Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,7 @@
public class TestRangerBasedAccessControl
{
public static final ConnectorTransactionHandle TRANSACTION_HANDLE = new ConnectorTransactionHandle() {};
public static final AccessControlContext CONTEXT = new AccessControlContext(new QueryId("query_id"), Optional.empty(), Collections.emptySet(), Optional.empty(), WarningCollector.NOOP, new RuntimeStats(), Optional.empty());
public static final AccessControlContext CONTEXT = new AccessControlContext(new QueryId("query_id"), Optional.empty(), Collections.emptySet(), Optional.empty(), WarningCollector.NOOP, new RuntimeStats(), Optional.empty(), Optional.empty(), Optional.empty());

@Test
public void testTablePriviledgesRolesNotAllowed()
Original file line number Diff line number Diff line change
Expand Up @@ -176,7 +176,7 @@ public Session(
this.warningCollector = requireNonNull(warningCollector, "warningCollector is null");
this.runtimeStats = requireNonNull(runtimeStats, "runtimeStats is null");
this.queryType = requireNonNull(queryType, "queryType is null");
this.context = new AccessControlContext(queryId, clientInfo, clientTags, source, warningCollector, runtimeStats, queryType);
this.context = new AccessControlContext(queryId, clientInfo, clientTags, source, warningCollector, runtimeStats, queryType, catalog, schema);
}

public QueryId getQueryId()
Original file line number Diff line number Diff line change
Expand Up @@ -32,11 +32,13 @@
import com.facebook.presto.server.SessionSupplier;
import com.facebook.presto.spi.PrestoException;
import com.facebook.presto.spi.QueryId;
import com.facebook.presto.spi.WarningCollector;
import com.facebook.presto.spi.analyzer.AnalyzerOptions;
import com.facebook.presto.spi.analyzer.QueryPreparerProvider;
import com.facebook.presto.spi.resourceGroups.SelectionContext;
import com.facebook.presto.spi.resourceGroups.SelectionCriteria;
import com.facebook.presto.spi.security.AccessControl;
import com.facebook.presto.spi.security.AccessControlContext;
import com.facebook.presto.sql.analyzer.QueryPreparerProviderManager;
import com.facebook.presto.transaction.TransactionManager;
import com.google.common.util.concurrent.AbstractFuture;
Expand Down Expand Up @@ -271,6 +273,19 @@ private <C> void createQueryInternal(QueryId queryId, String slug, int retryCoun

// decode session
sessionBuilder = sessionSupplier.createSessionBuilder(queryId, sessionContext, warningCollectorFactory);

AccessControlContext accessControlContext = new AccessControlContext(
queryId,
Optional.ofNullable(sessionContext.getClientInfo()),
sessionContext.getClientTags(),
Optional.ofNullable(sessionContext.getSource()),
WarningCollector.NOOP,
sessionContext.getRuntimeStats(),
Optional.empty(),
Optional.ofNullable(sessionContext.getCatalog()),
Optional.ofNullable(sessionContext.getSchema()));

accessControl.checkQueryIntegrity(sessionContext.getIdentity(), accessControlContext, query);
session = sessionBuilder.build();

// prepare query
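Review bot: The AccessControlContext assembled for checkQueryIntegrity is built from raw sessionContext values before sessionBuilder.build() runs, so getCatalog()/getSchema() here appear to carry whatever catalog and schema the client asked for in the request rather than anything the finished Session has processed; a plugin that authorizes on these fields should treat them as client-supplied, and the construction deserves a comment saying so, e.g. `// catalog/schema are the client-requested session defaults, taken before the session is built`. The same block hard-codes WarningCollector.NOOP and an empty queryType even though warningCollectorFactory is in scope on the createSessionBuilder line just above, so any warning a plugin raises during the integrity check is dropped — if that is intended, a short comment should say why. The identical nine-argument construction is repeated in checkPermissions and getAuthorizedIdentity in the next file; one helper taking the SessionContext and returning the context would keep the three sites from drifting as more fields are added. createQueryInternal starts before this hunk.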
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,9 @@ public static void checkPermissions(AccessControl accessControl, SecurityConfig
Optional.ofNullable(sessionContext.getSource()),
WarningCollector.NOOP,
sessionContext.getRuntimeStats(),
Optional.empty()),
Optional.empty(),
Optional.ofNullable(sessionContext.getCatalog()),
Optional.ofNullable(sessionContext.getSchema())),
identity.getPrincipal(),
identity.getUser());
}
Expand All @@ -73,7 +75,9 @@ public static Optional<AuthorizedIdentity> getAuthorizedIdentity(AccessControl a
Optional.ofNullable(sessionContext.getSource()),
WarningCollector.NOOP,
sessionContext.getRuntimeStats(),
Optional.empty()),
Optional.empty(),
Optional.ofNullable(sessionContext.getCatalog()),
Optional.ofNullable(sessionContext.getSchema())),
identity.getUser(),
sessionContext.getCertificates());
return Optional.of(authorizedIdentity);
Original file line number Diff line number Diff line change
Expand Up @@ -82,7 +82,7 @@ public void testInitializing()
AccessControlManager accessControlManager = new AccessControlManager(createTestTransactionManager());
accessControlManager.checkCanSetUser(
new Identity(USER_NAME, Optional.of(PRINCIPAL)),
new AccessControlContext(new QueryId(QUERY_ID), Optional.empty(), Collections.emptySet(), Optional.empty(), WarningCollector.NOOP, new RuntimeStats(), Optional.empty()),
new AccessControlContext(new QueryId(QUERY_ID), Optional.empty(), Collections.emptySet(), Optional.empty(), WarningCollector.NOOP, new RuntimeStats(), Optional.empty(), Optional.empty(), Optional.empty()),
Optional.empty(),
"foo");
}
Expand All @@ -94,7 +94,7 @@ public void testNoneSystemAccessControl()
accessControlManager.setSystemAccessControl(AllowAllSystemAccessControl.NAME, ImmutableMap.of());
accessControlManager.checkCanSetUser(
new Identity(USER_NAME, Optional.of(PRINCIPAL)),
new AccessControlContext(new QueryId(QUERY_ID), Optional.empty(), Collections.emptySet(), Optional.empty(), WarningCollector.NOOP, new RuntimeStats(), Optional.empty()),
new AccessControlContext(new QueryId(QUERY_ID), Optional.empty(), Collections.emptySet(), Optional.empty(), WarningCollector.NOOP, new RuntimeStats(), Optional.empty(), Optional.empty(), Optional.empty()),
Optional.empty(),
USER_NAME);
}
Expand All @@ -106,7 +106,7 @@ public void testReadOnlySystemAccessControl()
QualifiedObjectName tableName = new QualifiedObjectName("catalog", "schema", "table");
TransactionManager transactionManager = createTestTransactionManager();
AccessControlManager accessControlManager = new AccessControlManager(transactionManager);
AccessControlContext context = new AccessControlContext(new QueryId(QUERY_ID), Optional.empty(), Collections.emptySet(), Optional.empty(), WarningCollector.NOOP, new RuntimeStats(), Optional.empty());
AccessControlContext context = new AccessControlContext(new QueryId(QUERY_ID), Optional.empty(), Collections.emptySet(), Optional.empty(), WarningCollector.NOOP, new RuntimeStats(), Optional.empty(), Optional.empty(), Optional.empty());

accessControlManager.setSystemAccessControl(ReadOnlySystemAccessControl.NAME, ImmutableMap.of());
accessControlManager.checkCanSetUser(identity, context, Optional.of(PRINCIPAL), USER_NAME);
Expand Down Expand Up @@ -149,7 +149,7 @@ public void testSetAccessControl()

accessControlManager.checkCanSetUser(
new Identity(USER_NAME, Optional.of(PRINCIPAL)),
new AccessControlContext(new QueryId(QUERY_ID), Optional.empty(), Collections.emptySet(), Optional.empty(), WarningCollector.NOOP, new RuntimeStats(), Optional.empty()),
new AccessControlContext(new QueryId(QUERY_ID), Optional.empty(), Collections.emptySet(), Optional.empty(), WarningCollector.NOOP, new RuntimeStats(), Optional.empty(), Optional.empty(), Optional.empty()),
Optional.of(PRINCIPAL),
USER_NAME);
assertEquals(accessControlFactory.getCheckedUserName(), USER_NAME);
Expand All @@ -160,7 +160,7 @@ public void testSetAccessControl()
public void testCheckQueryIntegrity()
{
AccessControlManager accessControlManager = new AccessControlManager(createTestTransactionManager());
AccessControlContext context = new AccessControlContext(new QueryId(QUERY_ID), Optional.empty(), Collections.emptySet(), Optional.empty(), WarningCollector.NOOP, new RuntimeStats(), Optional.empty());
AccessControlContext context = new AccessControlContext(new QueryId(QUERY_ID), Optional.empty(), Collections.emptySet(), Optional.empty(), WarningCollector.NOOP, new RuntimeStats(), Optional.empty(), Optional.empty(), Optional.empty());

TestSystemAccessControlFactory accessControlFactory = new TestSystemAccessControlFactory("test");
accessControlManager.addSystemAccessControlFactory(accessControlFactory);
Expand Down Expand Up @@ -210,7 +210,7 @@ public void testNoCatalogAccessControl()
transaction(transactionManager, accessControlManager)
.execute(transactionId -> {
accessControlManager.checkCanSelectFromColumns(transactionId, new Identity(USER_NAME, Optional.of(PRINCIPAL)),
new AccessControlContext(new QueryId(QUERY_ID), Optional.empty(), Collections.emptySet(), Optional.empty(), WarningCollector.NOOP, new RuntimeStats(), Optional.empty()),
new AccessControlContext(new QueryId(QUERY_ID), Optional.empty(), Collections.emptySet(), Optional.empty(), WarningCollector.NOOP, new RuntimeStats(), Optional.empty(), Optional.empty(), Optional.empty()),
new QualifiedObjectName("catalog", "schema", "table"), ImmutableSet.of(new Subfield("column")));
});
}
Expand All @@ -232,7 +232,7 @@ public void testDenyCatalogAccessControl()
transaction(transactionManager, accessControlManager)
.execute(transactionId -> {
accessControlManager.checkCanSelectFromColumns(transactionId, new Identity(USER_NAME, Optional.of(PRINCIPAL)),
new AccessControlContext(new QueryId(QUERY_ID), Optional.empty(), Collections.emptySet(), Optional.empty(), WarningCollector.NOOP, new RuntimeStats(), Optional.empty()),
new AccessControlContext(new QueryId(QUERY_ID), Optional.empty(), Collections.emptySet(), Optional.empty(), WarningCollector.NOOP, new RuntimeStats(), Optional.empty(), Optional.empty(), Optional.empty()),
new QualifiedObjectName("catalog", "schema", "table"), ImmutableSet.of(new Subfield("column")));
});
}
Expand All @@ -254,7 +254,7 @@ public void testDenySystemAccessControl()
transaction(transactionManager, accessControlManager)
.execute(transactionId -> {
accessControlManager.checkCanSelectFromColumns(transactionId, new Identity(USER_NAME, Optional.of(PRINCIPAL)),
new AccessControlContext(new QueryId(QUERY_ID), Optional.empty(), Collections.emptySet(), Optional.empty(), WarningCollector.NOOP, new RuntimeStats(), Optional.empty()),
new AccessControlContext(new QueryId(QUERY_ID), Optional.empty(), Collections.emptySet(), Optional.empty(), WarningCollector.NOOP, new RuntimeStats(), Optional.empty(), Optional.empty(), Optional.empty()),
new QualifiedObjectName("secured_catalog", "schema", "table"), ImmutableSet.of(new Subfield("column")));
});
}
Original file line number Diff line number Diff line change
Expand Up @@ -70,7 +70,7 @@ public class TestFileBasedSystemAccessControl
private static final QualifiedObjectName aliceTable = new QualifiedObjectName("alice-catalog", "schema", "table");
private static final QualifiedObjectName aliceView = new QualifiedObjectName("alice-catalog", "schema", "view");
private static final CatalogSchemaName aliceSchema = new CatalogSchemaName("alice-catalog", "schema");
private static final AccessControlContext context = new AccessControlContext(new QueryId("query_id"), Optional.empty(), Collections.emptySet(), Optional.empty(), WarningCollector.NOOP, new RuntimeStats(), Optional.empty());
private static final AccessControlContext context = new AccessControlContext(new QueryId("query_id"), Optional.empty(), Collections.emptySet(), Optional.empty(), WarningCollector.NOOP, new RuntimeStats(), Optional.empty(), Optional.empty(), Optional.empty());
@Test
public void testCanSetUserOperations() throws IOException
{
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,7 @@
public class TestFileBasedAccessControl
{
public static final ConnectorTransactionHandle TRANSACTION_HANDLE = new ConnectorTransactionHandle() {};
public static final AccessControlContext CONTEXT = new AccessControlContext(new QueryId("query_id"), Optional.empty(), Collections.emptySet(), Optional.empty(), WarningCollector.NOOP, new RuntimeStats(), Optional.empty());
public static final AccessControlContext CONTEXT = new AccessControlContext(new QueryId("query_id"), Optional.empty(), Collections.emptySet(), Optional.empty(), WarningCollector.NOOP, new RuntimeStats(), Optional.empty(), Optional.empty(), Optional.empty());

@Test
public void testSchemaRules()
Original file line number Diff line number Diff line change
Expand Up @@ -32,8 +32,19 @@ public class AccessControlContext
private final WarningCollector warningCollector;
private final RuntimeStats runtimeStats;
private final Optional<QueryType> queryType;
private final Optional<String> catalog;
private final Optional<String> schema;

public AccessControlContext(QueryId queryId, Optional<String> clientInfo, Set<String> clientTags, Optional<String> source, WarningCollector warningCollector, RuntimeStats runtimeStats, Optional<QueryType> queryType)
public AccessControlContext(
QueryId queryId,
Optional<String> clientInfo,
Set<String> clientTags,
Optional<String> source,
WarningCollector warningCollector,
RuntimeStats runtimeStats,
Optional<QueryType> queryType,
Optional<String> catalog,
Optional<String> schema)
{
this.queryId = requireNonNull(queryId, "queryId is null");
this.clientInfo = requireNonNull(clientInfo, "clientInfo is null");
Expand All @@ -42,6 +53,8 @@ public AccessControlContext(QueryId queryId, Optional<String> clientInfo, Set<St
this.warningCollector = requireNonNull(warningCollector, "warningCollector is null");
this.runtimeStats = requireNonNull(runtimeStats, "runtimeStats is null");
this.queryType = requireNonNull(queryType, "queryType is null");
this.catalog = requireNonNull(catalog, "catalog is null");
this.schema = requireNonNull(schema, "schema is null");
}

public QueryId getQueryId()
Expand Down Expand Up @@ -78,4 +91,14 @@ public Optional<QueryType> getQueryType()
{
return queryType;
}

public Optional<String> getCatalog()
{
return catalog;
}

public Optional<String> getSchema()
{
return schema;
}
}
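Review bot: getCatalog() and getSchema() are added without Javadoc, and their meaning is easy to misread: from the call sites in this change they appear to hold the session's default catalog and schema, not the catalog or schema of the object a check is being made against, so a plugin that authorizes on them as if they named the target object would decide against the wrong name. Suggest `/** Default catalog of the session, if one was set; this is session state, not the catalog of the object being checked. */` on getCatalog() and the matching sentence on getSchema(). The constructor has grown to nine positional parameters, six of them Optional, which is why the three adjacent `Optional.empty()` arguments in the test fixtures elsewhere in this change are hard to tell apart; a builder or a static factory with named defaults would be safer for the next addition. The class's opening lines are outside the hunk.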
Original file line number Diff line number Diff line change
Expand Up @@ -220,6 +220,8 @@ public void testQueryCpuLimit()
BasicQueryInfo queryInfo = queryManager.getQueryInfo(queryId);
assertEquals(queryInfo.getState(), FAILED);
assertEquals(queryInfo.getErrorCode(), EXCEEDED_CPU_LIMIT.toErrorCode());
assertEquals(queryManager.getQuerySession(queryId).getAccessControlContext().getSchema(), TEST_SESSION.getSchema());
assertEquals(queryManager.getQuerySession(queryId).getAccessControlContext().getCatalog(), TEST_SESSION.getCatalog());
}
}

Expand All @@ -234,6 +236,8 @@ public void testQueryScanExceeded()
BasicQueryInfo queryInfo = queryManager.getQueryInfo(queryId);
assertEquals(queryInfo.getState(), FAILED);
assertEquals(queryInfo.getErrorCode(), EXCEEDED_SCAN_RAW_BYTES_READ_LIMIT.toErrorCode());
assertEquals(queryManager.getQuerySession(queryId).getAccessControlContext().getSchema(), TEST_SESSION.getSchema());
assertEquals(queryManager.getQuerySession(queryId).getAccessControlContext().getCatalog(), TEST_SESSION.getCatalog());
}
}

Expand All @@ -248,6 +252,8 @@ public void testQueryOutputPositionsExceeded()
BasicQueryInfo queryInfo = queryManager.getQueryInfo(queryId);
assertEquals(queryInfo.getState(), FAILED);
assertEquals(queryInfo.getErrorCode(), EXCEEDED_OUTPUT_POSITIONS_LIMIT.toErrorCode());
assertEquals(queryManager.getQuerySession(queryId).getAccessControlContext().getSchema(), TEST_SESSION.getSchema());
assertEquals(queryManager.getQuerySession(queryId).getAccessControlContext().getCatalog(), TEST_SESSION.getCatalog());
}
}

Expand All @@ -262,6 +268,8 @@ public void testQueryOutputSizeExceeded()
BasicQueryInfo queryInfo = queryManager.getQueryInfo(queryId);
assertEquals(queryInfo.getState(), FAILED);
assertEquals(queryInfo.getErrorCode(), EXCEEDED_OUTPUT_SIZE_LIMIT.toErrorCode());
assertEquals(queryManager.getQuerySession(queryId).getAccessControlContext().getSchema(), TEST_SESSION.getSchema());
assertEquals(queryManager.getQuerySession(queryId).getAccessControlContext().getCatalog(), TEST_SESSION.getCatalog());
}
}

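Review bot: The two assertEquals lines comparing the query session's AccessControlContext against TEST_SESSION are pasted verbatim into four unrelated resource-limit tests (testQueryCpuLimit, testQueryScanExceeded, testQueryOutputPositionsExceeded, testQueryOutputSizeExceeded) instead of a test of their own, so a regression in catalog/schema propagation would surface as four limit-test failures with misleading names. Consider one focused test, or a private helper `assertAccessControlContextMatchesSession(queryManager, queryId)` called from each; within each pair queryManager.getQuerySession(queryId) is also called twice where a local would do. These assertions cover only the context built by Session, not the separate one QueryManager constructs for checkQueryIntegrity. Each test method starts before its hunk.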