diff --git a/.gitignore b/.gitignore index 65e3686fbcb9..9f22cd8fdf2f 100644 --- a/.gitignore +++ b/.gitignore @@ -29,8 +29,8 @@ settings.xml .checkstyle # netbeans -nb-configuration.xml -*/nb-configuration.xml +**/nb-configuration.xml +**/nbproject .mvn/wrapper/maven-wrapper.jar diff --git a/core/pom.xml b/core/pom.xml index 0da66e6f056d..d2fd08e502ca 100644 --- a/core/pom.xml +++ b/core/pom.xml @@ -197,6 +197,11 @@ limitations under the License. sqlline test + + org.mockito + mockito-core + test + diff --git a/core/src/main/java/org/apache/calcite/access/AlwaysPassAuthorization.java b/core/src/main/java/org/apache/calcite/access/AlwaysPassAuthorization.java new file mode 100644 index 000000000000..dbc44a5114e5 --- /dev/null +++ b/core/src/main/java/org/apache/calcite/access/AlwaysPassAuthorization.java @@ -0,0 +1,32 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to you under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.calcite.access; + +/** + * Dummy guard that ensures backward compatibility where all access is granted to schema + */ +public class AlwaysPassAuthorization implements Authorization { + + public static final Authorization INSTANCE = new AlwaysPassAuthorization(); + + @Override public boolean accessGranted(AuthorizationRequest request) { + return true; + } + +} + +// End AlwaysPassAuthorization.java diff --git a/core/src/main/java/org/apache/calcite/access/Authorization.java b/core/src/main/java/org/apache/calcite/access/Authorization.java new file mode 100644 index 000000000000..462f8f3113f2 --- /dev/null +++ b/core/src/main/java/org/apache/calcite/access/Authorization.java @@ -0,0 +1,28 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to you under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.calcite.access; + +/** + * Guard for checking against access types of schema tables or other elements + */ +public interface Authorization { + + boolean accessGranted(AuthorizationRequest request); + +} + +// End Authorization.java diff --git a/core/src/main/java/org/apache/calcite/access/AuthorizationFactory.java b/core/src/main/java/org/apache/calcite/access/AuthorizationFactory.java new file mode 100644 index 000000000000..6faf2b016bb0 --- /dev/null +++ b/core/src/main/java/org/apache/calcite/access/AuthorizationFactory.java @@ -0,0 +1,40 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to you under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.calcite.access; + +import java.util.Map; + +/** + * + * Factory that creates AuthorisationGuard + */ +public interface AuthorizationFactory { + + /** + * Populates this factory with configuration. It is assured that this method is called first, + * before any others on this factory. + */ + void init(Map operand); + + /** + * Creates guard instancee for specific schema configuration + */ + Authorization create(Map operand); + +} + +// End AuthorizationFactory.java diff --git a/core/src/main/java/org/apache/calcite/access/AuthorizationRequest.java b/core/src/main/java/org/apache/calcite/access/AuthorizationRequest.java new file mode 100644 index 000000000000..a7c099cc7bf7 --- /dev/null +++ b/core/src/main/java/org/apache/calcite/access/AuthorizationRequest.java @@ -0,0 +1,72 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to you under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.calcite.access; + +import org.apache.calcite.sql.SqlAccessEnum; +import org.apache.calcite.sql.SqlNode; +import org.apache.calcite.sql.validate.SqlValidatorCatalogReader; +import org.apache.calcite.sql.validate.SqlValidatorTable; + +import java.util.List; + +/** + * Wraps data needed for guard to decide whether access should be granted or not. + */ +public class AuthorizationRequest { + + private final SqlAccessEnum requiredAccess; + private final SqlNode node; + private final SqlValidatorTable table; + private final List objectPath; + private final SqlValidatorCatalogReader catalogReader; + + public AuthorizationRequest( + SqlAccessEnum requiredAccess, + SqlNode node, + SqlValidatorTable table, + List objectPath, + SqlValidatorCatalogReader catalogReader) { + this.requiredAccess = requiredAccess; + this.node = node; + this.table = table; + this.objectPath = objectPath; + this.catalogReader = catalogReader; + } + + public SqlAccessEnum getRequiredAccess() { + return requiredAccess; + } + + public SqlNode getNode() { + return node; + } + + public SqlValidatorTable getTable() { + return table; + } + + public List getObjectPath() { + return objectPath; + } + + public SqlValidatorCatalogReader getCatalogReader() { + return catalogReader; + } + +} + +// End AuthorizationRequest.java diff --git a/core/src/main/java/org/apache/calcite/access/CalcitePrincipal.java b/core/src/main/java/org/apache/calcite/access/CalcitePrincipal.java new file mode 100644 index 000000000000..decf2a05dd58 --- /dev/null +++ b/core/src/main/java/org/apache/calcite/access/CalcitePrincipal.java @@ -0,0 +1,27 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to you under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.calcite.access; + +/** + * Responsible handling principal and its access to schemas + */ +public interface CalcitePrincipal { + + String getName(); +} + +// End CalcitePrincipal.java diff --git a/core/src/main/java/org/apache/calcite/access/CalcitePrincipalFairy.java b/core/src/main/java/org/apache/calcite/access/CalcitePrincipalFairy.java new file mode 100644 index 000000000000..2f00707339ec --- /dev/null +++ b/core/src/main/java/org/apache/calcite/access/CalcitePrincipalFairy.java @@ -0,0 +1,38 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to you under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.calcite.access; + +/** + * Simple placeholder for principal currently "logged in through connection" + */ +public class CalcitePrincipalFairy { + + public static final CalcitePrincipalFairy