Verify authorization access for SET AUTHORIZATION statements#16691
Merged
kokosing merged 3 commits intotrinodb:masterfrom Jun 7, 2023
Merged
Conversation
kokosing
force-pushed
the
origin/master/177_alter_view_authorization
branch
from
c4bb91a to
173f26e
Compare
ksobolew
reviewed
Mar 23, 2023
Contributor
ksobolew
left a comment
ksobolew
left a comment
There was a problem hiding this comment.
There are two concerns here:
-
Whether impersonation is the right precondition for this
- We discussed this when we worked on this last time, and this was one of the suggestions. I think it makes sense, but I'm no strongly sold on it yet.
-
This requires all access control to implement this in a correct way, which is error prone.
- I would suggest moving the logic to
AccessControlManagerand remove thecheckCanSetViewAuthorizationfrom the access control interface(s).
- I would suggest moving the logic to
Bonus concern:
- The commit message seems malformed :) It should explain why impersonation is the correct thing to do, not just that it's delegated to the access control.
core/trino-main/src/main/java/io/trino/execution/SetViewAuthorizationTask.java
Outdated
Show resolved
Hide resolved
core/trino-main/src/test/java/io/trino/security/TestFileBasedSystemAccessControl.java
Outdated
Show resolved
Hide resolved
...trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedAccessControl.java
Outdated
Show resolved
Hide resolved
kokosing
force-pushed
the
origin/master/177_alter_view_authorization
branch
from
173f26e to
f4d4e3a
Compare
Member
Author
|
AC, PTAL |
ksobolew
reviewed
Apr 13, 2023
Contributor
ksobolew
left a comment
ksobolew
left a comment
There was a problem hiding this comment.
So file-based access controls will have their own model for this? We were discussing things like checking for impersonation, does that mean this is not viable here or just undesirable?
lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AuthorizationRule.java
Outdated
Show resolved
Hide resolved
lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AuthorizationRule.java
Outdated
Show resolved
Hide resolved
...trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedAccessControl.java
Outdated
Show resolved
Hide resolved
...plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedSystemAccessControl.java
Outdated
Show resolved
Hide resolved
Contributor
There was a problem hiding this comment.
Why not return Optional like from all the others?
Member
Author
There was a problem hiding this comment.
Because this one if it is not present is denied by default.
...oolkit/src/test/java/io/trino/plugin/base/security/BaseFileBasedSystemAccessControlTest.java
Outdated
Show resolved
Hide resolved
Contributor
There was a problem hiding this comment.
Does this warrant a separate commit?
Contributor
There was a problem hiding this comment.
Why no roles in connector access control tests?
Member
Author
There was a problem hiding this comment.
there is also authorization.json, however file based connector access control does not support roles.
checkArgument(!rules.hasRoleRules(), "File connector access control does not support role rules");
...kit/src/test/java/io/trino/plugin/base/security/BaseFileBasedConnectorAccessControlTest.java
Outdated
Show resolved
Hide resolved
...kit/src/test/java/io/trino/plugin/base/security/BaseFileBasedConnectorAccessControlTest.java
Outdated
Show resolved
Hide resolved
Member
Author
|
AC, PTAL |
kokosing
force-pushed
the
origin/master/177_alter_view_authorization
branch
from
f4d4e3a to
f71b287
Compare
martint
reviewed
May 29, 2023
kokosing
force-pushed
the
origin/master/177_alter_view_authorization
branch
from
f71b287 to
94acb6e
Compare
dain
reviewed
May 30, 2023
Member
dain
left a comment
dain
left a comment
There was a problem hiding this comment.
The message on the second commit should be rewritten as the new solution is to add a file based access control rule for set authorization checks. Also, I think the PR message and release notes will need a rewrite.
core/trino-main/src/main/java/io/trino/execution/SetViewAuthorizationTask.java
Outdated
Show resolved
Hide resolved
...trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedAccessControl.java
Outdated
Show resolved
Hide resolved
kokosing
force-pushed
the
origin/master/177_alter_view_authorization
branch
4 times, most recently
from
8edefc5 to
8083741
Compare
kokosing
changed the title
kokosing
force-pushed
the
origin/master/177_alter_view_authorization
branch
2 times, most recently
from
ae08d58 to
bcd8574
Compare
dain
approved these changes
Jun 5, 2023
kokosing
force-pushed
the
origin/master/177_alter_view_authorization
branch
from
bcd8574 to
1c98782
Compare
Using new rules will allow to control who can grant AUTHORIZATION (move ownership) to whom. In order to perform the SET AUTHORIZATION statement one has also ownership access to referred entity. So to be authorized to perform: ALTER TABLE T SET AUTHORIZATION USER U; one has to have access to modify the table T and proper authorization rule to move ownership to user U:
This property is no longer needed. It is required that plugin that implements access control make sure that control for SET AUTHORIZATION is implemented securely.
kokosing
force-pushed
the
origin/master/177_alter_view_authorization
branch
from
1c98782 to
c04f7c2
Compare
5 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
With this pull request we are going to assume from all pluggable access control to make sure that SET AUTHORIZATION statements are secure to be performed. Previously it was not clear if it is engine or access control responsibility. Hence we had
legacy.allow-set-view-authorizationconfig property.To accomplish that now:
hive.security=sql-standardrequires admin role privilege to performALTER ... SET AUTHORIZATION...statementsThanks to the above
legacy.allow-set-view-authorizationcan be removed.Release notes:
Hive
securty requires admin role privilege to performALTER ... SET AUTHORIZATION...` statementsSecurity:
ALTER ... SET AUTHORIZATION...to whom authorization can be set.legacy.allow-set-view-authorizationconfiguration property