Class-level resource access type

core/trino-main/src/main/java/io/trino/server/NodeResource.java

@@ -26,6 +26,7 @@
 import static io.trino.server.security.ResourceSecurity.AccessType.MANAGEMENT_READ;
 
 @Path("/v1/node")
+@ResourceSecurity(MANAGEMENT_READ)
 public class NodeResource
 {
     private final HeartbeatFailureDetector failureDetector;
@@ -36,14 +37,12 @@ public NodeResource(HeartbeatFailureDetector failureDetector)
         this.failureDetector = failureDetector;
     }
 
-    @ResourceSecurity(MANAGEMENT_READ)
     @GET
     public Collection<HeartbeatFailureDetector.Stats> getNodeStats()
     {
         return failureDetector.getStats().values();
     }
 
-    @ResourceSecurity(MANAGEMENT_READ)
     @GET
     @Path("failed")
     public Collection<HeartbeatFailureDetector.Stats> getFailed()

core/trino-main/src/main/java/io/trino/server/QueryResource.java

@@ -55,6 +55,7 @@
  * Manage queries scheduled on this node
  */
 @Path("/v1/query")
+@ResourceSecurity(AUTHENTICATED_USER)
 public class QueryResource
 {
     private final DispatchManager dispatchManager;
@@ -69,7 +70,6 @@ public QueryResource(DispatchManager dispatchManager, AccessControl accessContro
         this.sessionContextFactory = requireNonNull(sessionContextFactory, "sessionContextFactory is null");
     }
 
-    @ResourceSecurity(AUTHENTICATED_USER)
     @GET
     public List<BasicQueryInfo> getAllQueryInfo(@QueryParam("state") String stateFilter, @Context HttpServletRequest servletRequest, @Context HttpHeaders httpHeaders)
     {
@@ -87,7 +87,6 @@ public List<BasicQueryInfo> getAllQueryInfo(@QueryParam("state") String stateFil
         return builder.build();
     }
 
-    @ResourceSecurity(AUTHENTICATED_USER)
     @GET
     @Path("{queryId}")
     public Response getQueryInfo(@PathParam("queryId") QueryId queryId, @QueryParam("pruned") @DefaultValue("false") boolean pruned, @Context HttpServletRequest servletRequest, @Context HttpHeaders httpHeaders)
@@ -108,7 +107,6 @@ public Response getQueryInfo(@PathParam("queryId") QueryId queryId, @QueryParam(
         }
     }
 
-    @ResourceSecurity(AUTHENTICATED_USER)
     @DELETE
     @Path("{queryId}")
     public void cancelQuery(@PathParam("queryId") QueryId queryId, @Context HttpServletRequest servletRequest, @Context HttpHeaders httpHeaders)
@@ -127,15 +125,13 @@ public void cancelQuery(@PathParam("queryId") QueryId queryId, @Context HttpServ
         }
     }
 
-    @ResourceSecurity(AUTHENTICATED_USER)
     @PUT
     @Path("{queryId}/killed")
     public Response killQuery(@PathParam("queryId") QueryId queryId, String message, @Context HttpServletRequest servletRequest, @Context HttpHeaders httpHeaders)
     {
         return failQuery(queryId, createKillQueryException(message), servletRequest, httpHeaders);
     }
 
-    @ResourceSecurity(AUTHENTICATED_USER)
     @PUT
     @Path("{queryId}/preempted")
     public Response preemptQuery(@PathParam("queryId") QueryId queryId, String message, @Context HttpServletRequest servletRequest, @Context HttpHeaders httpHeaders)

core/trino-main/src/main/java/io/trino/server/QueryStateInfoResource.java

@@ -49,6 +49,7 @@
 import static java.util.Objects.requireNonNull;
 
 @Path("/v1/queryState")
+@ResourceSecurity(AUTHENTICATED_USER)
 public class QueryStateInfoResource
 {
     private final DispatchManager dispatchManager;
@@ -69,7 +70,6 @@ public QueryStateInfoResource(
         this.sessionContextFactory = requireNonNull(sessionContextFactory, "sessionContextFactory is null");
     }
 
-    @ResourceSecurity(AUTHENTICATED_USER)
     @GET
     @Produces(MediaType.APPLICATION_JSON)
     public List<QueryStateInfo> getQueryStateInfos(@QueryParam("user") String user, @Context HttpServletRequest servletRequest, @Context HttpHeaders httpHeaders)
@@ -102,7 +102,6 @@ private QueryStateInfo getQueryStateInfo(BasicQueryInfo queryInfo)
         return createQueryStateInfo(queryInfo, groupId);
     }
 
