security);
     }
 
     @Override
@@ -92,7 +104,8 @@ public boolean equals(Object obj)
         CreateView o = (CreateView) obj;
         return Objects.equals(name, o.name)
                 && Objects.equals(query, o.query)
-                && Objects.equals(replace, o.replace);
+                && Objects.equals(replace, o.replace)
+                && Objects.equals(security, o.security);
     }
 
     @Override
@@ -102,6 +115,7 @@ public String toString()
                 .add("name", name)
                 .add("query", query)
                 .add("replace", replace)
+                .add("security", security)
                 .toString();
     }
 }
@@ -1347,12 +1347,15 @@ public void testCreateView()
     {
         Query query = simpleQuery(selectList(new AllColumns()), table(QualifiedName.of("t")));
 
-        assertStatement("CREATE VIEW a AS SELECT * FROM t", new CreateView(QualifiedName.of("a"), query, false));
-        assertStatement("CREATE OR REPLACE VIEW a AS SELECT * FROM t", new CreateView(QualifiedName.of("a"), query, true));
+        assertStatement("CREATE VIEW a AS SELECT * FROM t", new CreateView(QualifiedName.of("a"), query, false, Optional.empty()));
+        assertStatement("CREATE OR REPLACE VIEW a AS SELECT * FROM t", new CreateView(QualifiedName.of("a"), query, true, Optional.empty()));
 
-        assertStatement("CREATE VIEW bar.foo AS SELECT * FROM t", new CreateView(QualifiedName.of("bar", "foo"), query, false));
-        assertStatement("CREATE VIEW \"awesome view\" AS SELECT * FROM t", new CreateView(QualifiedName.of("awesome view"), query, false));
-        assertStatement("CREATE VIEW \"awesome schema\".\"awesome view\" AS SELECT * FROM t", new CreateView(QualifiedName.of("awesome schema", "awesome view"), query, false));
+        assertStatement("CREATE VIEW a SECURITY DEFINER AS SELECT * FROM t", new CreateView(QualifiedName.of("a"), query, false, Optional.of(CreateView.Security.DEFINER)));
+        assertStatement("CREATE VIEW a SECURITY INVOKER AS SELECT * FROM t", new CreateView(QualifiedName.of("a"), query, false, Optional.of(CreateView.Security.INVOKER)));
+
+        assertStatement("CREATE VIEW bar.foo AS SELECT * FROM t", new CreateView(QualifiedName.of("bar", "foo"), query, false, Optional.empty()));
+        assertStatement("CREATE VIEW \"awesome view\" AS SELECT * FROM t", new CreateView(QualifiedName.of("awesome view"), query, false, Optional.empty()));
+        assertStatement("CREATE VIEW \"awesome schema\".\"awesome view\" AS SELECT * FROM t", new CreateView(QualifiedName.of("awesome schema", "awesome view"), query, false, Optional.empty()));
     }
 
     @Test