Register event listeners for default system access control

core/trino-main/src/main/java/io/trino/security/AccessControlManager.java

@@ -139,7 +139,7 @@ public void loadSystemAccessControl()
         List<File> configFiles = this.configFiles;
         if (configFiles.isEmpty()) {
             if (!CONFIG_FILE.exists()) {
-                setSystemAccessControl(defaultAccessControlName, ImmutableMap.of());
+                loadSystemAccessControl(defaultAccessControlName, ImmutableMap.of());
                 log.info("Using system access control: %s", defaultAccessControlName);
                 return;
             }
@@ -187,7 +187,7 @@ private SystemAccessControl createSystemAccessControl(File configFile)
     }
 
     @VisibleForTesting
-    protected void setSystemAccessControl(String name, Map<String, String> properties)
+    public void loadSystemAccessControl(String name, Map<String, String> properties)
     {
         requireNonNull(name, "name is null");
         requireNonNull(properties, "properties is null");
@@ -200,6 +200,9 @@ protected void setSystemAccessControl(String name, Map<String, String> propertie
             systemAccessControl = factory.create(ImmutableMap.copyOf(properties));
         }
 
+        systemAccessControl.getEventListeners()
+                .forEach(eventListenerManager::addEventListener);
+
         setSystemAccessControls(ImmutableList.of(systemAccessControl));
     }
 

core/trino-main/src/main/java/io/trino/testing/TestingAccessControlManager.java

@@ -144,11 +144,6 @@ public TestingAccessControlManager(TransactionManager transactionManager, EventL
         this(transactionManager, eventListenerManager, new AccessControlConfig());
     }
 
-    public void loadSystemAccessControl(String name, Map<String, String> properties)
-    {
-        setSystemAccessControl(name, properties);
-    }
-
     public static TestingPrivilege privilege(String entityName, TestingPrivilegeType type)
     {
         return new TestingPrivilege(Optional.empty(), entityName, type);

core/trino-main/src/test/java/io/trino/security/TestAccessControlManager.java

@@ -90,7 +90,7 @@ public void testInitializing()
     public void testNoneSystemAccessControl()
     {
         AccessControlManager accessControlManager = createAccessControlManager(createTestTransactionManager());
-        accessControlManager.setSystemAccessControl(AllowAllSystemAccessControl.NAME, ImmutableMap.of());
+        accessControlManager.loadSystemAccessControl(AllowAllSystemAccessControl.NAME, ImmutableMap.of());
         accessControlManager.checkCanSetUser(Optional.empty(), USER_NAME);
     }
 
@@ -102,7 +102,7 @@ public void testReadOnlySystemAccessControl()
         TransactionManager transactionManager = createTestTransactionManager();
         AccessControlManager accessControlManager = createAccessControlManager(transactionManager);
 
-        accessControlManager.setSystemAccessControl(ReadOnlySystemAccessControl.NAME, ImmutableMap.of());
+        accessControlManager.loadSystemAccessControl(ReadOnlySystemAccessControl.NAME, ImmutableMap.of());
         accessControlManager.checkCanSetUser(Optional.of(PRINCIPAL), USER_NAME);
         accessControlManager.checkCanSetSystemSessionProperty(identity, "property");
 
@@ -139,7 +139,7 @@ public void testSetAccessControl()
 
         TestSystemAccessControlFactory accessControlFactory = new TestSystemAccessControlFactory("test");
         accessControlManager.addSystemAccessControlFactory(accessControlFactory);
-        accessControlManager.setSystemAccessControl("test", ImmutableMap.of());
+        accessControlManager.loadSystemAccessControl("test", ImmutableMap.of());
 
         accessControlManager.checkCanSetUser(Optional.of(PRINCIPAL), USER_NAME);
         assertEquals(accessControlFactory.getCheckedUserName(), USER_NAME);
@@ -154,7 +154,7 @@ public void testNoCatalogAccessControl()
 
         TestSystemAccessControlFactory accessControlFactory = new TestSystemAccessControlFactory("test");
         accessControlManager.addSystemAccessControlFactory(accessControlFactory);
-        accessControlManager.setSystemAccessControl("test", ImmutableMap.of());
+        accessControlManager.loadSystemAccessControl("test", ImmutableMap.of());
 
         transaction(transactionManager, accessControlManager)
                 .execute(transactionId -> {
@@ -171,7 +171,7 @@ public void testDenyCatalogAccessControl()
 