INSTANCE = new CalcitePrincipalFairy(); + + private static final ThreadLocal THREAD_LOCAL + = new ThreadLocal(); + + public void register(CalcitePrincipal principal) { + THREAD_LOCAL.set(principal); + } + + public CalcitePrincipal get() { + return THREAD_LOCAL.get(); + } +} + +// End CalcitePrincipalFairy.java diff --git a/core/src/main/java/org/apache/calcite/access/CalcitePrincipalImpl.java b/core/src/main/java/org/apache/calcite/access/CalcitePrincipalImpl.java new file mode 100644 index 000000000000..79a47cf895bb --- /dev/null +++ b/core/src/main/java/org/apache/calcite/access/CalcitePrincipalImpl.java @@ -0,0 +1,42 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to you under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.calcite.access; + +import org.apache.commons.lang3.StringUtils; + +/** + * + */ +public class CalcitePrincipalImpl implements CalcitePrincipal { + + public static CalcitePrincipal fromName(String user) { + return StringUtils.isNotBlank(user) ? new CalcitePrincipalImpl(user) : null; + } + + private final String name; + + private CalcitePrincipalImpl(String name) { + this.name = name; + } + + @Override public String getName() { + return name; + } + +} + +// End CalcitePrincipalImpl.java diff --git a/core/src/main/java/org/apache/calcite/access/PrincipalBasedAuthFactory.java b/core/src/main/java/org/apache/calcite/access/PrincipalBasedAuthFactory.java new file mode 100644 index 000000000000..71f6675c378d --- /dev/null +++ b/core/src/main/java/org/apache/calcite/access/PrincipalBasedAuthFactory.java @@ -0,0 +1,59 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to you under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.calcite.access; + +import org.apache.calcite.sql.SqlAccessType; + +import java.util.HashMap; +import java.util.HashSet; +import java.util.Map; +import java.util.Set; +import java.util.regex.Pattern; + +/** + * Factory of principal based access + */ +public class PrincipalBasedAuthFactory implements AuthorizationFactory { + + private static final Pattern OWNER_PATTERN = Pattern.compile("\\s*OWNER\\s*"); + + @Override public void init(Map operand) { + } + + @Override public Authorization create(Map operand) { + Map accessMap = new HashMap<>(); + Set owners = new HashSet<>(); + convert(operand, accessMap, owners); + return new PrincipalBasedAuthorization(CalcitePrincipalFairy.INSTANCE, accessMap, owners); + } + + private void convert( + Map operand, + Map accessMap, + Set owners) { + for (Map.Entry entry : operand.entrySet()) { + if (OWNER_PATTERN.matcher(entry.getValue()).matches()) { + owners.add(entry.getKey()); + } else { + accessMap.put(entry.getKey(), SqlAccessType.create(entry.getValue())); + } + } + } + +} + +// End PrincipalBasedAuthFactory.java diff --git a/core/src/main/java/org/apache/calcite/access/PrincipalBasedAuthorization.java b/core/src/main/java/org/apache/calcite/access/PrincipalBasedAuthorization.java new file mode 100644 index 000000000000..e18b44908119 --- /dev/null +++ b/core/src/main/java/org/apache/calcite/access/PrincipalBasedAuthorization.java @@ -0,0 +1,94 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to you under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.calcite.access; + +import org.apache.calcite.jdbc.CalciteSchema; +import org.apache.calcite.sql.SqlAccessType; +import org.apache.calcite.sql.validate.SqlValidatorUtil; + +import com.google.common.collect.ImmutableSet; + +import java.util.List; +import java.util.Map; +import java.util.Set; + +/** + * Guard that checks whether principal has required access to schema + */ +public class PrincipalBasedAuthorization implements Authorization { + + private final Map accessMap; + private final Set owners; + private final CalcitePrincipalFairy fairy; + + public PrincipalBasedAuthorization( + CalcitePrincipalFairy fairy, + Map accessMap, + Set owners) { + this.accessMap = accessMap; + this.fairy = fairy; + this.owners = ImmutableSet.copyOf(owners); + } + + @Override public boolean accessGranted(AuthorizationRequest request) { + CalcitePrincipal principal = fairy.get(); + return accessGranted(principal, request); + } + + private boolean accessGranted(CalcitePrincipal principal, AuthorizationRequest request) { + // If no principal - this authorization assumes no access granted + if (principal == null) { + return false; + } + // owners are always authorized to all requests + if (owners.contains(principal.getName())) { + return true; + } + // otherwise check in user to access type map + if (accessMap.getOrDefault(principal.getName(), SqlAccessType.NONE) + .allowsAccess(request.getRequiredAccess())) { + return true; + } + // otherwise check if view and check authorization for owner of view schema + if (request.getObjectPath() != null && !request.getObjectPath().isEmpty()) { + List path = request.getObjectPath().subList(0, request.getObjectPath().size() - 1); + CalciteSchema schema = SqlValidatorUtil.getSchema( + request.getCatalogReader().getRootSchema(), + path, + request.getCatalogReader().nameMatcher()); + PrincipalBasedAuthorization authorization + = (PrincipalBasedAuthorization) schema.getAuthorization(); + for (String ownerName : authorization.getOwners()) { + if (accessGranted(mockedPrincipal(ownerName), request)) { + return true; + } + } + } + return false; + } + + public Set getOwners() { + return owners; + } + + private CalcitePrincipal mockedPrincipal(String ownerName) { + return CalcitePrincipalImpl.fromName(ownerName); + } + +} + +// End PrincipalBasedAuthorization.java diff --git a/core/src/main/java/org/apache/calcite/access/package-info.java b/core/src/main/java/org/apache/calcite/access/package-info.java new file mode 100644 index 000000000000..4fe67277ad82 --- /dev/null +++ b/core/src/main/java/org/apache/calcite/access/package-info.java @@ -0,0 +1,26 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to