diff --git a/lib/trino-plugin-toolkit/src/test/java/io/trino/plugin/base/security/BaseFileBasedConnectorAccessControlTest.java b/lib/trino-plugin-toolkit/src/test/java/io/trino/plugin/base/security/BaseFileBasedConnectorAccessControlTest.java
index 9b5a568beb5b..d1133a1c0d1a 100644
--- a/lib/trino-plugin-toolkit/src/test/java/io/trino/plugin/base/security/BaseFileBasedConnectorAccessControlTest.java
+++ b/lib/trino-plugin-toolkit/src/test/java/io/trino/plugin/base/security/BaseFileBasedConnectorAccessControlTest.java
@@ -27,7 +27,6 @@
 import io.trino.spi.connector.SchemaTableName;
 import io.trino.spi.security.AccessDeniedException;
 import io.trino.spi.security.ConnectorIdentity;
-import io.trino.spi.security.PrincipalType;
 import io.trino.spi.security.Privilege;
 import io.trino.spi.security.TrinoPrincipal;
 import io.trino.spi.security.ViewExpression;
@@ -48,6 +47,8 @@
 import static io.trino.spi.function.FunctionKind.SCALAR;
 import static io.trino.spi.function.FunctionKind.TABLE;
 import static io.trino.spi.function.FunctionKind.WINDOW;
+import static io.trino.spi.security.PrincipalType.ROLE;
+import static io.trino.spi.security.PrincipalType.USER;
 import static io.trino.spi.security.Privilege.UPDATE;
 import static io.trino.spi.testing.InterfaceTestUtils.assertAllMethodsOverridden;
 import static io.trino.spi.type.VarcharType.VARCHAR;
@@ -76,7 +77,7 @@ public void testEmptyFile()
 accessControl.checkCanCreateSchema(UNKNOWN, "unknown", ImmutableMap.of());
 accessControl.checkCanDropSchema(UNKNOWN, "unknown");
 accessControl.checkCanRenameSchema(UNKNOWN, "unknown", "new_unknown");
- accessControl.checkCanSetSchemaAuthorization(UNKNOWN, "unknown", new TrinoPrincipal(PrincipalType.ROLE, "some_role"));
+ accessControl.checkCanSetSchemaAuthorization(UNKNOWN, "unknown", new TrinoPrincipal(ROLE, "some_role"));
 accessControl.checkCanShowCreateSchema(UNKNOWN, "unknown");
 accessControl.checkCanSelectFromColumns(UNKNOWN, new SchemaTableName("unknown", "unknown"), ImmutableSet.of());
@@ -101,7 +102,7 @@ public void testEmptyFile() assertEquals(accessControl.filterTables(UNKNOWN, tables), tables); // permissions management APIs are hard coded to deny - TrinoPrincipal someUser = new TrinoPrincipal(PrincipalType.USER, "some_user"); + TrinoPrincipal someUser = new TrinoPrincipal(USER, "some_user"); assertDenied(() -> accessControl.checkCanGrantTablePrivilege(ADMIN, Privilege.SELECT, new SchemaTableName("any", "any"), someUser, false)); assertDenied(() -> accessControl.checkCanDenyTablePrivilege(ADMIN, Privilege.SELECT, new SchemaTableName("any", "any"), someUser)); assertDenied(() -> accessControl.checkCanRevokeTablePrivilege(ADMIN, Privilege.SELECT, new SchemaTableName("any", "any"), someUser, false)); 
@@ -199,12 +200,12 @@ public void testSchemaRules() accessControl.checkCanRenameSchema(CHARLIE, "authenticated", "authenticated"); assertDenied(() -> accessControl.checkCanRenameSchema(CHARLIE, "test", "new_schema")); - accessControl.checkCanSetSchemaAuthorization(ADMIN, "test", new TrinoPrincipal(PrincipalType.ROLE, "some_role")); - accessControl.checkCanSetSchemaAuthorization(ADMIN, "test", new TrinoPrincipal(PrincipalType.USER, "some_user")); - accessControl.checkCanSetSchemaAuthorization(BOB, "bob", new TrinoPrincipal(PrincipalType.ROLE, "some_role")); - accessControl.checkCanSetSchemaAuthorization(BOB, "bob", new TrinoPrincipal(PrincipalType.USER, "some_user")); - assertDenied(() -> accessControl.checkCanSetSchemaAuthorization(BOB, "test", new TrinoPrincipal(PrincipalType.ROLE, "some_role"))); - assertDenied(() -> accessControl.checkCanSetSchemaAuthorization(BOB, "test", new TrinoPrincipal(PrincipalType.USER, "some_user"))); + accessControl.checkCanSetSchemaAuthorization(ADMIN, "test", new TrinoPrincipal(ROLE, "some_role")); + accessControl.checkCanSetSchemaAuthorization(ADMIN, "test", new TrinoPrincipal(USER, "some_user")); + accessControl.checkCanSetSchemaAuthorization(BOB, "bob", new TrinoPrincipal(ROLE, "some_role")); + accessControl.checkCanSetSchemaAuthorization(BOB, "bob", new TrinoPrincipal(USER, "some_user")); + assertDenied(() -> accessControl.checkCanSetSchemaAuthorization(BOB, "test", new TrinoPrincipal(ROLE, "some_role"))); + assertDenied(() -> accessControl.checkCanSetSchemaAuthorization(BOB, "test", new TrinoPrincipal(USER, "some_user"))); accessControl.checkCanShowCreateSchema(ADMIN, "bob"); accessControl.checkCanShowCreateSchema(ADMIN, "staff"); 
@@ -226,7 +227,7 @@ public void testSchemaRules() public void testGrantSchemaPrivilege(Privilege privilege, boolean grantOption) { ConnectorAccessControl accessControl = createAccessControl("schema.json"); - TrinoPrincipal grantee = new TrinoPrincipal(PrincipalType.USER, "alice"); + TrinoPrincipal grantee = new TrinoPrincipal(USER, "alice"); accessControl.checkCanGrantSchemaPrivilege(ADMIN, privilege, "bob", grantee, grantOption); accessControl.checkCanGrantSchemaPrivilege(ADMIN, privilege, "staff", grantee, grantOption); @@ -248,7 +249,7 @@ public void testGrantSchemaPrivilege(Privilege privilege, boolean grantOption) public void testDenySchemaPrivilege() { ConnectorAccessControl accessControl = createAccessControl("schema.json"); - TrinoPrincipal grantee = new TrinoPrincipal(PrincipalType.USER, "alice"); + TrinoPrincipal grantee = new TrinoPrincipal(USER, "alice"); accessControl.checkCanDenySchemaPrivilege(ADMIN, UPDATE, "bob", grantee); accessControl.checkCanDenySchemaPrivilege(ADMIN, UPDATE, "staff", grantee); @@ -270,7 +271,7 @@ public void testDenySchemaPrivilege() public void testRevokeSchemaPrivilege(Privilege privilege, boolean grantOption) { ConnectorAccessControl accessControl = createAccessControl("schema.json"); - TrinoPrincipal grantee = new TrinoPrincipal(PrincipalType.USER, "alice"); + TrinoPrincipal grantee = new TrinoPrincipal(USER, "alice"); accessControl.checkCanRevokeSchemaPrivilege(ADMIN, privilege, "bob", grantee, grantOption); accessControl.checkCanRevokeSchemaPrivilege(ADMIN, privilege, "staff", grantee, grantOption); 
@@ -375,19 +376,19 @@ public void testTableRules() assertDenied(() -> accessControl.checkCanSetMaterializedViewProperties(ALICE, new SchemaTableName("bobschema", "bobmaterializedview"), ImmutableMap.of())); assertDenied(() -> accessControl.checkCanSetMaterializedViewProperties(BOB, new SchemaTableName("bobschema", "bobmaterializedview"), ImmutableMap.of())); - accessControl.checkCanSetTableAuthorization(ADMIN, testTable, new TrinoPrincipal(PrincipalType.ROLE, "some_role")); - accessControl.checkCanSetTableAuthorization(ADMIN, testTable, new TrinoPrincipal(PrincipalType.USER, "some_user")); - accessControl.checkCanSetTableAuthorization(ALICE, aliceTable, new TrinoPrincipal(PrincipalType.ROLE, "some_role")); - accessControl.checkCanSetTableAuthorization(ALICE, aliceTable, new TrinoPrincipal(PrincipalType.USER, "some_user")); - assertDenied(() -> accessControl.checkCanSetTableAuthorization(ALICE, bobTable, new TrinoPrincipal(PrincipalType.ROLE, "some_role"))); - assertDenied(() -> accessControl.checkCanSetTableAuthorization(ALICE, bobTable, new TrinoPrincipal(PrincipalType.USER, "some_user"))); - - accessControl.checkCanSetViewAuthorization(ADMIN, testTable, new TrinoPrincipal(PrincipalType.ROLE, "some_role")); - accessControl.checkCanSetViewAuthorization(ADMIN, testTable, new TrinoPrincipal(PrincipalType.USER, "some_user")); - accessControl.checkCanSetViewAuthorization(ALICE, aliceTable, new TrinoPrincipal(PrincipalType.ROLE, "some_role")); - accessControl.checkCanSetViewAuthorization(ALICE, aliceTable, new TrinoPrincipal(PrincipalType.USER, "some_user")); - assertDenied(() -> accessControl.checkCanSetViewAuthorization(ALICE, bobTable, new TrinoPrincipal(PrincipalType.ROLE, "some_role"))); - assertDenied(() -> accessControl.checkCanSetViewAuthorization(ALICE, bobTable, new TrinoPrincipal(PrincipalType.USER, "some_user"))); + accessControl.checkCanSetTableAuthorization(ADMIN, testTable, new TrinoPrincipal(ROLE, "some_role")); + 
accessControl.checkCanSetTableAuthorization(ADMIN, testTable, new TrinoPrincipal(USER, "some_user")); + accessControl.checkCanSetTableAuthorization(ALICE, aliceTable, new TrinoPrincipal(ROLE, "some_role")); + accessControl.checkCanSetTableAuthorization(ALICE, aliceTable, new TrinoPrincipal(USER, "some_user")); + assertDenied(() -> accessControl.checkCanSetTableAuthorization(ALICE, bobTable, new TrinoPrincipal(ROLE, "some_role"))); + assertDenied(() -> accessControl.checkCanSetTableAuthorization(ALICE, bobTable, new TrinoPrincipal(USER, "some_user"))); + + accessControl.checkCanSetViewAuthorization(ADMIN, testTable, new TrinoPrincipal(ROLE, "some_role")); + accessControl.checkCanSetViewAuthorization(ADMIN, testTable, new TrinoPrincipal(USER, "some_user")); + accessControl.checkCanSetViewAuthorization(ALICE, aliceTable, new TrinoPrincipal(ROLE, "some_role")); + accessControl.checkCanSetViewAuthorization(ALICE, aliceTable, new TrinoPrincipal(USER, "some_user")); + assertDenied(() -> accessControl.checkCanSetViewAuthorization(ALICE, bobTable, new TrinoPrincipal(ROLE, "some_role"))); + assertDenied(() -> accessControl.checkCanSetViewAuthorization(ALICE, bobTable, new TrinoPrincipal(USER, "some_user"))); } @Test 
@@ -519,10 +520,10 @@ public void testNoFunctionRules() assertDenied(() -> accessControl.checkCanExecuteFunction(ALICE, SCALAR, new SchemaRoutineName("schema", "some_function"))); assertDenied(() -> accessControl.checkCanExecuteFunction(ALICE, TABLE, new SchemaRoutineName("ptf_schema", "some_table_function"))); assertDenied(() -> accessControl.checkCanExecuteFunction(ALICE, WINDOW, new SchemaRoutineName("schema", "some_function"))); - assertDenied(() -> accessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, AGGREGATE, new SchemaRoutineName("schema", "some_function"), new TrinoPrincipal(PrincipalType.USER, "some_user"), true)); - assertDenied(() -> accessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, SCALAR, new SchemaRoutineName("schema", "some_function"), new TrinoPrincipal(PrincipalType.USER, "some_user"), true)); - assertDenied(() -> accessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, TABLE, new SchemaRoutineName("ptf_schema", "some_table_function"), new TrinoPrincipal(PrincipalType.USER, "some_user"), true)); - assertDenied(() -> accessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, WINDOW, new SchemaRoutineName("schema", "some_function"), new TrinoPrincipal(PrincipalType.USER, "some_user"), true)); + assertDenied(() -> accessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, AGGREGATE, new SchemaRoutineName("schema", "some_function"), new TrinoPrincipal(USER, "some_user"), true)); + assertDenied(() -> accessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, SCALAR, new SchemaRoutineName("schema", "some_function"), new TrinoPrincipal(USER, "some_user"), true)); + assertDenied(() -> accessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, TABLE, new SchemaRoutineName("ptf_schema", "some_table_function"), new TrinoPrincipal(USER, "some_user"), true)); + assertDenied(() -> accessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, WINDOW, new SchemaRoutineName("schema", "some_function"), new TrinoPrincipal(USER, "some_user"), true)); } 
@Test 
@@ -608,35 +609,35 @@ public void testFunctionRulesForCheckCanExecute() public void testFunctionRulesForCheckCanGrantExecute() { ConnectorAccessControl accessControl = createAccessControl("visibility.json"); - accessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, TABLE, new SchemaRoutineName("ptf_schema", "some_table_function"), new TrinoPrincipal(PrincipalType.USER, ADMIN.getIdentity().getUser()), true); - accessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, TABLE, new SchemaRoutineName("ptf_schema", "some_table_function"), new TrinoPrincipal(PrincipalType.USER, ALICE.getIdentity().getUser()), true); - accessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, TABLE, new SchemaRoutineName("ptf_schema", "some_table_function"), new TrinoPrincipal(PrincipalType.USER, BOB.getIdentity().getUser()), true); - accessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, TABLE, new SchemaRoutineName("ptf_schema", "some_table_function"), new TrinoPrincipal(PrincipalType.USER, CHARLIE.getIdentity().getUser()), true); - assertDenied(() -> accessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, TABLE, new SchemaRoutineName("ptf_schema", "some_function"), new TrinoPrincipal(PrincipalType.USER, ADMIN.getIdentity().getUser()), true)); - assertDenied(() -> accessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, AGGREGATE, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(PrincipalType.USER, ALICE.getIdentity().getUser()), true)); - assertDenied(() -> accessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, SCALAR, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(PrincipalType.USER, ALICE.getIdentity().getUser()), true)); - assertDenied(() -> accessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, WINDOW, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(PrincipalType.USER, ALICE.getIdentity().getUser()), true)); - assertDenied(() -> accessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, AGGREGATE, new 
SchemaRoutineName("any", "some_function"), new TrinoPrincipal(PrincipalType.USER, BOB.getIdentity().getUser()), true)); - assertDenied(() -> accessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, SCALAR, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(PrincipalType.USER, BOB.getIdentity().getUser()), true)); - assertDenied(() -> accessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, WINDOW, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(PrincipalType.USER, BOB.getIdentity().getUser()), true)); - assertDenied(() -> accessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, AGGREGATE, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(PrincipalType.USER, CHARLIE.getIdentity().getUser()), true)); - assertDenied(() -> accessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, SCALAR, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(PrincipalType.USER, CHARLIE.getIdentity().getUser()), true)); - assertDenied(() -> accessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, WINDOW, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(PrincipalType.USER, CHARLIE.getIdentity().getUser()), true)); - - assertDenied(() -> accessControl.checkCanGrantExecuteFunctionPrivilege(BOB, TABLE, new SchemaRoutineName("ptf_schema", "some_table_function"), new TrinoPrincipal(PrincipalType.USER, ADMIN.getIdentity().getUser()), true)); - assertDenied(() -> accessControl.checkCanGrantExecuteFunctionPrivilege(BOB, TABLE, new SchemaRoutineName("ptf_schema", "some_table_function"), new TrinoPrincipal(PrincipalType.USER, ALICE.getIdentity().getUser()), true)); - assertDenied(() -> accessControl.checkCanGrantExecuteFunctionPrivilege(BOB, TABLE, new SchemaRoutineName("ptf_schema", "some_table_function"), new TrinoPrincipal(PrincipalType.USER, BOB.getIdentity().getUser()), true)); - assertDenied(() -> accessControl.checkCanGrantExecuteFunctionPrivilege(BOB, TABLE, new SchemaRoutineName("ptf_schema", 
"some_table_function"), new TrinoPrincipal(PrincipalType.USER, CHARLIE.getIdentity().getUser()), true)); - assertDenied(() -> accessControl.checkCanGrantExecuteFunctionPrivilege(BOB, TABLE, new SchemaRoutineName("ptf_schema", "some_function"), new TrinoPrincipal(PrincipalType.USER, ADMIN.getIdentity().getUser()), true)); - accessControl.checkCanGrantExecuteFunctionPrivilege(BOB, AGGREGATE, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(PrincipalType.USER, ALICE.getIdentity().getUser()), true); - accessControl.checkCanGrantExecuteFunctionPrivilege(BOB, SCALAR, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(PrincipalType.USER, ALICE.getIdentity().getUser()), true); - accessControl.checkCanGrantExecuteFunctionPrivilege(BOB, WINDOW, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(PrincipalType.USER, ALICE.getIdentity().getUser()), true); - accessControl.checkCanGrantExecuteFunctionPrivilege(BOB, AGGREGATE, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(PrincipalType.USER, BOB.getIdentity().getUser()), true); - accessControl.checkCanGrantExecuteFunctionPrivilege(BOB, SCALAR, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(PrincipalType.USER, BOB.getIdentity().getUser()), true); - accessControl.checkCanGrantExecuteFunctionPrivilege(BOB, WINDOW, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(PrincipalType.USER, BOB.getIdentity().getUser()), true); - accessControl.checkCanGrantExecuteFunctionPrivilege(BOB, AGGREGATE, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(PrincipalType.USER, CHARLIE.getIdentity().getUser()), true); - accessControl.checkCanGrantExecuteFunctionPrivilege(BOB, SCALAR, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(PrincipalType.USER, CHARLIE.getIdentity().getUser()), true); - accessControl.checkCanGrantExecuteFunctionPrivilege(BOB, WINDOW, new SchemaRoutineName("any", "some_function"), new 
TrinoPrincipal(PrincipalType.USER, CHARLIE.getIdentity().getUser()), true); + accessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, TABLE, new SchemaRoutineName("ptf_schema", "some_table_function"), new TrinoPrincipal(USER, ADMIN.getIdentity().getUser()), true); + accessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, TABLE, new SchemaRoutineName("ptf_schema", "some_table_function"), new TrinoPrincipal(USER, ALICE.getIdentity().getUser()), true); + accessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, TABLE, new SchemaRoutineName("ptf_schema", "some_table_function"), new TrinoPrincipal(USER, BOB.getIdentity().getUser()), true); + accessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, TABLE, new SchemaRoutineName("ptf_schema", "some_table_function"), new TrinoPrincipal(USER, CHARLIE.getIdentity().getUser()), true); + assertDenied(() -> accessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, TABLE, new SchemaRoutineName("ptf_schema", "some_function"), new TrinoPrincipal(USER, ADMIN.getIdentity().getUser()), true)); + assertDenied(() -> accessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, AGGREGATE, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(USER, ALICE.getIdentity().getUser()), true)); + assertDenied(() -> accessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, SCALAR, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(USER, ALICE.getIdentity().getUser()), true)); + assertDenied(() -> accessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, WINDOW, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(USER, ALICE.getIdentity().getUser()), true)); + assertDenied(() -> accessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, AGGREGATE, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(USER, BOB.getIdentity().getUser()), true)); + assertDenied(() -> accessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, SCALAR, new SchemaRoutineName("any", "some_function"), new 
TrinoPrincipal(USER, BOB.getIdentity().getUser()), true)); + assertDenied(() -> accessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, WINDOW, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(USER, BOB.getIdentity().getUser()), true)); + assertDenied(() -> accessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, AGGREGATE, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(USER, CHARLIE.getIdentity().getUser()), true)); + assertDenied(() -> accessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, SCALAR, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(USER, CHARLIE.getIdentity().getUser()), true)); + assertDenied(() -> accessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, WINDOW, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(USER, CHARLIE.getIdentity().getUser()), true)); + + assertDenied(() -> accessControl.checkCanGrantExecuteFunctionPrivilege(BOB, TABLE, new SchemaRoutineName("ptf_schema", "some_table_function"), new TrinoPrincipal(USER, ADMIN.getIdentity().getUser()), true)); + assertDenied(() -> accessControl.checkCanGrantExecuteFunctionPrivilege(BOB, TABLE, new SchemaRoutineName("ptf_schema", "some_table_function"), new TrinoPrincipal(USER, ALICE.getIdentity().getUser()), true)); + assertDenied(() -> accessControl.checkCanGrantExecuteFunctionPrivilege(BOB, TABLE, new SchemaRoutineName("ptf_schema", "some_table_function"), new TrinoPrincipal(USER, BOB.getIdentity().getUser()), true)); + assertDenied(() -> accessControl.checkCanGrantExecuteFunctionPrivilege(BOB, TABLE, new SchemaRoutineName("ptf_schema", "some_table_function"), new TrinoPrincipal(USER, CHARLIE.getIdentity().getUser()), true)); + assertDenied(() -> accessControl.checkCanGrantExecuteFunctionPrivilege(BOB, TABLE, new SchemaRoutineName("ptf_schema", "some_function"), new TrinoPrincipal(USER, ADMIN.getIdentity().getUser()), true)); + accessControl.checkCanGrantExecuteFunctionPrivilege(BOB, AGGREGATE, new 
SchemaRoutineName("any", "some_function"), new TrinoPrincipal(USER, ALICE.getIdentity().getUser()), true); + accessControl.checkCanGrantExecuteFunctionPrivilege(BOB, SCALAR, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(USER, ALICE.getIdentity().getUser()), true); + accessControl.checkCanGrantExecuteFunctionPrivilege(BOB, WINDOW, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(USER, ALICE.getIdentity().getUser()), true); + accessControl.checkCanGrantExecuteFunctionPrivilege(BOB, AGGREGATE, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(USER, BOB.getIdentity().getUser()), true); + accessControl.checkCanGrantExecuteFunctionPrivilege(BOB, SCALAR, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(USER, BOB.getIdentity().getUser()), true); + accessControl.checkCanGrantExecuteFunctionPrivilege(BOB, WINDOW, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(USER, BOB.getIdentity().getUser()), true); + accessControl.checkCanGrantExecuteFunctionPrivilege(BOB, AGGREGATE, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(USER, CHARLIE.getIdentity().getUser()), true); + accessControl.checkCanGrantExecuteFunctionPrivilege(BOB, SCALAR, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(USER, CHARLIE.getIdentity().getUser()), true); + accessControl.checkCanGrantExecuteFunctionPrivilege(BOB, WINDOW, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(USER, CHARLIE.getIdentity().getUser()), true); } @Test diff --git a/lib/trino-plugin-toolkit/src/test/java/io/trino/plugin/base/security/BaseFileBasedSystemAccessControlTest.java b/lib/trino-plugin-toolkit/src/test/java/io/trino/plugin/base/security/BaseFileBasedSystemAccessControlTest.java index 532e10ad4339..43114da01592 100644 --- a/lib/trino-plugin-toolkit/src/test/java/io/trino/plugin/base/security/BaseFileBasedSystemAccessControlTest.java 
+++ b/lib/trino-plugin-toolkit/src/test/java/io/trino/plugin/base/security/BaseFileBasedSystemAccessControlTest.java @@ -24,7 +24,6 @@ import io.trino.spi.connector.SchemaTableName; import io.trino.spi.security.AccessDeniedException; import io.trino.spi.security.Identity; -import io.trino.spi.security.PrincipalType; import io.trino.spi.security.Privilege; import io.trino.spi.security.SystemAccessControl; import io.trino.spi.security.SystemSecurityContext; @@ -50,6 +49,7 @@ import static io.trino.spi.function.FunctionKind.SCALAR; import static io.trino.spi.function.FunctionKind.TABLE; import static io.trino.spi.function.FunctionKind.WINDOW; +import static io.trino.spi.security.PrincipalType.ROLE; import static io.trino.spi.security.PrincipalType.USER; import static io.trino.spi.security.Privilege.UPDATE; import static io.trino.spi.testing.InterfaceTestUtils.assertAllMethodsOverridden; @@ -63,7 +63,7 @@ public abstract class BaseFileBasedSystemAccessControlTest { - protected static final Identity alice = Identity.forUser("alice").withGroups(ImmutableSet.of("staff")).build(); + private static final Identity alice = Identity.forUser("alice").withGroups(ImmutableSet.of("staff")).build(); private static final Identity kerberosValidAlice = Identity.forUser("alice").withPrincipal(new KerberosPrincipal("alice/example.com@EXAMPLE.COM")).build(); private static final Identity kerberosValidNonAsciiUser = Identity.forUser("\u0194\u0194\u0194").withPrincipal(new KerberosPrincipal("\u0194\u0194\u0194/example.com@EXAMPLE.COM")).build(); private static final Identity kerberosInvalidAlice = Identity.forUser("alice").withPrincipal(new KerberosPrincipal("mallory/example.com@EXAMPLE.COM")).build(); 
@@ -90,45 +90,45 @@ public abstract class BaseFileBasedSystemAccessControlTest private static final SystemSecurityContext JOE = new SystemSecurityContext(joe, queryId); private static final SystemSecurityContext UNKNOWN = new SystemSecurityContext(Identity.ofUser("some-unknown-user-id"), queryId); - private static final String SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot show schemas"; - private static final String CREATE_SCHEMA_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot create schema .*"; - private static final String DROP_SCHEMA_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot drop schema .*"; - private static final String RENAME_SCHEMA_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot rename schema from .* to .*"; - private static final String AUTH_SCHEMA_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot set authorization for schema .* to .*"; - private static final String SHOW_CREATE_SCHEMA_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot show create schema for .*"; - private static final String GRANT_SCHEMA_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot grant privilege %s on schema %s%s"; - private static final String DENY_SCHEMA_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot deny privilege %s on schema %s%s"; - private static final String REVOKE_SCHEMA_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot revoke privilege %s on schema %s%s"; - - private static final String SHOWN_TABLES_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot show tables of .*"; - private static final String SELECT_TABLE_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot select from table .*"; - private static final String SHOW_COLUMNS_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot show columns of table .*"; - private static final String ADD_COLUMNS_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot add a column to table .*"; - private static final String DROP_COLUMNS_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot drop a column from table .*"; - private static final String 
RENAME_COLUMNS_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot rename a column in table .*"; - private static final String AUTH_TABLE_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot set authorization for table .* to .*"; - private static final String AUTH_VIEW_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot set authorization for view .* to .*"; - private static final String TABLE_COMMENT_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot comment table to .*"; - private static final String INSERT_TABLE_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot insert into table .*"; - private static final String DELETE_TABLE_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot delete from table .*"; - private static final String TRUNCATE_TABLE_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot truncate table .*"; - private static final String DROP_TABLE_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot drop table .*"; - private static final String CREATE_TABLE_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot show create table for .*"; - private static final String RENAME_TABLE_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot rename table .*"; - private static final String SET_TABLE_PROPERTIES_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot set table properties to .*"; - private static final String CREATE_VIEW_ACCESS_DENIED_MESSAGE = "Access Denied: View owner '.*' cannot create view that selects from .*"; - private static final String CREATE_MATERIALIZED_VIEW_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot create materialized view .*"; - private static final String DROP_MATERIALIZED_VIEW_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot drop materialized view .*"; - private static final String REFRESH_MATERIALIZED_VIEW_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot refresh materialized view .*"; - private static final String SET_MATERIALIZED_VIEW_PROPERTIES_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot set properties of materialized view .*"; - private static final String 
GRANT_DELETE_PRIVILEGE_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot grant privilege DELETE on table .*"; - private static final String DENY_DELETE_PRIVILEGE_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot deny privilege DELETE on table .*"; - private static final String REVOKE_DELETE_PRIVILEGE_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot revoke privilege DELETE on table .*"; - - private static final String SET_SYSTEM_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot set system session property .*"; - private static final String SET_CATALOG_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot set catalog session property .*"; - private static final String EXECUTE_FUNCTION_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot execute function .*"; - private static final String GRANT_EXECUTE_FUNCTION_ACCESS_DENIED_MESSAGE = "Access Denied: .* cannot grant .*"; + private static final String SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE = "Cannot show schemas"; + private static final String CREATE_SCHEMA_ACCESS_DENIED_MESSAGE = "Cannot create schema .*"; + private static final String DROP_SCHEMA_ACCESS_DENIED_MESSAGE = "Cannot drop schema .*"; + private static final String RENAME_SCHEMA_ACCESS_DENIED_MESSAGE = "Cannot rename schema from .* to .*"; + private static final String AUTH_SCHEMA_ACCESS_DENIED_MESSAGE = "Cannot set authorization for schema .* to .*"; + private static final String SHOW_CREATE_SCHEMA_ACCESS_DENIED_MESSAGE = "Cannot show create schema for .*"; + private static final String GRANT_SCHEMA_ACCESS_DENIED_MESSAGE = "Cannot grant privilege %s on schema %s%s"; + private static final String DENY_SCHEMA_ACCESS_DENIED_MESSAGE = "Cannot deny privilege %s on schema %s%s"; + private static final String REVOKE_SCHEMA_ACCESS_DENIED_MESSAGE = "Cannot revoke privilege %s on schema %s%s"; + + private static final String SHOWN_TABLES_ACCESS_DENIED_MESSAGE = "Cannot show tables of .*"; + private static final String SELECT_TABLE_ACCESS_DENIED_MESSAGE = 
"Cannot select from table .*"; + private static final String SHOW_COLUMNS_ACCESS_DENIED_MESSAGE = "Cannot show columns of table .*"; + private static final String ADD_COLUMNS_ACCESS_DENIED_MESSAGE = "Cannot add a column to table .*"; + private static final String DROP_COLUMNS_ACCESS_DENIED_MESSAGE = "Cannot drop a column from table .*"; + private static final String RENAME_COLUMNS_ACCESS_DENIED_MESSAGE = "Cannot rename a column in table .*"; + private static final String AUTH_TABLE_ACCESS_DENIED_MESSAGE = "Cannot set authorization for table .* to .*"; + private static final String AUTH_VIEW_ACCESS_DENIED_MESSAGE = "Cannot set authorization for view .* to .*"; + private static final String TABLE_COMMENT_ACCESS_DENIED_MESSAGE = "Cannot comment table to .*"; + private static final String INSERT_TABLE_ACCESS_DENIED_MESSAGE = "Cannot insert into table .*"; + private static final String DELETE_TABLE_ACCESS_DENIED_MESSAGE = "Cannot delete from table .*"; + private static final String TRUNCATE_TABLE_ACCESS_DENIED_MESSAGE = "Cannot truncate table .*"; + private static final String DROP_TABLE_ACCESS_DENIED_MESSAGE = "Cannot drop table .*"; + private static final String CREATE_TABLE_ACCESS_DENIED_MESSAGE = "Cannot show create table for .*"; + private static final String RENAME_TABLE_ACCESS_DENIED_MESSAGE = "Cannot rename table .*"; + private static final String SET_TABLE_PROPERTIES_ACCESS_DENIED_MESSAGE = "Cannot set table properties to .*"; + private static final String CREATE_VIEW_ACCESS_DENIED_MESSAGE = "View owner '.*' cannot create view that selects from .*"; + private static final String CREATE_MATERIALIZED_VIEW_ACCESS_DENIED_MESSAGE = "Cannot create materialized view .*"; + private static final String DROP_MATERIALIZED_VIEW_ACCESS_DENIED_MESSAGE = "Cannot drop materialized view .*"; + private static final String REFRESH_MATERIALIZED_VIEW_ACCESS_DENIED_MESSAGE = "Cannot refresh materialized view .*"; + private static final String 
SET_MATERIALIZED_VIEW_PROPERTIES_ACCESS_DENIED_MESSAGE = "Cannot set properties of materialized view .*"; + private static final String GRANT_DELETE_PRIVILEGE_ACCESS_DENIED_MESSAGE = "Cannot grant privilege DELETE on table .*"; + private static final String DENY_DELETE_PRIVILEGE_ACCESS_DENIED_MESSAGE = "Cannot deny privilege DELETE on table .*"; + private static final String REVOKE_DELETE_PRIVILEGE_ACCESS_DENIED_MESSAGE = "Cannot revoke privilege DELETE on table .*"; + + private static final String SET_SYSTEM_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE = "Cannot set system session property .*"; + private static final String SET_CATALOG_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE = "Cannot set catalog session property .*"; + private static final String EXECUTE_FUNCTION_ACCESS_DENIED_MESSAGE = "Cannot execute function .*"; + private static final String GRANT_EXECUTE_FUNCTION_ACCESS_DENIED_MESSAGE = ".* cannot grant .*"; protected abstract SystemAccessControl newFileBasedSystemAccessControl(File configFile, Map properties); @@ -184,7 +184,7 @@ public void testEmptyFile() accessControl.checkCanRenameSchema(UNKNOWN, new CatalogSchemaName("some-catalog", "unknown"), "new_unknown"); accessControl.checkCanSetSchemaAuthorization(UNKNOWN, new CatalogSchemaName("some-catalog", "unknown"), - new TrinoPrincipal(PrincipalType.ROLE, "some_role")); + new TrinoPrincipal(ROLE, "some_role")); accessControl.checkCanShowCreateSchema(UNKNOWN, new CatalogSchemaName("some-catalog", "unknown")); accessControl.checkCanSelectFromColumns(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"), ImmutableSet.of()); 
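Review bot: With the `Access Denied: ` prefix stripped from every `*_ACCESS_DENIED_MESSAGE` constant in this hunk, whether the tests still pin the exception type and the full denial text now rests entirely on `assertAccessDenied`, which is defined outside this diff, and nothing at the declaration site says how these strings are consumed. The constants mix regex wildcards (`.*`) with `String.format` placeholders (`%s%s`), and some carry no wildcard at all (`Cannot show schemas`), which is only a meaningful assertion if the helper anchors a full-message regex match after re-adding the prefix; if it does a substring or `find()` match, the `-215` hunk below weakens the previous exact `hasMessage("Access Denied: Cannot read system information")` check without anyone noticing, so please confirm and document it. I would add a comment above the first constant, along the lines of `// Regex patterns matched against the AccessDeniedException message (the "Access Denied: " prefix is presumably handled by assertAccessDenied); %s placeholders are filled by the caller with String.format before matching` — adjusted to whatever the helper actually does. Separately, `GRANT_EXECUTE_FUNCTION_ACCESS_DENIED_MESSAGE = ".* cannot grant .*"` is loose enough to accept almost any grant denial, so it effectively checks only the exception type; that predates this commit, but while these strings are being touched it is worth tightening to the actual function-grant wording. The enclosing class body continues outside the hunk.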
@@ -215,12 +215,12 @@ public void testEmptyFile()
         accessControl.checkCanKillQueryOwnedBy(UNKNOWN, anyone);
 
         // system information access is denied by default
-        assertThatThrownBy(() -> accessControl.checkCanReadSystemInformation(UNKNOWN))
-                .isInstanceOf(AccessDeniedException.class)
-                .hasMessage("Access Denied: Cannot read system information");
-        assertThatThrownBy(() -> accessControl.checkCanWriteSystemInformation(UNKNOWN))
-                .isInstanceOf(AccessDeniedException.class)
-                .hasMessage("Access Denied: Cannot write system information");
+        assertAccessDenied(
+                () -> accessControl.checkCanReadSystemInformation(UNKNOWN),
+                "Cannot read system information");
+        assertAccessDenied(
+                () -> accessControl.checkCanWriteSystemInformation(UNKNOWN),
+                "Cannot write system information");
     }
 
     @Test
@@ -312,12 +312,12 @@ public void testSchemaRulesForCheckCanSetSchemaAuthorization() { SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-access-schema.json"); - accessControl.checkCanSetSchemaAuthorization(ADMIN, new CatalogSchemaName("some-catalog", "test"), new TrinoPrincipal(PrincipalType.ROLE, "some_role")); - accessControl.checkCanSetSchemaAuthorization(ADMIN, new CatalogSchemaName("some-catalog", "test"), new TrinoPrincipal(PrincipalType.USER, "some_user")); - accessControl.checkCanSetSchemaAuthorization(BOB, new CatalogSchemaName("some-catalog", "bob"), new TrinoPrincipal(PrincipalType.ROLE, "some_role")); - accessControl.checkCanSetSchemaAuthorization(BOB, new CatalogSchemaName("some-catalog", "bob"), new TrinoPrincipal(PrincipalType.USER, "some_user")); - assertAccessDenied(() -> accessControl.checkCanSetSchemaAuthorization(BOB, new CatalogSchemaName("some-catalog", "test"), new TrinoPrincipal(PrincipalType.ROLE, "some_role")), AUTH_SCHEMA_ACCESS_DENIED_MESSAGE); - assertAccessDenied(() -> accessControl.checkCanSetSchemaAuthorization(BOB, new CatalogSchemaName("some-catalog", "test"), new TrinoPrincipal(PrincipalType.USER, "some_user")), AUTH_SCHEMA_ACCESS_DENIED_MESSAGE); + accessControl.checkCanSetSchemaAuthorization(ADMIN, new CatalogSchemaName("some-catalog", "test"), new TrinoPrincipal(ROLE, "some_role")); + accessControl.checkCanSetSchemaAuthorization(ADMIN, new CatalogSchemaName("some-catalog", "test"), new TrinoPrincipal(USER, "some_user")); + accessControl.checkCanSetSchemaAuthorization(BOB, new CatalogSchemaName("some-catalog", "bob"), new TrinoPrincipal(ROLE, "some_role")); + accessControl.checkCanSetSchemaAuthorization(BOB, new CatalogSchemaName("some-catalog", "bob"), new TrinoPrincipal(USER, "some_user")); + assertAccessDenied(() -> accessControl.checkCanSetSchemaAuthorization(BOB, new CatalogSchemaName("some-catalog", "test"), new TrinoPrincipal(ROLE, "some_role")), AUTH_SCHEMA_ACCESS_DENIED_MESSAGE); + 
assertAccessDenied(() -> accessControl.checkCanSetSchemaAuthorization(BOB, new CatalogSchemaName("some-catalog", "test"), new TrinoPrincipal(USER, "some_user")), AUTH_SCHEMA_ACCESS_DENIED_MESSAGE); } @Test @@ -345,7 +345,7 @@ public void testSchemaRulesForCheckCanShowCreateSchema() public void testGrantSchemaPrivilege(Privilege privilege, boolean grantOption) { SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-access-schema.json"); - TrinoPrincipal grantee = new TrinoPrincipal(PrincipalType.USER, "alice"); + TrinoPrincipal grantee = new TrinoPrincipal(USER, "alice"); accessControl.checkCanGrantSchemaPrivilege(ADMIN, privilege, new CatalogSchemaName("some-catalog", "bob"), grantee, grantOption); accessControl.checkCanGrantSchemaPrivilege(ADMIN, privilege, new CatalogSchemaName("some-catalog", "staff"), grantee, grantOption); @@ -375,7 +375,7 @@ public void testGrantSchemaPrivilege(Privilege privilege, boolean grantOption) public void testDenySchemaPrivilege() { SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-access-schema.json"); - TrinoPrincipal grantee = new TrinoPrincipal(PrincipalType.USER, "alice"); + TrinoPrincipal grantee = new TrinoPrincipal(USER, "alice"); accessControl.checkCanDenySchemaPrivilege(ADMIN, UPDATE, new CatalogSchemaName("some-catalog", "bob"), grantee); accessControl.checkCanDenySchemaPrivilege(ADMIN, UPDATE, new CatalogSchemaName("some-catalog", "staff"), grantee); 
@@ -405,7 +405,7 @@ public void testDenySchemaPrivilege() public void testRevokeSchemaPrivilege(Privilege privilege, boolean grantOption) { SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-access-schema.json"); - TrinoPrincipal grantee = new TrinoPrincipal(PrincipalType.USER, "alice"); + TrinoPrincipal grantee = new TrinoPrincipal(USER, "alice"); accessControl.checkCanRevokeSchemaPrivilege(ADMIN, privilege, new CatalogSchemaName("some-catalog", "bob"), grantee, grantOption); accessControl.checkCanRevokeSchemaPrivilege(ADMIN, privilege, new CatalogSchemaName("some-catalog", "staff"), grantee, grantOption); @@ -829,8 +829,8 @@ public void testCheckCanSetTableAuthorizationForAdmin() { SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json"); - accessControl.checkCanSetTableAuthorization(ADMIN, new CatalogSchemaTableName("some-catalog", "test", "test"), new TrinoPrincipal(PrincipalType.ROLE, "some_role")); - accessControl.checkCanSetTableAuthorization(ADMIN, new CatalogSchemaTableName("some-catalog", "test", "test"), new TrinoPrincipal(PrincipalType.USER, "some_user")); + accessControl.checkCanSetTableAuthorization(ADMIN, new CatalogSchemaTableName("some-catalog", "test", "test"), new TrinoPrincipal(ROLE, "some_role")); + accessControl.checkCanSetTableAuthorization(ADMIN, new CatalogSchemaTableName("some-catalog", "test", "test"), new TrinoPrincipal(USER, "some_user")); } @Test 
@@ -838,8 +838,8 @@ public void testCheckCanSetViewAuthorizationForAdmin() { SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json"); - accessControl.checkCanSetViewAuthorization(ADMIN, new CatalogSchemaTableName("some-catalog", "test", "test"), new TrinoPrincipal(PrincipalType.ROLE, "some_role")); - accessControl.checkCanSetViewAuthorization(ADMIN, new CatalogSchemaTableName("some-catalog", "test", "test"), new TrinoPrincipal(PrincipalType.USER, "some_user")); + accessControl.checkCanSetViewAuthorization(ADMIN, new CatalogSchemaTableName("some-catalog", "test", "test"), new TrinoPrincipal(ROLE, "some_role")); + accessControl.checkCanSetViewAuthorization(ADMIN, new CatalogSchemaTableName("some-catalog", "test", "test"), new TrinoPrincipal(USER, "some_user")); } @Test @@ -847,8 +847,8 @@ public void testCheckCanSetTableAuthorizationForOwner() { SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json"); - accessControl.checkCanSetTableAuthorization(ALICE, new CatalogSchemaTableName("some-catalog", "aliceschema", "test"), new TrinoPrincipal(PrincipalType.ROLE, "some_role")); - accessControl.checkCanSetTableAuthorization(ALICE, new CatalogSchemaTableName("some-catalog", "aliceschema", "test"), new TrinoPrincipal(PrincipalType.USER, "some_user")); + accessControl.checkCanSetTableAuthorization(ALICE, new CatalogSchemaTableName("some-catalog", "aliceschema", "test"), new TrinoPrincipal(ROLE, "some_role")); + accessControl.checkCanSetTableAuthorization(ALICE, new CatalogSchemaTableName("some-catalog", "aliceschema", "test"), new TrinoPrincipal(USER, "some_user")); } @Test 
@@ -856,8 +856,8 @@ public void testCheckCanSetViewAuthorizationForOwner() { SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json"); - accessControl.checkCanSetViewAuthorization(ALICE, new CatalogSchemaTableName("some-catalog", "aliceschema", "test"), new TrinoPrincipal(PrincipalType.ROLE, "some_role")); - accessControl.checkCanSetViewAuthorization(ALICE, new CatalogSchemaTableName("some-catalog", "aliceschema", "test"), new TrinoPrincipal(PrincipalType.USER, "some_user")); + accessControl.checkCanSetViewAuthorization(ALICE, new CatalogSchemaTableName("some-catalog", "aliceschema", "test"), new TrinoPrincipal(ROLE, "some_role")); + accessControl.checkCanSetViewAuthorization(ALICE, new CatalogSchemaTableName("some-catalog", "aliceschema", "test"), new TrinoPrincipal(USER, "some_user")); } @Test @@ -865,8 +865,8 @@ public void testCheckCanSetTableAuthorizationForNonOwner() { SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json"); - assertAccessDenied(() -> accessControl.checkCanSetTableAuthorization(ALICE, new CatalogSchemaTableName("some-catalog", "test", "test"), new TrinoPrincipal(PrincipalType.ROLE, "some_role")), AUTH_TABLE_ACCESS_DENIED_MESSAGE); - assertAccessDenied(() -> accessControl.checkCanSetTableAuthorization(ALICE, new CatalogSchemaTableName("some-catalog", "test", "test"), new TrinoPrincipal(PrincipalType.USER, "some_user")), AUTH_TABLE_ACCESS_DENIED_MESSAGE); + assertAccessDenied(() -> accessControl.checkCanSetTableAuthorization(ALICE, new CatalogSchemaTableName("some-catalog", "test", "test"), new TrinoPrincipal(ROLE, "some_role")), AUTH_TABLE_ACCESS_DENIED_MESSAGE); + assertAccessDenied(() -> accessControl.checkCanSetTableAuthorization(ALICE, new CatalogSchemaTableName("some-catalog", "test", "test"), new TrinoPrincipal(USER, "some_user")), AUTH_TABLE_ACCESS_DENIED_MESSAGE); } @Test 
@@ -874,8 +874,8 @@ public void testCheckCanSetViewAuthorizationForNonOwner() { SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json"); - assertAccessDenied(() -> accessControl.checkCanSetViewAuthorization(ALICE, new CatalogSchemaTableName("some-catalog", "test", "test"), new TrinoPrincipal(PrincipalType.ROLE, "some_role")), AUTH_VIEW_ACCESS_DENIED_MESSAGE); - assertAccessDenied(() -> accessControl.checkCanSetViewAuthorization(ALICE, new CatalogSchemaTableName("some-catalog", "test", "test"), new TrinoPrincipal(PrincipalType.USER, "some_user")), AUTH_VIEW_ACCESS_DENIED_MESSAGE); + assertAccessDenied(() -> accessControl.checkCanSetViewAuthorization(ALICE, new CatalogSchemaTableName("some-catalog", "test", "test"), new TrinoPrincipal(ROLE, "some_role")), AUTH_VIEW_ACCESS_DENIED_MESSAGE); + assertAccessDenied(() -> accessControl.checkCanSetViewAuthorization(ALICE, new CatalogSchemaTableName("some-catalog", "test", "test"), new TrinoPrincipal(USER, "some_user")), AUTH_VIEW_ACCESS_DENIED_MESSAGE); } @Test 
@@ -913,38 +913,26 @@ public void testCanSetUserOperations() { SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-catalog_principal.json"); - try { - accessControl.checkCanSetUser(Optional.empty(), alice.getUser()); - throw new AssertionError("expected AccessDeniedException"); - } - catch (AccessDeniedException expected) { - } + assertAccessDenied( + () -> accessControl.checkCanSetUser(Optional.empty(), alice.getUser()), + "Principal null cannot become user alice"); accessControl.checkCanSetUser(kerberosValidAlice.getPrincipal(), kerberosValidAlice.getUser()); accessControl.checkCanSetUser(kerberosValidNonAsciiUser.getPrincipal(), kerberosValidNonAsciiUser.getUser()); - try { - accessControl.checkCanSetUser(kerberosInvalidAlice.getPrincipal(), kerberosInvalidAlice.getUser()); - throw new AssertionError("expected AccessDeniedException"); - } - catch (AccessDeniedException expected) { - } + assertAccessDenied( + () -> accessControl.checkCanSetUser(kerberosInvalidAlice.getPrincipal(), kerberosInvalidAlice.getUser()), + "Principal mallory/example.com@EXAMPLE.COM cannot become user alice"); accessControl.checkCanSetUser(kerberosValidShare.getPrincipal(), kerberosValidShare.getUser()); - try { - accessControl.checkCanSetUser(kerberosInValidShare.getPrincipal(), kerberosInValidShare.getUser()); - throw new AssertionError("expected AccessDeniedException"); - } - catch (AccessDeniedException expected) { - } + assertAccessDenied( + () -> accessControl.checkCanSetUser(kerberosInValidShare.getPrincipal(), kerberosInValidShare.getUser()), + "Principal invalid/example.com@EXAMPLE.COM cannot become user alice"); accessControl.checkCanSetUser(validSpecialRegexWildDot.getPrincipal(), validSpecialRegexWildDot.getUser()); accessControl.checkCanSetUser(validSpecialRegexEndQuote.getPrincipal(), validSpecialRegexEndQuote.getUser()); - try { - accessControl.checkCanSetUser(invalidSpecialRegex.getPrincipal(), invalidSpecialRegex.getUser()); - throw new 
AssertionError("expected AccessDeniedException"); - } - catch (AccessDeniedException expected) { - } + assertAccessDenied( + () -> accessControl.checkCanSetUser(invalidSpecialRegex.getPrincipal(), invalidSpecialRegex.getUser()), + "Principal special/.*@EXAMPLE.COM cannot become user alice"); SystemAccessControl accessControlNoPatterns = newFileBasedSystemAccessControl("file-based-system-catalog.json"); accessControlNoPatterns.checkCanSetUser(kerberosValidAlice.getPrincipal(), kerberosValidAlice.getUser()); 
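Review bot: The expected messages handed to assertAccessDenied are regular expressions now (the helper ends in hasMessageMatching), so `"Principal special/.*@EXAMPLE.COM cannot become user alice"` no longer pins the principal: its `.*` accepts any principal name and the `.` in `mallory/example.com` accepts any character, which weakens exactly the case that exercises regex-special principals. Quote the literal part, e.g. `"Principal " + Pattern.quote("special/.*@EXAMPLE.COM") + " cannot become user alice"` (java.util.regex.Pattern), so a wrong principal in the denial message still fails the test. The `"Principal null cannot become user alice"` wording for an absent principal also gets locked in here; if that rendering is incidental, `"Principal .* cannot become user alice"` would be less brittle. testCanSetUserOperations continues past the hunk's trailing context lines.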
@@ -955,51 +943,51 @@ public void testQuery() { SystemAccessControl accessControlManager = newFileBasedSystemAccessControl("query.json"); - accessControlManager.checkCanExecuteQuery(new SystemSecurityContext(admin, queryId)); - accessControlManager.checkCanViewQueryOwnedBy(new SystemSecurityContext(admin, queryId), any); - assertEquals(accessControlManager.filterViewQueryOwnedBy(new SystemSecurityContext(admin, queryId), ImmutableSet.of("a", "b")), ImmutableSet.of("a", "b")); - accessControlManager.checkCanKillQueryOwnedBy(new SystemSecurityContext(admin, queryId), any); + accessControlManager.checkCanExecuteQuery(ADMIN); + accessControlManager.checkCanViewQueryOwnedBy(ADMIN, any); + assertEquals(accessControlManager.filterViewQueryOwnedBy(ADMIN, ImmutableSet.of("a", "b")), ImmutableSet.of("a", "b")); + accessControlManager.checkCanKillQueryOwnedBy(ADMIN, any); - accessControlManager.checkCanExecuteQuery(new SystemSecurityContext(alice, queryId)); - accessControlManager.checkCanViewQueryOwnedBy(new SystemSecurityContext(alice, queryId), any); - assertEquals(accessControlManager.filterViewQueryOwnedBy(new SystemSecurityContext(alice, queryId), ImmutableSet.of("a", "b")), ImmutableSet.of("a", "b")); - assertThatThrownBy(() -> accessControlManager.checkCanKillQueryOwnedBy(new SystemSecurityContext(alice, queryId), any)) - .isInstanceOf(AccessDeniedException.class) - .hasMessage("Access Denied: Cannot view query"); + accessControlManager.checkCanExecuteQuery(ALICE); + accessControlManager.checkCanViewQueryOwnedBy(ALICE, any); + assertEquals(accessControlManager.filterViewQueryOwnedBy(ALICE, ImmutableSet.of("a", "b")), ImmutableSet.of("a", "b")); + assertAccessDenied( + () -> accessControlManager.checkCanKillQueryOwnedBy(ALICE, any), + "Cannot view query"); - assertThatThrownBy(() -> accessControlManager.checkCanExecuteQuery(new SystemSecurityContext(bob, queryId))) - .isInstanceOf(AccessDeniedException.class) - .hasMessage("Access Denied: Cannot view query"); - 
assertThatThrownBy(() -> accessControlManager.checkCanViewQueryOwnedBy(new SystemSecurityContext(bob, queryId), any)) - .isInstanceOf(AccessDeniedException.class) - .hasMessage("Access Denied: Cannot view query"); - assertEquals(accessControlManager.filterViewQueryOwnedBy(new SystemSecurityContext(bob, queryId), ImmutableSet.of("a", "b")), ImmutableSet.of()); - accessControlManager.checkCanKillQueryOwnedBy(new SystemSecurityContext(bob, queryId), any); + assertAccessDenied( + () -> accessControlManager.checkCanExecuteQuery(BOB), + "Cannot view query"); + assertAccessDenied( + () -> accessControlManager.checkCanViewQueryOwnedBy(BOB, any), + "Cannot view query"); + assertEquals(accessControlManager.filterViewQueryOwnedBy(BOB, ImmutableSet.of("a", "b")), ImmutableSet.of()); + accessControlManager.checkCanKillQueryOwnedBy(BOB, any); accessControlManager.checkCanExecuteQuery(new SystemSecurityContext(dave, queryId)); accessControlManager.checkCanViewQueryOwnedBy(new SystemSecurityContext(dave, queryId), alice); accessControlManager.checkCanViewQueryOwnedBy(new SystemSecurityContext(dave, queryId), dave); assertEquals(accessControlManager.filterViewQueryOwnedBy(new SystemSecurityContext(dave, queryId), ImmutableSet.of("alice", "bob", "dave", "admin")), ImmutableSet.of("alice", "dave")); - assertThatThrownBy(() -> accessControlManager.checkCanKillQueryOwnedBy(new SystemSecurityContext(dave, queryId), alice)) - .isInstanceOf(AccessDeniedException.class) - .hasMessage("Access Denied: Cannot view query"); - assertThatThrownBy(() -> accessControlManager.checkCanKillQueryOwnedBy(new SystemSecurityContext(dave, queryId), bob)) - .isInstanceOf(AccessDeniedException.class) - .hasMessage("Access Denied: Cannot view query"); - assertThatThrownBy(() -> accessControlManager.checkCanViewQueryOwnedBy(new SystemSecurityContext(dave, queryId), bob)) - .isInstanceOf(AccessDeniedException.class) - .hasMessage("Access Denied: Cannot view query"); - assertThatThrownBy(() -> 
accessControlManager.checkCanViewQueryOwnedBy(new SystemSecurityContext(dave, queryId), admin)) - .isInstanceOf(AccessDeniedException.class) - .hasMessage("Access Denied: Cannot view query"); + assertAccessDenied( + () -> accessControlManager.checkCanKillQueryOwnedBy(new SystemSecurityContext(dave, queryId), alice), + "Cannot view query"); + assertAccessDenied( + () -> accessControlManager.checkCanKillQueryOwnedBy(new SystemSecurityContext(dave, queryId), bob), + "Cannot view query"); + assertAccessDenied( + () -> accessControlManager.checkCanViewQueryOwnedBy(new SystemSecurityContext(dave, queryId), bob), + "Cannot view query"); + assertAccessDenied( + () -> accessControlManager.checkCanViewQueryOwnedBy(new SystemSecurityContext(dave, queryId), admin), + "Cannot view query"); Identity contractor = Identity.forUser("some-other-contractor").withGroups(ImmutableSet.of("contractors")).build(); accessControlManager.checkCanExecuteQuery(new SystemSecurityContext(contractor, queryId)); accessControlManager.checkCanViewQueryOwnedBy(new SystemSecurityContext(contractor, queryId), dave); - assertThatThrownBy(() -> accessControlManager.checkCanKillQueryOwnedBy(new SystemSecurityContext(contractor, queryId), dave)) - .isInstanceOf(AccessDeniedException.class) - .hasMessage("Access Denied: Cannot view query"); + assertAccessDenied( + () -> accessControlManager.checkCanKillQueryOwnedBy(new SystemSecurityContext(contractor, queryId), dave), + "Cannot view query"); accessControlManager.checkCanExecuteQuery(new SystemSecurityContext(nonAsciiUser, queryId)); accessControlManager.checkCanViewQueryOwnedBy(new SystemSecurityContext(nonAsciiUser, queryId), any); 
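Review bot: The rewritten assertions mix two spellings of the same thing: admin, alice and bob now use the ADMIN/ALICE/BOB context constants while dave, contractor and nonAsciiUser a few lines later still build `new SystemSecurityContext(dave, queryId)` inline. Either introduce DAVE and CONTRACTOR constants beside the existing ones (they are declared outside this hunk, so I cannot confirm they carry the same queryId) or keep the explicit constructor for all identities in this test. As a side note, every kill-query denial is pinned as `"Cannot view query"`; that reflects current behaviour rather than this change, but it is worth a comment at the first occurrence so a reader does not take it for a copy-paste error.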
@@ -1019,10 +1007,10 @@ public void testQueryNotSet()
     {
         SystemAccessControl accessControlManager = newFileBasedSystemAccessControl("file-based-system-catalog.json");
 
-        accessControlManager.checkCanExecuteQuery(new SystemSecurityContext(bob, queryId));
-        accessControlManager.checkCanViewQueryOwnedBy(new SystemSecurityContext(bob, queryId), any);
-        assertEquals(accessControlManager.filterViewQueryOwnedBy(new SystemSecurityContext(bob, queryId), ImmutableSet.of("a", "b")), ImmutableSet.of("a", "b"));
-        accessControlManager.checkCanKillQueryOwnedBy(new SystemSecurityContext(bob, queryId), any);
+        accessControlManager.checkCanExecuteQuery(BOB);
+        accessControlManager.checkCanViewQueryOwnedBy(BOB, any);
+        assertEquals(accessControlManager.filterViewQueryOwnedBy(BOB, ImmutableSet.of("a", "b")), ImmutableSet.of("a", "b"));
+        accessControlManager.checkCanKillQueryOwnedBy(BOB, any);
     }
 
     @Test
@@ -1031,51 +1019,50 @@ public void testQueryDocsExample() File rulesFile = new File("../../docs/src/main/sphinx/security/query-access.json"); SystemAccessControl accessControlManager = newFileBasedSystemAccessControl(rulesFile, ImmutableMap.of()); - accessControlManager.checkCanExecuteQuery(new SystemSecurityContext(admin, queryId)); - accessControlManager.checkCanViewQueryOwnedBy(new SystemSecurityContext(admin, queryId), any); - assertEquals(accessControlManager.filterViewQueryOwnedBy(new SystemSecurityContext(admin, queryId), ImmutableSet.of("a", "b")), ImmutableSet.of("a", "b")); - accessControlManager.checkCanKillQueryOwnedBy(new SystemSecurityContext(admin, queryId), any); + accessControlManager.checkCanExecuteQuery(ADMIN); + accessControlManager.checkCanViewQueryOwnedBy(ADMIN, any); + assertEquals(accessControlManager.filterViewQueryOwnedBy(ADMIN, ImmutableSet.of("a", "b")), ImmutableSet.of("a", "b")); + accessControlManager.checkCanKillQueryOwnedBy(ADMIN, any); - accessControlManager.checkCanExecuteQuery(new SystemSecurityContext(alice, queryId)); - assertThatThrownBy(() -> accessControlManager.checkCanViewQueryOwnedBy(new SystemSecurityContext(alice, queryId), any)) - .isInstanceOf(AccessDeniedException.class) - .hasMessage("Access Denied: Cannot view query"); - assertEquals(accessControlManager.filterViewQueryOwnedBy(new SystemSecurityContext(alice, queryId), ImmutableSet.of("a", "b")), ImmutableSet.of()); - accessControlManager.checkCanKillQueryOwnedBy(new SystemSecurityContext(alice, queryId), any); + accessControlManager.checkCanExecuteQuery(ALICE); + assertAccessDenied( + () -> accessControlManager.checkCanViewQueryOwnedBy(ALICE, any), + "Cannot view query"); + assertEquals(accessControlManager.filterViewQueryOwnedBy(ALICE, ImmutableSet.of("a", "b")), ImmutableSet.of()); + accessControlManager.checkCanKillQueryOwnedBy(ALICE, any); - accessControlManager.checkCanExecuteQuery(new SystemSecurityContext(bob, queryId)); - assertThatThrownBy(() -> 
accessControlManager.checkCanViewQueryOwnedBy(new SystemSecurityContext(bob, queryId), any)) - .isInstanceOf(AccessDeniedException.class) - .hasMessage("Access Denied: Cannot view query"); - assertEquals(accessControlManager.filterViewQueryOwnedBy(new SystemSecurityContext(bob, queryId), ImmutableSet.of("a", "b")), ImmutableSet.of()); - assertThatThrownBy(() -> accessControlManager.checkCanKillQueryOwnedBy(new SystemSecurityContext(bob, queryId), any)) - .isInstanceOf(AccessDeniedException.class) - .hasMessage("Access Denied: Cannot view query"); + accessControlManager.checkCanExecuteQuery(BOB); + assertAccessDenied( + () -> accessControlManager.checkCanViewQueryOwnedBy(BOB, any), + "Cannot view query"); + assertEquals(accessControlManager.filterViewQueryOwnedBy(BOB, ImmutableSet.of("a", "b")), ImmutableSet.of()); + assertAccessDenied( + () -> accessControlManager.checkCanKillQueryOwnedBy(BOB, any), + "Cannot view query"); accessControlManager.checkCanExecuteQuery(new SystemSecurityContext(dave, queryId)); accessControlManager.checkCanViewQueryOwnedBy(new SystemSecurityContext(dave, queryId), alice); accessControlManager.checkCanViewQueryOwnedBy(new SystemSecurityContext(dave, queryId), dave); assertEquals(accessControlManager.filterViewQueryOwnedBy(new SystemSecurityContext(dave, queryId), ImmutableSet.of("alice", "bob", "dave", "admin")), ImmutableSet.of("alice", "dave")); - assertThatThrownBy(() -> accessControlManager.checkCanKillQueryOwnedBy(new SystemSecurityContext(dave, queryId), alice)) - .isInstanceOf(AccessDeniedException.class) - .hasMessage("Access Denied: Cannot view query"); - assertThatThrownBy(() -> accessControlManager.checkCanKillQueryOwnedBy(new SystemSecurityContext(dave, queryId), bob)) - .isInstanceOf(AccessDeniedException.class) - .hasMessage("Access Denied: Cannot view query"); - assertThatThrownBy(() -> accessControlManager.checkCanViewQueryOwnedBy(new SystemSecurityContext(dave, queryId), bob)) - .isInstanceOf(AccessDeniedException.class) 
- .hasMessage("Access Denied: Cannot view query"); - assertThatThrownBy(() -> accessControlManager.checkCanViewQueryOwnedBy(new SystemSecurityContext(dave, queryId), admin)) - .isInstanceOf(AccessDeniedException.class) - .hasMessage("Access Denied: Cannot view query"); + assertAccessDenied( + () -> accessControlManager.checkCanKillQueryOwnedBy(new SystemSecurityContext(dave, queryId), alice), + "Cannot view query"); + assertAccessDenied(() -> accessControlManager.checkCanKillQueryOwnedBy(new SystemSecurityContext(dave, queryId), bob), + "Cannot view query"); + assertAccessDenied( + () -> accessControlManager.checkCanViewQueryOwnedBy(new SystemSecurityContext(dave, queryId), bob), + "Cannot view query"); + assertAccessDenied( + () -> accessControlManager.checkCanViewQueryOwnedBy(new SystemSecurityContext(dave, queryId), admin), + "Cannot view query"); Identity contractor = Identity.forUser("some-other-contractor").withGroups(ImmutableSet.of("contractors")).build(); accessControlManager.checkCanExecuteQuery(new SystemSecurityContext(contractor, queryId)); accessControlManager.checkCanViewQueryOwnedBy(new SystemSecurityContext(contractor, queryId), dave); - assertThatThrownBy(() -> accessControlManager.checkCanKillQueryOwnedBy(new SystemSecurityContext(contractor, queryId), dave)) - .isInstanceOf(AccessDeniedException.class) - .hasMessage("Access Denied: Cannot view query"); + assertAccessDenied( + () -> accessControlManager.checkCanKillQueryOwnedBy(new SystemSecurityContext(contractor, queryId), dave), + "Cannot view query"); } @Test 
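Review bot: One rewritten assertion in this hunk is formatted unlike all its siblings: `assertAccessDenied(() -> accessControlManager.checkCanKillQueryOwnedBy(new SystemSecurityContext(dave, queryId), bob),` keeps the callable on the call line, while every other call in testQueryDocsExample (and in the parallel testQuery) breaks after `assertAccessDenied(`. Put the lambda on its own line, `assertAccessDenied(` / `() -> accessControlManager.checkCanKillQueryOwnedBy(new SystemSecurityContext(dave, queryId), bob),` / `"Cannot view query");`, so the two tests stay diffable against each other.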
@@ -1087,16 +1074,16 @@ public void testSystemInformation() accessControlManager.checkCanWriteSystemInformation(new SystemSecurityContext(admin, Optional.empty())); accessControlManager.checkCanReadSystemInformation(new SystemSecurityContext(alice, Optional.empty())); - assertThatThrownBy(() -> accessControlManager.checkCanWriteSystemInformation(new SystemSecurityContext(alice, Optional.empty()))) - .isInstanceOf(AccessDeniedException.class) - .hasMessage("Access Denied: Cannot write system information"); + assertAccessDenied( + () -> accessControlManager.checkCanWriteSystemInformation(new SystemSecurityContext(alice, Optional.empty())), + "Cannot write system information"); - assertThatThrownBy(() -> accessControlManager.checkCanReadSystemInformation(new SystemSecurityContext(bob, Optional.empty()))) - .isInstanceOf(AccessDeniedException.class) - .hasMessage("Access Denied: Cannot read system information"); - assertThatThrownBy(() -> accessControlManager.checkCanWriteSystemInformation(new SystemSecurityContext(bob, Optional.empty()))) - .isInstanceOf(AccessDeniedException.class) - .hasMessage("Access Denied: Cannot write system information"); + assertAccessDenied( + () -> accessControlManager.checkCanReadSystemInformation(new SystemSecurityContext(bob, Optional.empty())), + "Cannot read system information"); + assertAccessDenied( + () -> accessControlManager.checkCanWriteSystemInformation(new SystemSecurityContext(bob, Optional.empty())), + "Cannot write system information"); accessControlManager.checkCanReadSystemInformation(new SystemSecurityContext(nonAsciiUser, Optional.empty())); accessControlManager.checkCanWriteSystemInformation(new SystemSecurityContext(nonAsciiUser, Optional.empty())); 
@@ -1107,12 +1094,12 @@ public void testSystemInformationNotSet()
     {
         SystemAccessControl accessControlManager = newFileBasedSystemAccessControl("file-based-system-catalog.json");
 
-        assertThatThrownBy(() -> accessControlManager.checkCanReadSystemInformation(new SystemSecurityContext(bob, Optional.empty())))
-                .isInstanceOf(AccessDeniedException.class)
-                .hasMessage("Access Denied: Cannot read system information");
-        assertThatThrownBy(() -> accessControlManager.checkCanWriteSystemInformation(new SystemSecurityContext(bob, Optional.empty())))
-                .isInstanceOf(AccessDeniedException.class)
-                .hasMessage("Access Denied: Cannot write system information");
+        assertAccessDenied(
+                () -> accessControlManager.checkCanReadSystemInformation(new SystemSecurityContext(bob, Optional.empty())),
+                "Cannot read system information");
+        assertAccessDenied(
+                () -> accessControlManager.checkCanWriteSystemInformation(new SystemSecurityContext(bob, Optional.empty())),
+                "Cannot write system information");
     }
 
     @Test
@@ -1125,16 +1112,16 @@ public void testSystemInformationDocsExample() accessControlManager.checkCanWriteSystemInformation(new SystemSecurityContext(admin, Optional.empty())); accessControlManager.checkCanReadSystemInformation(new SystemSecurityContext(alice, Optional.empty())); - assertThatThrownBy(() -> accessControlManager.checkCanWriteSystemInformation(new SystemSecurityContext(alice, Optional.empty()))) - .isInstanceOf(AccessDeniedException.class) - .hasMessage("Access Denied: Cannot write system information"); + assertAccessDenied( + () -> accessControlManager.checkCanWriteSystemInformation(new SystemSecurityContext(alice, Optional.empty())), + "Cannot write system information"); - assertThatThrownBy(() -> accessControlManager.checkCanReadSystemInformation(new SystemSecurityContext(bob, Optional.empty()))) - .isInstanceOf(AccessDeniedException.class) - .hasMessage("Access Denied: Cannot read system information"); - assertThatThrownBy(() -> accessControlManager.checkCanWriteSystemInformation(new SystemSecurityContext(bob, Optional.empty()))) - .isInstanceOf(AccessDeniedException.class) - .hasMessage("Access Denied: Cannot write system information"); + assertAccessDenied( + () -> accessControlManager.checkCanReadSystemInformation(new SystemSecurityContext(bob, Optional.empty())), + "Cannot read system information"); + assertAccessDenied( + () -> accessControlManager.checkCanWriteSystemInformation(new SystemSecurityContext(bob, Optional.empty())), + "Cannot write system information"); } @Test 
@@ -1142,30 +1129,30 @@ public void testSchemaOperations()
     {
         SystemAccessControl accessControl = newFileBasedSystemAccessControl("file-based-system-catalog.json");
 
-        TrinoPrincipal user = new TrinoPrincipal(PrincipalType.USER, "some_user");
-        TrinoPrincipal role = new TrinoPrincipal(PrincipalType.ROLE, "some_user");
+        TrinoPrincipal user = new TrinoPrincipal(USER, "some_user");
+        TrinoPrincipal role = new TrinoPrincipal(ROLE, "some_user");
 
-        accessControl.checkCanSetSchemaAuthorization(new SystemSecurityContext(admin, queryId), new CatalogSchemaName("alice-catalog", "some_schema"), user);
-        accessControl.checkCanSetSchemaAuthorization(new SystemSecurityContext(admin, queryId), new CatalogSchemaName("alice-catalog", "some_schema"), role);
+        accessControl.checkCanSetSchemaAuthorization(ADMIN, new CatalogSchemaName("alice-catalog", "some_schema"), user);
+        accessControl.checkCanSetSchemaAuthorization(ADMIN, new CatalogSchemaName("alice-catalog", "some_schema"), role);
 
-        accessControl.checkCanSetSchemaAuthorization(new SystemSecurityContext(alice, queryId), new CatalogSchemaName("alice-catalog", "some_schema"), user);
-        accessControl.checkCanSetSchemaAuthorization(new SystemSecurityContext(alice, queryId), new CatalogSchemaName("alice-catalog", "some_schema"), role);
+        accessControl.checkCanSetSchemaAuthorization(ALICE, new CatalogSchemaName("alice-catalog", "some_schema"), user);
+        accessControl.checkCanSetSchemaAuthorization(ALICE, new CatalogSchemaName("alice-catalog", "some_schema"), role);
 
-        assertThatThrownBy(() -> accessControl.checkCanSetSchemaAuthorization(new SystemSecurityContext(bob, queryId), new CatalogSchemaName("alice-catalog", "some_schema"), user))
-                .isInstanceOf(AccessDeniedException.class)
-                .hasMessageStartingWith("Access Denied: Cannot set authorization for schema alice-catalog.some_schema");
+        assertAccessDenied(
+                () -> accessControl.checkCanSetSchemaAuthorization(BOB, new CatalogSchemaName("alice-catalog", "some_schema"), user),
+                "Cannot set authorization for schema alice-catalog.some_schema.*");
 
-        assertThatThrownBy(() -> accessControl.checkCanSetSchemaAuthorization(new SystemSecurityContext(bob, queryId), new CatalogSchemaName("alice-catalog", "some_schema"), role))
-                .isInstanceOf(AccessDeniedException.class)
-                .hasMessageStartingWith("Access Denied: Cannot set authorization for schema alice-catalog.some_schema");
+        assertAccessDenied(
+                () -> accessControl.checkCanSetSchemaAuthorization(BOB, new CatalogSchemaName("alice-catalog", "some_schema"), role),
+                "Cannot set authorization for schema alice-catalog.some_schema.*");
 
-        assertThatThrownBy(() -> accessControl.checkCanSetSchemaAuthorization(new SystemSecurityContext(alice, queryId), new CatalogSchemaName("secret", "some_schema"), user))
-                .isInstanceOf(AccessDeniedException.class)
-                .hasMessageStartingWith("Access Denied: Cannot set authorization for schema secret.some_schema");
+        assertAccessDenied(
+                () -> accessControl.checkCanSetSchemaAuthorization(ALICE, new CatalogSchemaName("secret", "some_schema"), user),
+                "Cannot set authorization for schema secret.some_schema.*");
 
-        assertThatThrownBy(() -> accessControl.checkCanSetSchemaAuthorization(new SystemSecurityContext(alice, queryId), new CatalogSchemaName("secret", "some_schema"), role))
-                .isInstanceOf(AccessDeniedException.class)
-                .hasMessageStartingWith("Access Denied: Cannot set authorization for schema secret.some_schema");
+        assertAccessDenied(
+                () -> accessControl.checkCanSetSchemaAuthorization(ALICE, new CatalogSchemaName("secret", "some_schema"), role),
+                "Cannot set authorization for schema secret.some_schema.*");
     }
 
     @Test
@@ -1538,6 +1525,6 @@ private static void assertAccessDenied(ThrowingCallable callable, String expecte
     {
         assertThatThrownBy(callable)
                 .isInstanceOf(AccessDeniedException.class)
-                .hasMessageMatching(expectedMessage);
+                .hasMessageMatching("Access Denied: " + expectedMessage);
     }
 }
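Review bot: The replacement for hasMessageStartingWith turns the schema name into a regex, and the `.` in `alice-catalog.some_schema` and `secret.some_schema` is an unescaped wildcard; the trailing `.*` keeps the prefix semantics, but the dot should be escaped so the check stays as precise as the original: `"Cannot set authorization for schema alice-catalog\\.some_schema.*"` and `"Cannot set authorization for schema secret\\.some_schema.*"`. Separately, the role principal carried over by this hunk is still named `"some_user"` (`new TrinoPrincipal(ROLE, "some_user")`); naming it `"some_role"` as the other tests do would let a USER/ROLE mix-up in the implementation show up in the denial message.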
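Review bot: assertAccessDenied now treats `expectedMessage` as a regular expression that is matched in full against the exception message with `"Access Denied: "` prepended, yet nothing documents that, and the callers in this diff pass a mix of literal messages and `.*` patterns. Add a Javadoc on the helper, along the lines of `Asserts that {@code callable} throws {@link AccessDeniedException} whose whole message is "Access Denied: " followed by text matching the regex {@code expectedMessage}; literal text containing regex metacharacters must be quoted with Pattern.quote.` Renaming the parameter to `expectedMessagePattern` would make the contract visible at each call site. The method's signature sits in the hunk header, outside the changed lines.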