Add access control for functions based on FunctionKind#12544
Add access control for functions based on FunctionKind#12544kokosing merged 4 commits intotrinodb:masterfrom
Conversation
kasiafi
force-pushed
the
355PTFAccessControl
branch
from
0d9a4ed to
ba946f5
Compare
kasiafi
force-pushed
the
355PTFAccessControl
branch
from
ba946f5 to
145284d
Compare
core/trino-main/src/main/java/io/trino/metadata/FunctionKind.java
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
This method was not used so far. Please simply remove it. The best would be to remove the other method too (the one with function name as String)
There was a problem hiding this comment.
@dain the old method was introduced a short while ago. It was only called for table function invocation analysis, but we don't have any table functions yet. I removed it in a separate commit. If you're OK with removing, I'll squash.
There was a problem hiding this comment.
@kokosing @kasiafi Do I understand correctly that the newly introduced method
void checkCanExecuteFunction(SecurityContext context, FunctionKind functionKind, QualifiedObjectName functionName);
should eventually replace the old one
void checkCanExecuteFunction(SecurityContext context, String functionName);
, so that all old functionality for AccessControls remains the same for all FunctionKinds which are not FunctionKind.TABLE?
There was a problem hiding this comment.
eventually -- yes, i think so
note however that currently function names are not qualified yet.
core/trino-main/src/main/java/io/trino/security/AccessControl.java
Outdated
Show resolved
Hide resolved
core/trino-main/src/main/java/io/trino/security/AccessControlManager.java
Outdated
Show resolved
Hide resolved
core/trino-main/src/main/java/io/trino/security/InjectedConnectorAccessControl.java
Outdated
Show resolved
Hide resolved
core/trino-spi/src/main/java/io/trino/spi/security/FunctionType.java
Outdated
Show resolved
Hide resolved
dain
left a comment
dain
left a comment
There was a problem hiding this comment.
Good stuff! I have two main concerns that we should discuss:
- I have a PR coming up that will move FunctionKind to the SPI, so we should talk about maybe just moving that one class now, so we don't end up with two versions in the future.
- I'm not sure how to handle the check for table functions in the Hive SQL standard impelemtnation. I'm leaning towards
isAdmin, but we could just deny.
core/trino-main/src/main/java/io/trino/security/AccessControlManager.java
Outdated
Show resolved
Hide resolved
core/trino-main/src/main/java/io/trino/security/AccessControlManager.java
Outdated
Show resolved
Hide resolved
core/trino-main/src/main/java/io/trino/security/InjectedConnectorAccessControl.java
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
In the next section of my function refactor, I move function framework from the engine to the SPI. As part of that, I move FunctionKind to io.trino.spi.connector.function. I suggest that we just move (or clone) this class to the new location now... assuming are all happy with my proposed target location.
There was a problem hiding this comment.
I moved FunctionKind to io.trino.spi.function. Or did you mean I should create a new package function under connector?
There was a problem hiding this comment.
This should be deny for table functions until file-based-rules are added that cover functions
There was a problem hiding this comment.
This should be deny for table functions until file-based-rules are added that cover functions
There was a problem hiding this comment.
This should be deny for table functions. Later when someone adds a table function for Hive we can discuss how to handle this.
There was a problem hiding this comment.
I'm not sure what the behavior should be here. My gut instinct it to restrict this to isAdmin(context) or just deny. I think that is admin is a reasonable first step. Also, I don't think Hive has any table functions right now, so even flat deny should be fine until someone adds one.
kasiafi
force-pushed
the
355PTFAccessControl
branch
2 times, most recently
from
c1de7f9 to
7908a08
Compare
kokosing
left a comment
kokosing
left a comment
There was a problem hiding this comment.
I would squash deprecation and method removal into single commit
This change adds an AccessControl method for functions using the function kind. The analogous method without the FunctionKind argument is removed. Access control based on function kind is needed because table functions are much more powerful than other function kinds, so it should be possible to easily deny executing all table functions while allowing all other functions. The new method is currently used only for table funcitons. This change also adds default implementations of function access control in SystemAccessControl and ConnectorAccessControl that deny executing table functions.
kasiafi
force-pushed
the
355PTFAccessControl
branch
from
7908a08 to
011687f
Compare
|
Do we need to document this yet? Or should we just wait for table functions? |
Incorporate following changes Introduce access control for functions based on FunctionKind trinodb/trino#12544 trinodb/trino@12dda62
@colebow we should document it, as it is currently used for table functions. |
6 participants
This is security improvement. It allows to apply different default access rules for functions based on function kind.
This is particularly useful when we add table functions, which are more powerful that other function kinds.
Should be merged before we add table functions:
#12325
#12324
#12502
This is a SPI change:
new ConnectorAccessControl method is added, and existing method is removed. An enum representing the function kind is introduced.
cc @mosabua @colebow for release notes