you under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/** + * Authorization and identity logic is here. + */ +@PackageMarker +package org.apache.calcite.access; + +import org.apache.calcite.avatica.util.PackageMarker; + +// End package-info.java diff --git a/core/src/main/java/org/apache/calcite/adapter/enumerable/RexImpTable.java b/core/src/main/java/org/apache/calcite/adapter/enumerable/RexImpTable.java index ada433324d5d..f3c198e4b32e 100644 --- a/core/src/main/java/org/apache/calcite/adapter/enumerable/RexImpTable.java +++ b/core/src/main/java/org/apache/calcite/adapter/enumerable/RexImpTable.java @@ -16,6 +16,8 @@ */ package org.apache.calcite.adapter.enumerable; +import org.apache.calcite.access.CalcitePrincipal; +import org.apache.calcite.access.CalcitePrincipalFairy; import org.apache.calcite.avatica.util.DateTimeUtils; import org.apache.calcite.avatica.util.TimeUnit; import org.apache.calcite.avatica.util.TimeUnitRange; @@ -483,11 +485,12 @@ public Expression implement(RexToLixTranslator translator, new MethodImplementor(BuiltInMethod.IS_JSON_SCALAR.method)), false); // System functions - final SystemFunctionImplementor systemFunctionImplementor = - new SystemFunctionImplementor(); - map.put(USER, systemFunctionImplementor); - map.put(CURRENT_USER, systemFunctionImplementor); - map.put(SESSION_USER, systemFunctionImplementor); + final UserFunctionImplementor userFunctionImplementor = new UserFunctionImplementor(); + map.put(USER, userFunctionImplementor); + map.put(CURRENT_USER, userFunctionImplementor); + map.put(SESSION_USER, userFunctionImplementor); + final SystemFunctionImplementor systemFunctionImplementor + = new SystemFunctionImplementor(); map.put(SYSTEM_USER, systemFunctionImplementor); map.put(CURRENT_PATH, systemFunctionImplementor); map.put(CURRENT_ROLE, systemFunctionImplementor); @@ -2483,11 +2486,7 @@ public Expression implement( } final SqlOperator op = call.getOperator(); final Expression root = translator.getRoot(); - if (op == CURRENT_USER - || op == SESSION_USER - || op == USER) { - return Expressions.constant("sa"); - } else if (op == SYSTEM_USER) { + if (op == SYSTEM_USER) { return Expressions.constant(System.getProperty("user.name")); } else if (op == CURRENT_PATH || op == CURRENT_ROLE @@ -2511,8 +2510,25 @@ public Expression implement( } } - /** Implements "IS XXX" operations such as "IS NULL" - * or "IS NOT TRUE". + /** + * Implementation of user functions which deduce user from connection properties + */ + private static class UserFunctionImplementor implements CallImplementor { + + @Override public Expression implement( + RexToLixTranslator translator, + RexCall call, + NullAs nullAs) { + CalcitePrincipal principal = CalcitePrincipalFairy.INSTANCE.get(); + return principal != null + ? Expressions.constant(principal.getName()) + : Expressions.constant(System.getProperty("user.name")); + } + + } + + /** + * Implements "IS XXX" operations such as "IS NULL" or "IS NOT TRUE". * *

What these operators have in common:

* 1. They return TRUE or FALSE, never NULL. diff --git a/core/src/main/java/org/apache/calcite/config/CalciteConnectionConfig.java b/core/src/main/java/org/apache/calcite/config/CalciteConnectionConfig.java index b366aeac291c..f709d47f4832 100644 --- a/core/src/main/java/org/apache/calcite/config/CalciteConnectionConfig.java +++ b/core/src/main/java/org/apache/calcite/config/CalciteConnectionConfig.java @@ -70,6 +70,10 @@ public interface CalciteConnectionConfig extends ConnectionConfig { T typeSystem(Class typeSystemClass, T defaultTypeSystem); /** @see CalciteConnectionProperty#CONFORMANCE */ SqlConformance conformance(); + /** + * @see CalciteConnectionProperty#USER + */ + String user(); } // End CalciteConnectionConfig.java diff --git a/core/src/main/java/org/apache/calcite/config/CalciteConnectionConfigImpl.java b/core/src/main/java/org/apache/calcite/config/CalciteConnectionConfigImpl.java index 6c176b8669de..a103bd10b5c5 100644 --- a/core/src/main/java/org/apache/calcite/config/CalciteConnectionConfigImpl.java +++ b/core/src/main/java/org/apache/calcite/config/CalciteConnectionConfigImpl.java @@ -86,6 +86,12 @@ public NullCollation defaultNullCollation() { .getEnum(NullCollation.class, NullCollation.HIGH); } + public String user() { + return CalciteConnectionProperty.USER + .wrap(properties) + .getString(); + } + public T fun(Class operatorTableClass, T defaultOperatorTable) { final String fun = CalciteConnectionProperty.FUN.wrap(properties).getString(); diff --git a/core/src/main/java/org/apache/calcite/config/CalciteConnectionProperty.java b/core/src/main/java/org/apache/calcite/config/CalciteConnectionProperty.java index dea9200ac770..f259afd38558 100644 --- a/core/src/main/java/org/apache/calcite/config/CalciteConnectionProperty.java +++ b/core/src/main/java/org/apache/calcite/config/CalciteConnectionProperty.java @@ -141,7 +141,9 @@ public enum CalciteConnectionProperty implements ConnectionProperty { TYPE_SYSTEM("typeSystem", Type.PLUGIN, null, false), /** SQL conformance level. */ - CONFORMANCE("conformance", Type.ENUM, SqlConformanceEnum.DEFAULT, false); + CONFORMANCE("conformance", Type.ENUM, SqlConformanceEnum.DEFAULT, false), + + USER("user", Type.STRING, null, false); private final String camelName; private final Type type; diff --git a/core/src/main/java/org/apache/calcite/jdbc/CachingCalciteSchema.java b/core/src/main/java/org/apache/calcite/jdbc/CachingCalciteSchema.java index 486f0d2650f6..76af92992cb0 100644 --- a/core/src/main/java/org/apache/calcite/jdbc/CachingCalciteSchema.java +++ b/core/src/main/java/org/apache/calcite/jdbc/CachingCalciteSchema.java @@ -16,6 +16,7 @@ */ package org.apache.calcite.jdbc; +import org.apache.calcite.access.Authorization; import org.apache.calcite.rel.type.RelProtoDataType; import org.apache.calcite.schema.Function; import