diff --git a/core/trino-main/src/test/java/io/trino/connector/MockConnectorAccessControl.java b/core/trino-main/src/test/java/io/trino/connector/MockConnectorAccessControl.java
index dd50b7d68311..84cf183c09f4 100644
--- a/core/trino-main/src/test/java/io/trino/connector/MockConnectorAccessControl.java
+++ b/core/trino-main/src/test/java/io/trino/connector/MockConnectorAccessControl.java
@@ -14,7 +14,6 @@
 package io.trino.connector;
 import com.google.common.collect.ImmutableList;
-import io.trino.plugin.base.security.AllowAllAccessControl;
 import io.trino.spi.connector.ConnectorSecurityContext;
 import io.trino.spi.connector.SchemaTableName;
 import io.trino.spi.security.ConnectorIdentity;
@@ -38,7 +37,7 @@
 import static java.util.Objects.requireNonNull;
 class MockConnectorAccessControl
- extends AllowAllAccessControl
+ extends TestingAllowAllAccessControl
 {
 private static final String INFORMATION_SCHEMA = "information_schema";
diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllAccessControl.java b/core/trino-main/src/test/java/io/trino/connector/TestingAllowAllAccessControl.java
similarity index 99%
rename from lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllAccessControl.java
rename to core/trino-main/src/test/java/io/trino/connector/TestingAllowAllAccessControl.java
index 2d9c275fdfca..335a8318ef20 100644
--- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllAccessControl.java
+++ b/core/trino-main/src/test/java/io/trino/connector/TestingAllowAllAccessControl.java
@@ -11,7 +11,7 @@
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
-package io.trino.plugin.base.security;
+package io.trino.connector;
 import com.google.common.collect.ImmutableList;
 import io.trino.spi.connector.ConnectorAccessControl;
@@ -29,7 +29,7 @@
 import java.util.Optional;
 import java.util.Set;
-public class AllowAllAccessControl
+public class TestingAllowAllAccessControl
 implements ConnectorAccessControl
 {
 @Override
diff --git a/core/trino-main/src/test/java/io/trino/security/TestAccessControlManager.java b/core/trino-main/src/test/java/io/trino/security/TestAccessControlManager.java
index ab692a765fa7..484df258d4bd 100644
--- a/core/trino-main/src/test/java/io/trino/security/TestAccessControlManager.java
+++ b/core/trino-main/src/test/java/io/trino/security/TestAccessControlManager.java
@@ -20,7 +20,6 @@
 import io.trino.connector.MockConnectorFactory;
 import io.trino.eventlistener.EventListenerManager;
 import io.trino.metadata.QualifiedObjectName;
-import io.trino.plugin.base.security.AllowAllAccessControl;
 import io.trino.plugin.base.security.AllowAllSystemAccessControl;
 import io.trino.plugin.base.security.DefaultSystemAccessControl;
 import io.trino.plugin.base.security.ReadOnlySystemAccessControl;
@@ -318,7 +317,7 @@ public void testAllowExecuteProcedure()
 accessControlManager.loadSystemAccessControl("allow-all", ImmutableMap.of());
 queryRunner.createCatalog(TEST_CATALOG_NAME, MockConnectorFactory.create(), ImmutableMap.of());
- accessControlManager.setConnectorAccessControlProvider(CatalogServiceProvider.singleton(TEST_CATALOG_HANDLE, Optional.of(new AllowAllAccessControl())));
+ accessControlManager.setConnectorAccessControlProvider(CatalogServiceProvider.singleton(TEST_CATALOG_HANDLE, Optional.empty()));
 transaction(transactionManager, accessControlManager)
 .execute(transactionId -> {
diff --git a/docs/src/main/sphinx/connector/hive-security.rst b/docs/src/main/sphinx/connector/hive-security.rst
index 7f37d227bc41..7881ef72c0ee 100644
--- a/docs/src/main/sphinx/connector/hive-security.rst
+++ b/docs/src/main/sphinx/connector/hive-security.rst
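Review bot: The renamed `TestingAllowAllAccessControl` loses its completeness guard, because TestAllowAllAccessControl and its `assertAllMethodsOverridden(ConnectorAccessControl.class, AllowAllAccessControl.class)` check are deleted later in this commit without a replacement. A method added to `ConnectorAccessControl` afterwards would silently fall back to the interface default in `MockConnectorAccessControl` and every test built on it; what those defaults do is not visible here, but if they deny, unrelated tests would start failing for a reason that is hard to trace. Consider keeping the test next to the renamed class with the body `assertAllMethodsOverridden(ConnectorAccessControl.class, TestingAllowAllAccessControl.class);`, assuming the helper is reachable from this module's test scope. The class body lies outside the hunk.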
@@ -36,7 +36,8 @@ Property value Description :doc:`/sql/revoke` commands. See :ref:`hive-sql-standard-based-authorization` for details.
-``allow-all`` No authorization checks are enforced.
+``system`` No authorization checks are enforced. Roles are controlled by
+ system access control.
 ================================================== ============================================================
 .. _hive-sql-standard-based-authorization:
diff --git a/lib/trino-plugin-toolkit/src/test/java/io/trino/plugin/base/security/TestAllowAllAccessControl.java b/lib/trino-plugin-toolkit/src/test/java/io/trino/plugin/base/security/TestAllowAllAccessControl.java
deleted file mode 100644
index 7de751d5db6f..000000000000
--- a/lib/trino-plugin-toolkit/src/test/java/io/trino/plugin/base/security/TestAllowAllAccessControl.java
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.trino.plugin.base.security;
-
-import io.trino.spi.connector.ConnectorAccessControl;
-import org.testng.annotations.Test;
-
-import static io.trino.spi.testing.InterfaceTestUtils.assertAllMethodsOverridden;
-
-public class TestAllowAllAccessControl
-{
- @Test
- public void testEverythingImplemented()
- throws NoSuchMethodException
- {
- assertAllMethodsOverridden(ConnectorAccessControl.class, AllowAllAccessControl.class);
- }
-}
diff --git a/plugin/trino-hive-hadoop2/src/test/java/io/trino/plugin/hive/TestHivePlugin.java b/plugin/trino-hive-hadoop2/src/test/java/io/trino/plugin/hive/TestHivePlugin.java
index a50798c847a9..740e8a5ab17b 100644
--- a/plugin/trino-hive-hadoop2/src/test/java/io/trino/plugin/hive/TestHivePlugin.java
+++ b/plugin/trino-hive-hadoop2/src/test/java/io/trino/plugin/hive/TestHivePlugin.java
@@ -335,7 +335,7 @@ public void testAllowAllAccessControl()
 "test",
 ImmutableMap.builder()
 .put("hive.metastore.uri", "thrift://foo:1234")
- .put("hive.security", "allow-all")
+ .put("hive.security", "system")
 .buildOrThrow(),
 new TestingConnectorContext())
 .shutdown();
diff --git a/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/AllowAllSecurityModule.java b/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/AllowAllSecurityModule.java
deleted file mode 100644
index 7a4ecfd55722..000000000000
--- a/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/AllowAllSecurityModule.java
+++ /dev/null
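Review bot: The method is still named `testAllowAllAccessControl` although it now configures `"hive.security"` as `"system"`, so the name refers to a mode this commit removes; renaming it, for example to `public void testSystemAccessControl()` if that name is free in the part of the file outside the hunk, keeps the test list accurate. Nothing in the commit asserts that `allow-all` is now rejected, and the Iceberg counterpart in TestIcebergPlugin is deleted rather than inverted. A negative test that expects `connectorFactory.create(...)` to fail when given `.put("hive.security", "allow-all")` would pin the removal and guard against the value being re-accepted by accident. The method begins above the hunk.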
@@ -1,31 +0,0 @@
-/*
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.trino.plugin.hive.security;
-
-import com.google.inject.Binder;
-import com.google.inject.Module;
-import com.google.inject.Scopes;
-import io.trino.plugin.base.security.AllowAllAccessControl;
-import io.trino.spi.connector.ConnectorAccessControl;
-
-public class AllowAllSecurityModule
- implements Module
-{
- @Override
- public void configure(Binder binder)
- {
- binder.bind(ConnectorAccessControl.class).to(AllowAllAccessControl.class).in(Scopes.SINGLETON);
- binder.bind(AccessControlMetadataFactory.class).toInstance(metastore -> new AccessControlMetadata() {});
- }
-}
diff --git a/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/HiveSecurityModule.java b/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/HiveSecurityModule.java
index 5a5a3f51b138..a94c3664e040 100644
--- a/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/HiveSecurityModule.java
+++ b/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/HiveSecurityModule.java
@@ -30,7 +30,6 @@ public class HiveSecurityModule
 public static final String FILE = "file";
 public static final String READ_ONLY = "read-only";
 public static final String SQL_STANDARD = "sql-standard";
- public static final String ALLOW_ALL = "allow-all";
 public static final String SYSTEM = "system";
 @Override
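Review bot: Dropping the `ALLOW_ALL` constant here, and its `bindSecurityModule(ALLOW_ALL, new AllowAllSecurityModule())` line in the next hunk, leaves `hive.security=allow-all` with no handler, and nothing in the code tells an operator what replaces it. How `bindSecurityModule` treats an unmatched value is outside these hunks, so confirm that catalog startup fails with an error naming the property rather than coming up with a policy the operator did not choose; the same applies to `iceberg.security=allow-all` once the enum constant is removed in IcebergSecurityConfig.java. A short comment beside the remaining constants would help, e.g. `// "allow-all" was removed; "system" is its replacement (see hive-security.rst)`. `ALLOW_ALL` was `public static final`, so any out-of-tree reference to it stops compiling. The class body continues outside the hunk.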
@@ -53,7 +52,6 @@ protected void setup(Binder binder)
 new ReadOnlySecurityModule(),
 new StaticAccessControlMetadataModule()));
 bindSecurityModule(SQL_STANDARD, new SqlStandardSecurityModule());
- bindSecurityModule(ALLOW_ALL, new AllowAllSecurityModule());
 bindSecurityModule(SYSTEM, new SystemSecurityModule());
 }
diff --git a/plugin/trino-hive/src/test/java/io/trino/plugin/hive/HiveQueryRunner.java b/plugin/trino-hive/src/test/java/io/trino/plugin/hive/HiveQueryRunner.java
index 3a12ac6d7090..8adf6553de99 100644
--- a/plugin/trino-hive/src/test/java/io/trino/plugin/hive/HiveQueryRunner.java
+++ b/plugin/trino-hive/src/test/java/io/trino/plugin/hive/HiveQueryRunner.java
@@ -52,7 +52,6 @@
 import static io.airlift.log.Level.WARN;
 import static io.airlift.units.Duration.nanosSince;
 import static io.trino.plugin.hive.HiveTestUtils.HDFS_ENVIRONMENT;
-import static io.trino.plugin.hive.security.HiveSecurityModule.ALLOW_ALL;
 import static io.trino.plugin.hive.security.HiveSecurityModule.SQL_STANDARD;
 import static io.trino.plugin.tpch.ColumnNaming.SIMPLIFIED;
 import static io.trino.plugin.tpch.DecimalTypeMapping.DOUBLE;
@@ -398,7 +397,6 @@ public static void main(String[] args)
 .setInitialTables(TpchTable.getTables())
 .setBaseDataDir(baseDataDir)
 .setTpcdsCatalogEnabled(true)
- .setSecurity(ALLOW_ALL)
 // Uncomment to enable standard column naming (column names to be prefixed with the first letter of the table name, e.g.: o_orderkey vs orderkey)
 // and standard column types (decimals vs double for some columns). This will allow running unmodified tpch queries on the cluster.
 //.setTpchColumnNaming(ColumnNaming.STANDARD)
diff --git a/plugin/trino-hive/src/test/java/io/trino/plugin/hive/s3/S3HiveQueryRunner.java b/plugin/trino-hive/src/test/java/io/trino/plugin/hive/s3/S3HiveQueryRunner.java
index 68051de2a58a..6cff504aed70 100644
--- a/plugin/trino-hive/src/test/java/io/trino/plugin/hive/s3/S3HiveQueryRunner.java
+++ b/plugin/trino-hive/src/test/java/io/trino/plugin/hive/s3/S3HiveQueryRunner.java
@@ -27,7 +27,6 @@
 import static com.google.common.base.Preconditions.checkArgument;
 import static io.trino.plugin.hive.TestingThriftHiveMetastoreBuilder.testingThriftHiveMetastoreBuilder;
-import static io.trino.plugin.hive.security.HiveSecurityModule.ALLOW_ALL;
 import static java.util.Objects.requireNonNull;
 public final class S3HiveQueryRunner
@@ -152,7 +151,6 @@ public static void main(String[] args)
 .setExtraProperties(ImmutableMap.of("http-server.http.port", "8080"))
 .setSkipTimezoneSetup(true)
 .setInitialTables(TpchTable.getTables())
- .setSecurity(ALLOW_ALL)
 .build();
 Logger log = Logger.get(S3HiveQueryRunner.class);
 log.info("======== SERVER STARTED ========");
diff --git a/plugin/trino-iceberg/src/main/java/io/trino/plugin/iceberg/AllowAllSecurityModule.java b/plugin/trino-iceberg/src/main/java/io/trino/plugin/iceberg/AllowAllSecurityModule.java
deleted file mode 100644
index ad84d335fefc..000000000000
--- a/plugin/trino-iceberg/src/main/java/io/trino/plugin/iceberg/AllowAllSecurityModule.java
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.trino.plugin.iceberg;
-
-import com.google.inject.Binder;
-import com.google.inject.Module;
-import com.google.inject.Scopes;
-import io.trino.plugin.base.security.AllowAllAccessControl;
-import io.trino.spi.connector.ConnectorAccessControl;
-
-public class AllowAllSecurityModule
- implements Module
-{
- @Override
- public void configure(Binder binder)
- {
- binder.bind(ConnectorAccessControl.class).to(AllowAllAccessControl.class).in(Scopes.SINGLETON);
- }
-}
diff --git a/plugin/trino-iceberg/src/main/java/io/trino/plugin/iceberg/IcebergSecurityConfig.java b/plugin/trino-iceberg/src/main/java/io/trino/plugin/iceberg/IcebergSecurityConfig.java
index a327a25b9826..5bd5dec906b2 100644
--- a/plugin/trino-iceberg/src/main/java/io/trino/plugin/iceberg/IcebergSecurityConfig.java
+++ b/plugin/trino-iceberg/src/main/java/io/trino/plugin/iceberg/IcebergSecurityConfig.java
@@ -21,13 +21,12 @@ public class IcebergSecurityConfig
 {
 public enum IcebergSecurity
 {
- ALLOW_ALL,
 READ_ONLY,
 SYSTEM,
 FILE,
 }
- private IcebergSecurity securitySystem = IcebergSecurity.ALLOW_ALL;
+ private IcebergSecurity securitySystem = IcebergSecurity.SYSTEM;
 @NotNull
 public IcebergSecurity getSecuritySystem()
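Review bot: Changing the default from `IcebergSecurity.ALLOW_ALL` to `IcebergSecurity.SYSTEM` alters the effective policy of every catalog that never set `iceberg.security`, yet the field carries no comment saying what `SYSTEM` means. I would add `// SYSTEM: no ConnectorAccessControl is bound, so the engine's system access control decides` above the field, which matches the comment kept in IcebergSecurityModule. The diff updates hive-security.rst but shows no matching Iceberg documentation change, so the new default may be undocumented for operators who relied on the old one. The class continues past the end of the hunk.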
diff --git a/plugin/trino-iceberg/src/main/java/io/trino/plugin/iceberg/IcebergSecurityModule.java b/plugin/trino-iceberg/src/main/java/io/trino/plugin/iceberg/IcebergSecurityModule.java
index 6aa9f419b388..e658ca6b6b22 100644
--- a/plugin/trino-iceberg/src/main/java/io/trino/plugin/iceberg/IcebergSecurityModule.java
+++ b/plugin/trino-iceberg/src/main/java/io/trino/plugin/iceberg/IcebergSecurityModule.java
@@ -22,7 +22,6 @@
 import io.trino.plugin.iceberg.IcebergSecurityConfig.IcebergSecurity;
 import static io.airlift.configuration.ConditionalModule.conditionalModule;
-import static io.trino.plugin.iceberg.IcebergSecurityConfig.IcebergSecurity.ALLOW_ALL;
 import static io.trino.plugin.iceberg.IcebergSecurityConfig.IcebergSecurity.FILE;
 import static io.trino.plugin.iceberg.IcebergSecurityConfig.IcebergSecurity.READ_ONLY;
@@ -33,7 +32,6 @@ public class IcebergSecurityModule
 protected void setup(Binder binder)
 {
 install(new ConnectorAccessControlModule());
- bindSecurityModule(ALLOW_ALL, new AllowAllSecurityModule());
 bindSecurityModule(READ_ONLY, new ReadOnlySecurityModule());
 bindSecurityModule(FILE, new FileBasedAccessControlModule());
 // SYSTEM: do not bind an ConnectorAccessControl so the engine will use system security with system roles
diff --git a/plugin/trino-iceberg/src/test/java/io/trino/plugin/iceberg/TestIcebergPlugin.java b/plugin/trino-iceberg/src/test/java/io/trino/plugin/iceberg/TestIcebergPlugin.java
index f2516b8c806c..fe5d4ade5c36 100644
--- a/plugin/trino-iceberg/src/test/java/io/trino/plugin/iceberg/TestIcebergPlugin.java
+++ b/plugin/trino-iceberg/src/test/java/io/trino/plugin/iceberg/TestIcebergPlugin.java
@@ -124,22 +124,6 @@ public void testRecordingMetastore()
 .hasMessageContaining("Configuration property 'hive.metastore-recording-path' was not used");
 }
- @Test
- public void testAllowAllAccessControl()
- {
- ConnectorFactory connectorFactory = getConnectorFactory();
-
- connectorFactory.create(
- "test",
- ImmutableMap.builder()
- .put("iceberg.catalog.type", "HIVE_METASTORE")
- .put("hive.metastore.uri", "thrift://foo:1234")
- .put("iceberg.security", "allow-all")
- .buildOrThrow(),
- new TestingConnectorContext())
- .shutdown();
- }
-
 @Test
 public void testReadOnlyAllAccessControl()
 {
diff --git a/plugin/trino-iceberg/src/test/java/io/trino/plugin/iceberg/TestIcebergSecurityConfig.java b/plugin/trino-iceberg/src/test/java/io/trino/plugin/iceberg/TestIcebergSecurityConfig.java
index 6e30079bf96c..cea22a45782e 100644
--- a/plugin/trino-iceberg/src/test/java/io/trino/plugin/iceberg/TestIcebergSecurityConfig.java
+++ b/plugin/trino-iceberg/src/test/java/io/trino/plugin/iceberg/TestIcebergSecurityConfig.java
@@ -21,8 +21,8 @@
 import static io.airlift.configuration.testing.ConfigAssertions.assertFullMapping;
 import static io.airlift.configuration.testing.ConfigAssertions.assertRecordedDefaults;
 import static io.airlift.configuration.testing.ConfigAssertions.recordDefaults;
-import static io.trino.plugin.iceberg.IcebergSecurityConfig.IcebergSecurity.ALLOW_ALL;
 import static io.trino.plugin.iceberg.IcebergSecurityConfig.IcebergSecurity.READ_ONLY;
+import static io.trino.plugin.iceberg.IcebergSecurityConfig.IcebergSecurity.SYSTEM;
 public class TestIcebergSecurityConfig
 {
@@ -30,7 +30,7 @@ public class TestIcebergSecurityConfig
 public void testDefaults()
 {
 assertRecordedDefaults(recordDefaults(IcebergSecurityConfig.class)
- .setSecuritySystem(ALLOW_ALL));
+ .setSecuritySystem(SYSTEM));
 }
 @Test