trino
trino copied to clipboard
trinodb
Add table functions support to File-based access control
Description
This PR adds File-based access control support for table functions. Before this PR with File-based access control enabled every table functions was denied.
By default every rule kind (access to catalogs, schemas, tables) is allow when user does not specify any rule.
The same behavior is also here. After upgrading Trino to newer version and without making any changes to access rules, access to every table function will change and by default it will be allow. Is that good behavior? Maybe in case of table functions new default should be deny but this makes those new rules inconsistent with the rest.
Examples System-level access control file
- Allow
postgresql.system.queryforadminuser.
{
"functions": [
{
"function_kinds": [
"SCALAR",
"AGGREGATE",
"WINDOW"
],
"privileges": [
"EXECUTE"
]
},
{
"user": "admin",
"catalog": "postgresql",
"schema": "system",
"function_kinds": [
"TABLE"
],
"function": "query",
"privileges": [
"EXECUTE"
]
}
]
}
- Allow
querytable function from every catalog & schema foradminuser.
{
"functions": [
{
"function_kinds": [
"SCALAR",
"AGGREGATE",
"WINDOW"
],
"privileges": [
"EXECUTE"
]
},
{
"user": "admin",
"function_kinds": [
"TABLE"
],
"function": "query",
"privileges": [
"EXECUTE"
]
}
]
}
- Deny
mysql.system.queryfor anyone.
{
"functions": [
{
"function_kinds": [
"SCALAR",
"AGGREGATE",
"WINDOW"
],
"privileges": [
"EXECUTE"
]
},
{
"catalog": "mysql",
"schema": "system",
"function_kinds": [
"TABLE"
],
"function": "query",
"privileges": []
}
]
}
- Deny any table function for anyone - so this restore original behavior
{
"functions": [
{
"function_kinds": [
"SCALAR",
"AGGREGATE",
"WINDOW"
],
"privileges": [
"EXECUTE"
]
},
{
"function_kinds": [
"TABLE"
],
"privileges": []
}
]
}
- Possible
privilegesvalues:EXECUTEandGRANT_EXECUTE- it would be nice to merge this PR https://github.com/trinodb/trino/pull/13944 before this PR so I would add access checks for table functions used in views withsecurity definer - Possible
function_kindsvalues:SCALAR,AGGREGATE,WINDOWandTABLES
What's missing:
- tests - I will add those after preliminary approval is this a good approach
- docs examples
Documentation
( ) No documentation is needed. ( ) Sufficient documentation is included in this PR. ( ) Documentation PR is available with #prnumber. ( ) Documentation issue #issuenumber is filed, and can be handled later.
Release notes
( ) No release notes entries required. ( ) Release notes entries required with the following suggested text:
# Section
* Fix some things. ({issue}`issuenumber`)
Thank you for your pull request and welcome to our community. We could not parse the GitHub identity of the following contributors: Hubert Łojek. This is most likely caused by a git client misconfiguration; please make sure to:
- check if your git client is configured with an email to sign commits
git config --list | grep email - If not, set it up using
git config --global user.email [email protected] - Make sure that the git commit email is configured in your GitHub account settings, see https://github.com/settings/emails
![cla-bot[bot] avatar](https://avatars.githubusercontent.com/in/2404?v=4 "Published by a pub.dev verified publisher"){kind=small}
Thank you for your pull request and welcome to our community. We could not parse the GitHub identity of the following contributors: Hubert Łojek. This is most likely caused by a git client misconfiguration; please make sure to:
- check if your git client is configured with an email to sign commits
git config --list | grep email - If not, set it up using
git config --global user.email [email protected] - Make sure that the git commit email is configured in your GitHub account settings, see https://github.com/settings/emails
I finally got to reviewing this PR ;) As I understand it, it's blocked on adding additional methods to the access control interfaces, right?
Also, tests will be needed.
I added more real case scenario test TestViewsWithPtfFileBasedSystemAccessControl