-    @ResourceSecurity(AUTHENTICATED_USER)
     @GET
     @Path("{queryId}")
     @Produces(MediaType.APPLICATION_JSON)

core/trino-main/src/main/java/io/trino/server/ResourceGroupStateInfoResource.java

@@ -35,6 +35,7 @@
 import static java.util.Objects.requireNonNull;
 
 @Path("/v1/resourceGroupState")
+@ResourceSecurity(MANAGEMENT_READ)
 public class ResourceGroupStateInfoResource
 {
     private final ResourceGroupInfoProvider resourceGroupInfoProvider;
@@ -45,7 +46,6 @@ public ResourceGroupStateInfoResource(ResourceGroupInfoProvider resourceGroupInf
         this.resourceGroupInfoProvider = requireNonNull(resourceGroupInfoProvider, "resourceGroupInfoProvider is null");
     }
 
-    @ResourceSecurity(MANAGEMENT_READ)
     @GET
     @Produces(MediaType.APPLICATION_JSON)
     @Encoded

core/trino-main/src/main/java/io/trino/server/StatusResource.java

@@ -34,6 +34,7 @@
 import static java.util.Objects.requireNonNull;
 
 @Path("/v1/status")
+@ResourceSecurity(PUBLIC)
 public class StatusResource
 {
     private final NodeInfo nodeInfo;
@@ -64,15 +65,13 @@ public StatusResource(NodeVersion nodeVersion, NodeInfo nodeInfo, ServerConfig s
         }
     }
 
-    @ResourceSecurity(PUBLIC)
     @HEAD
     @Produces(APPLICATION_JSON) // to match the GET route
     public Response statusPing()
     {
         return Response.ok().build();
     }
 
-    @ResourceSecurity(PUBLIC)
     @GET
     @Produces(APPLICATION_JSON)
     public NodeStatus getStatus()

core/trino-main/src/main/java/io/trino/server/TaskExecutorResource.java

@@ -25,6 +25,7 @@
 import static java.util.Objects.requireNonNull;
 
 @Path("/v1/maxActiveSplits")
+@ResourceSecurity(MANAGEMENT_READ)
 public class TaskExecutorResource
 {
     private final TimeSharingTaskExecutor taskExecutor;
@@ -36,7 +37,6 @@ public TaskExecutorResource(
         this.taskExecutor = requireNonNull(taskExecutor, "taskExecutor is null");
     }
 
-    @ResourceSecurity(MANAGEMENT_READ)
     @GET
     @Produces(MediaType.TEXT_PLAIN)
     public String getMaxActiveSplit()

core/trino-main/src/main/java/io/trino/server/TaskResource.java

@@ -91,6 +91,7 @@
  * Manages tasks on this worker node
  */
 @Path("/v1/task")
+@ResourceSecurity(INTERNAL_ONLY)
 public class TaskResource
 {
     private static final Logger log = Logger.get(TaskResource.class);
@@ -127,7 +128,6 @@ public TaskResource(
         this.failureInjector = requireNonNull(failureInjector, "failureInjector is null");
     }
 
-    @ResourceSecurity(INTERNAL_ONLY)
     @GET
     @Produces(MediaType.APPLICATION_JSON)
     public List<TaskInfo> getAllTaskInfo(@Context UriInfo uriInfo)
@@ -139,7 +139,6 @@ public List<TaskInfo> getAllTaskInfo(@Context UriInfo uriInfo)
         return allTaskInfo;
     }
 
-    @ResourceSecurity(INTERNAL_ONLY)
     @POST
     @Path("{taskId}")
     @Consumes(MediaType.APPLICATION_JSON)
@@ -178,7 +177,6 @@ public void createOrUpdateTask(
         asyncResponse.resume(Response.ok().entity(taskInfo).build());
     }
 
-    @ResourceSecurity(INTERNAL_ONLY)
     @GET
     @Path("{taskId}")
     @Produces(MediaType.APPLICATION_JSON)
@@ -228,7 +226,6 @@ public void getTaskInfo(
         bindAsyncResponse(asyncResponse, withFallbackAfterTimeout(response, timeout, () -> serviceUnavailable(timeout), timeoutExecutor), responseExecutor);
     }
 
-    @ResourceSecurity(INTERNAL_ONLY)
     @GET
     @Path("{taskId}/status")
     @Produces(MediaType.APPLICATION_JSON)
@@ -273,7 +270,6 @@ public void getTaskStatus(
         bindAsyncResponse(asyncResponse, withFallbackAfterTimeout(response, timeout, () -> serviceUnavailable(timeout), timeoutExecutor), responseExecutor);
     }
 
