[trino] Update spi to v427

Incorporates following changes:

Add query start to SystemSecurityContext
trinodb/trino#19141
trinodb/trino@925f7e4

Distinguish SystemAccessControl methods not exposing query id
trinodb/trino#18973
trinodb/trino@1f46063

Signed-off-by: Utkarsh Saxena <[email protected]>

Author: utk-spartan

plugin-trino/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java

@@ -293,18 +293,18 @@ public Set<SchemaTableName> filterTables(SystemSecurityContext context, String c
   /** SYSTEM **/
 
   @Override
-  public void checkCanSetSystemSessionProperty(SystemSecurityContext context, String propertyName) {
-    if (!hasPermission(createSystemPropertyResource(propertyName), context, TrinoAccessType.ALTER)) {
+  public void checkCanSetSystemSessionProperty(Identity identity, String propertyName) {
+    if (!hasPermission(createSystemPropertyResource(propertyName), identity, TrinoAccessType.ALTER)) {
       LOG.debug("RangerSystemAccessControl.checkCanSetSystemSessionProperty denied");
       AccessDeniedException.denySetSystemSessionProperty(propertyName);
     }
   }
 
   @Override
-  public void checkCanImpersonateUser(SystemSecurityContext context, String userName) {
-    if (!hasPermission(createUserResource(userName), context, TrinoAccessType.IMPERSONATE)) {
+  public void checkCanImpersonateUser(Identity identity, String userName) {
+    if (!hasPermission(createUserResource(userName), identity, TrinoAccessType.IMPERSONATE)) {
       LOG.debug("RangerSystemAccessControl.checkCanImpersonateUser(" + userName + ") denied");
-      AccessDeniedException.denyImpersonateUser(context.getIdentity().getUser(), userName);
+      AccessDeniedException.denyImpersonateUser(identity.getUser(), userName);
     }
   }
 
@@ -660,49 +660,49 @@ public Set<String> filterColumns(SystemSecurityContext context, CatalogSchemaTab
 
   /**
    * This is a NOOP. Everyone can execute a query
-   * @param context
+   * @param identity
    */
   @Override
-  public void checkCanExecuteQuery(SystemSecurityContext context) {
+  public void checkCanExecuteQuery(Identity identity) {
   }
 
   @Override
-  public void checkCanViewQueryOwnedBy(SystemSecurityContext context, Identity queryOwner) {
-    if (!hasPermission(createUserResource(queryOwner.getUser()), context, TrinoAccessType.IMPERSONATE)) {
+  public void checkCanViewQueryOwnedBy(Identity identity, Identity queryOwner) {
+    if (!hasPermission(createUserResource(queryOwner.getUser()), identity, TrinoAccessType.IMPERSONATE)) {
       LOG.debug("RangerSystemAccessControl.checkCanViewQueryOwnedBy(" + queryOwner + ") denied");
-      AccessDeniedException.denyImpersonateUser(context.getIdentity().getUser(), queryOwner.getUser());
+      AccessDeniedException.denyImpersonateUser(identity.getUser(), queryOwner.getUser());
     }
   }
 
   /**
    * This is a NOOP, no filtering is applied
    */
   @Override
-  public Collection<Identity> filterViewQueryOwnedBy(SystemSecurityContext context, Collection<Identity> queryOwners) {
+  public Collection<Identity> filterViewQueryOwnedBy(Identity identity, Collection<Identity> queryOwners) {
     return queryOwners;
   }
 
   @Override
-  public void checkCanKillQueryOwnedBy(SystemSecurityContext context, Identity queryOwner) {
-    if (!hasPermission(createUserResource(queryOwner.getUser()), context, TrinoAccessType.IMPERSONATE)) {
+  public void checkCanKillQueryOwnedBy(Identity identity, Identity queryOwner) {
+    if (!hasPermission(createUserResource(queryOwner.getUser()), identity, TrinoAccessType.IMPERSONATE)) {
       LOG.debug("RangerSystemAccessControl.checkCanKillQueryOwnedBy(" + queryOwner + ") denied");
-      AccessDeniedException.denyImpersonateUser(context.getIdentity().getUser(), queryOwner.getUser());
+      AccessDeniedException.denyImpersonateUser(identity.getUser(), queryOwner.getUser());
     }
   }
 
   @Override
-  public void checkCanReadSystemInformation(SystemSecurityContext context) {
-    if (!hasPermission(createUserResource(context.getIdentity().getUser()), context, TrinoAccessType.IMPERSONATE)) {
-      LOG.debug("RangerSystemAccessControl.checkCanReadSystemInformation(" + context.getIdentity().getUser() + ") denied");
-      AccessDeniedException.denyImpersonateUser(context.getIdentity().getUser(), "trino");
+  public void checkCanReadSystemInformation(Identity identity) {
+    if (!hasPermission(createUserResource(identity.getUser()), identity, TrinoAccessType.IMPERSONATE)) {
+      LOG.debug("RangerSystemAccessControl.checkCanReadSystemInformation(" + identity.getUser() + ") denied");
+      AccessDeniedException.denyImpersonateUser(identity.getUser(), "trino");
     }
   }
 
