Remove unused checkCanShowRoleAuthorizationDescriptors

core/trino-main/src/main/java/io/trino/security/AccessControl.java

@@ -515,14 +515,6 @@ void checkCanRevokeRoles(SecurityContext context,
      */
     void checkCanSetCatalogRole(SecurityContext context, String role, String catalogName);
 
-    /**
-     * Check if identity is allowed to show role authorization descriptors (i.e. RoleGrants).
-     *
-     * @param catalogName if present, the role catalog; otherwise the role is a system role
-     * @throws AccessDeniedException if not allowed
-     */
-    void checkCanShowRoleAuthorizationDescriptors(SecurityContext context, Optional<String> catalogName);
-
     /**
      * Check if identity is allowed to show roles on the specified catalog.
      *

core/trino-main/src/main/java/io/trino/security/AccessControlManager.java

@@ -1137,22 +1137,6 @@ public void checkCanSetCatalogRole(SecurityContext securityContext, String role,
         catalogAuthorizationCheck(catalogName, securityContext, (control, context) -> control.checkCanSetRole(context, role));
     }
 
-    @Override
-    public void checkCanShowRoleAuthorizationDescriptors(SecurityContext securityContext, Optional<String> catalogName)
-    {
-        requireNonNull(securityContext, "securityContext is null");
-        requireNonNull(catalogName, "catalogName is null");
-
-        if (catalogName.isPresent()) {
-            checkCanAccessCatalog(securityContext, catalogName.get());
-            checkCatalogRoles(securityContext, catalogName.get());
-            catalogAuthorizationCheck(catalogName.get(), securityContext, ConnectorAccessControl::checkCanShowRoleAuthorizationDescriptors);
-        }
-        else {
-            systemAuthorizationCheck(control -> control.checkCanShowRoleAuthorizationDescriptors(securityContext.toSystemSecurityContext()));
-        }
-    }
-
     @Override
     public void checkCanShowRoles(SecurityContext securityContext, Optional<String> catalogName)
     {

core/trino-main/src/main/java/io/trino/security/AllowAllAccessControl.java

@@ -361,11 +361,6 @@ public void checkCanSetCatalogRole(SecurityContext context, String role, String
     {
     }
 
-    @Override
-    public void checkCanShowRoleAuthorizationDescriptors(SecurityContext context, Optional<String> catalogName)
-    {
-    }
-
     @Override
     public void checkCanShowRoles(SecurityContext context, Optional<String> catalogName)
     {

core/trino-main/src/main/java/io/trino/security/DenyAllAccessControl.java

@@ -87,7 +87,6 @@
 import static io.trino.spi.security.AccessDeniedException.denyShowCreateSchema;
 import static io.trino.spi.security.AccessDeniedException.denyShowCreateTable;
 import static io.trino.spi.security.AccessDeniedException.denyShowCurrentRoles;
-import static io.trino.spi.security.AccessDeniedException.denyShowRoleAuthorizationDescriptors;
 import static io.trino.spi.security.AccessDeniedException.denyShowRoleGrants;
 import static io.trino.spi.security.AccessDeniedException.denyShowRoles;
 import static io.trino.spi.security.AccessDeniedException.denyShowSchemas;
@@ -490,12 +489,6 @@ public void checkCanSetCatalogRole(SecurityContext context, String role, String
         denySetRole(role);
     }
 
-    @Override
-    public void checkCanShowRoleAuthorizationDescriptors(SecurityContext context, Optional<String> catalogName)
-    {
-        denyShowRoleAuthorizationDescriptors();
-    }
-
     @Override
     public void checkCanShowRoles(SecurityContext context, Optional<String> catalogName)
     {

core/trino-main/src/main/java/io/trino/security/ForwardingAccessControl.java

@@ -443,12 +443,6 @@ public void checkCanSetCatalogRole(SecurityContext context, String role, String
         delegate().checkCanSetCatalogRole(context, role, catalogName);
     }
 
-    @Override
-    public void checkCanShowRoleAuthorizationDescriptors(SecurityContext context, Optional<String> catalogName)
-    {
-        delegate().checkCanShowRoleAuthorizationDescriptors(context, catalogName);
-    }
-
     @Override
     public void checkCanShowRoles(SecurityContext context, Optional<String> catalogName)
     {

core/trino-main/src/main/java/io/trino/security/InjectedConnectorAccessControl.java