org.apache.calcite.schema.Schema; @@ -252,6 +253,7 @@ protected CalciteSchema snapshot(CalciteSchema parent, SchemaVersion version) { CalciteSchema subSchemaSnapshot = subSchema.snapshot(snapshot, version); snapshot.subSchemaMap.put(subSchema.name, subSchemaSnapshot); } + snapshot.setGuard(getAuthorization()); return snapshot; } @@ -327,8 +329,7 @@ private static class SubSchemaCache { private SubSchemaCache(final CalciteSchema calciteSchema, Set names) { this.names = NameSet.immutableCopyOf(names); - this.cache = CacheBuilder.newBuilder().build( - new CacheLoader() { + this.cache = CacheBuilder.newBuilder().build(new CacheLoader() { @SuppressWarnings("NullableProblems") @Override public CalciteSchema load(String schemaName) { final Schema subSchema = @@ -337,7 +338,14 @@ private SubSchemaCache(final CalciteSchema calciteSchema, throw new RuntimeException("sub-schema " + schemaName + " not found"); } - return new CachingCalciteSchema(calciteSchema, subSchema, schemaName); + CachingCalciteSchema cache + = new CachingCalciteSchema(calciteSchema, subSchema, schemaName); + try { + Authorization guard + = calciteSchema.subSchemaMap.map().get(schemaName).getAuthorization(); + cache.setGuard(guard); + } catch (NullPointerException e) { } + return cache; } }); } diff --git a/core/src/main/java/org/apache/calcite/jdbc/CalciteConnectionImpl.java b/core/src/main/java/org/apache/calcite/jdbc/CalciteConnectionImpl.java index 7df8c3ee5133..67e68900e3ab 100644 --- a/core/src/main/java/org/apache/calcite/jdbc/CalciteConnectionImpl.java +++ b/core/src/main/java/org/apache/calcite/jdbc/CalciteConnectionImpl.java @@ -17,6 +17,9 @@ package org.apache.calcite.jdbc; import org.apache.calcite.DataContext; +import org.apache.calcite.access.CalcitePrincipal; +import org.apache.calcite.access.CalcitePrincipalFairy; +import org.apache.calcite.access.CalcitePrincipalImpl; import org.apache.calcite.adapter.java.JavaTypeFactory; import org.apache.calcite.avatica.AvaticaConnection; import org.apache.calcite.avatica.AvaticaFactory; @@ -82,6 +85,8 @@ import java.util.TimeZone; import java.util.concurrent.atomic.AtomicBoolean; +import static org.apache.commons.lang3.StringUtils.isBlank; + /** * Implementation of JDBC connection * in the Calcite engine. @@ -143,6 +148,10 @@ protected CalciteConnectionImpl(Driver driver, AvaticaFactory factory, this.properties.put(InternalProperty.UNQUOTED_CASING, cfg.unquotedCasing()); this.properties.put(InternalProperty.QUOTED_CASING, cfg.quotedCasing()); this.properties.put(InternalProperty.QUOTING, cfg.quoting()); + String username = cfg.user(); + if (!isBlank(username)) { + CalcitePrincipalFairy.INSTANCE.register(CalcitePrincipalImpl.fromName(username)); + } } CalciteMetaImpl meta() { @@ -552,6 +561,10 @@ public CalcitePrepare.SparkHandler spark() { final boolean enable = config().spark(); return CalcitePrepare.Dummy.getSparkHandler(enable); } + + public CalcitePrincipal getPrincipal() { + return CalcitePrincipalImpl.fromName(connection.config().user()); + } } /** Implementation of {@link DataContext} that has few variables and is diff --git a/core/src/main/java/org/apache/calcite/jdbc/CalcitePrepare.java b/core/src/main/java/org/apache/calcite/jdbc/CalcitePrepare.java index afc5252ae379..2ac66a0c43d6 100644 --- a/core/src/main/java/org/apache/calcite/jdbc/CalcitePrepare.java +++ b/core/src/main/java/org/apache/calcite/jdbc/CalcitePrepare.java @@ -127,6 +127,7 @@ interface Context { /** Gets a runner; it can execute a relational expression. */ RelRunner getRelRunner(); + } /** Callback to register Spark as the main engine. */ diff --git a/core/src/main/java/org/apache/calcite/jdbc/CalciteSchema.java b/core/src/main/java/org/apache/calcite/jdbc/CalciteSchema.java index fa25f695dfc6..3c25d3b43880 100644 --- a/core/src/main/java/org/apache/calcite/jdbc/CalciteSchema.java +++ b/core/src/main/java/org/apache/calcite/jdbc/CalciteSchema.java @@ -16,6 +16,8 @@ */ package org.apache.calcite.jdbc; +import org.apache.calcite.access.AlwaysPassAuthorization; +import org.apache.calcite.access.Authorization; import org.apache.calcite.linq4j.function.Experimental; import org.apache.calcite.linq4j.tree.Expression; import org.apache.calcite.materialize.Lattice; @@ -68,6 +70,7 @@ public abstract class CalciteSchema { protected final NameMap nullaryFunctionMap; protected final NameMap subSchemaMap; private List> path; + private Authorization guard = AlwaysPassAuthorization.INSTANCE; protected CalciteSchema(CalciteSchema parent, Schema schema, String name, NameMap subSchemaMap, @@ -538,6 +541,14 @@ public boolean removeType(String name) { return typeMap.remove(name) != null; } + public void setGuard(Authorization guard) { + this.guard = guard; + } + + public Authorization getAuthorization() { + return guard; + } + /** * Entry in a schema, such as a table or sub-schema. * @@ -717,6 +728,10 @@ public void add(String name, RelProtoDataType type) { public void add(String name, Lattice lattice) { CalciteSchema.this.add(name, lattice); } + + @Override public void setAuthorization(Authorization guard) { + CalciteSchema.this.setGuard(guard); + } } /** diff --git a/core/src/main/java/org/apache/calcite/model/JsonAuthorization.java b/core/src/main/java/org/apache/calcite/model/JsonAuthorization.java new file mode 100644 index 000000000000..4c5ced627476 --- /dev/null +++ b/core/src/main/java/org/apache/calcite/model/JsonAuthorization.java @@ -0,0 +1,42 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to you under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.calcite.model; + +import java.util.Map; + +/** + * JSON element that represents access definition to defined schema + */ +public class JsonAuthorization { + /** Name of the factory class implementing Access level logic to schema + * + *

Required + */ + public String factory; + + /** Contains attributes to be passed to the factory. + * + *