   @Override
-  public void checkCanWriteSystemInformation(SystemSecurityContext context) {
-    if (!hasPermission(createUserResource(context.getIdentity().getUser()), context, TrinoAccessType.IMPERSONATE)) {
-      LOG.debug("RangerSystemAccessControl.checkCanWriteSystemInformation(" + context.getIdentity().getUser() + ") denied");
-      AccessDeniedException.denyImpersonateUser(context.getIdentity().getUser(), "trino");
+  public void checkCanWriteSystemInformation(Identity identity) {
+    if (!hasPermission(createUserResource(identity.getUser()), identity, TrinoAccessType.IMPERSONATE)) {
+      LOG.debug("RangerSystemAccessControl.checkCanWriteSystemInformation(" + identity.getUser() + ") denied");
+      AccessDeniedException.denyImpersonateUser(identity.getUser(), "trino");
     }
   }
 
@@ -766,25 +766,29 @@ public void checkCanExecuteTableProcedure(
   /** HELPER FUNCTIONS **/
 
   private RangerTrinoAccessRequest createAccessRequest(RangerTrinoResource resource, SystemSecurityContext context, TrinoAccessType accessType) {
+    return createAccessRequest(resource, context.getIdentity(), accessType);
+  }
+
+  private RangerTrinoAccessRequest createAccessRequest(RangerTrinoResource resource, Identity identity, TrinoAccessType accessType) {
     Set<String> userGroups = null;
 
     if (useUgi) {
-      UserGroupInformation ugi = UserGroupInformation.createRemoteUser(context.getIdentity().getUser());
+      UserGroupInformation ugi = UserGroupInformation.createRemoteUser(identity.getUser());
 
       String[] groups = ugi != null ? ugi.getGroupNames() : null;
 
       if (groups != null && groups.length > 0) {
         userGroups = new HashSet<>(Arrays.asList(groups));
       }
     } else {
-      userGroups = context.getIdentity().getGroups();
+      userGroups = identity.getGroups();
     }
 
     RangerTrinoAccessRequest request = new RangerTrinoAccessRequest(
-      resource,
-      context.getIdentity().getUser(),
-      userGroups,
-      accessType
+            resource,
+            identity.getUser(),
+            userGroups,
+            accessType
     );
 
     return request;
@@ -803,6 +807,19 @@ private boolean hasPermission(RangerTrinoResource resource, SystemSecurityContex
     return ret;
   }
 
+  private boolean hasPermission(RangerTrinoResource resource, Identity identity, TrinoAccessType accessType) {
+    boolean ret = false;
+
+    RangerTrinoAccessRequest request = createAccessRequest(resource, identity, accessType);
+
+    RangerAccessResult result = rangerPlugin.isAccessAllowed(request);
+    if (result != null && result.getIsAllowed()) {
+      ret = true;
+    }
+
+    return ret;
+  }
+
   private static RangerTrinoResource createUserResource(String userName) {
     RangerTrinoResource res = new RangerTrinoResource();
     res.setValue(RangerTrinoResource.KEY_USER, userName);

plugin-trino/src/test/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControlTest.java

@@ -19,6 +19,7 @@
 
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
+import io.trino.spi.QueryId;
 import io.trino.spi.connector.CatalogSchemaName;
 import io.trino.spi.connector.CatalogSchemaRoutineName;
 import io.trino.spi.connector.CatalogSchemaTableName;
@@ -39,6 +40,7 @@
 import org.junit.Test;
 
 import javax.security.auth.kerberos.KerberosPrincipal;
+import java.time.Instant;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -77,16 +79,16 @@ public static void setUpBeforeClass() throws Exception {
   @SuppressWarnings("PMD")
   public void testCanSetUserOperations() {
     try {
-      accessControlManager.checkCanImpersonateUser(context(alice), bob.getUser());
+      accessControlManager.checkCanImpersonateUser(alice, bob.getUser());
       throw new AssertionError("expected AccessDeniedExeption");
     }
     catch (AccessDeniedException expected) {
     }
 
-    accessControlManager.checkCanImpersonateUser(context(admin), bob.getUser());
+    accessControlManager.checkCanImpersonateUser(admin, bob.getUser());
 
     try {
-      accessControlManager.checkCanImpersonateUser(context(kerberosInvalidAlice), bob.getUser());
+      accessControlManager.checkCanImpersonateUser(kerberosInvalidAlice, bob.getUser());
       throw new AssertionError("expected AccessDeniedExeption");
     }
     catch (AccessDeniedException expected) {
@@ -174,7 +176,7 @@ public void testMisc()
   {
     assertEquals(
             accessControlManager.filterViewQueryOwnedBy(
-                    context(alice),
+                    alice,
                     queryOwners.stream().map(Identity::ofUser).collect(toImmutableSet())),
             queryOwners.stream().map(Identity::ofUser).collect(toImmutableSet())
     );
@@ -197,7 +199,8 @@ public void testMisc()
     accessControlManager.checkCanExecuteProcedure(context(alice), aliceProcedure);
   }
 