             TestSystemAccessControlFactory accessControlFactory = new TestSystemAccessControlFactory("test");
             accessControlManager.addSystemAccessControlFactory(accessControlFactory);
-            accessControlManager.setSystemAccessControl("test", ImmutableMap.of());
+            accessControlManager.loadSystemAccessControl("test", ImmutableMap.of());
 
             queryRunner.createCatalog("catalog", MockConnectorFactory.create(), ImmutableMap.of());
             accessControlManager.addCatalogAccessControl(new CatalogName("catalog"), new DenyConnectorAccessControl());
@@ -218,7 +218,7 @@ public void checkCanSetSystemSessionProperty(SystemSecurityContext context, Stri
                     };
                 }
             });
-            accessControlManager.setSystemAccessControl("test", ImmutableMap.of());
+            accessControlManager.loadSystemAccessControl("test", ImmutableMap.of());
 
             queryRunner.createCatalog("catalog", MockConnectorFactory.create(), ImmutableMap.of());
             accessControlManager.addCatalogAccessControl(new CatalogName("catalog"), new ConnectorAccessControl()
@@ -263,7 +263,7 @@ public void testDenySystemAccessControl()
 
             TestSystemAccessControlFactory accessControlFactory = new TestSystemAccessControlFactory("test");
             accessControlManager.addSystemAccessControlFactory(accessControlFactory);
-            accessControlManager.setSystemAccessControl("test", ImmutableMap.of());
+            accessControlManager.loadSystemAccessControl("test", ImmutableMap.of());
 
             queryRunner.createCatalog("catalog", MockConnectorFactory.create(), ImmutableMap.of());
             accessControlManager.addCatalogAccessControl(new CatalogName("connector"), new DenyConnectorAccessControl());
@@ -289,7 +289,7 @@ public void testDenyExecuteProcedureBySystem()
 
         TestSystemAccessControlFactory accessControlFactory = new TestSystemAccessControlFactory("deny-all");
         accessControlManager.addSystemAccessControlFactory(accessControlFactory);
-        accessControlManager.setSystemAccessControl("deny-all", ImmutableMap.of());
+        accessControlManager.loadSystemAccessControl("deny-all", ImmutableMap.of());
 
         assertDenyExecuteProcedure(transactionManager, accessControlManager, "Access Denied: Cannot execute procedure connector.schema.procedure");
     }
@@ -300,7 +300,7 @@ public void testDenyExecuteProcedureByConnector()
         try (LocalQueryRunner queryRunner = LocalQueryRunner.create(TEST_SESSION)) {
             TransactionManager transactionManager = queryRunner.getTransactionManager();
             AccessControlManager accessControlManager = createAccessControlManager(transactionManager);
-            accessControlManager.setSystemAccessControl("allow-all", ImmutableMap.of());
+            accessControlManager.loadSystemAccessControl("allow-all", ImmutableMap.of());
 
             queryRunner.createCatalog("connector", MockConnectorFactory.create(), ImmutableMap.of());
             accessControlManager.addCatalogAccessControl(new CatalogName("connector"), new DenyConnectorAccessControl());
@@ -315,7 +315,7 @@ public void testAllowExecuteProcedure()
         try (LocalQueryRunner queryRunner = LocalQueryRunner.create(TEST_SESSION)) {
             TransactionManager transactionManager = queryRunner.getTransactionManager();
             AccessControlManager accessControlManager = createAccessControlManager(transactionManager);
-            accessControlManager.setSystemAccessControl("allow-all", ImmutableMap.of());
+            accessControlManager.loadSystemAccessControl("allow-all", ImmutableMap.of());
 
             queryRunner.createCatalog("connector", MockConnectorFactory.create(), ImmutableMap.of());
             accessControlManager.addCatalogAccessControl(new CatalogName("connector"), new AllowAllAccessControl());
@@ -327,6 +327,45 @@ public void testAllowExecuteProcedure()
         }
     }
 
