Add generic SET AUTHORIZATION

[djsagain]

This commit adds machinery to set the owner of arbitrary entities, by extending the syntax of
ALTER (SCHEMA | TABLE | VIEW) qualifiedName SET AUTHORIZATION to support arbitrary owningKinds in place of SCHEMA, TABLE or VIEW. Checks that a specific SET AUTHORIZATION is legal is done by AccessControl.checkCanSetEntityAuthorization, also defined by SystemAccessControl. Setting the owner is done by Metadata.setEntityAuthorization and
SystemSecurityMetadata.setEntityAuthorization.

Description

Additional context and related issues

Release notes

( ) This is not user-visible or is docs only, and no release notes are required.
( ) Release notes are required. Please propose a release note for me.
( ) Release notes are required, with the following suggested text:

# Section
* Fix some things. ({issue}`issuenumber`)

[lozbrown]

Would that help with this issue?

#21450

[djsagain]

Would that help with this issue?

#21450

No, I don't think this change will help. Materialized views must have owners when they are created. Perhaps you could post to the Trino #troubleshooting Slack channel about this.

[lozbrown]

I did that some time ago but got no response

https://trinodb.slack.com/archives/CGB0QHWSW/p1712241258245569

[github-actions]

This pull request has gone a while without any activity. Tagging the Trino developer relations team: @bitsondatadev @colebow @mosabua

[mosabua]

I assume you are still working on this @djsstarburst

[djsagain]

I assume you are still working on this @djsstarburst

Yes, @mosabua.

[djsagain]

Hi @martint. We discussed this PR, and you took a quick look at it last spring. I just brought it up-to-date with tip master.

Could you please take another look and see if it can be approved? Thanks!

[dain]

I would like to take a different approach to this PR. Instead of retaining the existing set*Authorization we remove them entirelly. Then in the SPI we have default implementation of setEntityAuthorization we switch over the entities and call the exisitng methods. Then we mark the existing 3 methods as deprecated for removal. We would do the same thing for the security checks.

The main, notable, difference with the existing code would be that we no longer perform an existance check before doing the authorization assignment. I think that is ok. If we decide we want that later we can add a generic entitiy exists mehtod.

[djsagain]

I would like to take a different approach to this PR.

@dain - - I've tried to do what you suggested, and I've pushed out the result. But I'm not certain I've gotten the details right. Please take another quick look.

[dain]

You are getting there. In all modules other than SPI, we should simply remove the methods. In the SPI we leave the methods, but mark them @Deprecated(forRemoval=ture). This means the nothing else in Trino is allowed to call this method. The new method will have a default implementation that calls through to the old deprecated implementations (likely needs the deprecation check suppressed for that method). This way existing implementations should still work, but it forces them to update. Then in a few months we remove the deprecated methods entirelly.

[djsagain]

@homar raised the question of whether there should be a way in SQL to see the owner of an entity. AIUI that would require some new syntax, maybe something like:

SHOW AUTHORIZATION ON ownedEntityKind qualifiedName BY principal

@martint and @dain - - Do you think it's worthwhile to extend this PR to add something like that? If we think it's worth doing, we would have to decide on the visibility rules for owners of entities.

[ksobolew]

@djsstarburst see #10593, there are some (other) options there

[djsagain]

@djsstarburst see #10593, there are some (other) options there

Good point; maybe exposing ownership as columns in the information_schema makes sense. I don't really have an opinion, but I'll be @martint does.

[dain]

@electrum what do you think about this change?

[djsagain]

FTR, I removed this line, and will add any dependency methods that are found to be missing.

Changes implemented

[dain]

Other than the build failure, and the outstanding question for @electrum, this looks good to me

[kokosing]

@electrum can you please take a look? It looks this PR waits on your feedback only (see #21794 (review)).

[electrum]

The comment for me was addressed. This can proceed.

[kokosing]

MATERIALIZED VIEW was not supported before. I think it would be nice to add it in separate commit, or at least mention this in the commit message that it is something it is now possible to set owner for materialized view.

EDIT: I see that it is missing in the implementation so let's simply remove it from the grammar.

[kokosing]

What is the use case for identifier? Does it mean that user is able to pass anything, syntax will be fine, but we will fail to execute that?

Also I have some hard time to understand why identifier is something for that. Usually identifier is a name of the thing not a type of the thing.

I would prefer to remove this from this PR.

[djsagain]

The reason for the identifier is that this is an extension mechanism, and therefore Trino can't know what entity kinds will be used.

This can't be removed from the PR - - the extension mechanism is the entire reason for the PR.

[ksobolew]

We already support arbitrary entity kinds in GRANT, REVOKE and DENY, so it perfectly makes sense to have it here as well.

[kokosing]

MATERIALIZED VIEW is missing here, maybe we should simply remove it from the grammar?

[djsagain]

No, it's not missing. MATERIALIZED VIEW is treated as a VIEW. See line 512 of AstBuilder.

[kokosing]

Please correct me if I am wrong. Previously we were also able to set an owner for MATERIALIZED view because it was just had it for the view. Now we do the same but we change the syntax that MATERIALIZED keyword can be added but it is not necessary.

So my question is why are you adding MATERIALIZED keyword? Why not to keep existing behaviour?

[djsagain]

Oh! You are absolutely right - - using the MATERIALIZED keyword in the SET AUTHORIZATION grammar is a bug.

Fixed in the grammar and in AstBuilder.visitSetAuthorization.

[kokosing]

Can we enum for ownedKind. I would prefer the name entityType. Or let's use the name from the grammar OwnedEntityKind.

Notice that using enum will help us to do static code analysis to make sure we cover all the cases by using the switch statement. It will be useful when one would like to add new entries.

[djsagain]

As mentioned we cannot use an enum, because this is an extension mechanism, and Trino itself can't know all the entity kinds used by all extension uses.

[kokosing]

Materialized view is also missing here.

[djsagain]

No, it's not missing. MATERIALIZED VIEW is treated as a VIEW. See line 512 of AstBuilder.

[kokosing]

Are there any entities that are not catalog related?

[djsagain]

Clients of the extension mechanism can define entity kinds that not contained in catalogs. For example, the extension mechanism can be used to support ownership of roles, which are not contained in catalogs.

[kokosing]

Can we use io.trino.metadata.QualifiedObjectName instead of List<String>?

[djsagain]

No, we can't use QualifiedObjectName because it is based on the assumption that all ownable entity kinds are contained in a catalog and schema.

[ksobolew]

See also io.trino.spi.connector.EntityKindAndName, which is a pair of String entityKind and List<String> name. BTW, perhaps we could use it here as well.

[djsagain]

This is a reasonable suggestion, and is consistent with checkCanGrantEntityPrivilege.

I made this change everywhere except denySetEntityAuthorization. I didn't make it there because there are quite a few of calls.

[Later]

I ended up making the change for denySetEntityAuthorization as well, since that is more consistent.

[kokosing]

@djsstarburst Thank you! Merged.

[djsagain]

Thank you! Merged.

Thank YOU @kokosing for your review!