+  // TODO: Fix it
   private SystemSecurityContext context(Identity id) {
-    return new SystemSecurityContext(id, Optional.empty());
+    return new SystemSecurityContext(id, QueryId.valueOf("dummy"), Instant.now());
   }
 }

pom.xml

@@ -169,7 +169,7 @@
         <noggit.version>0.8</noggit.version>
         <owasp-java-html-sanitizer.version>r239</owasp-java-html-sanitizer.version>
         <paranamer.version>2.3</paranamer.version>
-        <trino.version>426</trino.version>
+        <trino.version>427</trino.version>
         <poi.version>4.1.2</poi.version>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <protobuf-java.version>2.5.0</protobuf-java.version>

ranger-trino-plugin-shim/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java

@@ -65,10 +65,10 @@ public RangerSystemAccessControl(RangerConfig config) {
   }
 
   @Override
-  public void checkCanSetSystemSessionProperty(SystemSecurityContext context, String propertyName) {
+  public void checkCanSetSystemSessionProperty(Identity identity, String propertyName) {
     try {
       activatePluginClassLoader();
-      systemAccessControlImpl.checkCanSetSystemSessionProperty(context, propertyName);
+      systemAccessControlImpl.checkCanSetSystemSessionProperty(identity, propertyName);
     } finally {
       deactivatePluginClassLoader();
     }
@@ -375,72 +375,72 @@ public void checkCanSetCatalogSessionProperty(SystemSecurityContext context, Str
   }
 
   @Override
-  public void checkCanImpersonateUser(SystemSecurityContext context, String userName) {
+  public void checkCanImpersonateUser(Identity identity, String userName) {
     try {
       activatePluginClassLoader();
-      systemAccessControlImpl.checkCanImpersonateUser(context, userName);
+      systemAccessControlImpl.checkCanImpersonateUser(identity, userName);
     } finally {
       deactivatePluginClassLoader();
     }
   }
 
   @Override
-  public void checkCanExecuteQuery(SystemSecurityContext context) {
+  public void checkCanExecuteQuery(Identity identity) {
     try {
       activatePluginClassLoader();
-      systemAccessControlImpl.checkCanExecuteQuery(context);
+      systemAccessControlImpl.checkCanExecuteQuery(identity);
     } finally {
       deactivatePluginClassLoader();
     }
   }
 
   @Override
-  public void checkCanViewQueryOwnedBy(SystemSecurityContext context, Identity queryOwner) {
+  public void checkCanViewQueryOwnedBy(Identity identity, Identity queryOwner) {
     try {
       activatePluginClassLoader();
-      systemAccessControlImpl.checkCanViewQueryOwnedBy(context, queryOwner);
+      systemAccessControlImpl.checkCanViewQueryOwnedBy(identity, queryOwner);
     } finally {
       deactivatePluginClassLoader();
     }
   }
 
   @Override
-  public Collection<Identity> filterViewQueryOwnedBy(SystemSecurityContext context, Collection<Identity> queryOwners) {
+  public Collection<Identity> filterViewQueryOwnedBy(Identity identity, Collection<Identity> queryOwners) {
     Collection<Identity> filteredQueryOwners;
     try {
       activatePluginClassLoader();
-      filteredQueryOwners = systemAccessControlImpl.filterViewQueryOwnedBy(context, queryOwners);
+      filteredQueryOwners = systemAccessControlImpl.filterViewQueryOwnedBy(identity, queryOwners);
     } finally {
       deactivatePluginClassLoader();
     }
     return filteredQueryOwners;
   }
 
   @Override
-  public void checkCanKillQueryOwnedBy(SystemSecurityContext context, Identity queryOwner) {
+  public void checkCanKillQueryOwnedBy(Identity identity, Identity queryOwner) {
     try {
       activatePluginClassLoader();
-      systemAccessControlImpl.checkCanKillQueryOwnedBy(context, queryOwner);
+      systemAccessControlImpl.checkCanKillQueryOwnedBy(identity, queryOwner);
     } finally {
       deactivatePluginClassLoader();
     }
   }
 
   @Override
-  public void checkCanReadSystemInformation(SystemSecurityContext context) {
+  public void checkCanReadSystemInformation(Identity identity) {
     try {
       activatePluginClassLoader();
-      systemAccessControlImpl.checkCanReadSystemInformation(context);
+      systemAccessControlImpl.checkCanReadSystemInformation(identity);
     } finally {
       deactivatePluginClassLoader();
     }
   }
 
   @Override
-  public void checkCanWriteSystemInformation(SystemSecurityContext context) {
+  public void checkCanWriteSystemInformation(Identity identity) {
     try {
       activatePluginClassLoader();
-      systemAccessControlImpl.checkCanWriteSystemInformation(context);
+      systemAccessControlImpl.checkCanWriteSystemInformation(identity);
     } finally {
       deactivatePluginClassLoader();
     }