diff --git a/core/trino-main/src/main/java/io/trino/metadata/FunctionMetadata.java b/core/trino-main/src/main/java/io/trino/metadata/FunctionMetadata.java index 42e31e7ce058..a30735ba4ba2 100644 --- a/core/trino-main/src/main/java/io/trino/metadata/FunctionMetadata.java +++ b/core/trino-main/src/main/java/io/trino/metadata/FunctionMetadata.java @@ -15,14 +15,15 @@ import com.google.common.collect.ImmutableList; import com.google.common.primitives.Booleans; +import io.trino.spi.function.FunctionKind; import java.util.Collections; import java.util.List; import static com.google.common.base.Preconditions.checkArgument; -import static io.trino.metadata.FunctionKind.AGGREGATE; -import static io.trino.metadata.FunctionKind.SCALAR; -import static io.trino.metadata.FunctionKind.WINDOW; +import static io.trino.spi.function.FunctionKind.AGGREGATE; +import static io.trino.spi.function.FunctionKind.SCALAR; +import static io.trino.spi.function.FunctionKind.WINDOW; import static java.util.Objects.requireNonNull; public class FunctionMetadata diff --git a/core/trino-main/src/main/java/io/trino/metadata/FunctionResolver.java b/core/trino-main/src/main/java/io/trino/metadata/FunctionResolver.java index a2781957ac60..eeb9f387a607 100644 --- a/core/trino-main/src/main/java/io/trino/metadata/FunctionResolver.java +++ b/core/trino-main/src/main/java/io/trino/metadata/FunctionResolver.java 
@@ -38,13 +38,13 @@ import static com.google.common.base.Preconditions.checkState; import static com.google.common.collect.ImmutableList.toImmutableList; import static com.google.common.collect.Iterables.getOnlyElement; -import static io.trino.metadata.FunctionKind.AGGREGATE; -import static io.trino.metadata.FunctionKind.SCALAR; import static io.trino.metadata.GlobalFunctionCatalog.GLOBAL_CATALOG; import static io.trino.metadata.GlobalFunctionCatalog.GLOBAL_SCHEMA; import static io.trino.spi.StandardErrorCode.AMBIGUOUS_FUNCTION_CALL; import static io.trino.spi.StandardErrorCode.FUNCTION_IMPLEMENTATION_MISSING; import static io.trino.spi.StandardErrorCode.FUNCTION_NOT_FOUND; +import static io.trino.spi.function.FunctionKind.AGGREGATE; +import static io.trino.spi.function.FunctionKind.SCALAR; import static io.trino.sql.analyzer.TypeSignatureProvider.fromTypeSignatures; import static io.trino.type.UnknownType.UNKNOWN; import static java.lang.String.format; diff --git a/core/trino-main/src/main/java/io/trino/metadata/GlobalFunctionCatalog.java b/core/trino-main/src/main/java/io/trino/metadata/GlobalFunctionCatalog.java index 526555034fb3..f0949d7c3a11 100644 --- a/core/trino-main/src/main/java/io/trino/metadata/GlobalFunctionCatalog.java +++ b/core/trino-main/src/main/java/io/trino/metadata/GlobalFunctionCatalog.java @@ -34,9 +34,9 @@ import static com.google.common.base.Preconditions.checkArgument; import static com.google.common.base.Preconditions.checkState; import static com.google.common.collect.ImmutableMap.toImmutableMap; -import static io.trino.metadata.FunctionKind.AGGREGATE; import static io.trino.metadata.Signature.isOperatorName; import static io.trino.metadata.Signature.unmangleOperator; +import static io.trino.spi.function.FunctionKind.AGGREGATE; import static io.trino.spi.type.BigintType.BIGINT; import static io.trino.spi.type.BooleanType.BOOLEAN; import static io.trino.spi.type.IntegerType.INTEGER; 
diff --git a/core/trino-main/src/main/java/io/trino/metadata/ResolvedFunction.java b/core/trino-main/src/main/java/io/trino/metadata/ResolvedFunction.java index dd5c6f1ce093..dfdcdc1dfc43 100644 --- a/core/trino-main/src/main/java/io/trino/metadata/ResolvedFunction.java +++ b/core/trino-main/src/main/java/io/trino/metadata/ResolvedFunction.java @@ -26,6 +26,7 @@ import io.airlift.json.JsonCodecFactory; import io.airlift.json.ObjectMapperProvider; import io.trino.collect.cache.NonEvictableLoadingCache; +import io.trino.spi.function.FunctionKind; import io.trino.spi.type.Type; import io.trino.spi.type.TypeId; import io.trino.spi.type.TypeSignature; diff --git a/core/trino-main/src/main/java/io/trino/security/AccessControl.java b/core/trino-main/src/main/java/io/trino/security/AccessControl.java index 204ceb28f611..3902ca444c9b 100644 --- a/core/trino-main/src/main/java/io/trino/security/AccessControl.java +++ b/core/trino-main/src/main/java/io/trino/security/AccessControl.java @@ -18,6 +18,7 @@ import io.trino.spi.connector.CatalogSchemaName; import io.trino.spi.connector.CatalogSchemaTableName; import io.trino.spi.connector.SchemaTableName; +import io.trino.spi.function.FunctionKind; import io.trino.spi.security.AccessDeniedException; import io.trino.spi.security.Identity; import io.trino.spi.security.Privilege; @@ -530,7 +531,7 @@ void checkCanRevokeRoles(SecurityContext context, * * @throws AccessDeniedException if not allowed */ - void checkCanExecuteFunction(SecurityContext context, QualifiedObjectName functionName); + void checkCanExecuteFunction(SecurityContext context, FunctionKind functionKind, QualifiedObjectName functionName); /** * Check if identity is allowed to execute given table procedure on given table diff --git a/core/trino-main/src/main/java/io/trino/security/AccessControlManager.java b/core/trino-main/src/main/java/io/trino/security/AccessControlManager.java index 786b103a94af..0a3ef6ac96fe 100644 
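Review bot: The Javadoc above `checkCanExecuteFunction` in `AccessControl` does not mention the new `functionKind` parameter, so an implementer cannot tell whether the kind is informational or is expected to influence the decision. I would add `@param functionKind the kind of function being invoked (scalar, aggregate, window or table), passed so a policy can differ per kind`. Only the tail of that Javadoc is visible in the hunk, so the existing summary sentence may need the same touch. The same gap exists on the `ConnectorAccessControl` and `SystemAccessControl` default methods changed further down this diff.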
--- a/core/trino-main/src/main/java/io/trino/security/AccessControlManager.java +++ b/core/trino-main/src/main/java/io/trino/security/AccessControlManager.java @@ -35,6 +35,7 @@ import io.trino.spi.connector.ConnectorAccessControl; import io.trino.spi.connector.ConnectorSecurityContext; import io.trino.spi.connector.SchemaTableName; +import io.trino.spi.function.FunctionKind; import io.trino.spi.security.Identity; import io.trino.spi.security.PrincipalType; import io.trino.spi.security.Privilege; @@ -1135,19 +1136,23 @@ public void checkCanExecuteFunction(SecurityContext context, String functionName } @Override - public void checkCanExecuteFunction(SecurityContext securityContext, QualifiedObjectName functionName) + public void checkCanExecuteFunction(SecurityContext securityContext, FunctionKind functionKind, QualifiedObjectName functionName) { requireNonNull(securityContext, "securityContext is null"); + requireNonNull(functionKind, "functionKind is null"); requireNonNull(functionName, "functionName is null"); checkCanAccessCatalog(securityContext, functionName.getCatalogName()); - systemAuthorizationCheck(control -> control.checkCanExecuteFunction(securityContext.toSystemSecurityContext(), functionName.asCatalogSchemaRoutineName())); + systemAuthorizationCheck(control -> control.checkCanExecuteFunction( + securityContext.toSystemSecurityContext(), + functionKind, + functionName.asCatalogSchemaRoutineName())); catalogAuthorizationCheck( functionName.getCatalogName(), securityContext, - (control, context) -> control.checkCanExecuteFunction(context, functionName.asSchemaRoutineName())); + (control, context) -> control.checkCanExecuteFunction(context, functionKind, functionName.asSchemaRoutineName())); } @Override diff --git a/core/trino-main/src/main/java/io/trino/security/AllowAllAccessControl.java b/core/trino-main/src/main/java/io/trino/security/AllowAllAccessControl.java index 5b2c8ec9a33e..a9e86932d0b8 100644 
--- a/core/trino-main/src/main/java/io/trino/security/AllowAllAccessControl.java +++ b/core/trino-main/src/main/java/io/trino/security/AllowAllAccessControl.java @@ -17,6 +17,7 @@ import io.trino.spi.connector.CatalogSchemaName; import io.trino.spi.connector.CatalogSchemaTableName; import io.trino.spi.connector.SchemaTableName; +import io.trino.spi.function.FunctionKind; import io.trino.spi.security.Identity; import io.trino.spi.security.Privilege; import io.trino.spi.security.TrinoPrincipal; @@ -366,7 +367,7 @@ public void checkCanExecuteFunction(SecurityContext context, String functionName } @Override - public void checkCanExecuteFunction(SecurityContext context, QualifiedObjectName functionName) + public void checkCanExecuteFunction(SecurityContext context, FunctionKind functionKind, QualifiedObjectName functionName) { } diff --git a/core/trino-main/src/main/java/io/trino/security/DenyAllAccessControl.java b/core/trino-main/src/main/java/io/trino/security/DenyAllAccessControl.java index a6482ec826e3..3e9d71cce596 100644 --- a/core/trino-main/src/main/java/io/trino/security/DenyAllAccessControl.java +++ b/core/trino-main/src/main/java/io/trino/security/DenyAllAccessControl.java @@ -19,6 +19,7 @@ import io.trino.spi.connector.CatalogSchemaName; import io.trino.spi.connector.CatalogSchemaTableName; import io.trino.spi.connector.SchemaTableName; +import io.trino.spi.function.FunctionKind; import io.trino.spi.security.Identity; import io.trino.spi.security.Privilege; import io.trino.spi.security.TrinoPrincipal; @@ -492,7 +493,7 @@ public void checkCanExecuteFunction(SecurityContext context, String functionName } @Override - public void checkCanExecuteFunction(SecurityContext context, QualifiedObjectName functionName) + public void checkCanExecuteFunction(SecurityContext context, FunctionKind functionKind, QualifiedObjectName functionName) { denyExecuteFunction(functionName.toString()); } 
diff --git a/core/trino-main/src/main/java/io/trino/security/ForwardingAccessControl.java b/core/trino-main/src/main/java/io/trino/security/ForwardingAccessControl.java index e6a2c277f546..6fea169c4b63 100644 --- a/core/trino-main/src/main/java/io/trino/security/ForwardingAccessControl.java +++ b/core/trino-main/src/main/java/io/trino/security/ForwardingAccessControl.java @@ -17,6 +17,7 @@ import io.trino.spi.connector.CatalogSchemaName; import io.trino.spi.connector.CatalogSchemaTableName; import io.trino.spi.connector.SchemaTableName; +import io.trino.spi.function.FunctionKind; import io.trino.spi.security.Identity; import io.trino.spi.security.Privilege; import io.trino.spi.security.TrinoPrincipal; @@ -449,9 +450,9 @@ public void checkCanExecuteFunction(SecurityContext context, String functionName } @Override - public void checkCanExecuteFunction(SecurityContext context, QualifiedObjectName functionName) + public void checkCanExecuteFunction(SecurityContext context, FunctionKind functionKind, QualifiedObjectName functionName) { - delegate().checkCanExecuteFunction(context, functionName); + delegate().checkCanExecuteFunction(context, functionKind, functionName); } @Override diff --git a/core/trino-main/src/main/java/io/trino/security/InjectedConnectorAccessControl.java b/core/trino-main/src/main/java/io/trino/security/InjectedConnectorAccessControl.java index 2732b9db26a2..ec885716b153 100644 --- a/core/trino-main/src/main/java/io/trino/security/InjectedConnectorAccessControl.java +++ b/core/trino-main/src/main/java/io/trino/security/InjectedConnectorAccessControl.java @@ -22,6 +22,7 @@ import io.trino.spi.connector.ConnectorSecurityContext; import io.trino.spi.connector.SchemaRoutineName; import io.trino.spi.connector.SchemaTableName; +import io.trino.spi.function.FunctionKind; import io.trino.spi.security.Privilege; import io.trino.spi.security.TrinoPrincipal; import io.trino.spi.security.ViewExpression; 
@@ -447,10 +448,10 @@ public void checkCanExecuteTableProcedure(ConnectorSecurityContext context, Sche } @Override - public void checkCanExecuteFunction(ConnectorSecurityContext context, SchemaRoutineName function) + public void checkCanExecuteFunction(ConnectorSecurityContext context, FunctionKind functionKind, SchemaRoutineName function) { checkArgument(context == null, "context must be null"); - accessControl.checkCanExecuteFunction(securityContext, new QualifiedObjectName(catalogName, function.getSchemaName(), function.getRoutineName())); + accessControl.checkCanExecuteFunction(securityContext, functionKind, new QualifiedObjectName(catalogName, function.getSchemaName(), function.getRoutineName())); } @Override diff --git a/core/trino-main/src/main/java/io/trino/sql/analyzer/StatementAnalyzer.java b/core/trino-main/src/main/java/io/trino/sql/analyzer/StatementAnalyzer.java index 5bc3784d46ba..d147b43db908 100644 --- a/core/trino-main/src/main/java/io/trino/sql/analyzer/StatementAnalyzer.java +++ b/core/trino-main/src/main/java/io/trino/sql/analyzer/StatementAnalyzer.java @@ -29,7 +29,6 @@ import io.trino.execution.Column; import io.trino.execution.warnings.WarningCollector; import io.trino.metadata.AnalyzePropertyManager; -import io.trino.metadata.FunctionKind; import io.trino.metadata.MaterializedViewDefinition; import io.trino.metadata.Metadata; import io.trino.metadata.OperatorNotFoundException; @@ -66,6 +65,7 @@ import io.trino.spi.connector.PointerType; import io.trino.spi.connector.SchemaTableName; import io.trino.spi.connector.TableProcedureMetadata; +import io.trino.spi.function.FunctionKind; import io.trino.spi.function.OperatorType; import io.trino.spi.ptf.Argument; import io.trino.spi.ptf.ArgumentSpecification; 
@@ -254,8 +254,6 @@ import static com.google.common.collect.Iterables.getLast; import static com.google.common.collect.Iterables.getOnlyElement; import static io.trino.SystemSessionProperties.getMaxGroupingSets; -import static io.trino.metadata.FunctionKind.AGGREGATE; -import static io.trino.metadata.FunctionKind.WINDOW; import static io.trino.metadata.MetadataUtil.createQualifiedObjectName; import static io.trino.metadata.MetadataUtil.getRequiredCatalogHandle; import static io.trino.spi.StandardErrorCode.AMBIGUOUS_NAME; @@ -303,6 +301,8 @@ import static io.trino.spi.StandardErrorCode.VIEW_IS_RECURSIVE; import static io.trino.spi.StandardErrorCode.VIEW_IS_STALE; import static io.trino.spi.connector.StandardWarningCode.REDUNDANT_ORDER_BY; +import static io.trino.spi.function.FunctionKind.AGGREGATE; +import static io.trino.spi.function.FunctionKind.WINDOW; import static io.trino.spi.ptf.ReturnTypeSpecification.GenericTable.GENERIC_TABLE; import static io.trino.spi.ptf.ReturnTypeSpecification.OnlyPassThrough.ONLY_PASS_THROUGH; import static io.trino.spi.type.BigintType.BIGINT; @@ -1481,7 +1481,7 @@ protected Scope visitTableFunctionInvocation(TableFunctionInvocation node, Optio CatalogName catalogName = tableFunctionMetadata.getCatalogName(); QualifiedObjectName functionName = new QualifiedObjectName(catalogName.getCatalogName(), function.getSchema(), function.getName()); - accessControl.checkCanExecuteFunction(SecurityContext.of(session), functionName); + accessControl.checkCanExecuteFunction(SecurityContext.of(session), FunctionKind.TABLE, functionName); Map passedArguments = analyzeArguments(node, function.getArguments(), node.getArguments()); diff --git a/core/trino-main/src/main/java/io/trino/sql/analyzer/WindowFunctionValidator.java b/core/trino-main/src/main/java/io/trino/sql/analyzer/WindowFunctionValidator.java index 37b40b3a609d..0409e3ea9bfc 100644 --- a/core/trino-main/src/main/java/io/trino/sql/analyzer/WindowFunctionValidator.java 
+++ b/core/trino-main/src/main/java/io/trino/sql/analyzer/WindowFunctionValidator.java @@ -19,8 +19,8 @@ import io.trino.sql.tree.DefaultExpressionTraversalVisitor; import io.trino.sql.tree.FunctionCall; -import static io.trino.metadata.FunctionKind.WINDOW; import static io.trino.spi.StandardErrorCode.MISSING_OVER; +import static io.trino.spi.function.FunctionKind.WINDOW; import static io.trino.sql.analyzer.SemanticExceptions.semanticException; import static java.util.Objects.requireNonNull; diff --git a/core/trino-main/src/main/java/io/trino/sql/planner/LocalExecutionPlanner.java b/core/trino-main/src/main/java/io/trino/sql/planner/LocalExecutionPlanner.java index e5cbeeebdc3c..ffa1ca5c0b93 100644 --- a/core/trino-main/src/main/java/io/trino/sql/planner/LocalExecutionPlanner.java +++ b/core/trino-main/src/main/java/io/trino/sql/planner/LocalExecutionPlanner.java @@ -45,7 +45,6 @@ import io.trino.index.IndexManager; import io.trino.metadata.BoundSignature; import io.trino.metadata.FunctionId; -import io.trino.metadata.FunctionKind; import io.trino.metadata.Metadata; import io.trino.metadata.ResolvedFunction; import io.trino.metadata.TableExecuteHandle; @@ -161,6 +160,7 @@ import io.trino.spi.connector.DynamicFilter; import io.trino.spi.connector.RecordSet; import io.trino.spi.connector.SortOrder; +import io.trino.spi.function.FunctionKind; import io.trino.spi.predicate.Domain; import io.trino.spi.predicate.NullableValue; import io.trino.spi.type.RowType; diff --git a/core/trino-main/src/main/java/io/trino/sql/rewrite/ShowQueriesRewrite.java b/core/trino-main/src/main/java/io/trino/sql/rewrite/ShowQueriesRewrite.java index 6800e87a63f8..fa4bcc0069cd 100644 --- a/core/trino-main/src/main/java/io/trino/sql/rewrite/ShowQueriesRewrite.java +++ b/core/trino-main/src/main/java/io/trino/sql/rewrite/ShowQueriesRewrite.java 
@@ -24,8 +24,6 @@ import io.trino.connector.CatalogName; import io.trino.execution.warnings.WarningCollector; import io.trino.metadata.ColumnPropertyManager; -import io.trino.metadata.FunctionKind; -import io.trino.metadata.FunctionManager; import io.trino.metadata.FunctionMetadata; import io.trino.metadata.MaterializedViewDefinition; import io.trino.metadata.MaterializedViewPropertyManager; @@ -45,6 +43,7 @@ import io.trino.spi.connector.CatalogSchemaName; import io.trino.spi.connector.ConnectorTableMetadata; import io.trino.spi.connector.SchemaTableName; +import io.trino.spi.function.FunctionKind; import io.trino.spi.security.PrincipalType; import io.trino.spi.security.TrinoPrincipal; import io.trino.spi.session.PropertyMetadata; @@ -173,7 +172,6 @@ public final class ShowQueriesRewrite @Inject public ShowQueriesRewrite( Metadata metadata, - FunctionManager functionManager, SqlParser parser, AccessControl accessControl, SessionPropertyManager sessionPropertyManager, @@ -822,6 +820,8 @@ private static String getFunctionType(FunctionMetadata function) return "window"; case SCALAR: return "scalar"; + case TABLE: + throw new IllegalArgumentException("Unexpected function kind: " + kind); // TODO https://github.com/trinodb/trino/issues/12550 } throw new IllegalArgumentException("Unsupported function kind: " + kind); } diff --git a/core/trino-main/src/main/java/io/trino/testing/AllowAllAccessControlManager.java b/core/trino-main/src/main/java/io/trino/testing/AllowAllAccessControlManager.java index c0cd458f75dc..cc72964b556c 100644 --- a/core/trino-main/src/main/java/io/trino/testing/AllowAllAccessControlManager.java +++ b/core/trino-main/src/main/java/io/trino/testing/AllowAllAccessControlManager.java 
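Review bot: The new `case TABLE:` branch in `getFunctionType` throws with "Unexpected function kind" while the fall-through two lines below throws "Unsupported function kind", and the only explanation is a trailing TODO link. If `TABLE` metadata can ever reach this listing path (the caller is outside the hunk, so this is not certain), the whole statement fails with an `IllegalArgumentException` rather than a user-facing error. I would move the TODO to its own line above the case and state the assumption, e.g. `// table functions are not listed here yet; see the linked issue`, and use the same message as the fall-through so logs can be searched with one string.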
@@ -19,6 +19,7 @@ import io.trino.spi.connector.CatalogSchemaName; import io.trino.spi.connector.CatalogSchemaTableName; import io.trino.spi.connector.SchemaTableName; +import io.trino.spi.function.FunctionKind; import io.trino.spi.security.Identity; import io.trino.spi.security.Privilege; import io.trino.spi.security.TrinoPrincipal; @@ -243,7 +244,7 @@ public void checkCanExecuteProcedure(SecurityContext context, QualifiedObjectNam public void checkCanExecuteFunction(SecurityContext context, String functionName) {} @Override - public void checkCanExecuteFunction(SecurityContext context, QualifiedObjectName functionName) {} + public void checkCanExecuteFunction(SecurityContext context, FunctionKind functionKind, QualifiedObjectName functionName) {} @Override public void checkCanExecuteTableProcedure(SecurityContext context, QualifiedObjectName tableName, String procedureName) {} diff --git a/core/trino-main/src/main/java/io/trino/testing/LocalQueryRunner.java b/core/trino-main/src/main/java/io/trino/testing/LocalQueryRunner.java index 09b277a4a7e5..24f21883db06 100644 --- a/core/trino-main/src/main/java/io/trino/testing/LocalQueryRunner.java +++ b/core/trino-main/src/main/java/io/trino/testing/LocalQueryRunner.java @@ -1123,7 +1123,6 @@ private AnalyzerFactory createAnalyzerFactory(QueryExplainerFactory queryExplain new DescribeOutputRewrite(sqlParser), new ShowQueriesRewrite( plannerContext.getMetadata(), - plannerContext.getFunctionManager(), sqlParser, accessControl, sessionPropertyManager, diff --git a/core/trino-main/src/test/java/io/trino/metadata/AbstractMockMetadata.java b/core/trino-main/src/test/java/io/trino/metadata/AbstractMockMetadata.java index 5742af206575..f309625ecd7c 100644 --- a/core/trino-main/src/test/java/io/trino/metadata/AbstractMockMetadata.java +++ b/core/trino-main/src/test/java/io/trino/metadata/AbstractMockMetadata.java 
@@ -74,9 +74,9 @@ import java.util.Set; import static io.trino.metadata.FunctionId.toFunctionId; -import static io.trino.metadata.FunctionKind.SCALAR; import static io.trino.metadata.RedirectionAwareTableHandle.noRedirection; import static io.trino.spi.StandardErrorCode.FUNCTION_NOT_FOUND; +import static io.trino.spi.function.FunctionKind.SCALAR; import static io.trino.spi.type.DoubleType.DOUBLE; import static io.trino.type.InternalTypeManager.TESTING_TYPE_MANAGER; diff --git a/core/trino-main/src/test/java/io/trino/metadata/TestResolvedFunction.java b/core/trino-main/src/test/java/io/trino/metadata/TestResolvedFunction.java index 8f7e78e9f278..b09517d59972 100644 --- a/core/trino-main/src/test/java/io/trino/metadata/TestResolvedFunction.java +++ b/core/trino-main/src/test/java/io/trino/metadata/TestResolvedFunction.java @@ -27,7 +27,7 @@ import java.util.regex.Pattern; import static com.google.common.collect.ImmutableMap.toImmutableMap; -import static io.trino.metadata.FunctionKind.SCALAR; +import static io.trino.spi.function.FunctionKind.SCALAR; import static io.trino.spi.type.VarcharType.createVarcharType; import static java.lang.Integer.parseInt; import static org.testng.Assert.assertEquals; diff --git a/core/trino-main/src/test/java/io/trino/sql/analyzer/TestAnalyzer.java b/core/trino-main/src/test/java/io/trino/sql/analyzer/TestAnalyzer.java index 1aeaa201154d..88c017f7fb44 100644 --- a/core/trino-main/src/test/java/io/trino/sql/analyzer/TestAnalyzer.java +++ b/core/trino-main/src/test/java/io/trino/sql/analyzer/TestAnalyzer.java @@ -5990,7 +5990,6 @@ private Analyzer createAnalyzer(Session session, AccessControl accessControl) { StatementRewrite statementRewrite = new StatementRewrite(ImmutableSet.of(new ShowQueriesRewrite( plannerContext.getMetadata(), - plannerContext.getFunctionManager(), SQL_PARSER, accessControl, new SessionPropertyManager(), 
diff --git a/core/trino-main/src/test/java/io/trino/sql/planner/TestEffectivePredicateExtractor.java b/core/trino-main/src/test/java/io/trino/sql/planner/TestEffectivePredicateExtractor.java index 0ba894957661..7d176d184eaf 100644 --- a/core/trino-main/src/test/java/io/trino/sql/planner/TestEffectivePredicateExtractor.java +++ b/core/trino-main/src/test/java/io/trino/sql/planner/TestEffectivePredicateExtractor.java @@ -95,7 +95,7 @@ import static com.google.common.base.Preconditions.checkState; import static com.google.common.collect.ImmutableList.toImmutableList; import static io.trino.metadata.FunctionId.toFunctionId; -import static io.trino.metadata.FunctionKind.SCALAR; +import static io.trino.spi.function.FunctionKind.SCALAR; import static io.trino.spi.type.BigintType.BIGINT; import static io.trino.spi.type.DoubleType.DOUBLE; import static io.trino.spi.type.RealType.REAL; diff --git a/core/trino-main/src/test/java/io/trino/sql/planner/TestLiteralEncoder.java b/core/trino-main/src/test/java/io/trino/sql/planner/TestLiteralEncoder.java index 3f89830e100e..4aadd6e5dc2a 100644 --- a/core/trino-main/src/test/java/io/trino/sql/planner/TestLiteralEncoder.java +++ b/core/trino-main/src/test/java/io/trino/sql/planner/TestLiteralEncoder.java 
@@ -47,11 +47,11 @@ import static io.airlift.testing.Assertions.assertEqualsIgnoreCase; import static io.trino.SessionTestUtils.TEST_SESSION; import static io.trino.metadata.FunctionId.toFunctionId; -import static io.trino.metadata.FunctionKind.SCALAR; import static io.trino.metadata.LiteralFunction.LITERAL_FUNCTION_NAME; import static io.trino.operator.scalar.JoniRegexpCasts.castVarcharToJoniRegexp; import static io.trino.operator.scalar.JsonFunctions.castVarcharToJsonPath; import static io.trino.operator.scalar.StringFunctions.castVarcharToCodePoints; +import static io.trino.spi.function.FunctionKind.SCALAR; import static io.trino.spi.type.BigintType.BIGINT; import static io.trino.spi.type.CharType.createCharType; import static io.trino.spi.type.DateTimeEncoding.packDateTimeWithZone; diff --git a/core/trino-spi/src/main/java/io/trino/spi/connector/ConnectorAccessControl.java b/core/trino-spi/src/main/java/io/trino/spi/connector/ConnectorAccessControl.java index 2d0ff5b36c31..d115bf640db1 100644 --- a/core/trino-spi/src/main/java/io/trino/spi/connector/ConnectorAccessControl.java +++ b/core/trino-spi/src/main/java/io/trino/spi/connector/ConnectorAccessControl.java @@ -13,6 +13,7 @@ */ package io.trino.spi.connector; +import io.trino.spi.function.FunctionKind; import io.trino.spi.security.Privilege; import io.trino.spi.security.TrinoPrincipal; import io.trino.spi.security.ViewExpression; @@ -598,11 +599,11 @@ default void checkCanExecuteTableProcedure(ConnectorSecurityContext context, Sch } /** - * Check if identity is allowed to execute function. + * Check if identity is allowed to execute function * * @throws io.trino.spi.security.AccessDeniedException if not allowed */ - default void checkCanExecuteFunction(ConnectorSecurityContext context, SchemaRoutineName function) + default void checkCanExecuteFunction(ConnectorSecurityContext context, FunctionKind functionKind, SchemaRoutineName function) { denyExecuteFunction(function.toString()); } 
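Review bot: The two-argument `ConnectorAccessControl.checkCanExecuteFunction` is removed outright rather than deprecated, and the replacement default calls `denyExecuteFunction`. A connector access control built against the previous SPI would therefore no longer have its override consulted and every function call through it would be denied. That is the fail-closed direction, which is right for an authorization default, but it is a silent behaviour change on upgrade and the Javadoc does not mention it. I would say so in the Javadoc, e.g. `The default implementation denies execution; implementations must override this method to allow any function kind.` The `SystemAccessControl` default changed later in this diff has the same property.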
diff --git a/core/trino-main/src/main/java/io/trino/metadata/FunctionKind.java b/core/trino-spi/src/main/java/io/trino/spi/function/FunctionKind.java similarity index 91% rename from core/trino-main/src/main/java/io/trino/metadata/FunctionKind.java rename to core/trino-spi/src/main/java/io/trino/spi/function/FunctionKind.java index 11aaa1047b34..6bd9e915a789 100644 --- a/core/trino-main/src/main/java/io/trino/metadata/FunctionKind.java +++ b/core/trino-spi/src/main/java/io/trino/spi/function/FunctionKind.java @@ -11,11 +11,12 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -package io.trino.metadata; +package io.trino.spi.function; public enum FunctionKind { SCALAR, AGGREGATE, - WINDOW + WINDOW, + TABLE, } diff --git a/core/trino-spi/src/main/java/io/trino/spi/security/SystemAccessControl.java b/core/trino-spi/src/main/java/io/trino/spi/security/SystemAccessControl.java index ac2c5e836c51..4717fce8b7f5 100644 --- a/core/trino-spi/src/main/java/io/trino/spi/security/SystemAccessControl.java +++ b/core/trino-spi/src/main/java/io/trino/spi/security/SystemAccessControl.java @@ -18,6 +18,7 @@ import io.trino.spi.connector.CatalogSchemaTableName; import io.trino.spi.connector.SchemaTableName; import io.trino.spi.eventlistener.EventListener; +import io.trino.spi.function.FunctionKind; import io.trino.spi.type.Type; import java.security.Principal; @@ -813,7 +814,7 @@ default void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext * * @throws AccessDeniedException if not allowed */ - default void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext, CatalogSchemaRoutineName functionName) + default void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext, FunctionKind functionKind, CatalogSchemaRoutineName functionName) { denyExecuteFunction(functionName.toString()); } 
diff --git a/core/trino-spi/src/test/java/io/trino/spi/TestSpiBackwardCompatibility.java b/core/trino-spi/src/test/java/io/trino/spi/TestSpiBackwardCompatibility.java index d940dd4a778e..b93c813681e8 100644 --- a/core/trino-spi/src/test/java/io/trino/spi/TestSpiBackwardCompatibility.java +++ b/core/trino-spi/src/test/java/io/trino/spi/TestSpiBackwardCompatibility.java @@ -64,7 +64,9 @@ public class TestSpiBackwardCompatibility "Method: public java.lang.String io.trino.spi.ptf.ConnectorTableFunction.getName()", "Method: public java.lang.String io.trino.spi.ptf.ConnectorTableFunction.getSchema()")) .put("383", ImmutableSet.of( - "Method: public abstract java.lang.String io.trino.spi.function.AggregationState.value()")) + "Method: public abstract java.lang.String io.trino.spi.function.AggregationState.value()", + "Method: public default void io.trino.spi.security.SystemAccessControl.checkCanExecuteFunction(io.trino.spi.security.SystemSecurityContext,io.trino.spi.connector.CatalogSchemaRoutineName)", + "Method: public default void io.trino.spi.connector.ConnectorAccessControl.checkCanExecuteFunction(io.trino.spi.connector.ConnectorSecurityContext,io.trino.spi.connector.SchemaRoutineName)")) .buildOrThrow(); @Test diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/classloader/ClassLoaderSafeConnectorAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/classloader/ClassLoaderSafeConnectorAccessControl.java index 4eff31b04ae4..618d013aa767 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/classloader/ClassLoaderSafeConnectorAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/classloader/ClassLoaderSafeConnectorAccessControl.java 
@@ -18,6 +18,7 @@ import io.trino.spi.connector.ConnectorSecurityContext; import io.trino.spi.connector.SchemaRoutineName; import io.trino.spi.connector.SchemaTableName; +import io.trino.spi.function.FunctionKind; import io.trino.spi.security.Privilege; import io.trino.spi.security.TrinoPrincipal; import io.trino.spi.security.ViewExpression; @@ -494,10 +495,10 @@ public void checkCanExecuteTableProcedure(ConnectorSecurityContext context, Sche } @Override - public void checkCanExecuteFunction(ConnectorSecurityContext context, SchemaRoutineName function) + public void checkCanExecuteFunction(ConnectorSecurityContext context, FunctionKind functionKind, SchemaRoutineName function) { try (ThreadContextClassLoader ignored = new ThreadContextClassLoader(classLoader)) { - delegate.checkCanExecuteFunction(context, function); + delegate.checkCanExecuteFunction(context, functionKind, function); } } diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllAccessControl.java index 859d48b496fd..b9e05c45b1c8 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllAccessControl.java @@ -18,6 +18,7 @@ import io.trino.spi.connector.ConnectorSecurityContext; import io.trino.spi.connector.SchemaRoutineName; import io.trino.spi.connector.SchemaTableName; +import io.trino.spi.function.FunctionKind; import io.trino.spi.security.Privilege; import io.trino.spi.security.TrinoPrincipal; import io.trino.spi.security.ViewExpression; 
@@ -318,7 +319,7 @@ public void checkCanExecuteTableProcedure(ConnectorSecurityContext context, Sche } @Override - public void checkCanExecuteFunction(ConnectorSecurityContext context, SchemaRoutineName function) + public void checkCanExecuteFunction(ConnectorSecurityContext context, FunctionKind functionKind, SchemaRoutineName function) { } diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllSystemAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllSystemAccessControl.java index d4dd5a144c6f..274491deb200 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllSystemAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllSystemAccessControl.java @@ -19,6 +19,7 @@ import io.trino.spi.connector.CatalogSchemaTableName; import io.trino.spi.connector.SchemaTableName; import io.trino.spi.eventlistener.EventListener; +import io.trino.spi.function.FunctionKind; import io.trino.spi.security.Identity; import io.trino.spi.security.Privilege; import io.trino.spi.security.SystemAccessControl; @@ -426,7 +427,7 @@ public void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext, } @Override - public void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext, CatalogSchemaRoutineName functionName) + public void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext, FunctionKind functionKind, CatalogSchemaRoutineName functionName) { } diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedAccessControl.java index 056537a323bf..0fbc4b525fb4 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedAccessControl.java 
+++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedAccessControl.java @@ -21,6 +21,7 @@ import io.trino.spi.connector.ConnectorSecurityContext; import io.trino.spi.connector.SchemaRoutineName; import io.trino.spi.connector.SchemaTableName; +import io.trino.spi.function.FunctionKind; import io.trino.spi.security.ConnectorIdentity; import io.trino.spi.security.Privilege; import io.trino.spi.security.TrinoPrincipal; @@ -44,6 +45,7 @@ import static io.trino.plugin.base.security.TableAccessControlRule.TablePrivilege.SELECT; import static io.trino.plugin.base.security.TableAccessControlRule.TablePrivilege.UPDATE; import static io.trino.plugin.base.util.JsonUtils.parseJson; +import static io.trino.spi.function.FunctionKind.TABLE; import static io.trino.spi.security.AccessDeniedException.denyAddColumn; import static io.trino.spi.security.AccessDeniedException.denyCommentColumn; import static io.trino.spi.security.AccessDeniedException.denyCommentTable; @@ -62,6 +64,7 @@ import static io.trino.spi.security.AccessDeniedException.denyDropSchema; import static io.trino.spi.security.AccessDeniedException.denyDropTable; import static io.trino.spi.security.AccessDeniedException.denyDropView; +import static io.trino.spi.security.AccessDeniedException.denyExecuteFunction; import static io.trino.spi.security.AccessDeniedException.denyGrantRoles; import static io.trino.spi.security.AccessDeniedException.denyGrantSchemaPrivilege; import static io.trino.spi.security.AccessDeniedException.denyGrantTablePrivilege; @@ -592,8 +595,11 @@ public void checkCanExecuteTableProcedure(ConnectorSecurityContext context, Sche } @Override - public void checkCanExecuteFunction(ConnectorSecurityContext context, SchemaRoutineName function) + public void checkCanExecuteFunction(ConnectorSecurityContext context, FunctionKind functionKind, SchemaRoutineName function) { + if (functionKind == TABLE) { + denyExecuteFunction(function.toString()); + } } @Override 
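Review bot: The guard added to `FileBasedAccessControl.checkCanExecuteFunction` at `@@ -592,8 +595,11 @@` is a deny-list on a single kind, `if (functionKind == TABLE)`, so a null `functionKind` or any kind added to the enum later falls through to an implicit allow. For an authorization check I would name the permitted kinds and deny the rest: `if (functionKind != SCALAR && functionKind != AGGREGATE && functionKind != WINDOW) { denyExecuteFunction(function.toString()); }`, with the matching static imports. A short comment should also say why table functions are denied for every identity here; presumably the file-based rules have no section for them, but the hunk does not say. The same pattern appears in `FileBasedSystemAccessControl` (`@@ -939,8 +942,11 @@`), `LegacyAccessControl` (`@@ -389,8 +392,11 @@`) and `SqlStandardAccessControl` (`@@ -570,8 +573,11 @@`).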
diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedSystemAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedSystemAccessControl.java index db58f0080a33..81726582b9e6 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedSystemAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedSystemAccessControl.java @@ -27,6 +27,7 @@ import io.trino.spi.connector.CatalogSchemaTableName; import io.trino.spi.connector.SchemaTableName; import io.trino.spi.eventlistener.EventListener; +import io.trino.spi.function.FunctionKind; import io.trino.spi.security.Identity; import io.trino.spi.security.Privilege; import io.trino.spi.security.SystemAccessControl; @@ -60,6 +61,7 @@ import static io.trino.plugin.base.security.TableAccessControlRule.TablePrivilege.UPDATE; import static io.trino.plugin.base.util.JsonUtils.parseJson; import static io.trino.spi.StandardErrorCode.CONFIGURATION_INVALID; +import static io.trino.spi.function.FunctionKind.TABLE; import static io.trino.spi.security.AccessDeniedException.denyAddColumn; import static io.trino.spi.security.AccessDeniedException.denyCatalogAccess; import static io.trino.spi.security.AccessDeniedException.denyCommentColumn; @@ -79,6 +81,7 @@ import static io.trino.spi.security.AccessDeniedException.denyDropSchema; import static io.trino.spi.security.AccessDeniedException.denyDropTable; import static io.trino.spi.security.AccessDeniedException.denyDropView; +import static io.trino.spi.security.AccessDeniedException.denyExecuteFunction; import static io.trino.spi.security.AccessDeniedException.denyGrantRoles; import static io.trino.spi.security.AccessDeniedException.denyGrantSchemaPrivilege; import static io.trino.spi.security.AccessDeniedException.denyGrantTablePrivilege; 
@@ -939,8 +942,11 @@ public void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext, } @Override - public void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext, CatalogSchemaRoutineName functionName) + public void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext, FunctionKind functionKind, CatalogSchemaRoutineName functionName) { + if (functionKind == TABLE) { + denyExecuteFunction(functionName.toString()); + } } @Override diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingConnectorAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingConnectorAccessControl.java index 8bf3cf665241..a7c80840f2d2 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingConnectorAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingConnectorAccessControl.java @@ -17,6 +17,7 @@ import io.trino.spi.connector.ConnectorSecurityContext; import io.trino.spi.connector.SchemaRoutineName; import io.trino.spi.connector.SchemaTableName; +import io.trino.spi.function.FunctionKind; import io.trino.spi.security.Privilege; import io.trino.spi.security.TrinoPrincipal; import io.trino.spi.security.ViewExpression; @@ -387,9 +388,9 @@ public void checkCanExecuteTableProcedure(ConnectorSecurityContext context, Sche } @Override - public void checkCanExecuteFunction(ConnectorSecurityContext context, SchemaRoutineName function) + public void checkCanExecuteFunction(ConnectorSecurityContext context, FunctionKind functionKind, SchemaRoutineName function) { - delegate().checkCanExecuteFunction(context, function); + delegate().checkCanExecuteFunction(context, functionKind, function); } @Override 
diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingSystemAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingSystemAccessControl.java index 00f0cefbbba9..c117804eac6e 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingSystemAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingSystemAccessControl.java @@ -18,6 +18,7 @@ import io.trino.spi.connector.CatalogSchemaTableName; import io.trino.spi.connector.SchemaTableName; import io.trino.spi.eventlistener.EventListener; +import io.trino.spi.function.FunctionKind; import io.trino.spi.security.Identity; import io.trino.spi.security.Privilege; import io.trino.spi.security.SystemAccessControl; @@ -469,9 +470,9 @@ public void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext, } @Override - public void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext, CatalogSchemaRoutineName functionName) + public void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext, FunctionKind functionKind, CatalogSchemaRoutineName functionName) { - delegate().checkCanExecuteFunction(systemSecurityContext, functionName); + delegate().checkCanExecuteFunction(systemSecurityContext, functionKind, functionName); } @Override diff --git a/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/LegacyAccessControl.java b/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/LegacyAccessControl.java index 3ef90ed7ed0b..8d1a0b5886d1 100644 --- a/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/LegacyAccessControl.java +++ b/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/LegacyAccessControl.java 
@@ -19,6 +19,7 @@ import io.trino.spi.connector.ConnectorSecurityContext; import io.trino.spi.connector.SchemaRoutineName; import io.trino.spi.connector.SchemaTableName; +import io.trino.spi.function.FunctionKind; import io.trino.spi.security.Privilege; import io.trino.spi.security.TrinoPrincipal; import io.trino.spi.security.ViewExpression; @@ -31,11 +32,13 @@ import java.util.Optional; import java.util.Set; +import static io.trino.spi.function.FunctionKind.TABLE; import static io.trino.spi.security.AccessDeniedException.denyAddColumn; import static io.trino.spi.security.AccessDeniedException.denyCommentColumn; import static io.trino.spi.security.AccessDeniedException.denyCommentTable; import static io.trino.spi.security.AccessDeniedException.denyDropColumn; import static io.trino.spi.security.AccessDeniedException.denyDropTable; +import static io.trino.spi.security.AccessDeniedException.denyExecuteFunction; import static io.trino.spi.security.AccessDeniedException.denyRenameColumn; import static io.trino.spi.security.AccessDeniedException.denyRenameTable; import static java.lang.String.format; @@ -389,8 +392,11 @@ public void checkCanExecuteTableProcedure(ConnectorSecurityContext context, Sche } @Override - public void checkCanExecuteFunction(ConnectorSecurityContext context, SchemaRoutineName function) + public void checkCanExecuteFunction(ConnectorSecurityContext context, FunctionKind functionKind, SchemaRoutineName function) { + if (functionKind == TABLE) { + denyExecuteFunction(function.toString()); + } } @Override diff --git a/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/SqlStandardAccessControl.java b/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/SqlStandardAccessControl.java index e6c0b9bd65fe..8a712b734e7a 100644 --- a/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/SqlStandardAccessControl.java +++ b/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/SqlStandardAccessControl.java 
@@ -24,6 +24,7 @@ import io.trino.spi.connector.ConnectorSecurityContext; import io.trino.spi.connector.SchemaRoutineName; import io.trino.spi.connector.SchemaTableName; +import io.trino.spi.function.FunctionKind; import io.trino.spi.security.AccessDeniedException; import io.trino.spi.security.ConnectorIdentity; import io.trino.spi.security.Privilege; @@ -54,6 +55,7 @@ import static io.trino.plugin.hive.metastore.thrift.ThriftMetastoreUtil.listApplicableRoles; import static io.trino.plugin.hive.metastore.thrift.ThriftMetastoreUtil.listEnabledPrincipals; import static io.trino.spi.StandardErrorCode.NOT_SUPPORTED; +import static io.trino.spi.function.FunctionKind.TABLE; import static io.trino.spi.security.AccessDeniedException.denyAddColumn; import static io.trino.spi.security.AccessDeniedException.denyCommentColumn; import static io.trino.spi.security.AccessDeniedException.denyCommentTable; @@ -70,6 +72,7 @@ import static io.trino.spi.security.AccessDeniedException.denyDropSchema; import static io.trino.spi.security.AccessDeniedException.denyDropTable; import static io.trino.spi.security.AccessDeniedException.denyDropView; +import static io.trino.spi.security.AccessDeniedException.denyExecuteFunction; import static io.trino.spi.security.AccessDeniedException.denyExecuteTableProcedure; import static io.trino.spi.security.AccessDeniedException.denyGrantRoles; import static io.trino.spi.security.AccessDeniedException.denyGrantTablePrivilege; @@ -570,8 +573,11 @@ public void checkCanExecuteTableProcedure(ConnectorSecurityContext context, Sche } @Override - public void checkCanExecuteFunction(ConnectorSecurityContext context, SchemaRoutineName function) + public void checkCanExecuteFunction(ConnectorSecurityContext context, FunctionKind functionKind, SchemaRoutineName function) { + if (functionKind == TABLE && !isAdmin(context)) { + denyExecuteFunction(function.toString()); + } } @Override
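Review bot: The admin-only rule introduced in `SqlStandardAccessControl.checkCanExecuteFunction` at `@@ -570,8 +573,11 @@`, `functionKind == TABLE && !isAdmin(context)`, has no comment explaining why table functions are tied to the admin role. Scalar, aggregate and window functions remain open to everyone. A one-line comment above the condition would help, for example `// No grant model exists for functions yet: table functions are limited to the admin role, other kinds are unrestricted`, adjusted to the actual intent. The denial raised by `denyExecuteFunction(function.toString())` carries only the function name, so it may be worth confirming that the message lets an operator tell a missing admin role from an unknown function.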