diff --git a/core/trino-main/src/main/java/io/trino/security/AccessControl.java b/core/trino-main/src/main/java/io/trino/security/AccessControl.java index 1fa8d0db01cb..b4d7b5b2cdbd 100644 --- a/core/trino-main/src/main/java/io/trino/security/AccessControl.java +++ b/core/trino-main/src/main/java/io/trino/security/AccessControl.java @@ -515,14 +515,6 @@ void checkCanRevokeRoles(SecurityContext context, */ void checkCanSetCatalogRole(SecurityContext context, String role, String catalogName); - /** - * Check if identity is allowed to show role authorization descriptors (i.e. RoleGrants). - * - * @param catalogName if present, the role catalog; otherwise the role is a system role - * @throws AccessDeniedException if not allowed - */ - void checkCanShowRoleAuthorizationDescriptors(SecurityContext context, Optional catalogName); - /** * Check if identity is allowed to show roles on the specified catalog. * diff --git a/core/trino-main/src/main/java/io/trino/security/AccessControlManager.java b/core/trino-main/src/main/java/io/trino/security/AccessControlManager.java index cf386ce604b3..9df9c6c9dd4a 100644 --- a/core/trino-main/src/main/java/io/trino/security/AccessControlManager.java +++ b/core/trino-main/src/main/java/io/trino/security/AccessControlManager.java 
@@ -1137,22 +1137,6 @@ public void checkCanSetCatalogRole(SecurityContext securityContext, String role, catalogAuthorizationCheck(catalogName, securityContext, (control, context) -> control.checkCanSetRole(context, role)); } - @Override - public void checkCanShowRoleAuthorizationDescriptors(SecurityContext securityContext, Optional catalogName) - { - requireNonNull(securityContext, "securityContext is null"); - requireNonNull(catalogName, "catalogName is null"); - - if (catalogName.isPresent()) { - checkCanAccessCatalog(securityContext, catalogName.get()); - checkCatalogRoles(securityContext, catalogName.get()); - catalogAuthorizationCheck(catalogName.get(), securityContext, ConnectorAccessControl::checkCanShowRoleAuthorizationDescriptors); - } - else { - systemAuthorizationCheck(control -> control.checkCanShowRoleAuthorizationDescriptors(securityContext.toSystemSecurityContext())); - } - } - @Override public void checkCanShowRoles(SecurityContext securityContext, Optional catalogName) { diff --git a/core/trino-main/src/main/java/io/trino/security/AllowAllAccessControl.java b/core/trino-main/src/main/java/io/trino/security/AllowAllAccessControl.java index 9323a5bc3067..bc29abdb5268 100644 --- a/core/trino-main/src/main/java/io/trino/security/AllowAllAccessControl.java +++ b/core/trino-main/src/main/java/io/trino/security/AllowAllAccessControl.java @@ -361,11 +361,6 @@ public void checkCanSetCatalogRole(SecurityContext context, String role, String { } - @Override - public void checkCanShowRoleAuthorizationDescriptors(SecurityContext context, Optional catalogName) - { - } - @Override public void checkCanShowRoles(SecurityContext context, Optional catalogName) { diff --git a/core/trino-main/src/main/java/io/trino/security/DenyAllAccessControl.java b/core/trino-main/src/main/java/io/trino/security/DenyAllAccessControl.java index 7105592fcbd0..5cf5dfe1f005 100644 --- a/core/trino-main/src/main/java/io/trino/security/DenyAllAccessControl.java 
+++ b/core/trino-main/src/main/java/io/trino/security/DenyAllAccessControl.java @@ -87,7 +87,6 @@ import static io.trino.spi.security.AccessDeniedException.denyShowCreateSchema; import static io.trino.spi.security.AccessDeniedException.denyShowCreateTable; import static io.trino.spi.security.AccessDeniedException.denyShowCurrentRoles; -import static io.trino.spi.security.AccessDeniedException.denyShowRoleAuthorizationDescriptors; import static io.trino.spi.security.AccessDeniedException.denyShowRoleGrants; import static io.trino.spi.security.AccessDeniedException.denyShowRoles; import static io.trino.spi.security.AccessDeniedException.denyShowSchemas; @@ -490,12 +489,6 @@ public void checkCanSetCatalogRole(SecurityContext context, String role, String denySetRole(role); } - @Override - public void checkCanShowRoleAuthorizationDescriptors(SecurityContext context, Optional catalogName) - { - denyShowRoleAuthorizationDescriptors(); - } - @Override public void checkCanShowRoles(SecurityContext context, Optional catalogName) { diff --git a/core/trino-main/src/main/java/io/trino/security/ForwardingAccessControl.java b/core/trino-main/src/main/java/io/trino/security/ForwardingAccessControl.java index 2cd340bdfae5..fa020ad39028 100644 --- a/core/trino-main/src/main/java/io/trino/security/ForwardingAccessControl.java +++ b/core/trino-main/src/main/java/io/trino/security/ForwardingAccessControl.java @@ -443,12 +443,6 @@ public void checkCanSetCatalogRole(SecurityContext context, String role, String delegate().checkCanSetCatalogRole(context, role, catalogName); } - @Override - public void checkCanShowRoleAuthorizationDescriptors(SecurityContext context, Optional catalogName) - { - delegate().checkCanShowRoleAuthorizationDescriptors(context, catalogName); - } - @Override public void checkCanShowRoles(SecurityContext context, Optional catalogName) { 
diff --git a/core/trino-main/src/main/java/io/trino/security/InjectedConnectorAccessControl.java b/core/trino-main/src/main/java/io/trino/security/InjectedConnectorAccessControl.java index 890a3276dfdf..a88de3cb6d7d 100644 --- a/core/trino-main/src/main/java/io/trino/security/InjectedConnectorAccessControl.java +++ b/core/trino-main/src/main/java/io/trino/security/InjectedConnectorAccessControl.java @@ -429,13 +429,6 @@ public void checkCanSetRole(ConnectorSecurityContext context, String role) accessControl.checkCanSetCatalogRole(securityContext, role, catalogName); } - @Override - public void checkCanShowRoleAuthorizationDescriptors(ConnectorSecurityContext context) - { - checkArgument(context == null, "context must be null"); - accessControl.checkCanShowRoleAuthorizationDescriptors(securityContext, Optional.of(catalogName)); - } - @Override public void checkCanShowRoles(ConnectorSecurityContext context) { diff --git a/core/trino-main/src/main/java/io/trino/testing/AllowAllAccessControlManager.java b/core/trino-main/src/main/java/io/trino/testing/AllowAllAccessControlManager.java index b2cafd945f26..8b7fcc6a1dcf 100644 --- a/core/trino-main/src/main/java/io/trino/testing/AllowAllAccessControlManager.java +++ b/core/trino-main/src/main/java/io/trino/testing/AllowAllAccessControlManager.java @@ -240,9 +240,6 @@ public void checkCanRevokeRoles(SecurityContext context, Set roles, Set< @Override public void checkCanSetCatalogRole(SecurityContext context, String role, String catalogName) {} - @Override - public void checkCanShowRoleAuthorizationDescriptors(SecurityContext context, Optional catalogName) {} - @Override public void checkCanShowRoles(SecurityContext context, Optional catalogName) {} diff --git a/core/trino-main/src/main/java/io/trino/tracing/TracingAccessControl.java b/core/trino-main/src/main/java/io/trino/tracing/TracingAccessControl.java index 54403bf236e5..4ab2b8f33bdb 100644 --- a/core/trino-main/src/main/java/io/trino/tracing/TracingAccessControl.java 
+++ b/core/trino-main/src/main/java/io/trino/tracing/TracingAccessControl.java @@ -644,15 +644,6 @@ public void checkCanSetCatalogRole(SecurityContext context, String role, String } } - @Override - public void checkCanShowRoleAuthorizationDescriptors(SecurityContext context, Optional catalogName) - { - Span span = startSpan("checkCanShowRoleAuthorizationDescriptors"); - try (var ignored = scopedSpan(span)) { - delegate.checkCanShowRoleAuthorizationDescriptors(context, catalogName); - } - } - @Override public void checkCanShowRoles(SecurityContext context, Optional catalogName) { diff --git a/core/trino-spi/pom.xml b/core/trino-spi/pom.xml index 9e0e9f572ce4..c6c629c654e9 100644 --- a/core/trino-spi/pom.xml +++ b/core/trino-spi/pom.xml @@ -228,6 +228,16 @@ + + true + java.method.removed + method void io.trino.spi.connector.ConnectorAccessControl::checkCanShowRoleAuthorizationDescriptors(io.trino.spi.connector.ConnectorSecurityContext) + + + true + java.method.removed + method void io.trino.spi.security.SystemAccessControl::checkCanShowRoleAuthorizationDescriptors(io.trino.spi.security.SystemSecurityContext) + diff --git a/core/trino-spi/src/main/java/io/trino/spi/connector/ConnectorAccessControl.java b/core/trino-spi/src/main/java/io/trino/spi/connector/ConnectorAccessControl.java index 585f270a1ca4..4973ca7babdd 100644 --- a/core/trino-spi/src/main/java/io/trino/spi/connector/ConnectorAccessControl.java +++ b/core/trino-spi/src/main/java/io/trino/spi/connector/ConnectorAccessControl.java 
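Review bot: The two `java.method.removed` ignore entries added to the revapi list in `core/trino-spi/pom.xml` accept the removal of `checkCanShowRoleAuthorizationDescriptors` from `ConnectorAccessControl` and `SystemAccessControl` without recording why dropping an authorization hook is safe. In the part of the diff shown here the only callers removed are the access-control wrappers and one test line, which suggests (not confirmed from these hunks) that the engine no longer consulted the check. I would state that next to the entries once verified, for example `<!-- checkCanShowRoleAuthorizationDescriptors had no remaining engine caller; role grant listing stays guarded by checkCanShowRoleGrants -->`. A third-party access-control plugin that put policy in its override gets no runtime signal that the hook is gone, so the removal also deserves a release-note line for plugin authors.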
@@ -76,7 +76,6 @@ import static io.trino.spi.security.AccessDeniedException.denyShowCreateSchema; import static io.trino.spi.security.AccessDeniedException.denyShowCreateTable; import static io.trino.spi.security.AccessDeniedException.denyShowCurrentRoles; -import static io.trino.spi.security.AccessDeniedException.denyShowRoleAuthorizationDescriptors; import static io.trino.spi.security.AccessDeniedException.denyShowRoleGrants; import static io.trino.spi.security.AccessDeniedException.denyShowRoles; import static io.trino.spi.security.AccessDeniedException.denyShowSchemas; @@ -586,16 +585,6 @@ default void checkCanSetRole(ConnectorSecurityContext context, String role) denySetRole(role); } - /** - * Check if identity is allowed to show role authorization descriptors (i.e. RoleGrants). - * - * @throws io.trino.spi.security.AccessDeniedException if not allowed - */ - default void checkCanShowRoleAuthorizationDescriptors(ConnectorSecurityContext context) - { - denyShowRoleAuthorizationDescriptors(); - } - /** * Check if identity is allowed to show roles. * diff --git a/core/trino-spi/src/main/java/io/trino/spi/security/SystemAccessControl.java b/core/trino-spi/src/main/java/io/trino/spi/security/SystemAccessControl.java index d4a6fdfe9497..7139f7930c93 100644 --- a/core/trino-spi/src/main/java/io/trino/spi/security/SystemAccessControl.java +++ b/core/trino-spi/src/main/java/io/trino/spi/security/SystemAccessControl.java 
@@ -85,7 +85,6 @@ import static io.trino.spi.security.AccessDeniedException.denyShowCreateSchema; import static io.trino.spi.security.AccessDeniedException.denyShowCreateTable; import static io.trino.spi.security.AccessDeniedException.denyShowCurrentRoles; -import static io.trino.spi.security.AccessDeniedException.denyShowRoleAuthorizationDescriptors; import static io.trino.spi.security.AccessDeniedException.denyShowRoleGrants; import static io.trino.spi.security.AccessDeniedException.denyShowRoles; import static io.trino.spi.security.AccessDeniedException.denyShowSchemas; @@ -814,16 +813,6 @@ default void checkCanRevokeRoles(SystemSecurityContext context, Set role denyRevokeRoles(roles, grantees); } - /** - * Check if identity is allowed to show role authorization descriptors (i.e. RoleGrants). - * - * @throws AccessDeniedException if not allowed - */ - default void checkCanShowRoleAuthorizationDescriptors(SystemSecurityContext context) - { - denyShowRoleAuthorizationDescriptors(); - } - /** * Check if identity is allowed to show current roles. * diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/classloader/ClassLoaderSafeConnectorAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/classloader/ClassLoaderSafeConnectorAccessControl.java index f2d396399f1f..da23a9d8c624 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/classloader/ClassLoaderSafeConnectorAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/classloader/ClassLoaderSafeConnectorAccessControl.java 
@@ -469,14 +469,6 @@ public void checkCanSetRole(ConnectorSecurityContext context, String role) } } - @Override - public void checkCanShowRoleAuthorizationDescriptors(ConnectorSecurityContext context) - { - try (ThreadContextClassLoader ignored = new ThreadContextClassLoader(classLoader)) { - delegate.checkCanShowRoleAuthorizationDescriptors(context); - } - } - @Override public void checkCanShowRoles(ConnectorSecurityContext context) { diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllAccessControl.java index 00b8d4ed792e..328098c9ad98 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllAccessControl.java @@ -303,11 +303,6 @@ public void checkCanSetRole(ConnectorSecurityContext context, String role) { } - @Override - public void checkCanShowRoleAuthorizationDescriptors(ConnectorSecurityContext context) - { - } - @Override public void checkCanShowRoles(ConnectorSecurityContext context) { diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllSystemAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllSystemAccessControl.java index 8f2bf40dd799..81708a6d5fae 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllSystemAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllSystemAccessControl.java @@ -424,11 +424,6 @@ public void checkCanRevokeRoles( { } - @Override - public void checkCanShowRoleAuthorizationDescriptors(SystemSecurityContext context) - { - } - @Override public void checkCanShowCurrentRoles(SystemSecurityContext context) { 
diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedAccessControl.java index 360332b02dc2..e3df147e349a 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedAccessControl.java @@ -606,12 +606,6 @@ public void checkCanSetRole(ConnectorSecurityContext context, String role) denySetRole(role); } - @Override - public void checkCanShowRoleAuthorizationDescriptors(ConnectorSecurityContext context) - { - // allow, no roles are supported so show will always be empty - } - @Override public void checkCanShowRoles(ConnectorSecurityContext context) { diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedSystemAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedSystemAccessControl.java index f8a4f09d2c3e..93c1e476b4a0 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedSystemAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedSystemAccessControl.java @@ -107,7 +107,6 @@ import static io.trino.spi.security.AccessDeniedException.denyShowColumns; import static io.trino.spi.security.AccessDeniedException.denyShowCreateSchema; import static io.trino.spi.security.AccessDeniedException.denyShowCreateTable; -import static io.trino.spi.security.AccessDeniedException.denyShowRoleAuthorizationDescriptors; import static io.trino.spi.security.AccessDeniedException.denyShowSchemas; import static io.trino.spi.security.AccessDeniedException.denyShowTables; import static io.trino.spi.security.AccessDeniedException.denyTruncateTable; 
@@ -910,12 +909,6 @@ public void checkCanRevokeRoles(SystemSecurityContext context, denyRevokeRoles(roles, grantees); } - @Override - public void checkCanShowRoleAuthorizationDescriptors(SystemSecurityContext context) - { - denyShowRoleAuthorizationDescriptors(); - } - @Override public void checkCanShowCurrentRoles(SystemSecurityContext context) { diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingConnectorAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingConnectorAccessControl.java index eca7a3514867..68845fe6346c 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingConnectorAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingConnectorAccessControl.java @@ -369,12 +369,6 @@ public void checkCanSetRole(ConnectorSecurityContext context, String role) delegate().checkCanSetRole(context, role); } - @Override - public void checkCanShowRoleAuthorizationDescriptors(ConnectorSecurityContext context) - { - delegate().checkCanShowRoleAuthorizationDescriptors(context); - } - @Override public void checkCanShowRoles(ConnectorSecurityContext context) { diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingSystemAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingSystemAccessControl.java index d38129848666..0c03914688ab 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingSystemAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingSystemAccessControl.java 
@@ -469,12 +469,6 @@ public void checkCanRevokeRoles(SystemSecurityContext context, Set roles delegate().checkCanRevokeRoles(context, roles, grantees, adminOption, grantor); } - @Override - public void checkCanShowRoleAuthorizationDescriptors(SystemSecurityContext context) - { - delegate().checkCanShowRoleAuthorizationDescriptors(context); - } - @Override public void checkCanShowCurrentRoles(SystemSecurityContext context) { diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ReadOnlyAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ReadOnlyAccessControl.java index 60a1de000a65..7a7988c70003 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ReadOnlyAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ReadOnlyAccessControl.java @@ -250,12 +250,6 @@ public void checkCanRevokeTablePrivilege(ConnectorSecurityContext context, Privi denyRevokeTablePrivilege(privilege.name(), tableName.toString()); } - @Override - public void checkCanShowRoleAuthorizationDescriptors(ConnectorSecurityContext context) - { - // allow - } - @Override public void checkCanShowRoles(ConnectorSecurityContext context) { diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ReadOnlySystemAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ReadOnlySystemAccessControl.java index a15d1737300a..3df609d3890e 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ReadOnlySystemAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ReadOnlySystemAccessControl.java @@ -166,11 +166,6 @@ public void checkCanShowRoles(SystemSecurityContext context) { } - @Override - public void checkCanShowRoleAuthorizationDescriptors(SystemSecurityContext context) - { - } - @Override public void checkCanShowCurrentRoles(SystemSecurityContext context) { 
diff --git a/lib/trino-plugin-toolkit/src/test/java/io/trino/plugin/base/security/BaseFileBasedConnectorAccessControlTest.java b/lib/trino-plugin-toolkit/src/test/java/io/trino/plugin/base/security/BaseFileBasedConnectorAccessControlTest.java index 3c7d63eb3137..3d83d0e61fb9 100644 --- a/lib/trino-plugin-toolkit/src/test/java/io/trino/plugin/base/security/BaseFileBasedConnectorAccessControlTest.java +++ b/lib/trino-plugin-toolkit/src/test/java/io/trino/plugin/base/security/BaseFileBasedConnectorAccessControlTest.java @@ -123,7 +123,6 @@ public void testEmptyFile() assertDenied(() -> accessControl.checkCanSetRole(ADMIN, "role")); // showing roles and permissions is hard coded to allow - accessControl.checkCanShowRoleAuthorizationDescriptors(UNKNOWN); accessControl.checkCanShowRoles(UNKNOWN); accessControl.checkCanShowCurrentRoles(UNKNOWN); accessControl.checkCanShowRoleGrants(UNKNOWN); diff --git a/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/LegacyAccessControl.java b/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/LegacyAccessControl.java index 7ab754325f8c..d7800e0313ab 100644 --- a/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/LegacyAccessControl.java +++ b/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/LegacyAccessControl.java @@ -372,11 +372,6 @@ public void checkCanSetRole(ConnectorSecurityContext context, String role) { } - @Override - public void checkCanShowRoleAuthorizationDescriptors(ConnectorSecurityContext context) - { - } - @Override public void checkCanShowRoles(ConnectorSecurityContext context) { diff --git a/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/SqlStandardAccessControl.java b/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/SqlStandardAccessControl.java index c75464fa7e8d..ad5eeec1b98b 100644 --- a/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/SqlStandardAccessControl.java 
+++ b/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/SqlStandardAccessControl.java @@ -98,7 +98,6 @@ import static io.trino.spi.security.AccessDeniedException.denyShowColumns; import static io.trino.spi.security.AccessDeniedException.denyShowCreateSchema; import static io.trino.spi.security.AccessDeniedException.denyShowCreateTable; -import static io.trino.spi.security.AccessDeniedException.denyShowRoleAuthorizationDescriptors; import static io.trino.spi.security.AccessDeniedException.denyShowRoles; import static io.trino.spi.security.AccessDeniedException.denyTruncateTable; import static io.trino.spi.security.AccessDeniedException.denyUpdateTableColumns; @@ -570,14 +569,6 @@ public void checkCanSetRole(ConnectorSecurityContext context, String role) } } - @Override - public void checkCanShowRoleAuthorizationDescriptors(ConnectorSecurityContext context) - { - if (!isAdmin(context)) { - denyShowRoleAuthorizationDescriptors(); - } - } - @Override public void checkCanShowRoles(ConnectorSecurityContext context) {