@@ -429,13 +429,6 @@ public void checkCanSetRole(ConnectorSecurityContext context, String role)
         accessControl.checkCanSetCatalogRole(securityContext, role, catalogName);
     }
 
-    @Override
-    public void checkCanShowRoleAuthorizationDescriptors(ConnectorSecurityContext context)
-    {
-        checkArgument(context == null, "context must be null");
-        accessControl.checkCanShowRoleAuthorizationDescriptors(securityContext, Optional.of(catalogName));
-    }
-
     @Override
     public void checkCanShowRoles(ConnectorSecurityContext context)
     {

core/trino-main/src/main/java/io/trino/testing/AllowAllAccessControlManager.java

@@ -240,9 +240,6 @@ public void checkCanRevokeRoles(SecurityContext context, Set<String> roles, Set<
     @Override
     public void checkCanSetCatalogRole(SecurityContext context, String role, String catalogName) {}
 
-    @Override
-    public void checkCanShowRoleAuthorizationDescriptors(SecurityContext context, Optional<String> catalogName) {}
-
     @Override
     public void checkCanShowRoles(SecurityContext context, Optional<String> catalogName) {}
 

core/trino-main/src/main/java/io/trino/tracing/TracingAccessControl.java

@@ -644,15 +644,6 @@ public void checkCanSetCatalogRole(SecurityContext context, String role, String
         }
     }
 
-    @Override
-    public void checkCanShowRoleAuthorizationDescriptors(SecurityContext context, Optional<String> catalogName)
-    {
-        Span span = startSpan("checkCanShowRoleAuthorizationDescriptors");
-        try (var ignored = scopedSpan(span)) {
-            delegate.checkCanShowRoleAuthorizationDescriptors(context, catalogName);
-        }
-    }
-
     @Override
     public void checkCanShowRoles(SecurityContext context, Optional<String> catalogName)
     {

core/trino-spi/pom.xml

@@ -228,6 +228,16 @@
                                     </old>
                                 </item>
                                 <!-- Backwards incompatible changes since the previous release -->
+                                <item>
+                                    <ignore>true</ignore>
+                                    <code>java.method.removed</code>
+                                    <old>method void io.trino.spi.connector.ConnectorAccessControl::checkCanShowRoleAuthorizationDescriptors(io.trino.spi.connector.ConnectorSecurityContext)</old>
+                                </item>
+                                <item>
+                                    <ignore>true</ignore>
+                                    <code>java.method.removed</code>
+                                    <old>method void io.trino.spi.security.SystemAccessControl::checkCanShowRoleAuthorizationDescriptors(io.trino.spi.security.SystemSecurityContext)</old>
+                                </item>
                                 <!-- Any exclusions below can be deleted after each release -->
                             </differences>
                         </revapi.differences>

core/trino-spi/src/main/java/io/trino/spi/connector/ConnectorAccessControl.java

@@ -76,7 +76,6 @@
 import static io.trino.spi.security.AccessDeniedException.denyShowCreateSchema;
 import static io.trino.spi.security.AccessDeniedException.denyShowCreateTable;
 import static io.trino.spi.security.AccessDeniedException.denyShowCurrentRoles;
-import static io.trino.spi.security.AccessDeniedException.denyShowRoleAuthorizationDescriptors;
 import static io.trino.spi.security.AccessDeniedException.denyShowRoleGrants;
 import static io.trino.spi.security.AccessDeniedException.denyShowRoles;
 import static io.trino.spi.security.AccessDeniedException.denyShowSchemas;
@@ -586,16 +585,6 @@ default void checkCanSetRole(ConnectorSecurityContext context, String role)
         denySetRole(role);
     }
 