+    @Test
+    public void testRegisterSingleEventListenerForDefaultAccessControl()
+    {
+        EventListener expectedListener = new EventListener() {};
+
+        String defaultAccessControlName = "event-listening-default-access-control";
+        TestingEventListenerManager eventListenerManager = emptyEventListenerManager();
+        AccessControlManager accessControlManager = createAccessControlManager(
+                eventListenerManager,
+                defaultAccessControlName);
+        accessControlManager.addSystemAccessControlFactory(
+                eventListeningSystemAccessControlFactory(defaultAccessControlName, expectedListener));
+
+        accessControlManager.loadSystemAccessControl();
+
+        assertThat(eventListenerManager.getConfiguredEventListeners())
+                .contains(expectedListener);
+    }
+
+    @Test
+    public void testRegisterMultipleEventListenerForDefaultAccessControl()
+    {
+        EventListener firstListener = new EventListener() {};
+        EventListener secondListener = new EventListener() {};
+
+        String defaultAccessControlName = "event-listening-default-access-control";
+        TestingEventListenerManager eventListenerManager = emptyEventListenerManager();
+        AccessControlManager accessControlManager = createAccessControlManager(
+                eventListenerManager,
+                defaultAccessControlName);
+        accessControlManager.addSystemAccessControlFactory(
+                eventListeningSystemAccessControlFactory(defaultAccessControlName, firstListener, secondListener));
+
+        accessControlManager.loadSystemAccessControl();
+
+        assertThat(eventListenerManager.getConfiguredEventListeners())
+                .contains(firstListener, secondListener);
+    }
+
     @Test
     public void testRegisterSingleEventListener()
             throws IOException
@@ -384,7 +423,7 @@ public void testDenyExecuteFunctionBySystemAccessControl()
 
         TestSystemAccessControlFactory accessControlFactory = new TestSystemAccessControlFactory("deny-all");
         accessControlManager.addSystemAccessControlFactory(accessControlFactory);
-        accessControlManager.setSystemAccessControl("deny-all", ImmutableMap.of());
+        accessControlManager.loadSystemAccessControl("deny-all", ImmutableMap.of());
 
         transaction(transactionManager, accessControlManager)
                 .execute(transactionId -> {
@@ -403,7 +442,7 @@ public void testAllowExecuteFunction()
         CatalogManager catalogManager = new CatalogManager();
         TransactionManager transactionManager = createTestTransactionManager(catalogManager);
         AccessControlManager accessControlManager = createAccessControlManager(transactionManager);
-        accessControlManager.setSystemAccessControl("allow-all", ImmutableMap.of());
+        accessControlManager.loadSystemAccessControl("allow-all", ImmutableMap.of());
 
         transaction(transactionManager, accessControlManager)
                 .execute(transactionId -> {
@@ -436,6 +475,11 @@ private AccessControlManager createAccessControlManager(EventListenerManager eve
         return new AccessControlManager(createTestTransactionManager(), eventListenerManager, config, DefaultSystemAccessControl.NAME);
     }
 
+    private AccessControlManager createAccessControlManager(EventListenerManager eventListenerManager, String defaultAccessControlName)
+    {
+        return new AccessControlManager(createTestTransactionManager(), eventListenerManager, new AccessControlConfig(), defaultAccessControlName);
+    }
+
     private SystemAccessControlFactory eventListeningSystemAccessControlFactory(String name, EventListener... eventListeners)
     {
         return new SystemAccessControlFactory()

core/trino-main/src/test/java/io/trino/security/TestFileBasedSystemAccessControl.java

@@ -123,7 +123,7 @@ public void testDocsExample()
     {
         TransactionManager transactionManager = createTestTransactionManager();
         AccessControlManager accessControlManager = new AccessControlManager(transactionManager, emptyEventListenerManager(), new AccessControlConfig(), DefaultSystemAccessControl.NAME);
-        accessControlManager.setSystemAccessControl(
+        accessControlManager.loadSystemAccessControl(
                 FileBasedSystemAccessControl.NAME,
                 ImmutableMap.of("security.config-file", new File("../../docs/src/main/sphinx/security/user-impersonation.json").getAbsolutePath()));
 
@@ -785,7 +785,7 @@ public void testRefreshing()
         configFile.deleteOnExit();
         copy(new File(getResourcePath("catalog.json")), configFile);
 
-        accessControlManager.setSystemAccessControl(FileBasedSystemAccessControl.NAME, ImmutableMap.of(
+        accessControlManager.loadSystemAccessControl(FileBasedSystemAccessControl.NAME, ImmutableMap.of(
                 SECURITY_CONFIG_FILE, configFile.getAbsolutePath(),
                 SECURITY_REFRESH_PERIOD, "1ms"));
 
@@ -842,7 +842,7 @@ private AccessControlManager newAccessControlManager(TransactionManager transact
     {
         AccessControlManager accessControlManager = new AccessControlManager(transactionManager, emptyEventListenerManager(), new AccessControlConfig(), DefaultSystemAccessControl.NAME);
 
-        accessControlManager.setSystemAccessControl(FileBasedSystemAccessControl.NAME, ImmutableMap.of("security.config-file", getResourcePath(resourceName)));
+        accessControlManager.loadSystemAccessControl(FileBasedSystemAccessControl.NAME, ImmutableMap.of("security.config-file", getResourcePath(resourceName)));
 
         return accessControlManager;
     }