diff --git a/core/trino-main/src/main/java/io/trino/security/AccessControlManager.java b/core/trino-main/src/main/java/io/trino/security/AccessControlManager.java index ff3154307b85..8b05b5da61c4 100644 --- a/core/trino-main/src/main/java/io/trino/security/AccessControlManager.java +++ b/core/trino-main/src/main/java/io/trino/security/AccessControlManager.java @@ -139,7 +139,7 @@ public void loadSystemAccessControl() List configFiles = this.configFiles; if (configFiles.isEmpty()) { if (!CONFIG_FILE.exists()) { - setSystemAccessControl(defaultAccessControlName, ImmutableMap.of()); + loadSystemAccessControl(defaultAccessControlName, ImmutableMap.of()); log.info("Using system access control: %s", defaultAccessControlName); return; } @@ -187,7 +187,7 @@ private SystemAccessControl createSystemAccessControl(File configFile) } @VisibleForTesting - protected void setSystemAccessControl(String name, Map properties) + public void loadSystemAccessControl(String name, Map properties) { requireNonNull(name, "name is null"); requireNonNull(properties, "properties is null"); @@ -200,6 +200,9 @@ protected void setSystemAccessControl(String name, Map propertie systemAccessControl = factory.create(ImmutableMap.copyOf(properties)); } + systemAccessControl.getEventListeners() + .forEach(eventListenerManager::addEventListener); + setSystemAccessControls(ImmutableList.of(systemAccessControl)); } diff --git a/core/trino-main/src/main/java/io/trino/testing/TestingAccessControlManager.java b/core/trino-main/src/main/java/io/trino/testing/TestingAccessControlManager.java index 73ddb30b7801..8d928c0a7654 100644 --- a/core/trino-main/src/main/java/io/trino/testing/TestingAccessControlManager.java +++ b/core/trino-main/src/main/java/io/trino/testing/TestingAccessControlManager.java 
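Review bot: In the `@@ -187` hunk of AccessControlManager.java, `loadSystemAccessControl(String, Map)` becomes `public` but keeps `@VisibleForTesting`, although the `@@ -139` hunk shows the same method is called from the non-test `loadSystemAccessControl()` path, so the annotation no longer describes how it is used. The method ends in `setSystemAccessControls(ImmutableList.of(systemAccessControl))`, meaning it replaces the active system access control. Widening it from `protected` to `public` lets any code that holds an `AccessControlManager` reference swap the policy after startup. If that is not intended, keep the narrowest visibility the callers need, or drop the annotation and state the contract in a Javadoc such as `/** Replaces the active system access control; call once during startup or from tests. */`. The method body starts and ends outside this hunk.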
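Review bot: In the `@@ -200` hunk, the added `systemAccessControl.getEventListeners().forEach(eventListenerManager::addEventListener)` only ever adds listeners, and nothing visible removes those of a previously loaded access control. A second call to the now-public `loadSystemAccessControl(name, properties)` would therefore appear to leave the earlier listeners registered, so a replaced access control could keep receiving events, or the same listener could be delivered twice. Whether `addEventListener` de-duplicates is not visible here. The registration also runs before `setSystemAccessControls(...)`, so a failure in that call would leave listeners attached for an access control that was never installed; moving the two added lines after `setSystemAccessControls(ImmutableList.of(systemAccessControl));` avoids that. If a single load is the intended contract, a comment such as `// listeners are never unregistered: load at most once per manager` would make it explicit.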
@@ -144,11 +144,6 @@ public TestingAccessControlManager(TransactionManager transactionManager, EventL this(transactionManager, eventListenerManager, new AccessControlConfig()); } - public void loadSystemAccessControl(String name, Map properties) - { - setSystemAccessControl(name, properties); - } - public static TestingPrivilege privilege(String entityName, TestingPrivilegeType type) { return new TestingPrivilege(Optional.empty(), entityName, type); diff --git a/core/trino-main/src/test/java/io/trino/security/TestAccessControlManager.java b/core/trino-main/src/test/java/io/trino/security/TestAccessControlManager.java index 41d77d45b0e5..3dcaf06348ba 100644 --- a/core/trino-main/src/test/java/io/trino/security/TestAccessControlManager.java +++ b/core/trino-main/src/test/java/io/trino/security/TestAccessControlManager.java @@ -90,7 +90,7 @@ public void testInitializing() public void testNoneSystemAccessControl() { AccessControlManager accessControlManager = createAccessControlManager(createTestTransactionManager()); - accessControlManager.setSystemAccessControl(AllowAllSystemAccessControl.NAME, ImmutableMap.of()); + accessControlManager.loadSystemAccessControl(AllowAllSystemAccessControl.NAME, ImmutableMap.of()); accessControlManager.checkCanSetUser(Optional.empty(), USER_NAME); } @@ -102,7 +102,7 @@ public void testReadOnlySystemAccessControl() TransactionManager transactionManager = createTestTransactionManager(); AccessControlManager accessControlManager = createAccessControlManager(transactionManager); - accessControlManager.setSystemAccessControl(ReadOnlySystemAccessControl.NAME, ImmutableMap.of()); + accessControlManager.loadSystemAccessControl(ReadOnlySystemAccessControl.NAME, ImmutableMap.of()); accessControlManager.checkCanSetUser(Optional.of(PRINCIPAL), USER_NAME); accessControlManager.checkCanSetSystemSessionProperty(identity, "property"); 
@@ -139,7 +139,7 @@ public void testSetAccessControl() TestSystemAccessControlFactory accessControlFactory = new TestSystemAccessControlFactory("test"); accessControlManager.addSystemAccessControlFactory(accessControlFactory); - accessControlManager.setSystemAccessControl("test", ImmutableMap.of()); + accessControlManager.loadSystemAccessControl("test", ImmutableMap.of()); accessControlManager.checkCanSetUser(Optional.of(PRINCIPAL), USER_NAME); assertEquals(accessControlFactory.getCheckedUserName(), USER_NAME); @@ -154,7 +154,7 @@ public void testNoCatalogAccessControl() TestSystemAccessControlFactory accessControlFactory = new TestSystemAccessControlFactory("test"); accessControlManager.addSystemAccessControlFactory(accessControlFactory); - accessControlManager.setSystemAccessControl("test", ImmutableMap.of()); + accessControlManager.loadSystemAccessControl("test", ImmutableMap.of()); transaction(transactionManager, accessControlManager) .execute(transactionId -> { @@ -171,7 +171,7 @@ public void testDenyCatalogAccessControl() TestSystemAccessControlFactory accessControlFactory = new TestSystemAccessControlFactory("test"); accessControlManager.addSystemAccessControlFactory(accessControlFactory); - accessControlManager.setSystemAccessControl("test", ImmutableMap.of()); + accessControlManager.loadSystemAccessControl("test", ImmutableMap.of()); queryRunner.createCatalog("catalog", MockConnectorFactory.create(), ImmutableMap.of()); accessControlManager.addCatalogAccessControl(new CatalogName("catalog"), new DenyConnectorAccessControl()); 
@@ -218,7 +218,7 @@ public void checkCanSetSystemSessionProperty(SystemSecurityContext context, Stri }; } }); - accessControlManager.setSystemAccessControl("test", ImmutableMap.of()); + accessControlManager.loadSystemAccessControl("test", ImmutableMap.of()); queryRunner.createCatalog("catalog", MockConnectorFactory.create(), ImmutableMap.of()); accessControlManager.addCatalogAccessControl(new CatalogName("catalog"), new ConnectorAccessControl() @@ -263,7 +263,7 @@ public void testDenySystemAccessControl() TestSystemAccessControlFactory accessControlFactory = new TestSystemAccessControlFactory("test"); accessControlManager.addSystemAccessControlFactory(accessControlFactory); - accessControlManager.setSystemAccessControl("test", ImmutableMap.of()); + accessControlManager.loadSystemAccessControl("test", ImmutableMap.of()); queryRunner.createCatalog("catalog", MockConnectorFactory.create(), ImmutableMap.of()); accessControlManager.addCatalogAccessControl(new CatalogName("connector"), new DenyConnectorAccessControl()); @@ -289,7 +289,7 @@ public void testDenyExecuteProcedureBySystem() TestSystemAccessControlFactory accessControlFactory = new TestSystemAccessControlFactory("deny-all"); accessControlManager.addSystemAccessControlFactory(accessControlFactory); - accessControlManager.setSystemAccessControl("deny-all", ImmutableMap.of()); + accessControlManager.loadSystemAccessControl("deny-all", ImmutableMap.of()); assertDenyExecuteProcedure(transactionManager, accessControlManager, "Access Denied: Cannot execute procedure connector.schema.procedure"); } 
@@ -300,7 +300,7 @@ public void testDenyExecuteProcedureByConnector() try (LocalQueryRunner queryRunner = LocalQueryRunner.create(TEST_SESSION)) { TransactionManager transactionManager = queryRunner.getTransactionManager(); AccessControlManager accessControlManager = createAccessControlManager(transactionManager); - accessControlManager.setSystemAccessControl("allow-all", ImmutableMap.of()); + accessControlManager.loadSystemAccessControl("allow-all", ImmutableMap.of()); queryRunner.createCatalog("connector", MockConnectorFactory.create(), ImmutableMap.of()); accessControlManager.addCatalogAccessControl(new CatalogName("connector"), new DenyConnectorAccessControl()); @@ -315,7 +315,7 @@ public void testAllowExecuteProcedure() try (LocalQueryRunner queryRunner = LocalQueryRunner.create(TEST_SESSION)) { TransactionManager transactionManager = queryRunner.getTransactionManager(); AccessControlManager accessControlManager = createAccessControlManager(transactionManager); - accessControlManager.setSystemAccessControl("allow-all", ImmutableMap.of()); + accessControlManager.loadSystemAccessControl("allow-all", ImmutableMap.of()); queryRunner.createCatalog("connector", MockConnectorFactory.create(), ImmutableMap.of()); accessControlManager.addCatalogAccessControl(new CatalogName("connector"), new AllowAllAccessControl()); 
@@ -327,6 +327,45 @@ public void testAllowExecuteProcedure() } } + @Test + public void testRegisterSingleEventListenerForDefaultAccessControl() + { + EventListener expectedListener = new EventListener() {}; + + String defaultAccessControlName = "event-listening-default-access-control"; + TestingEventListenerManager eventListenerManager = emptyEventListenerManager(); + AccessControlManager accessControlManager = createAccessControlManager( + eventListenerManager, + defaultAccessControlName); + accessControlManager.addSystemAccessControlFactory( + eventListeningSystemAccessControlFactory(defaultAccessControlName, expectedListener)); + + accessControlManager.loadSystemAccessControl(); + + assertThat(eventListenerManager.getConfiguredEventListeners()) + .contains(expectedListener); + } + + @Test + public void testRegisterMultipleEventListenerForDefaultAccessControl() + { + EventListener firstListener = new EventListener() {}; + EventListener secondListener = new EventListener() {}; + + String defaultAccessControlName = "event-listening-default-access-control"; + TestingEventListenerManager eventListenerManager = emptyEventListenerManager(); + AccessControlManager accessControlManager = createAccessControlManager( + eventListenerManager, + defaultAccessControlName); + accessControlManager.addSystemAccessControlFactory( + eventListeningSystemAccessControlFactory(defaultAccessControlName, firstListener, secondListener)); + + accessControlManager.loadSystemAccessControl(); + + assertThat(eventListenerManager.getConfiguredEventListeners()) + .contains(firstListener, secondListener); + } + @Test public void testRegisterSingleEventListener() throws IOException 
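Review bot: Both new tests assert with `.contains(...)`, which still passes if the default-access-control path registers a listener twice or registers listeners other than the expected ones. The manager comes from `emptyEventListenerManager()`, which presumably starts with no configured listeners, so `.containsExactly(expectedListener)` in the first test and `.containsExactlyInAnyOrder(firstListener, secondListener)` in the second would pin the exact set that gets registered. Neither test calls `loadSystemAccessControl()` more than once, so repeated loading is left uncovered. A short comment above the pair, for example `// default access control (no config file) must also contribute its event listeners`, would record why they exist alongside the file-based `testRegisterSingleEventListener`.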
@@ -384,7 +423,7 @@ public void testDenyExecuteFunctionBySystemAccessControl() TestSystemAccessControlFactory accessControlFactory = new TestSystemAccessControlFactory("deny-all"); accessControlManager.addSystemAccessControlFactory(accessControlFactory); - accessControlManager.setSystemAccessControl("deny-all", ImmutableMap.of()); + accessControlManager.loadSystemAccessControl("deny-all", ImmutableMap.of()); transaction(transactionManager, accessControlManager) .execute(transactionId -> { @@ -403,7 +442,7 @@ public void testAllowExecuteFunction() CatalogManager catalogManager = new CatalogManager(); TransactionManager transactionManager = createTestTransactionManager(catalogManager); AccessControlManager accessControlManager = createAccessControlManager(transactionManager); - accessControlManager.setSystemAccessControl("allow-all", ImmutableMap.of()); + accessControlManager.loadSystemAccessControl("allow-all", ImmutableMap.of()); transaction(transactionManager, accessControlManager) .execute(transactionId -> { @@ -436,6 +475,11 @@ private AccessControlManager createAccessControlManager(EventListenerManager eve return new AccessControlManager(createTestTransactionManager(), eventListenerManager, config, DefaultSystemAccessControl.NAME); } + private AccessControlManager createAccessControlManager(EventListenerManager eventListenerManager, String defaultAccessControlName) + { + return new AccessControlManager(createTestTransactionManager(), eventListenerManager, new AccessControlConfig(), defaultAccessControlName); + } + private SystemAccessControlFactory eventListeningSystemAccessControlFactory(String name, EventListener... eventListeners) { return new SystemAccessControlFactory() diff --git a/core/trino-main/src/test/java/io/trino/security/TestFileBasedSystemAccessControl.java b/core/trino-main/src/test/java/io/trino/security/TestFileBasedSystemAccessControl.java index 7915ebe9da62..e02f5147d28e 100644 
--- a/core/trino-main/src/test/java/io/trino/security/TestFileBasedSystemAccessControl.java +++ b/core/trino-main/src/test/java/io/trino/security/TestFileBasedSystemAccessControl.java @@ -123,7 +123,7 @@ public void testDocsExample() { TransactionManager transactionManager = createTestTransactionManager(); AccessControlManager accessControlManager = new AccessControlManager(transactionManager, emptyEventListenerManager(), new AccessControlConfig(), DefaultSystemAccessControl.NAME); - accessControlManager.setSystemAccessControl( + accessControlManager.loadSystemAccessControl( FileBasedSystemAccessControl.NAME, ImmutableMap.of("security.config-file", new File("../../docs/src/main/sphinx/security/user-impersonation.json").getAbsolutePath())); @@ -785,7 +785,7 @@ public void testRefreshing() configFile.deleteOnExit(); copy(new File(getResourcePath("catalog.json")), configFile); - accessControlManager.setSystemAccessControl(FileBasedSystemAccessControl.NAME, ImmutableMap.of( + accessControlManager.loadSystemAccessControl(FileBasedSystemAccessControl.NAME, ImmutableMap.of( SECURITY_CONFIG_FILE, configFile.getAbsolutePath(), SECURITY_REFRESH_PERIOD, "1ms")); @@ -842,7 +842,7 @@ private AccessControlManager newAccessControlManager(TransactionManager transact { AccessControlManager accessControlManager = new AccessControlManager(transactionManager, emptyEventListenerManager(), new AccessControlConfig(), DefaultSystemAccessControl.NAME); - accessControlManager.setSystemAccessControl(FileBasedSystemAccessControl.NAME, ImmutableMap.of("security.config-file", getResourcePath(resourceName))); + accessControlManager.loadSystemAccessControl(FileBasedSystemAccessControl.NAME, ImmutableMap.of("security.config-file", getResourcePath(resourceName))); return accessControlManager; }