Add access control for functions based on full qualified name

core/trino-main/src/main/java/io/trino/security/AccessControl.java

@@ -525,6 +525,13 @@ void checkCanRevokeRoles(SecurityContext context,
      */
     void checkCanExecuteFunction(SecurityContext context, String functionName);
 
+    /**
+     * Check if identity is allowed to execute function
+     *
+     * @throws AccessDeniedException if not allowed
+     */
+    void checkCanExecuteFunction(SecurityContext context, QualifiedObjectName functionName);
+
     /**
      * Check if identity is allowed to execute given table procedure on given table
      *

core/trino-main/src/main/java/io/trino/security/AccessControlManager.java

@@ -1134,6 +1134,22 @@ public void checkCanExecuteFunction(SecurityContext context, String functionName
         systemAuthorizationCheck(control -> control.checkCanExecuteFunction(context.toSystemSecurityContext(), functionName));
     }
 
+    @Override
+    public void checkCanExecuteFunction(SecurityContext securityContext, QualifiedObjectName functionName)
+    {
+        requireNonNull(securityContext, "securityContext is null");
+        requireNonNull(functionName, "functionName is null");
+
+        checkCanAccessCatalog(securityContext, functionName.getCatalogName());
+
+        systemAuthorizationCheck(control -> control.checkCanExecuteFunction(securityContext.toSystemSecurityContext(), functionName.asCatalogSchemaRoutineName()));
+
+        catalogAuthorizationCheck(
+                functionName.getCatalogName(),
+                securityContext,
+                (control, context) -> control.checkCanExecuteFunction(context, functionName.asSchemaRoutineName()));
+    }
+
     @Override
     public void checkCanExecuteTableProcedure(SecurityContext securityContext, QualifiedObjectName tableName, String procedureName)
     {

core/trino-main/src/main/java/io/trino/security/AllowAllAccessControl.java

@@ -365,6 +365,11 @@ public void checkCanExecuteFunction(SecurityContext context, String functionName
     {
     }
 
+    @Override
+    public void checkCanExecuteFunction(SecurityContext context, QualifiedObjectName functionName)
+    {
+    }
+
     @Override
     public void checkCanExecuteTableProcedure(SecurityContext context, QualifiedObjectName tableName, String procedureName)
     {

core/trino-main/src/main/java/io/trino/security/DenyAllAccessControl.java

@@ -491,6 +491,12 @@ public void checkCanExecuteFunction(SecurityContext context, String functionName
         denyExecuteFunction(functionName);
     }
 
+    @Override
+    public void checkCanExecuteFunction(SecurityContext context, QualifiedObjectName functionName)
+    {
+        denyExecuteFunction(functionName.toString());
+    }
+
     @Override
     public void checkCanExecuteTableProcedure(SecurityContext context, QualifiedObjectName tableName, String procedureName)
     {

core/trino-main/src/main/java/io/trino/security/ForwardingAccessControl.java

@@ -448,6 +448,12 @@ public void checkCanExecuteFunction(SecurityContext context, String functionName
         delegate().checkCanExecuteFunction(context, functionName);
     }
 
+    @Override
+    public void checkCanExecuteFunction(SecurityContext context, QualifiedObjectName functionName)
+    {
+        delegate().checkCanExecuteFunction(context, functionName);
+    }
+
     @Override
     public void checkCanExecuteTableProcedure(SecurityContext context, QualifiedObjectName tableName, String procedureName)
     {

core/trino-main/src/main/java/io/trino/security/InjectedConnectorAccessControl.java

@@ -446,6 +446,13 @@ public void checkCanExecuteTableProcedure(ConnectorSecurityContext context, Sche
                 procedure);
     }
 
+    @Override
+    public void checkCanExecuteFunction(ConnectorSecurityContext context, SchemaRoutineName function)
+    {
+        checkArgument(context == null, "context must be null");
+        accessControl.checkCanExecuteFunction(securityContext, new QualifiedObjectName(catalogName, function.getSchemaName(), function.getRoutineName()));
+    }
+
     @Override
     public List<ViewExpression> getRowFilters(ConnectorSecurityContext context, SchemaTableName tableName)
     {

core/trino-main/src/main/java/io/trino/testing/AllowAllAccessControlManager.java

@@ -242,6 +242,9 @@ public void checkCanExecuteProcedure(SecurityContext context, QualifiedObjectNam
     @Override
     public void checkCanExecuteFunction(SecurityContext context, String functionName) {}
 
+    @Override
+    public void checkCanExecuteFunction(SecurityContext context, QualifiedObjectName functionName) {}
+
     @Override
     public void checkCanExecuteTableProcedure(SecurityContext context, QualifiedObjectName tableName, String procedureName) {}
 }

core/trino-spi/src/main/java/io/trino/spi/connector/ConnectorAccessControl.java

@@ -41,6 +41,7 @@
 import static io.trino.spi.security.AccessDeniedException.denyDropSchema;
 import static io.trino.spi.security.AccessDeniedException.denyDropTable;
 import static io.trino.spi.security.AccessDeniedException.denyDropView;
+import static io.trino.spi.security.AccessDeniedException.denyExecuteFunction;
 import static io.trino.spi.security.AccessDeniedException.denyExecuteProcedure;
 import static io.trino.spi.security.AccessDeniedException.denyExecuteTableProcedure;
 import static io.trino.spi.security.AccessDeniedException.denyGrantRoles;
@@ -596,6 +597,16 @@ default void checkCanExecuteTableProcedure(ConnectorSecurityContext context, Sch
         denyExecuteTableProcedure(tableName.toString(), procedure);
     }
 