-    @ResourceSecurity(INTERNAL_ONLY)
     @GET
     @Path("{taskId}/dynamicfilters")
     @Produces(MediaType.APPLICATION_JSON)
@@ -295,7 +291,6 @@ public void acknowledgeAndGetNewDynamicFilterDomains(
         asyncResponse.resume(taskManager.acknowledgeAndGetNewDynamicFilterDomains(taskId, currentDynamicFiltersVersion));
     }
 
-    @ResourceSecurity(INTERNAL_ONLY)
     @DELETE
     @Path("{taskId}")
     @Produces(MediaType.APPLICATION_JSON)
@@ -320,7 +315,6 @@ public TaskInfo deleteTask(
         return taskInfo;
     }
 
-    @ResourceSecurity(INTERNAL_ONLY)
     @POST
     @Path("{taskId}/fail")
     @Consumes(MediaType.APPLICATION_JSON)
@@ -334,7 +328,6 @@ public TaskInfo failTask(
         return taskManager.failTask(taskId, failTaskRequest.getFailureInfo().toException());
     }
 
-    @ResourceSecurity(INTERNAL_ONLY)
     @GET
     @Path("{taskId}/results/{bufferId}/{token}")
     @Produces(TRINO_PAGES)
@@ -375,7 +368,6 @@ public void getResults(
         responseFuture.addListener(() -> readFromOutputBufferTime.add(Duration.nanosSince(start)), directExecutor());
     }
 
-    @ResourceSecurity(INTERNAL_ONLY)
     @GET
     @Path("{taskId}/results/{bufferId}/{token}/acknowledge")
     public Response acknowledgeResults(
@@ -390,7 +382,6 @@ public Response acknowledgeResults(
         return Response.ok().build();
     }
 
-    @ResourceSecurity(INTERNAL_ONLY)
     @DELETE
     @Path("{taskId}/results/{bufferId}")
     public void destroyTaskResults(
@@ -409,7 +400,6 @@ public void destroyTaskResults(
         asyncResponse.resume(Response.noContent().build());
     }
 
-    @ResourceSecurity(INTERNAL_ONLY)
     @POST
     @Path("pruneCatalogs")
     @Consumes(MediaType.APPLICATION_JSON)

core/trino-main/src/main/java/io/trino/server/ThreadResource.java

@@ -37,9 +37,9 @@
 import static java.util.Comparator.comparing;
 
 @Path("/v1/thread")
+@ResourceSecurity(MANAGEMENT_READ)
 public class ThreadResource
 {
-    @ResourceSecurity(MANAGEMENT_READ)
     @GET
     @Produces(MediaType.APPLICATION_JSON)
     public List<Info> getThreadInfo()

core/trino-main/src/main/java/io/trino/server/protocol/ExecutingStatementResource.java

@@ -72,6 +72,7 @@
 import static java.util.concurrent.TimeUnit.SECONDS;
 
 @Path("/v1/statement/executing")
+@ResourceSecurity(PUBLIC)
 public class ExecutingStatementResource
 {
     private static final Logger log = Logger.get(ExecutingStatementResource.class);
@@ -156,7 +157,6 @@ public void stop()
         queryPurger.shutdownNow();
     }
 
-    @ResourceSecurity(PUBLIC)
     @GET
     @Path("{queryId}/{slug}/{token}")
     @Produces(MediaType.APPLICATION_JSON)
@@ -295,7 +295,6 @@ private Response toResponse(QueryResultsResponse resultsResponse, Optional<Strin
         return response.build();
     }
 
-    @ResourceSecurity(PUBLIC)
     @DELETE
     @Path("{queryId}/{slug}/{token}")
     @Produces(MediaType.APPLICATION_JSON)
@@ -326,7 +325,6 @@ public Response cancelQuery(
         }
     }
 
-    @ResourceSecurity(PUBLIC)
     @DELETE
     @Path("partialCancel/{queryId}/{stage}/{slug}/{token}")
     public void partialCancel(

core/trino-main/src/main/java/io/trino/server/protocol/spooling/CoordinatorSegmentResource.java

@@ -64,7 +64,6 @@ public CoordinatorSegmentResource(SpoolingManager spoolingManager, SpoolingConfi
     @GET
     @Path("/download/{identifier}")
     @Produces(MediaType.APPLICATION_OCTET_STREAM)
-    @ResourceSecurity(PUBLIC)
     public Response download(@Context UriInfo uriInfo, @PathParam("identifier") String identifier, @Context HttpHeaders headers)
             throws IOException
     {
@@ -92,7 +91,6 @@ public Response download(@Context UriInfo uriInfo, @PathParam("identifier") Stri
 