-    /**
-     * Check if identity is allowed to show role authorization descriptors (i.e. RoleGrants).
-     *
-     * @throws io.trino.spi.security.AccessDeniedException if not allowed
-     */
-    default void checkCanShowRoleAuthorizationDescriptors(ConnectorSecurityContext context)
-    {
-        denyShowRoleAuthorizationDescriptors();
-    }
-
     /**
      * Check if identity is allowed to show roles.
      *

core/trino-spi/src/main/java/io/trino/spi/security/SystemAccessControl.java

@@ -85,7 +85,6 @@
 import static io.trino.spi.security.AccessDeniedException.denyShowCreateSchema;
 import static io.trino.spi.security.AccessDeniedException.denyShowCreateTable;
 import static io.trino.spi.security.AccessDeniedException.denyShowCurrentRoles;
-import static io.trino.spi.security.AccessDeniedException.denyShowRoleAuthorizationDescriptors;
 import static io.trino.spi.security.AccessDeniedException.denyShowRoleGrants;
 import static io.trino.spi.security.AccessDeniedException.denyShowRoles;
 import static io.trino.spi.security.AccessDeniedException.denyShowSchemas;
@@ -814,16 +813,6 @@ default void checkCanRevokeRoles(SystemSecurityContext context, Set<String> role
         denyRevokeRoles(roles, grantees);
     }
 
-    /**
-     * Check if identity is allowed to show role authorization descriptors (i.e. RoleGrants).
-     *
-     * @throws AccessDeniedException if not allowed
-     */
-    default void checkCanShowRoleAuthorizationDescriptors(SystemSecurityContext context)
-    {
-        denyShowRoleAuthorizationDescriptors();
-    }
-
     /**
      * Check if identity is allowed to show current roles.
      *

lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/classloader/ClassLoaderSafeConnectorAccessControl.java

@@ -469,14 +469,6 @@ public void checkCanSetRole(ConnectorSecurityContext context, String role)
         }
     }
 
-    @Override
-    public void checkCanShowRoleAuthorizationDescriptors(ConnectorSecurityContext context)
-    {
-        try (ThreadContextClassLoader ignored = new ThreadContextClassLoader(classLoader)) {
-            delegate.checkCanShowRoleAuthorizationDescriptors(context);
-        }
-    }
-
     @Override
     public void checkCanShowRoles(ConnectorSecurityContext context)
     {

lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllAccessControl.java

@@ -303,11 +303,6 @@ public void checkCanSetRole(ConnectorSecurityContext context, String role)
     {
     }
 
-    @Override
-    public void checkCanShowRoleAuthorizationDescriptors(ConnectorSecurityContext context)
-    {
-    }
-
     @Override
     public void checkCanShowRoles(ConnectorSecurityContext context)
     {

lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllSystemAccessControl.java

@@ -424,11 +424,6 @@ public void checkCanRevokeRoles(
     {
     }
 
-    @Override
-    public void checkCanShowRoleAuthorizationDescriptors(SystemSecurityContext context)
-    {
-    }
-
     @Override
     public void checkCanShowCurrentRoles(SystemSecurityContext context)
     {

lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedAccessControl.java

@@ -606,12 +606,6 @@ public void checkCanSetRole(ConnectorSecurityContext context, String role)
         denySetRole(role);
     }
 
-    @Override
-    public void checkCanShowRoleAuthorizationDescriptors(ConnectorSecurityContext context)
-    {
-        // allow, no roles are supported so show will always be empty
-    }
-
     @Override
     public void checkCanShowRoles(ConnectorSecurityContext context)
     {

lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedSystemAccessControl.java

@@ -107,7 +107,6 @@
 import static io.trino.spi.security.AccessDeniedException.denyShowColumns;
 import static io.trino.spi.security.AccessDeniedException.denyShowCreateSchema;
 import static io.trino.spi.security.AccessDeniedException.denyShowCreateTable;
-import static io.trino.spi.security.AccessDeniedException.denyShowRoleAuthorizationDescriptors;
 import static io.trino.spi.security.AccessDeniedException.denyShowSchemas;
 import static io.trino.spi.security.AccessDeniedException.denyShowTables;
 import static io.trino.spi.security.AccessDeniedException.denyTruncateTable;
@@ -910,12 +909,6 @@ public void checkCanRevokeRoles(SystemSecurityContext context,
         denyRevokeRoles(roles, grantees);
     }
 
-    @Override
-    public void checkCanShowRoleAuthorizationDescriptors(SystemSecurityContext context)
-    {
-        denyShowRoleAuthorizationDescriptors();
-    }
-
     @Override
     public void checkCanShowCurrentRoles(SystemSecurityContext context)
     {

lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingConnectorAccessControl.java