+    /**
+     * Check if identity is allowed to execute function.
+     *
+     * @throws io.trino.spi.security.AccessDeniedException if not allowed
+     */
+    default void checkCanExecuteFunction(ConnectorSecurityContext context, SchemaRoutineName function)
+    {
+        denyExecuteFunction(function.toString());
+    }
+
     /**
      * Get a row filter associated with the given table and identity.
      * <p>

core/trino-spi/src/main/java/io/trino/spi/security/SystemAccessControl.java

@@ -808,6 +808,16 @@ default void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext
         denyExecuteFunction(functionName);
     }
 
+    /**
+     * Check if identity is allowed to execute the specified function
+     *
+     * @throws AccessDeniedException if not allowed
+     */
+    default void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext, CatalogSchemaRoutineName functionName)
+    {
+        denyExecuteFunction(functionName.toString());
+    }
+
     /**
      * Check if identity is allowed to execute the specified table procedure on specified table
      *

lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/classloader/ClassLoaderSafeConnectorAccessControl.java

@@ -493,6 +493,14 @@ public void checkCanExecuteTableProcedure(ConnectorSecurityContext context, Sche
         }
     }
 
+    @Override
+    public void checkCanExecuteFunction(ConnectorSecurityContext context, SchemaRoutineName function)
+    {
+        try (ThreadContextClassLoader ignored = new ThreadContextClassLoader(classLoader)) {
+            delegate.checkCanExecuteFunction(context, function);
+        }
+    }
+
     @Override
     public List<ViewExpression> getRowFilters(ConnectorSecurityContext context, SchemaTableName tableName)
     {

lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllAccessControl.java

@@ -317,6 +317,11 @@ public void checkCanExecuteTableProcedure(ConnectorSecurityContext context, Sche
     {
     }
 
+    @Override
+    public void checkCanExecuteFunction(ConnectorSecurityContext context, SchemaRoutineName function)
+    {
+    }
+
     @Override
     public List<ViewExpression> getRowFilters(ConnectorSecurityContext context, SchemaTableName tableName)
     {

lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllSystemAccessControl.java

@@ -425,6 +425,11 @@ public void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext,
     {
     }
 
+    @Override
+    public void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext, CatalogSchemaRoutineName functionName)
+    {
+    }
+
     @Override
     public void checkCanExecuteTableProcedure(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName table, String procedure)
     {

lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedAccessControl.java

@@ -591,6 +591,11 @@ public void checkCanExecuteTableProcedure(ConnectorSecurityContext context, Sche
     {
     }
 
+    @Override
+    public void checkCanExecuteFunction(ConnectorSecurityContext context, SchemaRoutineName function)
+    {
+    }
+
     @Override
     public List<ViewExpression> getRowFilters(ConnectorSecurityContext context, SchemaTableName tableName)
     {

lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedSystemAccessControl.java

@@ -938,6 +938,11 @@ public void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext,
     {
     }
 
+    @Override
+    public void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext, CatalogSchemaRoutineName functionName)
+    {
+    }
+
     @Override
     public void checkCanExecuteTableProcedure(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName table, String procedure)
     {

lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingConnectorAccessControl.java

@@ -386,6 +386,12 @@ public void checkCanExecuteTableProcedure(ConnectorSecurityContext context, Sche
         delegate().checkCanExecuteTableProcedure(context, tableName, procedure);
     }
 
+    @Override
+    public void checkCanExecuteFunction(ConnectorSecurityContext context, SchemaRoutineName function)
+    {
+        delegate().checkCanExecuteFunction(context, function);
+    }
+
     @Override
     public Optional<ViewExpression> getRowFilter(ConnectorSecurityContext context, SchemaTableName tableName)
     {

lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingSystemAccessControl.java

@@ -468,6 +468,12 @@ public void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext,
         delegate().checkCanExecuteFunction(systemSecurityContext, functionName);
     }
 
+    @Override
+    public void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext, CatalogSchemaRoutineName functionName)
+    {
+        delegate().checkCanExecuteFunction(systemSecurityContext, functionName);
+    }
+
     @Override
     public void checkCanExecuteTableProcedure(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName table, String procedure)
     {

plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/LegacyAccessControl.java

@@ -388,6 +388,11 @@ public void checkCanExecuteTableProcedure(ConnectorSecurityContext context, Sche
     {
     }
 
+    @Override
+    public void checkCanExecuteFunction(ConnectorSecurityContext context, SchemaRoutineName function)
+    {
+    }
+
     @Override
     public List<ViewExpression> getRowFilters(ConnectorSecurityContext context, SchemaTableName tableName)
     {

plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/SqlStandardAccessControl.java

@@ -569,6 +569,11 @@ public void checkCanExecuteTableProcedure(ConnectorSecurityContext context, Sche
         }
     }
 
+    @Override
+    public void checkCanExecuteFunction(ConnectorSecurityContext context, SchemaRoutineName function)
+    {
+    }
+
     @Override
     public List<ViewExpression> getRowFilters(ConnectorSecurityContext context, SchemaTableName tableName)
     {