diff --git a/core/trino-main/src/main/java/io/trino/security/AccessControl.java b/core/trino-main/src/main/java/io/trino/security/AccessControl.java index 9e74179a58ce..204ceb28f611 100644 --- a/core/trino-main/src/main/java/io/trino/security/AccessControl.java +++ b/core/trino-main/src/main/java/io/trino/security/AccessControl.java @@ -525,6 +525,13 @@ void checkCanRevokeRoles(SecurityContext context, */ void checkCanExecuteFunction(SecurityContext context, String functionName); + /** + * Check if identity is allowed to execute function + * + * @throws AccessDeniedException if not allowed + */ + void checkCanExecuteFunction(SecurityContext context, QualifiedObjectName functionName); + /** * Check if identity is allowed to execute given table procedure on given table * diff --git a/core/trino-main/src/main/java/io/trino/security/AccessControlManager.java b/core/trino-main/src/main/java/io/trino/security/AccessControlManager.java index 0b1df4f88a00..786b103a94af 100644 --- a/core/trino-main/src/main/java/io/trino/security/AccessControlManager.java +++ b/core/trino-main/src/main/java/io/trino/security/AccessControlManager.java 
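Review bot: The Javadoc on the new `checkCanExecuteFunction(SecurityContext, QualifiedObjectName)` overload in AccessControl.java gives a caller no way to tell it apart from the `String` overload declared just above it. Going by AccessControlManager later in this diff, the qualified overload also checks catalog access and the catalog's own access control, while the visible tail of the `String` overload shows only the system-level check, so choosing the wrong overload for a catalog-resident function would appear to skip two checks. I would state that in the summary, e.g. `Check if identity is allowed to execute the function identified by its fully qualified (catalog.schema.name) name; also verifies catalog access and the catalog-level access control.`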
@@ -1134,6 +1134,22 @@ public void checkCanExecuteFunction(SecurityContext context, String functionName systemAuthorizationCheck(control -> control.checkCanExecuteFunction(context.toSystemSecurityContext(), functionName)); } + @Override + public void checkCanExecuteFunction(SecurityContext securityContext, QualifiedObjectName functionName) + { + requireNonNull(securityContext, "securityContext is null"); + requireNonNull(functionName, "functionName is null"); + + checkCanAccessCatalog(securityContext, functionName.getCatalogName()); + + systemAuthorizationCheck(control -> control.checkCanExecuteFunction(securityContext.toSystemSecurityContext(), functionName.asCatalogSchemaRoutineName())); + + catalogAuthorizationCheck( + functionName.getCatalogName(), + securityContext, + (control, context) -> control.checkCanExecuteFunction(context, functionName.asSchemaRoutineName())); + } + @Override public void checkCanExecuteTableProcedure(SecurityContext securityContext, QualifiedObjectName tableName, String procedureName) { diff --git a/core/trino-main/src/main/java/io/trino/security/AllowAllAccessControl.java b/core/trino-main/src/main/java/io/trino/security/AllowAllAccessControl.java index e4f213782b6e..5b2c8ec9a33e 100644 --- a/core/trino-main/src/main/java/io/trino/security/AllowAllAccessControl.java +++ b/core/trino-main/src/main/java/io/trino/security/AllowAllAccessControl.java @@ -365,6 +365,11 @@ public void checkCanExecuteFunction(SecurityContext context, String functionName { } + @Override + public void checkCanExecuteFunction(SecurityContext context, QualifiedObjectName functionName) + { + } + @Override public void checkCanExecuteTableProcedure(SecurityContext context, QualifiedObjectName tableName, String procedureName) { diff --git a/core/trino-main/src/main/java/io/trino/security/DenyAllAccessControl.java b/core/trino-main/src/main/java/io/trino/security/DenyAllAccessControl.java index 857f7d99fa70..a6482ec826e3 100644 
--- a/core/trino-main/src/main/java/io/trino/security/DenyAllAccessControl.java +++ b/core/trino-main/src/main/java/io/trino/security/DenyAllAccessControl.java @@ -491,6 +491,12 @@ public void checkCanExecuteFunction(SecurityContext context, String functionName denyExecuteFunction(functionName); } + @Override + public void checkCanExecuteFunction(SecurityContext context, QualifiedObjectName functionName) + { + denyExecuteFunction(functionName.toString()); + } + @Override public void checkCanExecuteTableProcedure(SecurityContext context, QualifiedObjectName tableName, String procedureName) { diff --git a/core/trino-main/src/main/java/io/trino/security/ForwardingAccessControl.java b/core/trino-main/src/main/java/io/trino/security/ForwardingAccessControl.java index 4720ad6d305e..e6a2c277f546 100644 --- a/core/trino-main/src/main/java/io/trino/security/ForwardingAccessControl.java +++ b/core/trino-main/src/main/java/io/trino/security/ForwardingAccessControl.java @@ -448,6 +448,12 @@ public void checkCanExecuteFunction(SecurityContext context, String functionName delegate().checkCanExecuteFunction(context, functionName); } + @Override + public void checkCanExecuteFunction(SecurityContext context, QualifiedObjectName functionName) + { + delegate().checkCanExecuteFunction(context, functionName); + } + @Override public void checkCanExecuteTableProcedure(SecurityContext context, QualifiedObjectName tableName, String procedureName) { diff --git a/core/trino-main/src/main/java/io/trino/security/InjectedConnectorAccessControl.java b/core/trino-main/src/main/java/io/trino/security/InjectedConnectorAccessControl.java index a825110157cf..2732b9db26a2 100644 --- a/core/trino-main/src/main/java/io/trino/security/InjectedConnectorAccessControl.java +++ b/core/trino-main/src/main/java/io/trino/security/InjectedConnectorAccessControl.java 
@@ -446,6 +446,13 @@ public void checkCanExecuteTableProcedure(ConnectorSecurityContext context, Sche procedure); } + @Override + public void checkCanExecuteFunction(ConnectorSecurityContext context, SchemaRoutineName function) + { + checkArgument(context == null, "context must be null"); + accessControl.checkCanExecuteFunction(securityContext, new QualifiedObjectName(catalogName, function.getSchemaName(), function.getRoutineName())); + } + @Override public List getRowFilters(ConnectorSecurityContext context, SchemaTableName tableName) { diff --git a/core/trino-main/src/main/java/io/trino/testing/AllowAllAccessControlManager.java b/core/trino-main/src/main/java/io/trino/testing/AllowAllAccessControlManager.java index 44234f6884fa..c0cd458f75dc 100644 --- a/core/trino-main/src/main/java/io/trino/testing/AllowAllAccessControlManager.java +++ b/core/trino-main/src/main/java/io/trino/testing/AllowAllAccessControlManager.java @@ -242,6 +242,9 @@ public void checkCanExecuteProcedure(SecurityContext context, QualifiedObjectNam @Override public void checkCanExecuteFunction(SecurityContext context, String functionName) {} + @Override + public void checkCanExecuteFunction(SecurityContext context, QualifiedObjectName functionName) {} + @Override public void checkCanExecuteTableProcedure(SecurityContext context, QualifiedObjectName tableName, String procedureName) {} } diff --git a/core/trino-spi/src/main/java/io/trino/spi/connector/ConnectorAccessControl.java b/core/trino-spi/src/main/java/io/trino/spi/connector/ConnectorAccessControl.java index 3bdb9f1a7340..2d0ff5b36c31 100644 --- a/core/trino-spi/src/main/java/io/trino/spi/connector/ConnectorAccessControl.java +++ b/core/trino-spi/src/main/java/io/trino/spi/connector/ConnectorAccessControl.java 
@@ -41,6 +41,7 @@ import static io.trino.spi.security.AccessDeniedException.denyDropSchema; import static io.trino.spi.security.AccessDeniedException.denyDropTable; import static io.trino.spi.security.AccessDeniedException.denyDropView; +import static io.trino.spi.security.AccessDeniedException.denyExecuteFunction; import static io.trino.spi.security.AccessDeniedException.denyExecuteProcedure; import static io.trino.spi.security.AccessDeniedException.denyExecuteTableProcedure; import static io.trino.spi.security.AccessDeniedException.denyGrantRoles; @@ -596,6 +597,16 @@ default void checkCanExecuteTableProcedure(ConnectorSecurityContext context, Sch denyExecuteTableProcedure(tableName.toString(), procedure); } + /** + * Check if identity is allowed to execute function. + * + * @throws io.trino.spi.security.AccessDeniedException if not allowed + */ + default void checkCanExecuteFunction(ConnectorSecurityContext context, SchemaRoutineName function) + { + denyExecuteFunction(function.toString()); + } + /** * Get a row filter associated with the given table and identity. *
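Review bot: The Javadoc on the new `ConnectorAccessControl.checkCanExecuteFunction` default omits that the default implementation denies, which is what an implementer most needs to know. Wherever the catalog check in AccessControlManager is applied, an access control that does not override it will reject the function. The same applies to the new `SystemAccessControl.checkCanExecuteFunction(SystemSecurityContext, CatalogSchemaRoutineName)` default further down. Denying by default is a sound fail-closed choice, so I would only add a sentence to both, such as `The default implementation denies access; override to permit function execution.`, plus an `@param` line describing the routine name.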

diff --git a/core/trino-spi/src/main/java/io/trino/spi/security/SystemAccessControl.java b/core/trino-spi/src/main/java/io/trino/spi/security/SystemAccessControl.java index f31536a1bb7d..ac2c5e836c51 100644 --- a/core/trino-spi/src/main/java/io/trino/spi/security/SystemAccessControl.java +++ b/core/trino-spi/src/main/java/io/trino/spi/security/SystemAccessControl.java @@ -808,6 +808,16 @@ default void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext denyExecuteFunction(functionName); } + /** + * Check if identity is allowed to execute the specified function + * + * @throws AccessDeniedException if not allowed + */ + default void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext, CatalogSchemaRoutineName functionName) + { + denyExecuteFunction(functionName.toString()); + } + /** * Check if identity is allowed to execute the specified table procedure on specified table * diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/classloader/ClassLoaderSafeConnectorAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/classloader/ClassLoaderSafeConnectorAccessControl.java index e20d201224bc..4eff31b04ae4 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/classloader/ClassLoaderSafeConnectorAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/classloader/ClassLoaderSafeConnectorAccessControl.java @@ -493,6 +493,14 @@ public void checkCanExecuteTableProcedure(ConnectorSecurityContext context, Sche } } + @Override + public void checkCanExecuteFunction(ConnectorSecurityContext context, SchemaRoutineName function) + { + try (ThreadContextClassLoader ignored = new ThreadContextClassLoader(classLoader)) { + delegate.checkCanExecuteFunction(context, function); + } + } + @Override public List getRowFilters(ConnectorSecurityContext context, SchemaTableName tableName) { 
diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllAccessControl.java index 3c32116427d6..859d48b496fd 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllAccessControl.java @@ -317,6 +317,11 @@ public void checkCanExecuteTableProcedure(ConnectorSecurityContext context, Sche { } + @Override + public void checkCanExecuteFunction(ConnectorSecurityContext context, SchemaRoutineName function) + { + } + @Override public List getRowFilters(ConnectorSecurityContext context, SchemaTableName tableName) { diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllSystemAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllSystemAccessControl.java index 9e2e3b024bb4..d4dd5a144c6f 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllSystemAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllSystemAccessControl.java @@ -425,6 +425,11 @@ public void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext, { } + @Override + public void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext, CatalogSchemaRoutineName functionName) + { + } + @Override public void checkCanExecuteTableProcedure(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName table, String procedure) { diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedAccessControl.java index 381c0a0b95c3..2e0801961991 100644 
--- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedAccessControl.java @@ -591,6 +591,11 @@ public void checkCanExecuteTableProcedure(ConnectorSecurityContext context, Sche { } + @Override + public void checkCanExecuteFunction(ConnectorSecurityContext context, SchemaRoutineName function) + { + } + @Override public List getRowFilters(ConnectorSecurityContext context, SchemaTableName tableName) { diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedSystemAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedSystemAccessControl.java index a01ee62f85fc..6217e50b84fa 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedSystemAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedSystemAccessControl.java @@ -938,6 +938,11 @@ public void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext, { } + @Override + public void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext, CatalogSchemaRoutineName functionName) + { + } + @Override public void checkCanExecuteTableProcedure(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName table, String procedure) { diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingConnectorAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingConnectorAccessControl.java index 7ca4f8af67bd..8bf3cf665241 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingConnectorAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingConnectorAccessControl.java 
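Review bot: The new `checkCanExecuteFunction(ConnectorSecurityContext, SchemaRoutineName)` override in FileBasedAccessControl has an empty body, so it replaces the SPI's deny-by-default with an unconditional allow and consults no rule from the configured file. The same empty override is added to FileBasedSystemAccessControl (for `CatalogSchemaRoutineName`), LegacyAccessControl and SqlStandardAccessControl, so within these access controls nothing restricts who may execute a catalog function. If that is intended for now, say so at each site, e.g. `// function execution is not governed by rules yet: always allowed`, so that the gap is visible to whoever audits these policies. The surrounding rule-handling code is outside these hunks, so it cannot be told from here whether a function rule type already exists that these overrides could use.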
@@ -386,6 +386,12 @@ public void checkCanExecuteTableProcedure(ConnectorSecurityContext context, Sche delegate().checkCanExecuteTableProcedure(context, tableName, procedure); } + @Override + public void checkCanExecuteFunction(ConnectorSecurityContext context, SchemaRoutineName function) + { + delegate().checkCanExecuteFunction(context, function); + } + @Override public Optional getRowFilter(ConnectorSecurityContext context, SchemaTableName tableName) { diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingSystemAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingSystemAccessControl.java index 9da0a8db83b4..00f0cefbbba9 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingSystemAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingSystemAccessControl.java @@ -468,6 +468,12 @@ public void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext, delegate().checkCanExecuteFunction(systemSecurityContext, functionName); } + @Override + public void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext, CatalogSchemaRoutineName functionName) + { + delegate().checkCanExecuteFunction(systemSecurityContext, functionName); + } + @Override public void checkCanExecuteTableProcedure(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName table, String procedure) { diff --git a/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/LegacyAccessControl.java b/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/LegacyAccessControl.java index 56dd4f1946e1..3ef90ed7ed0b 100644 --- a/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/LegacyAccessControl.java +++ b/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/LegacyAccessControl.java 
@@ -388,6 +388,11 @@ public void checkCanExecuteTableProcedure(ConnectorSecurityContext context, Sche { } + @Override + public void checkCanExecuteFunction(ConnectorSecurityContext context, SchemaRoutineName function) + { + } + @Override public List getRowFilters(ConnectorSecurityContext context, SchemaTableName tableName) { diff --git a/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/SqlStandardAccessControl.java b/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/SqlStandardAccessControl.java index 2cb23f9db4db..e6c0b9bd65fe 100644 --- a/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/SqlStandardAccessControl.java +++ b/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/SqlStandardAccessControl.java @@ -569,6 +569,11 @@ public void checkCanExecuteTableProcedure(ConnectorSecurityContext context, Sche } } + @Override + public void checkCanExecuteFunction(ConnectorSecurityContext context, SchemaRoutineName function) + { + } + @Override public List getRowFilters(ConnectorSecurityContext context, SchemaTableName tableName) {