@@ -369,12 +369,6 @@ public void checkCanSetRole(ConnectorSecurityContext context, String role)
         delegate().checkCanSetRole(context, role);
     }
 
-    @Override
-    public void checkCanShowRoleAuthorizationDescriptors(ConnectorSecurityContext context)
-    {
-        delegate().checkCanShowRoleAuthorizationDescriptors(context);
-    }
-
     @Override
     public void checkCanShowRoles(ConnectorSecurityContext context)
     {

lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingSystemAccessControl.java

@@ -469,12 +469,6 @@ public void checkCanRevokeRoles(SystemSecurityContext context, Set<String> roles
         delegate().checkCanRevokeRoles(context, roles, grantees, adminOption, grantor);
     }
 
-    @Override
-    public void checkCanShowRoleAuthorizationDescriptors(SystemSecurityContext context)
-    {
-        delegate().checkCanShowRoleAuthorizationDescriptors(context);
-    }
-
     @Override
     public void checkCanShowCurrentRoles(SystemSecurityContext context)
     {

lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ReadOnlyAccessControl.java

@@ -250,12 +250,6 @@ public void checkCanRevokeTablePrivilege(ConnectorSecurityContext context, Privi
         denyRevokeTablePrivilege(privilege.name(), tableName.toString());
     }
 
-    @Override
-    public void checkCanShowRoleAuthorizationDescriptors(ConnectorSecurityContext context)
-    {
-        // allow
-    }
-
     @Override
     public void checkCanShowRoles(ConnectorSecurityContext context)
     {

lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ReadOnlySystemAccessControl.java

@@ -166,11 +166,6 @@ public void checkCanShowRoles(SystemSecurityContext context)
     {
     }
 
-    @Override
-    public void checkCanShowRoleAuthorizationDescriptors(SystemSecurityContext context)
-    {
-    }
-
     @Override
     public void checkCanShowCurrentRoles(SystemSecurityContext context)
     {

lib/trino-plugin-toolkit/src/test/java/io/trino/plugin/base/security/BaseFileBasedConnectorAccessControlTest.java

@@ -123,7 +123,6 @@ public void testEmptyFile()
         assertDenied(() -> accessControl.checkCanSetRole(ADMIN, "role"));
 
         // showing roles and permissions is hard coded to allow
-        accessControl.checkCanShowRoleAuthorizationDescriptors(UNKNOWN);
         accessControl.checkCanShowRoles(UNKNOWN);
         accessControl.checkCanShowCurrentRoles(UNKNOWN);
         accessControl.checkCanShowRoleGrants(UNKNOWN);

plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/LegacyAccessControl.java

@@ -372,11 +372,6 @@ public void checkCanSetRole(ConnectorSecurityContext context, String role)
     {
     }
 
-    @Override
-    public void checkCanShowRoleAuthorizationDescriptors(ConnectorSecurityContext context)
-    {
-    }
-
     @Override
     public void checkCanShowRoles(ConnectorSecurityContext context)
     {

plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/SqlStandardAccessControl.java

@@ -98,7 +98,6 @@
 import static io.trino.spi.security.AccessDeniedException.denyShowColumns;
 import static io.trino.spi.security.AccessDeniedException.denyShowCreateSchema;
 import static io.trino.spi.security.AccessDeniedException.denyShowCreateTable;
-import static io.trino.spi.security.AccessDeniedException.denyShowRoleAuthorizationDescriptors;
 import static io.trino.spi.security.AccessDeniedException.denyShowRoles;
 import static io.trino.spi.security.AccessDeniedException.denyTruncateTable;
 import static io.trino.spi.security.AccessDeniedException.denyUpdateTableColumns;
@@ -570,14 +569,6 @@ public void checkCanSetRole(ConnectorSecurityContext context, String role)
         }
     }
 
-    @Override
-    public void checkCanShowRoleAuthorizationDescriptors(ConnectorSecurityContext context)
-    {
-        if (!isAdmin(context)) {
-            denyShowRoleAuthorizationDescriptors();
-        }
-    }
-
     @Override
     public void checkCanShowRoles(ConnectorSecurityContext context)
     {