diff --git a/core/trino-main/src/main/java/io/trino/security/InjectedConnectorAccessControl.java b/core/trino-main/src/main/java/io/trino/security/InjectedConnectorAccessControl.java index a88de3cb6d7d..a424230e2a73 100644 --- a/core/trino-main/src/main/java/io/trino/security/InjectedConnectorAccessControl.java +++ b/core/trino-main/src/main/java/io/trino/security/InjectedConnectorAccessControl.java @@ -494,12 +494,6 @@ public Optional getColumnMask(ConnectorSecurityContext context, throw new TrinoException(NOT_SUPPORTED, "Column masking not supported"); } - @Override - public List getColumnMasks(ConnectorSecurityContext context, SchemaTableName tableName, String columnName, Type type) - { - throw new UnsupportedOperationException(); - } - private QualifiedObjectName getQualifiedObjectName(SchemaTableName schemaTableName) { return new QualifiedObjectName(catalogName, schemaTableName.getSchemaName(), schemaTableName.getTableName()); diff --git a/core/trino-main/src/test/java/io/trino/connector/MockConnectorAccessControl.java b/core/trino-main/src/test/java/io/trino/connector/MockConnectorAccessControl.java index bc763bcbd88d..93faae00fd1a 100644 --- a/core/trino-main/src/test/java/io/trino/connector/MockConnectorAccessControl.java +++ b/core/trino-main/src/test/java/io/trino/connector/MockConnectorAccessControl.java @@ -135,12 +135,6 @@ public Optional getColumnMask(ConnectorSecurityContext context, return Optional.ofNullable(columnMasks.apply(tableName, columnName)); } - @Override - public List getColumnMasks(ConnectorSecurityContext context, SchemaTableName tableName, String columnName, Type type) - { - throw new UnsupportedOperationException(); - } - public void grantSchemaPrivileges(String schemaName, Set privileges, TrinoPrincipal grantee, boolean grantOption) { schemaGrants.grant(grantee, schemaName, privileges, grantOption); 
diff --git a/core/trino-main/src/test/java/io/trino/security/TestAccessControlManager.java b/core/trino-main/src/test/java/io/trino/security/TestAccessControlManager.java index af1c2534a755..26a902fe1093 100644 --- a/core/trino-main/src/test/java/io/trino/security/TestAccessControlManager.java +++ b/core/trino-main/src/test/java/io/trino/security/TestAccessControlManager.java @@ -229,9 +229,9 @@ public SystemAccessControl create(Map config) return new SystemAccessControl() { @Override - public List getColumnMasks(SystemSecurityContext context, CatalogSchemaTableName tableName, String column, Type type) + public Optional getColumnMask(SystemSecurityContext context, CatalogSchemaTableName tableName, String column, Type type) { - return ImmutableList.of(new ViewExpression(Optional.of("user"), Optional.empty(), Optional.empty(), "system mask")); + return Optional.of(new ViewExpression(Optional.of("user"), Optional.empty(), Optional.empty(), "system mask")); } @Override @@ -247,9 +247,9 @@ public void checkCanSetSystemSessionProperty(SystemSecurityContext context, Stri accessControlManager.setConnectorAccessControlProvider(CatalogServiceProvider.singleton(queryRunner.getCatalogHandle(TEST_CATALOG_NAME), Optional.of(new ConnectorAccessControl() { @Override - public List getColumnMasks(ConnectorSecurityContext context, SchemaTableName tableName, String column, Type type) + public Optional getColumnMask(ConnectorSecurityContext context, SchemaTableName tableName, String column, Type type) { - return ImmutableList.of(new ViewExpression(Optional.of("user"), Optional.empty(), Optional.empty(), "connector mask")); + return Optional.of(new ViewExpression(Optional.of("user"), Optional.empty(), Optional.empty(), "connector mask")); } @Override diff --git a/core/trino-spi/src/main/java/io/trino/spi/connector/ConnectorAccessControl.java b/core/trino-spi/src/main/java/io/trino/spi/connector/ConnectorAccessControl.java index 4973ca7babdd..548780e3a75b 100644 
--- a/core/trino-spi/src/main/java/io/trino/spi/connector/ConnectorAccessControl.java +++ b/core/trino-spi/src/main/java/io/trino/spi/connector/ConnectorAccessControl.java @@ -657,17 +657,6 @@ default List getRowFilters(ConnectorSecurityContext context, Sch */ default Optional getColumnMask(ConnectorSecurityContext context, SchemaTableName tableName, String columnName, Type type) { - List masks = getColumnMasks(context, tableName, columnName, type); - if (masks.size() > 1) { - throw new UnsupportedOperationException("Multiple masks on a single column are no longer supported"); - } - - return masks.stream().findFirst(); - } - - @Deprecated - default List getColumnMasks(ConnectorSecurityContext context, SchemaTableName tableName, String columnName, Type type) - { - return emptyList(); + return Optional.empty(); } } diff --git a/core/trino-spi/src/main/java/io/trino/spi/security/SystemAccessControl.java b/core/trino-spi/src/main/java/io/trino/spi/security/SystemAccessControl.java index 7139f7930c93..e925475eac81 100644 --- a/core/trino-spi/src/main/java/io/trino/spi/security/SystemAccessControl.java +++ b/core/trino-spi/src/main/java/io/trino/spi/security/SystemAccessControl.java @@ -28,7 +28,6 @@ import java.util.Map; import java.util.Optional; import java.util.Set; -import java.util.stream.Collectors; import static io.trino.spi.security.AccessDeniedException.denyAddColumn; import static io.trino.spi.security.AccessDeniedException.denyAlterColumn; 
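Review bot: With the bridge removed, `ConnectorAccessControl.getColumnMask` now defaults to `Optional.empty()` and nothing calls `getColumnMasks` any more, so an implementation that still supplies its masks only through the old list method would have them silently ignored rather than rejected. That is a fail-open outcome for a data-protection control, unlike the query-ownership defaults in `SystemAccessControl`, which deny. The same applies to the `SystemAccessControl.getColumnMask` hunk further down. Source builds will catch this through `@Override`, but a plugin jar compiled against the older SPI presumably would not, so the Javadoc above the method should say so, e.g. `* Implementations must override this method; the removed getColumnMasks hook is no longer consulted.`, and the release notes should list it as a breaking change.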
@@ -136,19 +135,6 @@ default void checkCanExecuteQuery(SystemSecurityContext context) * @throws AccessDeniedException if not allowed */ default void checkCanViewQueryOwnedBy(SystemSecurityContext context, Identity queryOwner) - { - checkCanViewQueryOwnedBy(context, queryOwner.getUser()); - } - - /** - * Checks if identity can view a query owned by the specified user. The method - * will not be called when the current user is the query owner. - * - * @throws AccessDeniedException if not allowed - * @deprecated Implement {@link #checkCanViewQueryOwnedBy(SystemSecurityContext, Identity)} instead. - */ - @Deprecated - default void checkCanViewQueryOwnedBy(SystemSecurityContext context, String queryOwner) { denyViewQuery(); } @@ -158,24 +144,6 @@ default void checkCanViewQueryOwnedBy(SystemSecurityContext context, String quer * will not be called with the current user in the set. */ default Collection filterViewQueryOwnedBy(SystemSecurityContext context, Collection queryOwners) - { - Set ownerUsers = queryOwners.stream() - .map(Identity::getUser) - .collect(Collectors.toSet()); - Set allowedUsers = filterViewQueryOwnedBy(context, ownerUsers); - return queryOwners.stream() - .filter(owner -> allowedUsers.contains(owner.getUser())) - .collect(Collectors.toList()); - } - - /** - * Filter the list of users to those the identity view query owned by the user. The method - * will not be called with the current user in the set. - * - * @deprecated Implement {@link #filterViewQueryOwnedBy(SystemSecurityContext, Collection)} instead. - */ - @Deprecated - default Set filterViewQueryOwnedBy(SystemSecurityContext context, Set queryOwners) { return emptySet(); } 
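Review bot: The Javadoc kept on `checkCanViewQueryOwnedBy(SystemSecurityContext, Identity)` and `filterViewQueryOwnedBy(SystemSecurityContext, Collection)` does not say what the defaults do now that these are the only hooks: the first calls `denyViewQuery()` and the second returns `emptySet()`. An implementation that overrode only the removed `String`/`Set` overloads will therefore deny every view check and hide every query, which is safe but easy to mistake for a bug. I would add `* The default implementation denies access.` and `* The default implementation returns an empty collection.` respectively, and change "in the set" to "in the collection" in the second comment. The opening lines of both comments are outside the hunks.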
@@ -187,19 +155,6 @@ default Set filterViewQueryOwnedBy(SystemSecurityContext context, Set getRowFilters(SystemSecurityContext context, Catalo */ default Optional getColumnMask(SystemSecurityContext context, CatalogSchemaTableName tableName, String columnName, Type type) { - List masks = getColumnMasks(context, tableName, columnName, type); - if (masks.size() > 1) { - throw new UnsupportedOperationException("Multiple masks on a single column are no longer supported"); - } - - return masks.stream().findFirst(); - } - - @Deprecated - default List getColumnMasks(SystemSecurityContext context, CatalogSchemaTableName tableName, String columnName, Type type) - { - return List.of(); + return Optional.empty(); } /** diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/classloader/ClassLoaderSafeConnectorAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/classloader/ClassLoaderSafeConnectorAccessControl.java index da23a9d8c624..0297cafe9d6b 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/classloader/ClassLoaderSafeConnectorAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/classloader/ClassLoaderSafeConnectorAccessControl.java @@ -532,12 +532,4 @@ public Optional getColumnMask(ConnectorSecurityContext context, return delegate.getColumnMask(context, tableName, columnName, type); } } - - @Override - public List getColumnMasks(ConnectorSecurityContext context, SchemaTableName tableName, String columnName, Type type) - { - try (ThreadContextClassLoader ignored = new ThreadContextClassLoader(classLoader)) { - return delegate.getColumnMasks(context, tableName, columnName, type); - } - } } diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllAccessControl.java index 328098c9ad98..fd941afdd6ab 100644 
--- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllAccessControl.java @@ -344,10 +344,4 @@ public Optional getColumnMask(ConnectorSecurityContext context, { return Optional.empty(); } - - @Override - public List getColumnMasks(ConnectorSecurityContext context, SchemaTableName tableName, String columnName, Type type) - { - return ImmutableList.of(); - } } diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllSystemAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllSystemAccessControl.java index 81708a6d5fae..47b85f6aab4b 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllSystemAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllSystemAccessControl.java @@ -93,33 +93,17 @@ public void checkCanViewQueryOwnedBy(SystemSecurityContext context, Identity que { } - @Override - public void checkCanViewQueryOwnedBy(SystemSecurityContext context, String queryOwner) - { - } - @Override public void checkCanKillQueryOwnedBy(SystemSecurityContext context, Identity queryOwner) { } - @Override - public void checkCanKillQueryOwnedBy(SystemSecurityContext context, String queryOwner) - { - } - @Override public Collection filterViewQueryOwnedBy(SystemSecurityContext context, Collection queryOwners) { return queryOwners; } - @Override - public Set filterViewQueryOwnedBy(SystemSecurityContext context, Set queryOwners) - { - return queryOwners; - } - @Override public void checkCanSetSystemSessionProperty(SystemSecurityContext context, String propertyName) { 
@@ -471,10 +455,4 @@ public Optional getColumnMask(SystemSecurityContext context, Cat { return Optional.empty(); } - - @Override - public List getColumnMasks(SystemSecurityContext context, CatalogSchemaTableName tableName, String columnName, Type type) - { - return emptyList(); - } } diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedAccessControl.java index e3df147e349a..7b3b8a93c4a1 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedAccessControl.java @@ -684,12 +684,6 @@ public Optional getColumnMask(ConnectorSecurityContext context, return masks.stream().findFirst(); } - @Override - public List getColumnMasks(ConnectorSecurityContext context, SchemaTableName tableName, String columnName, Type type) - { - throw new UnsupportedOperationException(); - } - private boolean canSetSessionProperty(ConnectorSecurityContext context, String property) { ConnectorIdentity identity = context.getIdentity(); diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedSystemAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedSystemAccessControl.java index 93c1e476b4a0..78c2ce78b2ec 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedSystemAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedSystemAccessControl.java @@ -36,6 +36,7 @@ import io.trino.spi.type.Type; import java.security.Principal; +import java.util.Collection; import java.util.List; import java.util.Map; import java.util.Optional; 
@@ -288,29 +289,29 @@ public void checkCanExecuteQuery(SystemSecurityContext context) } @Override - public void checkCanViewQueryOwnedBy(SystemSecurityContext context, String queryOwner) + public void checkCanViewQueryOwnedBy(SystemSecurityContext context, Identity queryOwner) { - if (!canAccessQuery(context.getIdentity(), Optional.of(queryOwner), QueryAccessRule.AccessMode.VIEW)) { + if (!canAccessQuery(context.getIdentity(), Optional.of(queryOwner.getUser()), QueryAccessRule.AccessMode.VIEW)) { denyViewQuery(); } } @Override - public Set filterViewQueryOwnedBy(SystemSecurityContext context, Set queryOwners) + public Collection filterViewQueryOwnedBy(SystemSecurityContext context, Collection queryOwners) { if (queryAccessRules.isEmpty()) { return queryOwners; } Identity identity = context.getIdentity(); return queryOwners.stream() - .filter(owner -> canAccessQuery(identity, Optional.of(owner), QueryAccessRule.AccessMode.VIEW)) + .filter(owner -> canAccessQuery(identity, Optional.of(owner.getUser()), QueryAccessRule.AccessMode.VIEW)) .collect(toImmutableSet()); } @Override - public void checkCanKillQueryOwnedBy(SystemSecurityContext context, String queryOwner) + public void checkCanKillQueryOwnedBy(SystemSecurityContext context, Identity queryOwner) { - if (!canAccessQuery(context.getIdentity(), Optional.of(queryOwner), QueryAccessRule.AccessMode.KILL)) { + if (!canAccessQuery(context.getIdentity(), Optional.of(queryOwner.getUser()), QueryAccessRule.AccessMode.KILL)) { denyViewQuery(); } } @@ -1003,12 +1004,6 @@ public Optional getColumnMask(SystemSecurityContext context, Cat return masks.stream().findFirst(); } - @Override - public List getColumnMasks(SystemSecurityContext context, CatalogSchemaTableName table, String columnName, Type type) - { - throw new UnsupportedOperationException(); - } - private boolean checkAnyCatalogAccess(SystemSecurityContext context, String catalogName) { if (canAccessCatalog(context, catalogName, OWNER)) { 
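Review bot: `checkCanKillQueryOwnedBy` still reports a refused kill through `denyViewQuery()`, so the caller and any audit trail see "Cannot view query" for a kill attempt; since this signature is being rewritten anyway, the body should call the kill-specific helper, `denyKillQuery();`. That needs the matching static import and an update to the kill assertions in `BaseFileBasedSystemAccessControlTest`, which currently expect "Cannot view query". Separately, all three methods pass only `queryOwner.getUser()` to `canAccessQuery`, so the rest of the `Identity` plays no part in the decision; a short comment such as `// query rules match on the owner's user name only` would make that explicit.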
diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingConnectorAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingConnectorAccessControl.java index 68845fe6346c..6acf0cf33794 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingConnectorAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingConnectorAccessControl.java @@ -416,10 +416,4 @@ public Optional getColumnMask(ConnectorSecurityContext context, { return delegate().getColumnMask(context, tableName, columnName, type); } - - @Override - public List getColumnMasks(ConnectorSecurityContext context, SchemaTableName tableName, String columnName, Type type) - { - return delegate().getColumnMasks(context, tableName, columnName, type); - } } diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingSystemAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingSystemAccessControl.java index 0c03914688ab..17ad56406a7f 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingSystemAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingSystemAccessControl.java 
@@ -91,36 +91,18 @@ public void checkCanViewQueryOwnedBy(SystemSecurityContext context, Identity que delegate().checkCanViewQueryOwnedBy(context, queryOwner); } - @Override - public void checkCanViewQueryOwnedBy(SystemSecurityContext context, String queryOwner) - { - delegate().checkCanViewQueryOwnedBy(context, queryOwner); - } - @Override public Collection filterViewQueryOwnedBy(SystemSecurityContext context, Collection queryOwners) { return delegate().filterViewQueryOwnedBy(context, queryOwners); } - @Override - public Set filterViewQueryOwnedBy(SystemSecurityContext context, Set queryOwners) - { - return delegate().filterViewQueryOwnedBy(context, queryOwners); - } - @Override public void checkCanKillQueryOwnedBy(SystemSecurityContext context, Identity queryOwner) { delegate().checkCanKillQueryOwnedBy(context, queryOwner); } - @Override - public void checkCanKillQueryOwnedBy(SystemSecurityContext context, String queryOwner) - { - delegate().checkCanKillQueryOwnedBy(context, queryOwner); - } - @Override public void checkCanSetSystemSessionProperty(SystemSecurityContext context, String propertyName) { @@ -522,10 +504,4 @@ public Optional getColumnMask(SystemSecurityContext context, Cat { return delegate().getColumnMask(context, tableName, columnName, type); } - - @Override - public List getColumnMasks(SystemSecurityContext context, CatalogSchemaTableName tableName, String columnName, Type type) - { - return delegate().getColumnMasks(context, tableName, columnName, type); - } } diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ReadOnlySystemAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ReadOnlySystemAccessControl.java index 3df609d3890e..a278d4b44714 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ReadOnlySystemAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ReadOnlySystemAccessControl.java 
@@ -18,12 +18,14 @@ import io.trino.spi.connector.CatalogSchemaTableName; import io.trino.spi.connector.SchemaTableName; import io.trino.spi.function.FunctionKind; +import io.trino.spi.security.Identity; import io.trino.spi.security.SystemAccessControl; import io.trino.spi.security.SystemAccessControlFactory; import io.trino.spi.security.SystemSecurityContext; import io.trino.spi.security.TrinoPrincipal; import java.security.Principal; +import java.util.Collection; import java.util.Map; import java.util.Optional; import java.util.Set; @@ -68,12 +70,12 @@ public void checkCanExecuteQuery(SystemSecurityContext context) } @Override - public void checkCanViewQueryOwnedBy(SystemSecurityContext context, String queryOwner) + public void checkCanViewQueryOwnedBy(SystemSecurityContext context, Identity queryOwner) { } @Override - public Set filterViewQueryOwnedBy(SystemSecurityContext context, Set queryOwners) + public Collection filterViewQueryOwnedBy(SystemSecurityContext context, Collection queryOwners) { return queryOwners; } diff --git a/lib/trino-plugin-toolkit/src/test/java/io/trino/plugin/base/security/BaseFileBasedSystemAccessControlTest.java b/lib/trino-plugin-toolkit/src/test/java/io/trino/plugin/base/security/BaseFileBasedSystemAccessControlTest.java index 90396adbaac2..44c84635f36e 100644 --- a/lib/trino-plugin-toolkit/src/test/java/io/trino/plugin/base/security/BaseFileBasedSystemAccessControlTest.java +++ b/lib/trino-plugin-toolkit/src/test/java/io/trino/plugin/base/security/BaseFileBasedSystemAccessControlTest.java @@ -36,7 +36,6 @@ import javax.security.auth.kerberos.KerberosPrincipal; import java.io.File; -import java.util.Collection; import java.util.EnumSet; import java.util.List; import java.util.Map; 
@@ -131,12 +130,8 @@ public abstract class BaseFileBasedSystemAccessControlTest @Test public void testEverythingImplemented() - throws NoSuchMethodException { - assertAllMethodsOverridden(SystemAccessControl.class, FileBasedSystemAccessControl.class, ImmutableSet.of( - FileBasedSystemAccessControl.class.getMethod("checkCanViewQueryOwnedBy", SystemSecurityContext.class, Identity.class), - FileBasedSystemAccessControl.class.getMethod("filterViewQueryOwnedBy", SystemSecurityContext.class, Collection.class), - FileBasedSystemAccessControl.class.getMethod("checkCanKillQueryOwnedBy", SystemSecurityContext.class, Identity.class))); + assertAllMethodsOverridden(SystemAccessControl.class, FileBasedSystemAccessControl.class); } @Test @@ -885,12 +880,12 @@ public void testQuery() accessControlManager.checkCanExecuteQuery(ADMIN); accessControlManager.checkCanViewQueryOwnedBy(ADMIN, any); - assertEquals(accessControlManager.filterViewQueryOwnedBy(ADMIN, ImmutableSet.of("a", "b")), ImmutableSet.of("a", "b")); + assertEquals(accessControlManager.filterViewQueryOwnedBy(ADMIN, ImmutableSet.of(Identity.ofUser("a"), Identity.ofUser("b"))), ImmutableSet.of(Identity.ofUser("a"), Identity.ofUser("b"))); accessControlManager.checkCanKillQueryOwnedBy(ADMIN, any); accessControlManager.checkCanExecuteQuery(ALICE); accessControlManager.checkCanViewQueryOwnedBy(ALICE, any); - assertEquals(accessControlManager.filterViewQueryOwnedBy(ALICE, ImmutableSet.of("a", "b")), ImmutableSet.of("a", "b")); + assertEquals(accessControlManager.filterViewQueryOwnedBy(ALICE, ImmutableSet.of(Identity.ofUser("a"), Identity.ofUser("b"))), ImmutableSet.of(Identity.ofUser("a"), Identity.ofUser("b"))); assertAccessDenied( () -> accessControlManager.checkCanKillQueryOwnedBy(ALICE, any), "Cannot view query"); 
@@ -901,14 +896,14 @@ public void testQuery() assertAccessDenied( () -> accessControlManager.checkCanViewQueryOwnedBy(BOB, any), "Cannot view query"); - assertEquals(accessControlManager.filterViewQueryOwnedBy(BOB, ImmutableSet.of("a", "b")), ImmutableSet.of()); + assertEquals(accessControlManager.filterViewQueryOwnedBy(BOB, ImmutableSet.of(Identity.ofUser("a"), Identity.ofUser("b"))), ImmutableSet.of()); accessControlManager.checkCanKillQueryOwnedBy(BOB, any); accessControlManager.checkCanExecuteQuery(new SystemSecurityContext(dave, queryId)); accessControlManager.checkCanViewQueryOwnedBy(new SystemSecurityContext(dave, queryId), alice); accessControlManager.checkCanViewQueryOwnedBy(new SystemSecurityContext(dave, queryId), dave); - assertEquals(accessControlManager.filterViewQueryOwnedBy(new SystemSecurityContext(dave, queryId), ImmutableSet.of("alice", "bob", "dave", "admin")), - ImmutableSet.of("alice", "dave")); + assertEquals(accessControlManager.filterViewQueryOwnedBy(new SystemSecurityContext(dave, queryId), ImmutableSet.of(Identity.ofUser("alice"), Identity.ofUser("bob"), Identity.ofUser("dave"), Identity.ofUser("admin"))), + ImmutableSet.of(Identity.ofUser("alice"), Identity.ofUser("dave"))); assertAccessDenied( () -> accessControlManager.checkCanKillQueryOwnedBy(new SystemSecurityContext(dave, queryId), alice), "Cannot view query"); 
@@ -931,7 +926,7 @@ public void testQuery() accessControlManager.checkCanExecuteQuery(new SystemSecurityContext(nonAsciiUser, queryId)); accessControlManager.checkCanViewQueryOwnedBy(new SystemSecurityContext(nonAsciiUser, queryId), any); - assertEquals(accessControlManager.filterViewQueryOwnedBy(new SystemSecurityContext(nonAsciiUser, queryId), ImmutableSet.of("a", "b")), ImmutableSet.of("a", "b")); + assertEquals(accessControlManager.filterViewQueryOwnedBy(new SystemSecurityContext(nonAsciiUser, queryId), ImmutableSet.of(Identity.ofUser("a"), Identity.ofUser("b"))), ImmutableSet.of(Identity.ofUser("a"), Identity.ofUser("b"))); accessControlManager.checkCanKillQueryOwnedBy(new SystemSecurityContext(nonAsciiUser, queryId), any); } @@ -949,7 +944,7 @@ public void testQueryNotSet() accessControlManager.checkCanExecuteQuery(BOB); accessControlManager.checkCanViewQueryOwnedBy(BOB, any); - assertEquals(accessControlManager.filterViewQueryOwnedBy(BOB, ImmutableSet.of("a", "b")), ImmutableSet.of("a", "b")); + assertEquals(accessControlManager.filterViewQueryOwnedBy(BOB, ImmutableSet.of(Identity.ofUser("a"), Identity.ofUser("b"))), ImmutableSet.of(Identity.ofUser("a"), Identity.ofUser("b"))); accessControlManager.checkCanKillQueryOwnedBy(BOB, any); } 
@@ -961,21 +956,21 @@ public void testQueryDocsExample() accessControlManager.checkCanExecuteQuery(ADMIN); accessControlManager.checkCanViewQueryOwnedBy(ADMIN, any); - assertEquals(accessControlManager.filterViewQueryOwnedBy(ADMIN, ImmutableSet.of("a", "b")), ImmutableSet.of("a", "b")); + assertEquals(accessControlManager.filterViewQueryOwnedBy(ADMIN, ImmutableSet.of(Identity.ofUser("a"), Identity.ofUser("b"))), ImmutableSet.of(Identity.ofUser("a"), Identity.ofUser("b"))); accessControlManager.checkCanKillQueryOwnedBy(ADMIN, any); accessControlManager.checkCanExecuteQuery(ALICE); assertAccessDenied( () -> accessControlManager.checkCanViewQueryOwnedBy(ALICE, any), "Cannot view query"); - assertEquals(accessControlManager.filterViewQueryOwnedBy(ALICE, ImmutableSet.of("a", "b")), ImmutableSet.of()); + assertEquals(accessControlManager.filterViewQueryOwnedBy(ALICE, ImmutableSet.of(Identity.ofUser("a"), Identity.ofUser("b"))), ImmutableSet.of()); accessControlManager.checkCanKillQueryOwnedBy(ALICE, any); accessControlManager.checkCanExecuteQuery(BOB); assertAccessDenied( () -> accessControlManager.checkCanViewQueryOwnedBy(BOB, any), "Cannot view query"); - assertEquals(accessControlManager.filterViewQueryOwnedBy(BOB, ImmutableSet.of("a", "b")), ImmutableSet.of()); + assertEquals(accessControlManager.filterViewQueryOwnedBy(BOB, ImmutableSet.of(Identity.ofUser("a"), Identity.ofUser("b"))), ImmutableSet.of()); assertAccessDenied( () -> accessControlManager.checkCanKillQueryOwnedBy(BOB, any), "Cannot view query"); 
@@ -983,8 +978,8 @@ public void testQueryDocsExample() accessControlManager.checkCanExecuteQuery(new SystemSecurityContext(dave, queryId)); accessControlManager.checkCanViewQueryOwnedBy(new SystemSecurityContext(dave, queryId), alice); accessControlManager.checkCanViewQueryOwnedBy(new SystemSecurityContext(dave, queryId), dave); - assertEquals(accessControlManager.filterViewQueryOwnedBy(new SystemSecurityContext(dave, queryId), ImmutableSet.of("alice", "bob", "dave", "admin")), - ImmutableSet.of("alice", "dave")); + assertEquals(accessControlManager.filterViewQueryOwnedBy(new SystemSecurityContext(dave, queryId), ImmutableSet.of(Identity.ofUser("alice"), Identity.ofUser("bob"), Identity.ofUser("dave"), Identity.ofUser("admin"))), + ImmutableSet.of(Identity.ofUser("alice"), Identity.ofUser("dave"))); assertAccessDenied( () -> accessControlManager.checkCanKillQueryOwnedBy(new SystemSecurityContext(dave, queryId), alice), "Cannot view query"); diff --git a/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/LegacyAccessControl.java b/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/LegacyAccessControl.java index d7800e0313ab..d7b24b8ad69e 100644 --- a/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/LegacyAccessControl.java +++ b/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/LegacyAccessControl.java @@ -420,10 +420,4 @@ public Optional getColumnMask(ConnectorSecurityContext context, { return Optional.empty(); } - - @Override - public List getColumnMasks(ConnectorSecurityContext context, SchemaTableName tableName, String columnName, Type type) - { - return ImmutableList.of(); - } } diff --git a/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/SqlStandardAccessControl.java b/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/SqlStandardAccessControl.java index ad5eeec1b98b..6566e697a55f 100644 --- a/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/SqlStandardAccessControl.java 
+++ b/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/SqlStandardAccessControl.java @@ -627,12 +627,6 @@ public Optional getColumnMask(ConnectorSecurityContext context, return Optional.empty(); } - @Override - public List getColumnMasks(ConnectorSecurityContext context, SchemaTableName tableName, String columnName, Type type) - { - return ImmutableList.of(); - } - private boolean isAdmin(ConnectorSecurityContext context) { return isRoleEnabled(context.getIdentity(), hivePrincipal -> metastore.listRoleGrants(context, hivePrincipal), ADMIN_ROLE_NAME);