Support all Trino Security Access Control modes in Delta lake Connector

[mdesmet]

Description

Support Read-only, file and allow all access control modes in delta connector.

Is this change a fix, improvement, new feature, refactoring, or other?

Improvement

Is this a change to the core query engine, a connector, client library, or the SPI interfaces? (be specific)

Change to the Delta Lake Connector

How would you describe this change to a non-technical end user or system administrator?

Related issues, pull requests, and links

• Fixes Delta connector doesn't support all Trino Access Control modes #11779

Documentation

( ) No documentation is needed.
( ) Sufficient documentation is included in this PR.
( ) Documentation PR is available with #prnumber.
( ) Documentation issue #issuenumber is filed, and can be handled later.

Release notes

( ) No release notes entries required.
( ) Release notes entries required with the following suggested text:

# Section
* Fix some things. ({issue}`issuenumber`)

[mdesmet]

This PR is preparation to support Trino views within the Delta Lake connector. We would need to support Access control modes as otherwise the default SYSTEM access control would fail on every view access.

See following comment

[findepi]

@kokosing @lukasz-walkiewicz did you have time to look into this?

[mdesmet]

I've also added docs based on the existing Iceberg docs.

[alexjo2144]

Are the other SecurityModules used by the Hive connector applicable? legacy and sql-standard?

[findepi]

@alexjo2144 good question

legacy is Hive's default because changing the default is hard.
i don't think we want it for Delta, do we?

cc @kokosing @electrum

[kokosing]

We don't want legacy.

[mdesmet]

Is this good to be merged? This would unblock #11763

[findinpath]

@lukasz-walkiewicz CPTAL ?

[lukasz-walkiewicz]

LGTM 👍

[lukasz-walkiewicz]

nit: static import

[lukasz-walkiewicz]

nit: description

[findinpath]

Gentle reminder

[alexjo2144]

@mdesmet can you resolve the conflicts?

[kokosing]

I would prefer SYSTEM as default

[mdesmet]

I based myself on the Iceberg security default:

trino/plugin/trino-iceberg/src/main/java/io/trino/plugin/iceberg/IcebergSecurityConfig.java

Line 30 in 627e395

private IcebergSecurity securitySystem = IcebergSecurity.ALLOW_ALL;

Wouldn't we want to keep this consistent with Iceberg?

[kokosing]

I would change the Iceberg too. From user perspective ALLOW_ALL and and SYSTEM do not differ match, other than ALLOW_ALL pretends that it manages roles (while actaully it has no roles) so it limits system roles use cases.

I think we could even consider removal of ALLOW_ALL.

Hence I would prefer to use SYSTEM here, and then update Iceberg too.

[findinpath]

Please add a note which option is used by default.

[findinpath]

Gentle reminder

[findinpath]

test-iceberg-plugin-access-control -> test-delta-lake-plugin-access-control

[findinpath]

@kokosing CPTAL over this PR ? It has been dormant for a while now.

[kokosing]

Either I need to base #13862 on this, on this has to be rebased on top of #13862.

[kokosing]

Thanks to #13862 I realized I was wrong. I think you should allow-all as default.

[kokosing]

I am very sorry I have mislead you in the first place.

[findinpath]

Unused parameter. Please remove.

[findinpath]

We can safely add a static import here. I think it will not be misleading.

[mdesmet]

@kokosing: Can you have another look?

[kokosing]

Thanks. I am sorry for the delay.

[vkorukanti]

@mdesmet @findepi On qn: can Hive's sql-standard be one of the options here in addition the existing access models?