May be a JSON object (represented as Map) or null. + */ + public Map operand; + + public void accept(ModelHandler modelHandler) { + modelHandler.visit(this); + } +} + +// End JsonAuthorization.java diff --git a/core/src/main/java/org/apache/calcite/model/JsonRoot.java b/core/src/main/java/org/apache/calcite/model/JsonRoot.java index 7d45013d9d53..b13d8ea0919f 100644 --- a/core/src/main/java/org/apache/calcite/model/JsonRoot.java +++ b/core/src/main/java/org/apache/calcite/model/JsonRoot.java @@ -60,6 +60,11 @@ public class JsonRoot { */ public String defaultSchema; + /** + * Factory for authorization logic + */ + public JsonAuthorization authorization; + /** List of schema elements. * *

The list may be empty. diff --git a/core/src/main/java/org/apache/calcite/model/JsonSchema.java b/core/src/main/java/org/apache/calcite/model/JsonSchema.java index ce9c8013faa5..e9e79948fbea 100644 --- a/core/src/main/java/org/apache/calcite/model/JsonSchema.java +++ b/core/src/main/java/org/apache/calcite/model/JsonSchema.java @@ -21,6 +21,7 @@ import java.util.ArrayList; import java.util.List; +import java.util.Map; /** * Schema schema element. @@ -61,6 +62,11 @@ public abstract class JsonSchema { */ public List path; + /** + * Config with authorization definition for this schema, used by AuthorizationFactory + */ + public Map authConfig; + /** * List of tables in this schema that are materializations of queries. * diff --git a/core/src/main/java/org/apache/calcite/model/ModelHandler.java b/core/src/main/java/org/apache/calcite/model/ModelHandler.java index afd11f46e004..f97a35ce5268 100644 --- a/core/src/main/java/org/apache/calcite/model/ModelHandler.java +++ b/core/src/main/java/org/apache/calcite/model/ModelHandler.java @@ -16,6 +16,8 @@ */ package org.apache.calcite.model; +import org.apache.calcite.access.Authorization; +import org.apache.calcite.access.AuthorizationFactory; import org.apache.calcite.adapter.jdbc.JdbcSchema; import org.apache.calcite.avatica.AvaticaUtils; import org.apache.calcite.jdbc.CalciteConnection; @@ -75,6 +77,7 @@ public class ModelHandler { private final CalciteConnection connection; private final Deque> schemaStack = new ArrayDeque<>(); private final String modelUri; + private AuthorizationFactory authFactory; Lattice.Builder latticeBuilder; Lattice.TileBuilder tileBuilder; @@ -204,6 +207,10 @@ public void visit(JsonRoot jsonRoot) { final Pair pair = Pair.of(null, connection.getRootSchema()); schemaStack.push(pair); + if (jsonRoot.authorization != null) { + // not the real visitor pattern, but better readability + visit(jsonRoot.authorization); + } for (JsonSchema schema : jsonRoot.schemas) { schema.accept(this); } @@ -218,6 +225,13 @@ public void visit(JsonRoot jsonRoot) { } } + public void visit(JsonAuthorization authorization) { + authFactory = AvaticaUtils.instantiatePlugin( + AuthorizationFactory.class, + authorization.factory); + authFactory.init(authorization.operand); + } + public void visit(JsonMapSchema jsonSchema) { checkRequiredAttributes(jsonSchema, "name"); final SchemaPlus parentSchema = currentMutableSchema("schema"); @@ -269,6 +283,11 @@ private void populateSchema(JsonSchema jsonSchema, SchemaPlus schema) { jsonSchema.visitChildren(this); final Pair p = schemaStack.pop(); assert p == pair; + if (authFactory != null) { + Authorization authorization = authFactory.create( + jsonSchema == null ? Collections.emptyMap() : jsonSchema.authConfig); + schema.setAuthorization(authorization); + } } public void visit(JsonCustomSchema jsonSchema) { diff --git a/core/src/main/java/org/apache/calcite/plan/RelOptSchema.java b/core/src/main/java/org/apache/calcite/plan/RelOptSchema.java index 1b682fff027b..17bccd1ab67f 100644 --- a/core/src/main/java/org/apache/calcite/plan/RelOptSchema.java +++ b/core/src/main/java/org/apache/calcite/plan/RelOptSchema.java @@ -16,6 +16,7 @@ */ package org.apache.calcite.plan; +import org.apache.calcite.access.Authorization; import org.apache.calcite.rel.type.RelDataTypeFactory; import java.util.List; @@ -51,6 +52,9 @@ public interface RelOptSchema { * {@link RelOptPlanner#registerSchema}. */ void registerRules(RelOptPlanner planner) throws Exception; + + /** Access guard configured for this schema */ + Authorization getAuthorization(); } // End RelOptSchema.java diff --git a/core/src/main/java/org/apache/calcite/prepare/CalciteCatalogReader.java b/core/src/main/java/org/apache/calcite/prepare/CalciteCatalogReader.java index 968523900a65..2f5a80f7536f 100644 --- a/core/src/main/java/org/apache/calcite/prepare/CalciteCatalogReader.java +++ b/core/src/main/java/org/apache/calcite/prepare/CalciteCatalogReader.java @@ -16,6 +16,7 @@ */ package org.apache.calcite.prepare; +import org.apache.calcite.access.Authorization; import org.apache.calcite.config.CalciteConnectionConfig; import org.apache.calcite.jdbc.CalciteSchema; import org.apache.calcite.jdbc.JavaTypeFactoryImpl; @@ -409,6 +410,10 @@ public SqlNameMatcher nameMatcher() { } return null; } + + @Override public Authorization getAuthorization() { + return rootSchema.getAuthorization(); + } } // End CalciteCatalogReader.java diff --git a/core/src/main/java/org/apache/calcite/prepare/CalcitePrepareImpl.java b/core/src/main/java/org/apache/calcite/prepare/CalcitePrepareImpl.java index 90979c4938f3..2367a54efd8f 100644 --- a/core/src/main/java/org/apache/calcite/prepare/CalcitePrepareImpl.java +++ b/core/src/main/java/org/apache/calcite/prepare/CalcitePrepareImpl.java @@ -16,6 +16,7 @@ */ package org.apache.calcite.prepare; +import org.apache.calcite.DataContext; import org.apache.calcite.adapter.enumerable.EnumerableBindable; import org.apache.calcite.adapter.enumerable.EnumerableCalc; import org.apache.calcite.adapter.enumerable.EnumerableConvention; @@ -132,6 +133,7 @@ import org.apache.calcite.sql2rel.SqlToRelConverter; import