Adding schema access rules to file based system access control

[agrawalreetika]

Currently, file-based system access control allows defining catalog level rule. As a part of these changes, schema access rules can be included with file-based system access control for the below operations -

• checkCanCreateSchema : If the user has access to the catalog and is also schema owner, then access is provided.
• checkCanDropSchema : If the user has access to the catalog and is also schema owner, then access is provided.
• checkCanRenameSchema : If the user has access to the catalog and is also schema owner, then access is provided.

== RELEASE NOTES ==

Security Changes

- Add ability to set schema access rules in file-based system access control

[aweisberg]

Can you link to the PR? It's a better source of context then the commit trinodb/trino#3766 Also the linked commit is not actually on Trino master.

[aweisberg]

Thanks!

Some simplification we can take from Trino and the tests seem to be a bit different and incomplete compared to what Trino is currently doing.

[aweisberg]

If you ignore the linked diff and look at just how Trino is operating today they dropped the canAccessCatalog check here and pushed it into isSchemaOwner() which is simpler.

trinodb/trino#5039

[agrawalreetika]

Sure sounds good. I will place a catalog access check with the isSchemaOwner() method itself.

[aweisberg]

Same as above

[agrawalreetika]

Noted

[aweisberg]

And here.

[agrawalreetika]

Noted

[aweisberg]

Where the simplified catalog check goes https://github.com/trinodb/trino/blob/6f5553f9f1f8638cd6e47278c35844dc0245fd3e/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedSystemAccessControl.java#L869

[agrawalreetika]

Noted

[aweisberg]

We seem to deviate a lot on the tests? Are there "extra" tests that we don't need to cover? Can we do a better job of synchronizing?

[agrawalreetika]

@aweisberg I have tried covering all positive and negative tests for all the 3 schema operations. If you think something is missing here, I can add more tests to this.

[aweisberg]

I can see why we deviated in several ways like not supporting groups and thus not needing to test groups.

If you fix the assertThrows I think it will be fine.

[agrawalreetika]

@aweisberg I have made the required changes.

[aweisberg]

Why does one assertThrows have a bunch of different things in it? It will stop executing after the first one fails?

[agrawalreetika]

Made the changes.

[aweisberg]

There are three cases now where there were five previously? It looks like it isn't validating whether the catalog can be accessed since coverage shows no cases where it is denied because the user can't access the catalog.

[agrawalreetika]

Yes look like those got removed while making other changes in test, added them back.

[aweisberg]

It's still not testing the catalog ownership check. You can see because if you step through in the debugger it will never stop at return false in the test cases for schema. It does happen to do it in the read only catalog case, but I don't want to depend on testing unrelated functionality to cover it.

Sorry I know I am being picky here.

[agrawalreetika]

@aweisberg I had added tests for catalog ownership check via read-only catalog access as you mentioned. In all the other cases AccessManager would redirect checks for Accesscatalog to checkCanAccessCatalog. Please review and let me know if any other changes are required.

[aweisberg]

@arhimondr @rschlussel This is ready for review/merge.