FileBasedAccessControl.java

/*
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package com.facebook.presto.plugin.base.security;

import com.facebook.presto.common.Subfield;
import com.facebook.presto.plugin.base.security.TableAccessControlRule.TablePrivilege;
import com.facebook.presto.spi.ColumnMetadata;
import com.facebook.presto.spi.SchemaTableName;
import com.facebook.presto.spi.connector.ConnectorAccessControl;
import com.facebook.presto.spi.connector.ConnectorTransactionHandle;
import com.facebook.presto.spi.security.AccessControlContext;
import com.facebook.presto.spi.security.AccessDeniedException;
import com.facebook.presto.spi.security.ConnectorIdentity;
import com.facebook.presto.spi.security.PrestoPrincipal;
import com.facebook.presto.spi.security.Privilege;
import com.facebook.presto.spi.security.ViewExpression;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;

import javax.inject.Inject;

import java.nio.file.Paths;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

import static com.facebook.presto.plugin.base.JsonUtils.parseJson;
import static com.facebook.presto.plugin.base.security.TableAccessControlRule.TablePrivilege.DELETE;
import static com.facebook.presto.plugin.base.security.TableAccessControlRule.TablePrivilege.GRANT_SELECT;
import static com.facebook.presto.plugin.base.security.TableAccessControlRule.TablePrivilege.INSERT;
import static com.facebook.presto.plugin.base.security.TableAccessControlRule.TablePrivilege.OWNERSHIP;
import static com.facebook.presto.plugin.base.security.TableAccessControlRule.TablePrivilege.SELECT;
import static com.facebook.presto.plugin.base.security.TableAccessControlRule.TablePrivilege.UPDATE;
import static com.facebook.presto.spi.security.AccessDeniedException.denyAddColumn;
import static com.facebook.presto.spi.security.AccessDeniedException.denyAddConstraint;
import static com.facebook.presto.spi.security.AccessDeniedException.denyCreateSchema;
import static com.facebook.presto.spi.security.AccessDeniedException.denyCreateTable;
import static com.facebook.presto.spi.security.AccessDeniedException.denyCreateView;
import static com.facebook.presto.spi.security.AccessDeniedException.denyCreateViewWithSelect;
import static com.facebook.presto.spi.security.AccessDeniedException.denyDeleteTable;
import static com.facebook.presto.spi.security.AccessDeniedException.denyDropColumn;
import static com.facebook.presto.spi.security.AccessDeniedException.denyDropConstraint;
import static com.facebook.presto.spi.security.AccessDeniedException.denyDropSchema;
import static com.facebook.presto.spi.security.AccessDeniedException.denyDropTable;
import static com.facebook.presto.spi.security.AccessDeniedException.denyDropView;
import static com.facebook.presto.spi.security.AccessDeniedException.denyGrantTablePrivilege;
import static com.facebook.presto.spi.security.AccessDeniedException.denyInsertTable;
import static com.facebook.presto.spi.security.AccessDeniedException.denyRenameColumn;
import static com.facebook.presto.spi.security.AccessDeniedException.denyRenameSchema;
import static com.facebook.presto.spi.security.AccessDeniedException.denyRenameTable;
import static com.facebook.presto.spi.security.AccessDeniedException.denyRenameView;
import static com.facebook.presto.spi.security.AccessDeniedException.denyRevokeTablePrivilege;
import static com.facebook.presto.spi.security.AccessDeniedException.denySelectTable;
import static com.facebook.presto.spi.security.AccessDeniedException.denySetTableProperties;
import static com.facebook.presto.spi.security.AccessDeniedException.denyShowColumnsMetadata;
import static com.facebook.presto.spi.security.AccessDeniedException.denyShowCreateTable;
import static com.facebook.presto.spi.security.AccessDeniedException.denyTruncateTable;
import static com.facebook.presto.spi.security.AccessDeniedException.denyUpdateTableColumns;

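/**
 * Connector-level access control driven by a JSON rules file.
 * <p>
 * The rules file is read once, in the constructor, into three ordered rule lists
 * (schema, table and session-property rules); this instance never re-reads it.
 * Every decision is made by scanning the relevant list in order and letting the
 * first matching rule decide (first match wins, later rules are not consulted);
 * when no rule matches the answer is deny. Only {@code identity.getUser()} is
 * consulted when matching rules — no other identity attribute is looked at here.
 * <p>
 * Caveats a deployer should know about:
 * <ul>
 * <li>Schema and table listings are not filtered ({@link #filterSchemas} and
 *     {@link #filterTables} return their input unchanged), so object names are
 *     visible to every user even when the rules grant them nothing.</li>
 * <li>Role management and role-related SHOW statements are unrestricted: the
 *     {@code checkCan*Role*} methods are intentionally empty and never deny.</li>
 * <li>Any table in a schema named {@code information_schema} passes
 *     {@link #checkTablePermission} for every privilege, not just SELECT.</li>
 * </ul>
 */
public class FileBasedAccessControl
        implements ConnectorAccessControl
{
    private static final String INFORMATION_SCHEMA_NAME = "information_schema";

    private final List<SchemaAccessControlRule> schemaRules;
    private final List<TableAccessControlRule> tableRules;
    private final List<SessionPropertyAccessControlRule> sessionPropertyRules;

    /**
     * Loads the rules file named by {@code config.getConfigFile()}.
     *
     * @param config supplies the path of the JSON rules file
     */
    @Inject
    public FileBasedAccessControl(FileBasedAccessControlConfig config)
    {
        AccessControlRules rules = parseJson(Paths.get(config.getConfigFile()), AccessControlRules.class);

        this.schemaRules = rules.getSchemaRules();
        this.tableRules = rules.getTableRules();
        this.sessionPropertyRules = rules.getSessionPropertyRules();
    }

    // Schema DDL is never permitted through this implementation, regardless of rules.

    @Override
    public void checkCanCreateSchema(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, String schemaName)
    {
        denyCreateSchema(schemaName);
    }

    @Override
    public void checkCanDropSchema(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, String schemaName)
    {
        denyDropSchema(schemaName);
    }

    @Override
    public void checkCanRenameSchema(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, String schemaName, String newSchemaName)
    {
        denyRenameSchema(schemaName, newSchemaName);
    }

    /** Listing schemas is always allowed; see {@link #filterSchemas}. */
    @Override
    public void checkCanShowSchemas(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context)
    {
    }

    /** No filtering: every schema name is returned to every user. */
    @Override
    public Set<String> filterSchemas(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, Set<String> schemaNames)
    {
        return schemaNames;
    }

    /** SHOW CREATE TABLE requires SELECT on the table. */
    @Override
    public void checkCanShowCreateTable(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName)
    {
        if (!checkTablePermission(identity, tableName, SELECT)) {
            denyShowCreateTable(tableName.toString());
        }
    }

    /** Creating a table requires schema ownership, decided by the schema rules. */
    @Override
    public void checkCanCreateTable(ConnectorTransactionHandle transaction, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName)
    {
        if (!isDatabaseOwner(identity, tableName.getSchemaName())) {
            denyCreateTable(tableName.toString());
        }
    }

    @Override
    public void checkCanSetTableProperties(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName, Map<String, Object> properties)
    {
        if (!checkTablePermission(identity, tableName, OWNERSHIP)) {
            denySetTableProperties(tableName.toString());
        }
    }

    @Override
    public void checkCanDropTable(ConnectorTransactionHandle transaction, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName)
    {
        if (!checkTablePermission(identity, tableName, OWNERSHIP)) {
            denyDropTable(tableName.toString());
        }
    }

    /** Listing tables is always allowed; see {@link #filterTables}. */
    @Override
    public void checkCanShowTablesMetadata(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, String schemaName)
    {
    }

    /** No filtering: every table name is returned to every user. */
    @Override
    public Set<SchemaTableName> filterTables(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, Set<SchemaTableName> tableNames)
    {
        return tableNames;
    }

    /** Column metadata is visible only with SELECT on the table. */
    @Override
    public void checkCanShowColumnsMetadata(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName)
    {
        if (!checkTablePermission(identity, tableName, SELECT)) {
            denyShowColumnsMetadata(tableName.toString());
        }
    }

    /**
     * Returns the column list unchanged when the user has SELECT on the table,
     * otherwise an empty list. There is no per-column granularity.
     */
    @Override
    public List<ColumnMetadata> filterColumns(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName, List<ColumnMetadata> columns)
    {
        if (!checkTablePermission(identity, tableName, SELECT)) {
            return ImmutableList.of();
        }

        return columns;
    }

    /**
     * Renaming a table requires OWNERSHIP on both the current name and the new name,
     * mirroring {@link #checkCanRenameView}. Checking only the source would let the
     * owner of a table move it to a name (possibly in another schema) that the rules
     * never granted them, taking the data outside the intended privilege boundary.
     */
    @Override
    public void checkCanRenameTable(ConnectorTransactionHandle transaction, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName, SchemaTableName newTableName)
    {
        if (!checkTablePermission(identity, tableName, OWNERSHIP) || !checkTablePermission(identity, newTableName, OWNERSHIP)) {
            denyRenameTable(tableName.toString(), newTableName.toString());
        }
    }

    @Override
    public void checkCanAddColumn(ConnectorTransactionHandle transaction, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName)
    {
        if (!checkTablePermission(identity, tableName, OWNERSHIP)) {
            denyAddColumn(tableName.toString());
        }
    }

    @Override
    public void checkCanDropColumn(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName)
    {
        if (!checkTablePermission(identity, tableName, OWNERSHIP)) {
            denyDropColumn(tableName.toString());
        }
    }

    @Override
    public void checkCanRenameColumn(ConnectorTransactionHandle transaction, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName)
    {
        if (!checkTablePermission(identity, tableName, OWNERSHIP)) {
            denyRenameColumn(tableName.toString());
        }
    }

    /**
     * SELECT is decided at table level only; {@code columnOrSubfieldNames} is ignored.
     */
    @Override
    public void checkCanSelectFromColumns(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName, Set<Subfield> columnOrSubfieldNames)
    {
        // TODO: Implement column level permissions
        if (!checkTablePermission(identity, tableName, SELECT)) {
            denySelectTable(tableName.toString());
        }
    }

    @Override
    public void checkCanInsertIntoTable(ConnectorTransactionHandle transaction, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName)
    {
        if (!checkTablePermission(identity, tableName, INSERT)) {
            denyInsertTable(tableName.toString());
        }
    }

    @Override
    public void checkCanDeleteFromTable(ConnectorTransactionHandle transaction, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName)
    {
        if (!checkTablePermission(identity, tableName, DELETE)) {
            denyDeleteTable(tableName.toString());
        }
    }

    /** TRUNCATE is governed by the same DELETE privilege as row deletion. */
    @Override
    public void checkCanTruncateTable(ConnectorTransactionHandle transaction, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName)
    {
        if (!checkTablePermission(identity, tableName, DELETE)) {
            denyTruncateTable(tableName.toString());
        }
    }

    /** UPDATE is decided at table level; {@code updatedColumns} only appears in the denial message. */
    @Override
    public void checkCanUpdateTableColumns(ConnectorTransactionHandle transaction, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName, Set<String> updatedColumns)
    {
        if (!checkTablePermission(identity, tableName, UPDATE)) {
            denyUpdateTableColumns(tableName.toString(), updatedColumns);
        }
    }

    /** Creating a view requires schema ownership, like creating a table. */
    @Override
    public void checkCanCreateView(ConnectorTransactionHandle transaction, ConnectorIdentity identity, AccessControlContext context, SchemaTableName viewName)
    {
        if (!isDatabaseOwner(identity, viewName.getSchemaName())) {
            denyCreateView(viewName.toString());
        }
    }

    /** Renaming a view requires OWNERSHIP on both the current and the new name. */
    @Override
    public void checkCanRenameView(ConnectorTransactionHandle transaction, ConnectorIdentity identity, AccessControlContext context, SchemaTableName viewName, SchemaTableName newViewName)
    {
        if (!checkTablePermission(identity, viewName, OWNERSHIP) || !checkTablePermission(identity, newViewName, OWNERSHIP)) {
            denyRenameView(viewName.toString(), newViewName.toString());
        }
    }

    @Override
    public void checkCanDropView(ConnectorTransactionHandle transaction, ConnectorIdentity identity, AccessControlContext context, SchemaTableName viewName)
    {
        if (!checkTablePermission(identity, viewName, OWNERSHIP)) {
            denyDropView(viewName.toString());
        }
    }

    /**
     * A view definer needs both SELECT and GRANT_SELECT on every underlying table,
     * since the view re-exposes that data to other users. {@code columnNames} is ignored.
     */
    @Override
    public void checkCanCreateViewWithSelectFromColumns(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName, Set<String> columnNames)
    {
        // TODO: implement column level permissions
        if (!checkTablePermission(identity, tableName, SELECT)) {
            denySelectTable(tableName.toString());
        }
        if (!checkTablePermission(identity, tableName, GRANT_SELECT)) {
            denyCreateViewWithSelect(tableName.toString(), identity);
        }
    }

    /** Session properties are deny-by-default; a session-property rule must explicitly allow. */
    @Override
    public void checkCanSetCatalogSessionProperty(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, String propertyName)
    {
        if (!canSetSessionProperty(identity, propertyName)) {
            denySetSessionProperty(propertyName);
        }
    }

    /**
     * GRANT requires OWNERSHIP on the table. The specific privilege being granted,
     * the grantee and the grant option are not examined.
     */
    @Override
    public void checkCanGrantTablePrivilege(ConnectorTransactionHandle transaction, ConnectorIdentity identity, AccessControlContext context, Privilege privilege, SchemaTableName tableName, PrestoPrincipal grantee, boolean withGrantOption)
    {
        if (!checkTablePermission(identity, tableName, OWNERSHIP)) {
            denyGrantTablePrivilege(privilege.name(), tableName.toString());
        }
    }

    /** REVOKE requires OWNERSHIP on the table; privilege, revokee and option are not examined. */
    @Override
    public void checkCanRevokeTablePrivilege(ConnectorTransactionHandle transaction, ConnectorIdentity identity, AccessControlContext context, Privilege privilege, SchemaTableName tableName, PrestoPrincipal revokee, boolean grantOptionFor)
    {
        if (!checkTablePermission(identity, tableName, OWNERSHIP)) {
            denyRevokeTablePrivilege(privilege.name(), tableName.toString());
        }
    }

    // Role operations are not modelled by the rules file: none of the following
    // methods ever deny. Deployers needing role restrictions must enforce them elsewhere.

    @Override
    public void checkCanCreateRole(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, String role, Optional<PrestoPrincipal> grantor)
    {
    }

    @Override
    public void checkCanDropRole(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, String role)
    {
    }

    @Override
    public void checkCanGrantRoles(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, Set<String> roles, Set<PrestoPrincipal> grantees, boolean withAdminOption, Optional<PrestoPrincipal> grantor, String catalogName)
    {
    }

    @Override
    public void checkCanRevokeRoles(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, Set<String> roles, Set<PrestoPrincipal> grantees, boolean adminOptionFor, Optional<PrestoPrincipal> grantor, String catalogName)
    {
    }

    @Override
    public void checkCanSetRole(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, String role, String catalogName)
    {
    }

    @Override
    public void checkCanShowRoles(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, String catalogName)
    {
    }

    @Override
    public void checkCanShowCurrentRoles(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, String catalogName)
    {
    }

    @Override
    public void checkCanShowRoleGrants(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, String catalogName)
    {
    }

    @Override
    public void checkCanDropConstraint(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName)
    {
        if (!checkTablePermission(identity, tableName, OWNERSHIP)) {
            denyDropConstraint(tableName.toString());
        }
    }

    @Override
    public void checkCanAddConstraint(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName)
    {
        if (!checkTablePermission(identity, tableName, OWNERSHIP)) {
            denyAddConstraint(tableName.toString());
        }
    }

    /** No row-level filtering is expressed by the rules file. */
    @Override
    public List<ViewExpression> getRowFilters(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName)
    {
        return ImmutableList.of();
    }

    /** No column masking is expressed by the rules file. */
    @Override
    public Map<ColumnMetadata, ViewExpression> getColumnMasks(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName, List<ColumnMetadata> columns)
    {
        return ImmutableMap.of();
    }

    /**
     * First session-property rule matching (user, property) decides; no match means deny.
     */
    private boolean canSetSessionProperty(ConnectorIdentity identity, String property)
    {
        for (SessionPropertyAccessControlRule rule : sessionPropertyRules) {
            Optional<Boolean> allowed = rule.match(identity.getUser(), property);
            if (allowed.isPresent()) {
                return allowed.get();
            }
        }
        return false;
    }

    /**
     * Returns whether the user holds every one of {@code requiredPrivileges} on the table.
     * <p>
     * Tables in {@code information_schema} are short-circuited to {@code true} for any
     * privilege set. Otherwise the first table rule matching (user, table) decides
     * via its privilege set; if no rule matches the result is {@code false}.
     */
    private boolean checkTablePermission(ConnectorIdentity identity, SchemaTableName tableName, TablePrivilege... requiredPrivileges)
    {
        if (INFORMATION_SCHEMA_NAME.equals(tableName.getSchemaName())) {
            return true;
        }

        for (TableAccessControlRule rule : tableRules) {
            Optional<Set<TablePrivilege>> tablePrivileges = rule.match(identity.getUser(), tableName);
            if (tablePrivileges.isPresent()) {
                return tablePrivileges.get().containsAll(ImmutableSet.copyOf(requiredPrivileges));
            }
        }
        return false;
    }

    /**
     * First schema rule matching (user, schema) decides ownership; no match means not owner.
     */
    private boolean isDatabaseOwner(ConnectorIdentity identity, String schemaName)
    {
        for (SchemaAccessControlRule rule : schemaRules) {
            Optional<Boolean> owner = rule.match(identity.getUser(), schemaName);
            if (owner.isPresent()) {
                return owner.get();
            }
        }
        return false;
    }

    /** Local denial helper; the SPI has no dedicated deny method for catalog session properties. */
    private static void denySetSessionProperty(String propertyName)
    {
        throw new AccessDeniedException("Cannot set catalog session property: " + propertyName);
    }
}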