Propagate function lifecycle events to SystemSecurityMetadata

[homar]

Description

Propagate function lifecycle events sucha as create function and drop function to SystemSecurityMetadata

Additional context and related issues

Release notes

( ) This is not user-visible or is docs only, and no release notes are required.
( ) Release notes are required. Please propose a release note for me.
(x) Release notes are required, with the following suggested text:

## Section
* Add support for functions ownership 

[ksobolew]

With views it's done differently - there's a tableCreated callback function, which is (presumably) used to update the ownership. The setXOwner methods are called in response to ALTER X SET AUTHORIZATION commands, instead (which we don't have here). Note that the actual function is created by the connector metadata, which is a factor too.

[ksobolew]

This test is fine, but it could take some inspiration for the existing tests for views. For example, those tests are also checking things like: the access to the underlying resources (here: my_test_function_inner) is only checked on query/execute, not during creation. Though it could be different for functions.

[Dith3r]

nit. ImmutableSet.of

[kokosing]

I think you need to follow the convention here. Instead of saying what you want to do on event, you should simply emit the event and handle what you want in the implementation.

So you should emit events, when function is created, dropped or renamed. Like for any other object.

[ksobolew]

Apart from nits LGTM

[ksobolew]

Nit: keep formatting consistent

Suggested change

	@Override
	public void functionCreated(Session session, CatalogSchemaFunctionName function, TrinoPrincipal principal)
	{}
	@Override
	public void functionCreated(Session session, CatalogSchemaFunctionName function, TrinoPrincipal principal) {}

[ksobolew]

These callbacks should be done as the last thing, specifically after the actual update (here: after metadata.createLanguageFunction is called)

[homar]

It is called later, here we just prepare a lambda function, it is invoked much later.

[ksobolew]

I'm sorry, I don't see any lambda...

[homar]

nvm, my bad i looked at a wrong place, sorry for the confusion

[ksobolew]

Suggested change

	@Override
	public void functionCreated(Session session, CatalogSchemaFunctionName function, TrinoPrincipal principal)
	{ }
	@Override
	public void functionCreated(Session session, CatalogSchemaFunctionName function, TrinoPrincipal principal) {}

[ksobolew]

I mean these two statements should be switched, per convention at least:

Suggested change

	if (catalogMetadata.getSecurityManagement() == SYSTEM) {
	systemSecurityMetadata.functionCreated(
	session,
	new CatalogSchemaFunctionName(catalogHandle.getCatalogName().toString(), schemaFunctionName),
	new TrinoPrincipal(PrincipalType.USER, session.getUser()));
	}
	metadata.createLanguageFunction(session.toConnectorSession(catalogHandle), schemaFunctionName, function, replace);
	metadata.createLanguageFunction(session.toConnectorSession(catalogHandle), schemaFunctionName, function, replace);
	if (catalogMetadata.getSecurityManagement() == SYSTEM) {
	systemSecurityMetadata.functionCreated(
	session,
	new CatalogSchemaFunctionName(catalogHandle.getCatalogName().toString(), schemaFunctionName),
	new TrinoPrincipal(PrincipalType.USER, session.getUser()));
	}

[lukasz-walkiewicz]

Is there an operation which this method should be used by? There's not ALTER FUNCTION .. SET AUTHORIZATION for functions so I don't think there is such operation.

[lukasz-walkiewicz]

What's principal for? Isn't session enough to get the identity of the creator of the function?

[homar]

following convention from other methods

[homar]

ok i got it, fixed, thanks

[lukasz-walkiewicz]

(identity, function)

[lukasz-walkiewicz]

Is this needed if there's also:

        assertAccessAllowed(
                functionOwnerSession,
                "CREATE FUNCTION memory.default.my_test_function_inner (x integer) RETURNS bigint RETURN x + 42");

?

[homar]

yes, io.trino.security.TestingSystemSecurityMetadata#functionCreated is empty
This was suggested by @ksobolew to follow the convention

[homar]

it was during offline conversation when I asked him about #24696 (comment) and #24696 (comment)

[lukasz-walkiewicz]

How about a check with the default session?

[homar]

What would be the point of such a test? Verification if a function can be created is out of scope for this commit

[lukasz-walkiewicz]

It's a fairly complicated test case so maybe it's worth adding a few comments.
As I understand here the default session gets access denied because the function owner got access denied on the inner function, correct?

[kokosing]

Please improve a commit message and pull request title and description. It is more about propagating events of function creation than handling onwnership.

[kokosing]

Please fix the PR description to not to mention anything about ownerhship.

[kokosing]

I don't think it is correct testing of the functionality you have introduced. You need to check if events are propagated. It has not much to do with "ownership". It is a different layer. You need a test similar to io.trino.execution.TestBeginQuery. Then you don't need any changes in TestingAccessControlManager too.

[kokosing]

I have discussed this with @lukasz-walkiewicz and now I understand why it was added.

Please use functionCreated and functionDropped in testing access control and extract the case with DENY to inner function as separate test case. This test is getting quite complex as we are reusing entities for different test cases.

[homar]

I was about to add another test

[ksobolew]

Looks like now we have more extensive tests for functions than for views :)

[ksobolew]

Suggested change

	.setIdentity(Identity.forUser(functionOwner)
	.build())
	.setIdentity(Identity.ofUser(functionOwner))

[ksobolew]

Nit: just to be extra-safe, you could add an assertion that with the same denied privilege you are not allowed to call the inner function directly

[ksobolew]

Did you mean to deny it here?

[homar]

fixed

[ksobolew]

I'm not sure this is what @kokosing had in mind, but this name is not right. It's more about roles than denying.

[ksobolew]

Suggested change

	.setIdentity(Identity.forUser(functionOwner1)
	.build())
	.setIdentity(Identity.ofUser(functionOwner1))

[ksobolew]

Suggested change

	.setIdentity(Identity.forUser(functionOwner2)
	.build())
	.setIdentity(Identity.ofUser(functionOwner2))

[ksobolew]

Isn't this test duplicated now?

[ksobolew]

Re-approved from my side :)

[kokosing]

nit. it already pre-exisiting, but we could do this as part of @Before method. Maybe an idea for a follow-up?

[homar]

PTAL #24852

[kokosing]

Thank you! Merged.