Merged
20 commits
334fc3d
Simplify FileBasedAccessControl
dain Oct 7, 2020
6611817
Fix warnings in FileBasedSystemAccessControl
dain Oct 7, 2020
e10a04b
Change catalog check to match other checks
dain Oct 7, 2020
06b1afc
Simplify catalog checks in FileBasedSystemAccessControl
dain Oct 7, 2020
9e4dc78
Simplify query checks in FileBasedSystemAccessControl
dain Oct 7, 2020
4f846b2
Clean up exception messages in FileBasedSystemAccessControl
dain Oct 7, 2020
1c65efa
Change file access control to consistently use snake case
dain Oct 7, 2020
162f3fe
Fix file access control for table create and rename checks
dain Oct 7, 2020
a5a0325
Fix system file create schema check
dain Oct 7, 2020
78f61cd
Add missing table checks in file system access control
dain Oct 7, 2020
4b83065
Filter tables in file access control
dain Oct 7, 2020
cf812ba
Add catalog regex to schema and table rules in file system access con…
dain Oct 7, 2020
41aa1f9
Allow all catalog access by default in file-based access control
dain Oct 7, 2020
a65adc6
Simplify table and schema rules in file system access control
dain Oct 7, 2020
4c24f4f
Change catalog file access default to allow for no rules
dain Oct 7, 2020
6039d26
Only show catalog if user has schema or table permissions
dain Oct 7, 2020
a94a921
Only show schema if user is schema owner or has table permissions
dain Oct 7, 2020
7cc4a2b
Deny grant and revoke for catalog file access control
dain Oct 7, 2020
b8da3dd
Add session property rules to system file access control
dain Oct 7, 2020
a4bc95a
Improve system file based access documentation
dain Oct 7, 2020
Expand Up @@ -69,20 +69,20 @@ These requirements can be expressed with the following rules:
[
{
"group": "global.*",
"sessionProperties": {
"session_properties": {
"query_max_execution_time": "8h",
}
},
{
"group": "global.interactive.*",
"sessionProperties": {
"session_properties": {
"query_max_execution_time": "1h"
}
},
{
"group": "global.pipeline.*",
"clientTags": ["etl"],
"sessionProperties": {
"session_properties": {
"scale_writers": "true",
"writer_min_size": "1GB"
}
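Review bot: the first rule in this example keeps a trailing comma before the closing brace (`"query_max_execution_time": "8h",` directly followed by `}`), which makes the snippet invalid JSON and will fail to load if an operator copies it verbatim; drop the comma while this block is being touched for the `session_properties` rename.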
Expand All @@ -93,4 +93,4 @@ Limitations
-----------

The session property manager only supports system session properties and does
not support catalog session properties.
not support catalog session properties.
2 changes: 1 addition & 1 deletion presto-docs/src/main/sphinx/connector/hive-security.rst
Expand Up @@ -563,7 +563,7 @@ See below for an example.
"privileges": ["SELECT"]
}
],
"sessionProperties": [
"session_properties": [
{
"property": "force_local_scheduling",
"allow": true
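Review bot: renaming the key from `sessionProperties` to `session_properties` changes the on-disk format of existing Hive security config files, and nothing in this hunk says whether the old camelCase spelling is still read; add a sentence here (and a release note) stating that files using `sessionProperties` must be updated, since depending on how unknown keys are handled an operator's existing session-property restrictions could either fail to load or silently stop applying after upgrade.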
147 changes: 105 additions & 42 deletions presto-docs/src/main/sphinx/security/file-system-access-control.rst
Expand Up @@ -34,13 +34,67 @@ Presto restart. The refresh period is specified in the ``etc/access-control.prop

security.refresh-period=1s

Catalog, Schema, and Table Access
---------------------------------

Access to catalogs, schemas, tables, and views is controlled by the catalog, schema, and table
rules. The catalog rules are course grained rules used to restrict all access or write
access to catalogs. They do not explicitly grant any specific schema or table permissions.
The table and schema rules are used to specify who can can create, drop, alter, select, insert,
delete, etc. for schemas and tables.

For each rule set, permission is based on the first matching rule read from top to bottom. If
no rule matches, access is denied. If no rules are provided at all, then access is granted.

The following table summarizes the permissions required for each SQL command:

==================================== ========== ======= ==================== ===================================================
SQL Command Catalog Schema Table Note
==================================== ========== ======= ==================== ===================================================
SHOW CATALOGS Always allowed
SHOW SCHEMAS read-only any* any* Allowed if catalog is :ref:`visible<visibility>`
SHOW TABLES read-only any* any* Allowed if schema :ref:`visible<visibility>`
CREATE SCHEMA read-only owner
DROP SCHEMA all owner
SHOW CREATE SCHEMA all owner
ALTER SCHEMA ... RENAME TO all owner* Ownership is required on both old and new schemas
ALTER SCHEMA ... SET AUTHORIZATION all owner
CREATE TABLE all owner
DROP TABLE all owner
ALTER TABLE ... RENAME TO all owner* Ownership is required on both old and new tables
CREATE VIEW all owner
DROP VIEW all owner
ALTER VIEW ... RENAME TO all owner* Ownership is required on both old and new views
COMMENT ON TABLE all owner
COMMENT ON COLUMN all owner
ALTER TABLE ... ADD COLUMN all owner
ALTER TABLE ... DROP COLUMN all owner
ALTER TABLE ... RENAME COLUMN all owner
SHOW COLUMNS all any
SELECT FROM table read-only select
SELECT FROM view read-only select, grant_select
INSERT INTO all insert
DELETE FROM all delete
==================================== ========== ======= ==================== ===================================================

.. _visibility:

Visibility
^^^^^^^^^^

For a catalog, schema, or table to be visible in a ``SHOW`` command, the user must have
at least one permission on the item or any nested item. The nested items do not
need to already exist as any potential permission makes the item visible. Specifically:

* catalog: Visible if user is the owner of any nested schema, has permissions on any nested
table, or has permissions to set session properties in the catalog.
* schema: Visible if the user is the owner of the schema, or has permissions on any nested table.
* table: Visible if the user has any permissions on the table.

Catalog Rules
-------------
^^^^^^^^^^^^^

These rules govern the catalogs particular users can access. The user is
granted access to a catalog, based on the first matching rule read from top to
bottom. If no rule matches, access is denied. Each rule is composed of the
following fields:
Each catalog rule is composed of the following fields:

* ``user`` (optional): regex to match against user name. Defaults to ``.*``.
* ``group`` (optional): regex to match against group names. Defaults to ``.*``.
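Review bot: the default stated in the new section, `If no rules are provided at all, then access is granted`, is fail-open and deserves a `.. warning::` directive rather than a clause at the end of a paragraph, because a reader skimming the rule lists will naturally assume deny-by-default and an omitted `schemas` or `tables` section then grants every user every privilege. Two typos in the same paragraphs: `course grained` should be `coarse-grained`, and `who can can create` doubles `can`. The permissions table also uses `any*` and `owner*` markers without a legend; the Note column explains the `owner*` rows, but `any*` is only implied by the visibility reference.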
Expand All @@ -56,6 +110,9 @@ specified in ``user`` attribute.
For group names, a rule can be applied if at least one group name of this user
matches the ``group`` regular expression.

The ``all`` value for ``allow`` means these rules do not restrict access in any way,
but the schema and table rules can restrict access.

.. note::

By default, all users have access to the ``system`` catalog. You can
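Review bot: this paragraph introduces an `all` value for `allow`, and the permissions table above uses `read-only` and `all` in its Catalog column, but the `allow` field itself is not redefined in this hunk; make sure the field list under Catalog Rules enumerates every accepted value (`all`, `read-only`, and whichever value denies access) and says how the older boolean `"allow": true` form, which the examples removed elsewhere in this PR still used, maps onto them.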
Expand Down Expand Up @@ -104,33 +161,24 @@ For group-based rules to match, users need to be assigned to groups by a
:doc:`/develop/group-provider`.

Schema Rules
------------
^^^^^^^^^^^^

These rules allow you to grant ownership of a schema. Having ownership of an
schema allows users to execute ``DROP SCHEMA``, ``ALTER SCHEMA`` (both renaming
and setting authorization) and ``SHOW CREATE SCHEMA``. The user is granted
ownership of a schema, based on the first matching rule read from top to
bottom. If no rule matches, ownership is not granted. Each rule is composed of
the following fields:
Each schema rule is composed of the following fields:

* ``user`` (optional): regex to match against user name. Defaults to ``.*``.
* ``group`` (optional): regex to match against group names. Defaults to ``.*``.
* ``catalog`` (optional): regex to match against catalog name. Defaults to ``.*``.
* ``schema`` (optional): regex to match against schema name. Defaults to ``.*``.
* ``owner`` (required): boolean indicating whether the user is to be considered
an owner of the schema. Defaults to ``false``.

For example, to provide ownership of all schemas to user ``admin``, treat all
users as owners of ``default`` schema and prevent user ``guest`` from ownership
of any schema, you can use the following rules:
users as owners of the ``default.default`` schema and prevent user ``guest`` from
ownership of any schema, you can use the following rules:

.. code-block:: json

{
"catalogs": [
{
"allow": true
}
],
"schemas": [
{
"user": "admin",
Expand All @@ -142,22 +190,21 @@ of any schema, you can use the following rules:
"owner": false
},
{
"catalog": "default",
"schema": "default",
"owner": true
}
]
}

Table Rules
-----------
^^^^^^^^^^^

These rules define the privileges for table access for users. If no table rules
are specified, all users are treated as having all privileges by default. The
user is granted privileges based on the first matching rule read from top to
bottom. Each rule is composed of the following fields:
Each table rule is composed of the following fields:

* ``user`` (optional): regex to match against user name. Defaults to ``.*``.
* ``group`` (optional): regex to match against group names. Defaults to ``.*``.
* ``catalog`` (optional): regex to match against catalog name. Defaults to ``.*``.
* ``schema`` (optional): regex to match against schema name. Defaults to ``.*``.
* ``table`` (optional): regex to match against table names. Defaults to ``.*``.
* ``privileges`` (required): zero or more of ``SELECT``, ``INSERT``,
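Review bot: `catalog` and `schema` are documented as regexes and the new example uses `"catalog": "default"` and `"schema": "default"` with no anchors; the text should state whether these patterns are matched against the whole name or searched for as a substring, because an unanchored `default` would also match a schema such as `default_archive`, and that difference decides whether the all-users ownership rule reaches more schemas than the prose above it promises.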
Expand All @@ -171,16 +218,11 @@ The example below defines the following table access policy:

* User ``admin`` has all privileges across all tables and schemas
* User ``banned_user`` has no privileges
* All users have ``SELECT`` privileges on all tables in ``default`` schema
* All users have ``SELECT`` privileges on all tables in the ``default.default`` schema

.. code-block:: json

{
"catalogs": [
{
"allow": true
}
],
"tables": [
{
"user": "admin",
Expand All @@ -191,13 +233,44 @@ The example below defines the following table access policy:
"privileges": []
},
{
"catalog": "default",
"schema": "default",
"table": ".*",
"privileges": ["SELECT"]
}
]
}

.. _session_property_rules:

Session Property Rules
----------------------

These rules control the ability of a user to set system and catalog session properties. The
user is granted or denied access, based on the first matching rule, read from top to bottom.
If no rules are specified, all users are allowed set any session property. If no rule matches,
setting the session property is denied. System session property rules are composed of the
following fields:

* ``user`` (optional): regex to match against user name. Defaults to ``.*``.
* ``group`` (optional): regex to match against group names. Defaults to ``.*``.
* ``property`` (optional): regex to match against the property name. Defaults to ``.*``.
* ``allow`` (required): boolean indicating if the setting the session property should be allowed.

The catalog session property rules have the additional field:

* ``catalog`` (optional): regex to match against catalog name. Defaults to ``.*``.

The example below defines the following table access policy:

* User ``admin`` can set all session property
* User ``banned_user`` can not set any session properties
* All users can set the ``resource_overcommit`` system session property, and the
``bucket_execution_enabled`` session property in the ``hive`` catalog.

.. literalinclude:: session-property-access.json
:language: json

.. _query_rules:

Query Rules
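Review bot: several wording slips in the new Session Property Rules section: `all users are allowed set any session property` is missing `to`, `indicating if the setting the session property` has a stray `the`, `The example below defines the following table access policy` should say `session property policy`, and `can set all session property` should be plural. Separately, this section repeats the pattern that no rules at all means everything is allowed; stating once near the top of the file that every rule set in this format is fail-open when omitted would save repeating it per section and make the default hard to miss.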
Expand Down Expand Up @@ -245,8 +318,8 @@ defined, impersonation is not allowed.

Each impersonation rule is composed of the following fields:

* ``originalUser`` (required): regex to match against the user requesting the impersonation.
* ``newUser`` (required): regex to match against the user that will be impersonated.
* ``original_user`` (required): regex to match against the user requesting the impersonation.
* ``new_user`` (required): regex to match against the user that will be impersonated.
* ``allow`` (optional): boolean indicating if the authentication should be allowed.

The following example allows the two admins, ``alice`` and ``bob``, to impersonate
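Review bot: the `allow` field is marked optional for impersonation rules but its default is not stated, and its description says `if the authentication should be allowed` where `impersonation` is meant; since the field is what decides whether a matching rule grants or denies, spell out the default (`Defaults to true` if that is the behaviour) alongside the `original_user`/`new_user` rename.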
Expand Down Expand Up @@ -295,11 +368,6 @@ and Kerberos authentication:
.. code-block:: json

{
"catalogs": [
{
"allow": true
}
],
"principals": [
{
"principal": "(.*)",
Expand All @@ -321,11 +389,6 @@ name, and allow ``alice`` and ``bob`` to use a group principal named as
.. code-block:: json

{
"catalogs": [
{
"allow": true
}
],
"principals": [
{
"principal": "([^/]+)/?.*@example.net",
5 changes: 0 additions & 5 deletions presto-docs/src/main/sphinx/security/query-access.json
@@ -1,9 +1,4 @@
{
"catalogs": [
{
"allow": true
}
],
"queries": [
{
"user": "admin",
31 changes: 31 additions & 0 deletions presto-docs/src/main/sphinx/security/session-property-access.json
@@ -0,0 +1,31 @@
{
"system_session_properties": [
{
"user": "admin",
"allow": true
},
{
"user": "banned_user",
"allow": false
},
{
"property": "resource_overcommit",
"allow": true
}
],
"catalog_session_properties": [
{
"user": "admin",
"allow": true
},
{
"user": "banned_user",
"allow": false
},
{
"catalog": "hive",
"property": "bucket_execution_enabled",
"allow": true
}
]
}
@@ -1,9 +1,4 @@
{
"catalogs": [
{
"allow": true
}
],
"system_information": [
{
"user": "admin",
21 changes: 8 additions & 13 deletions presto-docs/src/main/sphinx/security/user-impersonation.json
@@ -1,27 +1,22 @@
{
"catalogs": [
{
"allow": true
}
],
"impersonation": [
{
"originalUser": "alice",
"newUser": "bob",
"original_user": "alice",
"new_user": "bob",
"allow": false
},
{
"originalUser": "bob",
"newUser": "alice",
"original_user": "bob",
"new_user": "alice",
"allow": false
},
{
"originalUser": "alice|bob",
"newUser": ".*"
"original_user": "alice|bob",
"new_user": ".*"
},
{
"originalUser": ".*",
"newUser": "test"
"original_user": ".*",
"new_user": "test"
}
]
}
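Review bot: the `alice|bob` and `.*` rules omit `allow` and therefore depend on an undocumented default; adding `"allow": true` to them explicitly would make the example self-describing and stop a reader from assuming that an omitted `allow` denies, which is the opposite of what the ordering here intends (the two explicit `"allow": false` rules are placed first precisely so that these later rules grant the remaining impersonations).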
Expand Up @@ -3,14 +3,14 @@
{
"user": "hive",
"privileges": [
"SELECT"
"SELECT",
"OWNERSHIP"
]
}
],
"schemas": [
{
"user": "hive",
"owner": true
"owner": false
}
]
}
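Review bot: the `schemas` rule for user `hive` flips `owner` from `true` to `false` while the table rule gains `OWNERSHIP`; per the permissions table added in file-system-access-control.rst, schema ownership is what `CREATE SCHEMA`, `DROP SCHEMA`, `SHOW CREATE SCHEMA` and `ALTER SCHEMA` require, so if this configuration is meant to let the `hive` user manage schemas the change removes that ability and table ownership does not substitute for it; confirm this is intended and that the tests reading this file expect the new denial.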