     @GET
     @Path("/ack/{identifier}")
-    @ResourceSecurity(PUBLIC)
     public Response acknowledge(@PathParam("identifier") String identifier, @Context HttpHeaders headers)
             throws IOException
     {

core/trino-main/src/main/java/io/trino/server/protocol/spooling/WorkerSegmentResource.java

@@ -47,7 +47,6 @@ public WorkerSegmentResource(SpoolingManager spoolingManager)
 
     @GET
     @Produces(MediaType.APPLICATION_OCTET_STREAM)
-    @ResourceSecurity(PUBLIC)
     public Response download(@PathParam("identifier") String identifier, @Context HttpHeaders headers)
             throws IOException
     {

core/trino-main/src/main/java/io/trino/server/security/ResourceAccessType.java

@@ -46,20 +46,14 @@ public AccessType getAccessType(ResourceInfo resourceInfo)
             if (accessType.isPresent()) {
                 return accessType.get();
             }
-            // check if the resource class has an access type declared for all methods
-            accessType = resourceAccessTypeLoader.getAccessType(resourceInfo.getResourceClass());
-            if (accessType.isPresent()) {
-                verifyNotTrinoResource(resourceInfo);
-                return accessType.get();
-            }
-            // in some cases there the resource is a nested class, so check the parent class
-            // we currently only check one level, but we could handle multiple nesting levels if necessary
-            if (resourceInfo.getResourceClass().getDeclaringClass() != null) {
-                accessType = resourceAccessTypeLoader.getAccessType(resourceInfo.getResourceClass().getDeclaringClass());
+            // check if the resource class or enclosing classes have an access type declared for all methods
+            Class<?> current = resourceInfo.getResourceClass();
+            while (current != null) {
+                accessType = resourceAccessTypeLoader.getAccessType(current);
                 if (accessType.isPresent()) {
-                    verifyNotTrinoResource(resourceInfo);
                     return accessType.get();
                 }
+                current = current.getDeclaringClass();
             }
         }
         // Trino resources are required to have a declared access control

core/trino-main/src/main/java/io/trino/server/security/oauth2/OAuth2CallbackResource.java

@@ -37,6 +37,7 @@
 import static java.util.Objects.requireNonNull;
 
 @Path(CALLBACK_ENDPOINT)
+@ResourceSecurity(PUBLIC)
 public class OAuth2CallbackResource
 {
     private static final Logger LOG = Logger.get(OAuth2CallbackResource.class);
@@ -51,7 +52,6 @@ public OAuth2CallbackResource(OAuth2Service service)
         this.service = requireNonNull(service, "service is null");
     }
 
-    @ResourceSecurity(PUBLIC)
     @GET
     @Produces(TEXT_HTML)
     public Response callback(

core/trino-main/src/main/java/io/trino/server/security/oauth2/OAuth2TokenExchangeResource.java

@@ -55,6 +55,7 @@
 import static java.util.Objects.requireNonNull;
 
 @Path(OAuth2TokenExchangeResource.TOKEN_ENDPOINT)
+@ResourceSecurity(PUBLIC)
 public class OAuth2TokenExchangeResource
 {
     static final String TOKEN_ENDPOINT = "/oauth2/token/";
@@ -75,7 +76,6 @@ public OAuth2TokenExchangeResource(OAuth2TokenExchange tokenExchange, OAuth2Serv
         this.timeoutExecutor = executor.getScheduledExecutor();
     }
 
-    @ResourceSecurity(PUBLIC)
     @Path("initiate/{authIdHash}")
     @GET
     @Produces(MediaType.APPLICATION_JSON)
@@ -84,7 +84,6 @@ public Response initiateTokenExchange(@PathParam("authIdHash") String authIdHash
         return service.startOAuth2Challenge(externalUriInfo.absolutePath(CALLBACK_ENDPOINT), Optional.ofNullable(authIdHash));
     }
 
-    @ResourceSecurity(PUBLIC)
     @Path("{authId}")
     @GET
     @Produces(MediaType.APPLICATION_JSON)
@@ -119,7 +118,6 @@ private static Response pendingResponse(HttpServletRequest request)
         return Response.ok(jsonMap("nextUri", request.getRequestURL()), APPLICATION_JSON_TYPE).build();
     }
 
-    @ResourceSecurity(PUBLIC)
     @DELETE
     @Path("{authId}")
     public Response deleteAuthenticationToken(@PathParam("authId") UUID authId)