Add checkCanGrantExecuteFunctionPrivilege to ConnectorAccessControl by huberty89 · Pull Request #14191 · trinodb/trino

huberty89 · 2022-09-19T12:28:10Z

Description

Follow-up to #13944
I will needed this to complete #13713

Release notes

( ) This is not user-visible and no release notes are required.
( ) Release notes are required, please propose a release note for me.
(x) Release notes are required, with the following suggested text:

# SPI
* Add `ConnectorAccessControl.checkCanGrantExecuteFunctionPrivilege` overload that needs to be implemented
  to allow views that use table functions. ({issue}`13944`)

huberty89 · 2022-09-19T13:21:11Z

I would like to add a test for that, but not sure where should I start.

ksobolew

Makes sense, but I wonder... How much are we going to phase out connector access control in favor of global access control? (I know, this is a bigger question :) )

core/trino-spi/src/main/java/io/trino/spi/connector/ConnectorAccessControl.java

kokosing

You can write a test against sql-standard access control, to see it is rejecting table functions by default.

kokosing · 2022-09-19T15:33:11Z

...trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedAccessControl.java

I am under impression that this throw is not needed. However, it leaves no question that is a dead code.

Or maybe you can use return switch here?

I wanted to say the same, but the return value is void so it won't work.

findepi · 2022-09-19T20:16:07Z

lgtm % let's have a test

plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/SqlStandardAccessControl.java

kokosing · 2022-09-20T19:42:33Z

You can use io.trino.tests.product.hive.TestSqlStandardAccessControlChecks for testing

kokosing · 2022-09-27T20:30:58Z

LGTM % test

huberty89 · 2022-10-06T12:27:23Z

I rebased and add few tests in TestAccessControlManager

kokosing · 2022-10-06T14:33:51Z

Maven checks are failiing

ssheikin · 2022-10-06T14:36:03Z

core/trino-main/src/test/java/io/trino/security/TestAccessControlManager.java

May be { not needed?

What about testing checkCanExecuteFunction?

May be { not needed?

execute is overloaded and in-lining cause compilation error

What about testing checkCanExecuteFunction?

This is already checked in other tests

ssheikin · 2022-10-06T14:42:33Z

core/trino-main/src/test/java/io/trino/security/TestAccessControlManager.java

could you please verify that you have access before setting DenyConnectorAccessControl?

This is checked in testAllowExecuteTableFunction test

Yeah, I'd prefer to have these tests duplicated, than not to have it here.
It would underline that just before setting DenyConnectorAccessControl it was possible to select from that connector. Actually that's @kokosing's style.

huberty89 · 2022-10-07T10:36:45Z

@findepi @dain Would you like to take a look? I'm adding new method to SPI so I want to be sure if that's ok

kokosing · 2022-10-08T18:19:11Z

Merged, thanks!

cla-bot bot added the cla-signed label Sep 19, 2022

huberty89 requested review from dain, findepi, kasiafi, kokosing, ksobolew and ssheikin September 19, 2022 12:28

github-actions bot added the tests:hive label Sep 19, 2022

ksobolew approved these changes Sep 19, 2022

View reviewed changes

core/trino-spi/src/main/java/io/trino/spi/connector/ConnectorAccessControl.java Outdated Show resolved Hide resolved

kokosing reviewed Sep 19, 2022

View reviewed changes

ssheikin reviewed Sep 20, 2022

View reviewed changes

plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/SqlStandardAccessControl.java Outdated Show resolved Hide resolved

huberty89 force-pushed the hubert/add-can-grant-execute-function-to-connector-access-control branch from 8035179 to 03bc954 Compare September 27, 2022 14:44

kokosing approved these changes Sep 27, 2022

View reviewed changes

huberty89 force-pushed the hubert/add-can-grant-execute-function-to-connector-access-control branch from 03bc954 to 9838b12 Compare October 6, 2022 11:24

kokosing approved these changes Oct 6, 2022

View reviewed changes

ssheikin reviewed Oct 6, 2022

View reviewed changes

Add checkCanGrantExecuteFunctionPrivilege to ConnectorAccessControl

befc8b4

huberty89 force-pushed the hubert/add-can-grant-execute-function-to-connector-access-control branch from 9838b12 to befc8b4 Compare October 6, 2022 15:28

ssheikin approved these changes Oct 7, 2022

View reviewed changes

findepi assigned kokosing Oct 7, 2022

kokosing merged commit 4302296 into trinodb:master Oct 8, 2022

github-actions bot added this to the 400 milestone Oct 8, 2022

huberty89 mentioned this pull request Oct 10, 2022

Release notes for 400 #14509

Closed

colebow mentioned this pull request Oct 11, 2022

Add Trino 400 release notes #14556

Merged

Conversation

huberty89 commented Sep 19, 2022 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description

Release notes

Uh oh!

huberty89 commented Sep 19, 2022

Uh oh!

ksobolew left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

kokosing left a comment

Choose a reason for hiding this comment

Uh oh!

kokosing Sep 19, 2022

Choose a reason for hiding this comment

Uh oh!

ksobolew Sep 19, 2022

Choose a reason for hiding this comment

Uh oh!

findepi commented Sep 19, 2022

Uh oh!

Uh oh!

kokosing commented Sep 20, 2022

Uh oh!

kokosing commented Sep 27, 2022

Uh oh!

huberty89 commented Oct 6, 2022

Uh oh!

kokosing commented Oct 6, 2022

Uh oh!

ssheikin Oct 6, 2022

Choose a reason for hiding this comment

Uh oh!

huberty89 Oct 6, 2022

Choose a reason for hiding this comment

Uh oh!

ssheikin Oct 6, 2022

Choose a reason for hiding this comment

Uh oh!

huberty89 Oct 6, 2022

Choose a reason for hiding this comment

Uh oh!

ssheikin Oct 6, 2022

Choose a reason for hiding this comment

Uh oh!

huberty89 commented Oct 7, 2022

Uh oh!

kokosing commented Oct 8, 2022

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

5 participants

huberty89 commented Sep 19, 2022 •

edited

Loading