org.apache.calcite.sql2rel.StandardConvertletTable; import org.apache.calcite.tools.Frameworks; +import org.apache.calcite.tools.RelRunner; import org.apache.calcite.util.ImmutableIntList; import org.apache.calcite.util.Pair; import org.apache.calcite.util.Util; @@ -849,7 +851,7 @@ private SqlValidator createSqlValidator(Context context, final JavaTypeFactory typeFactory = context.getTypeFactory(); final SqlConformance conformance = context.config().conformance(); return new CalciteSqlValidator(opTab, catalogReader, typeFactory, - conformance); + conformance, context.getObjectPath()); } private List getColumnMetaDataList( @@ -1178,7 +1180,8 @@ private PreparedResult prepare_(Supplier fn, // View may have different schema path than current connection. final CatalogReader catalogReader = this.catalogReader.withSchemaPath(schemaPath); - SqlValidator validator = createSqlValidator(catalogReader); + Context expandViewContext = createExpandViewContext(context, viewPath); + SqlValidator validator = createSqlValidator(catalogReader, expandViewContext); final SqlToRelConverter.Config config = SqlToRelConverter.configBuilder() .withTrimUnusedFields(true).build(); SqlToRelConverter sqlToRelConverter = @@ -1190,14 +1193,15 @@ private PreparedResult prepare_(Supplier fn, return root; } - protected SqlValidator createSqlValidator(CatalogReader catalogReader) { - return prepare.createSqlValidator(context, - (CalciteCatalogReader) catalogReader); + protected SqlValidator createSqlValidator( + CatalogReader catalogReader, + CalcitePrepare.Context context) { + return prepare.createSqlValidator(context, (CalciteCatalogReader) catalogReader); } @Override protected SqlValidator getSqlValidator() { if (sqlValidator == null) { - sqlValidator = createSqlValidator(catalogReader); + sqlValidator = createSqlValidator(catalogReader, context); } return sqlValidator; } @@ -1288,6 +1292,46 @@ public Type getElementType() { @Override protected List getLattices() { return Schemas.getLatticeEntries(schema); } + + private Context createExpandViewContext(final Context context, final List viewPath) { + return new Context() { + @Override public JavaTypeFactory getTypeFactory() { + return context.getTypeFactory(); + } + + @Override public CalciteSchema getRootSchema() { + return context.getRootSchema(); + } + + @Override public CalciteSchema getMutableRootSchema() { + return context.getMutableRootSchema(); + } + + @Override public List getDefaultSchemaPath() { + return context.getDefaultSchemaPath(); + } + + @Override public CalciteConnectionConfig config() { + return context.config(); + } + + @Override public SparkHandler spark() { + return context.spark(); + } + + @Override public DataContext getDataContext() { + return context.getDataContext(); + } + + @Override public List getObjectPath() { + return viewPath; + } + + @Override public RelRunner getRelRunner() { + return context.getRelRunner(); + } + }; + } } /** An {@code EXPLAIN} statement, prepared and ready to execute. */ diff --git a/core/src/main/java/org/apache/calcite/prepare/CalciteSqlValidator.java b/core/src/main/java/org/apache/calcite/prepare/CalciteSqlValidator.java index 4445f4363cf3..e4543d43ff8d 100644 --- a/core/src/main/java/org/apache/calcite/prepare/CalciteSqlValidator.java +++ b/core/src/main/java/org/apache/calcite/prepare/CalciteSqlValidator.java @@ -23,12 +23,23 @@ import org.apache.calcite.sql.validate.SqlConformance; import org.apache.calcite.sql.validate.SqlValidatorImpl; +import java.util.List; + /** Validator. */ class CalciteSqlValidator extends SqlValidatorImpl { + + private final List objectPath; + CalciteSqlValidator(SqlOperatorTable opTab, CalciteCatalogReader catalogReader, JavaTypeFactory typeFactory, - SqlConformance conformance) { + SqlConformance conformance, + List objectPath) { super(opTab, catalogReader, typeFactory, conformance); + this.objectPath = objectPath; + } + + @Override protected List getObjectPath() { + return objectPath; } @Override protected RelDataType getLogicalSourceRowType( diff --git a/core/src/main/java/org/apache/calcite/prepare/PlannerImpl.java b/core/src/main/java/org/apache/calcite/prepare/PlannerImpl.java index 382b2d790817..a7a35dafb4db 100644 --- a/core/src/main/java/org/apache/calcite/prepare/PlannerImpl.java +++ b/core/src/main/java/org/apache/calcite/prepare/PlannerImpl.java @@ -55,6 +55,7 @@ import com.google.common.collect.ImmutableList; +import java.util.Collections; import java.util.List; import java.util.Properties; @@ -181,7 +182,7 @@ public SqlNode validate(SqlNode sqlNode) throws ValidationException { final CalciteCatalogReader catalogReader = createCatalogReader(); this.validator = new CalciteSqlValidator(operatorTable, catalogReader, typeFactory, - conformance); + conformance, Collections.emptyList()); this.validator.setIdentifierExpansion(true); try { validatedSqlNode = validator.validate(sqlNode); @@ -273,7 +274,7 @@ public RelRoot expandView(RelDataType rowType, String queryString, createCatalogReader().withSchemaPath(schemaPath); final SqlValidator validator = new CalciteSqlValidator(operatorTable, catalogReader, typeFactory, - conformance); + conformance, viewPath); validator.setIdentifierExpansion(true); final RexBuilder rexBuilder = createRexBuilder(); diff --git a/core/src/main/java/org/apache/calcite/prepare/RelOptTableImpl.java b/core/src/main/java/org/apache/calcite/prepare/RelOptTableImpl.java index aeeca3d17a49..96b9761eba3e 100644 --- a/core/src/main/java/org/apache/calcite/prepare/RelOptTableImpl.java +++ b/core/src/main/java/org/apache/calcite/prepare/RelOptTableImpl.java @@ -16,6 +16,7 @@ */ package org.apache.calcite.prepare; +import org.apache.calcite.access.Authorization; import org.apache.calcite.adapter.enumerable.EnumerableTableScan; import org.apache.calcite.jdbc.CalciteSchema; import org.apache.calcite.linq4j.tree.Expression; @@ -51,7 +52,6 @@ import org.apache.calcite.schema.Table; import org.apache.calcite.schema.TranslatableTable; import org.apache.calcite.schema.Wrapper; -import org.apache.calcite.sql.SqlAccessType; import org.apache.calcite.sql.validate.SqlModality; import org.apache.calcite.sql.validate.SqlMonotonicity; import org.apache.calcite.sql2rel.InitializerExpressionFactory; @@ -345,10 +345,6 @@ public SqlMonotonicity getMonotonicity(String columnName) { return SqlMonotonicity.NOT_MONOTONIC; } - public SqlAccessType getAllowedAccess() { - return SqlAccessType.ALL; - } - /** Helper for {@link #getColumnStrategies()}. */ public static List columnStrategies(final RelOptTable table) { final int fieldCount = table.getRowType().getFieldCount(); @@ -517,6 +513,10 @@ public static MySchemaPlus create(Path path) { @Override public Schema snapshot(SchemaVersion version) { throw new UnsupportedOperationException(); } + + @Override public void setAuthorization(Authorization guard) { + throw new UnsupportedOperationException("Not supported yet."); + } } } diff --git a/core/src/main/java/org/apache/calcite/schema/SchemaPlus.java b/core/src/main/java/org/apache/calcite/schema/SchemaPlus.java index 7e966fc5c127..fe5bf8165376 100644 --- a/core/src/main/java/org/apache/calcite/schema/SchemaPlus.java +++ b/core/src/main/java/org/apache/calcite/schema/SchemaPlus.java @@ -16,6 +16,7 @@ */ package org.apache.calcite.schema; +import org.apache.calcite.access.Authorization; import org.apache.calcite.materialize.Lattice; import org.apache.calcite.rel.type.RelProtoDataType; @@ -85,6 +86,9 @@ public interface SchemaPlus extends Schema { void setCacheEnabled(boolean cache); boolean isCacheEnabled(); + + /** Registers guard for this schema */ + void setAuthorization(Authorization authorization); } // End SchemaPlus.java diff --git a/core/src/main/java/org/apache/calcite/schema/Schemas.java b/core/src/main/java/org/apache/calcite/schema/Schemas.java index b3033584d9b1..15d8ebddc0d2 100644 --- a/core/src/main/java/org/apache/calcite/schema/Schemas.java +++ b/core/src/main/java/org/apache/calcite/schema/Schemas.java @@ -420,6 +420,7 @@ public CalcitePrepare.SparkHandler spark() { final boolean enable = config().spark(); return CalcitePrepare.Dummy.getSparkHandler(enable); } + }; } diff --git a/core/src/main/java/org/apache/calcite/schema/impl/MaterializedViewTable.java b/core/src/main/java/org/apache/calcite/schema/impl/MaterializedViewTable.java index 5121221f3046..a1f2d502e605 100644 --- a/core/src/main/java/org/apache/calcite/schema/impl/MaterializedViewTable.java +++ b/core/src/main/java/org/apache/calcite/schema/impl/MaterializedViewTable.java @@ -35,6 +35,7 @@ import java.sql.SQLException; import java.util.List; import java.util.Objects; +import java.util.Properties; /** * Table that is a materialized view. @@ -56,7 +57,9 @@ public class MaterializedViewTable extends ViewTable { static { try { - MATERIALIZATION_CONNECTION = DriverManager.getConnection("jdbc:calcite:") + final Properties info = new Properties(); + info.setProperty("caseSensitive", "false"); + MATERIALIZATION_CONNECTION = DriverManager.getConnection("jdbc:calcite:", info) .unwrap(CalciteConnection.class); } catch (SQLException e) { throw new RuntimeException(e); diff --git a/core/src/main/java/org/apache/calcite/sql/SqlAccessEnum.java b/core/src/main/java/org/apache/calcite/sql/SqlAccessEnum.java index fbbfc2577122..64691103eaf1 100644 --- a/core/src/main/java/org/apache/calcite/sql/SqlAccessEnum.java +++ b/core/src/main/java/org/apache/calcite/sql/SqlAccessEnum.java @@ -20,7 +20,7 @@ * Enumeration representing different access types */ public enum SqlAccessEnum { - SELECT, UPDATE, INSERT, DELETE; + SELECT, UPDATE, INSERT, DELETE } // End SqlAccessEnum.java diff --git a/core/src/main/java/org/apache/calcite/sql/SqlAccessType.java b/core/src/main/java/org/apache/calcite/sql/SqlAccessType.java index 5efab8405be8..e7f0aab3ff80 100644 --- a/core/src/main/java/org/apache/calcite/sql/SqlAccessType.java +++ b/core/src/main/java/org/apache/calcite/sql/SqlAccessType.java @@ -31,6 +31,8 @@ public class SqlAccessType { new SqlAccessType(EnumSet.of(SqlAccessEnum.SELECT)); public static final SqlAccessType WRITE_ONLY = new SqlAccessType(EnumSet.of(SqlAccessEnum.INSERT)); + public static final SqlAccessType NONE = + new SqlAccessType(EnumSet.noneOf(SqlAccessEnum.class)); //~ Instance fields -------------------------------------------------------- diff --git a/core/src/main/java/org/apache/calcite/sql/validate/DelegatingSqlValidatorTable.java b/core/src/main/java/org/apache/calcite/sql/validate/DelegatingSqlValidatorTable.java index 2a3e352e5200..e42d9add70cf 100644 --- a/core/src/main/java/org/apache/calcite/sql/validate/DelegatingSqlValidatorTable.java +++ b/core/src/main/java/org/apache/calcite/sql/validate/DelegatingSqlValidatorTable.java @@ -17,7 +17,6 @@ package org.apache.calcite.sql.validate; import org.apache.calcite.rel.type.RelDataType; -import org.apache.calcite.sql.SqlAccessType; import java.util.List; @@ -49,9 +48,6 @@ public SqlMonotonicity getMonotonicity(String columnName) { return table.getMonotonicity(columnName); } - public SqlAccessType getAllowedAccess() { - return table.getAllowedAccess(); - } } // End DelegatingSqlValidatorTable.java diff --git a/core/src/main/java/org/apache/calcite/sql/validate/SqlValidatorImpl.java b/core/src/main/java/org/apache/calcite/sql/validate/SqlValidatorImpl.java index 626399f3307f..884531712818 100644 --- a/core/src/main/java/org/apache/calcite/sql/validate/SqlValidatorImpl.java +++ b/core/src/main/java/org/apache/calcite/sql/validate/SqlValidatorImpl.java @@ -16,6 +16,8 @@ */ package org.apache.calcite.sql.validate; +import org.apache.calcite.access.Authorization; +import org.apache.calcite.access.AuthorizationRequest; import org.apache.calcite.config.NullCollation; import org.apache.calcite.jdbc.CalciteSchema; import org.apache.calcite.linq4j.Ord; @@ -44,7 +46,6 @@ import org.apache.calcite.sql.JoinConditionType; import org.apache.calcite.sql.JoinType; import org.apache.calcite.sql.SqlAccessEnum; -import org.apache.calcite.sql.SqlAccessType; import org.apache.calcite.sql.SqlAggFunction; import org.apache.calcite.sql.SqlBasicCall; import org.apache.calcite.sql.SqlCall; @@ -956,10 +957,7 @@ public void validateQuery(SqlNode node, SqlValidatorScope scope, if (node == top) { validateModality(node); } - validateAccess( - node, - ns.getTable(), - SqlAccessEnum.SELECT); + validateAccess(node, ns.getTable(), SqlAccessEnum.SELECT); } /** @@ -4613,23 +4611,45 @@ public void validateMerge(SqlMerge call) { /** * Validates access to a table. * - * @param table Table + * @param table Table * @param requiredAccess Access requested on table */ private void validateAccess( - SqlNode node, - SqlValidatorTable table, - SqlAccessEnum requiredAccess) { + SqlNode node, + SqlValidatorTable table, + SqlAccessEnum requiredAccess) { if (table != null) { - SqlAccessType access = table.getAllowedAccess(); - if (!access.allowsAccess(requiredAccess)) { + List path = table.getQualifiedName(); + path = path.subList(0, path.size() - 1); + CalciteSchema schema = SqlValidatorUtil.getSchema( + catalogReader.getRootSchema(), + path, + catalogReader.nameMatcher()); + Authorization guard = schema.getAuthorization(); + if (!guard.accessGranted(createAuthorizationRequest(requiredAccess, node, table))) { throw newValidationError(node, - RESOURCE.accessNotAllowed(requiredAccess.name(), - table.getQualifiedName().toString())); + RESOURCE.accessNotAllowed(requiredAccess.name(), + table.getQualifiedName().toString())); } } } + private AuthorizationRequest createAuthorizationRequest( + SqlAccessEnum requiredAccess, + SqlNode node, + SqlValidatorTable table) { + return new AuthorizationRequest( + requiredAccess, + node, + table, + getObjectPath(), + catalogReader); + } + + protected List getObjectPath() { + return Collections.emptyList(); + } + /** * Validates a VALUES clause. * diff --git a/core/src/main/java/org/apache/calcite/sql/validate/SqlValidatorTable.java b/core/src/main/java/org/apache/calcite/sql/validate/SqlValidatorTable.java index b6600507b0c3..4f80e4dec083 100644 --- a/core/src/main/java/org/apache/calcite/sql/validate/SqlValidatorTable.java +++ b/core/src/main/java/org/apache/calcite/sql/validate/SqlValidatorTable.java @@ -18,7 +18,6 @@ import org.apache.calcite.rel.type.RelDataType; import org.apache.calcite.schema.Wrapper; -import org.apache.calcite.sql.SqlAccessType; import org.apache.calcite.sql2rel.InitializerContext; import java.util.List; @@ -41,11 +40,6 @@ public interface SqlValidatorTable extends Wrapper { */ SqlMonotonicity getMonotonicity(String columnName); - /** - * Returns the access type of the table - */ - SqlAccessType getAllowedAccess(); - boolean supportsModality(SqlModality modality); /** @@ -54,7 +48,6 @@ public interface SqlValidatorTable extends Wrapper { @Deprecated // to be removed before 2.0 boolean columnHasDefaultValue(RelDataType rowType, int ordinal, InitializerContext initializerContext); - } // End SqlValidatorTable.java diff --git a/core/src/test/java/org/apache/calcite/access/AlwaysPassGuardTest.java b/core/src/test/java/org/apache/calcite/access/AlwaysPassGuardTest.java new file mode 100644 index 000000000000..e22081d5af72 --- /dev/null +++ b/core/src/test/java/org/apache/calcite/access/AlwaysPassGuardTest.java @@ -0,0 +1,44 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to you under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.calcite.access; + +import org.apache.calcite.sql.SqlAccessEnum; + +import org.junit.Assert; +import org.junit.Test; + +/** + * Test for default guard implementation + */ +public class AlwaysPassGuardTest { + + private final AlwaysPassAuthorization tested = new AlwaysPassAuthorization(); + + @Test public void testShouldAlwaysPassAnySqlAccess() { + // given + boolean result = true; + // when + for (SqlAccessEnum access : SqlAccessEnum.values()) { + result &= tested.accessGranted(new AuthorizationRequest(access, null, null, null, null)); + } + // then + Assert.assertTrue("Access should be always granted", result); + } + +} + +// End AlwaysPassGuardTest.java diff --git a/core/src/test/java/org/apache/calcite/access/CalcitePrincipalFairyTest.java b/core/src/test/java/org/apache/calcite/access/CalcitePrincipalFairyTest.java new file mode 100644 index 000000000000..0dc68e2c1553 --- /dev/null +++ b/core/src/test/java/org/apache/calcite/access/CalcitePrincipalFairyTest.java @@ -0,0 +1,49 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to you under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.calcite.access; + +import org.junit.Assert; +import org.junit.Test; + +import static org.mockito.BDDMockito.given; +import static org.mockito.Mockito.mock; + +/** + * Testing against thread local implementation of fairy + */ +public class CalcitePrincipalFairyTest { + + private final CalcitePrincipalFairy tested = CalcitePrincipalFairy.INSTANCE; + + @Test public void testSouldRegisterPrincipalOnCurrentThreadOnly() { + // given + CalcitePrincipal principal = mock(CalcitePrincipal.class); + given(principal.getName()).willReturn("SOME_USER"); + // when + tested.register(principal); + // then + Assert.assertEquals("Principal should be the same", principal, tested.get()); + new Thread() { + @Override public void run() { + Assert.assertNull("Principal should be empty in another thread", tested.get()); + } + + }.start(); + } +} + +// End CalcitePrincipalFairyTest.java diff --git a/core/src/test/java/org/apache/calcite/access/PrincipalBasedAuthorizationTest.java b/core/src/test/java/org/apache/calcite/access/PrincipalBasedAuthorizationTest.java new file mode 100644 index 000000000000..10bd10fe0e4b --- /dev/null +++ b/core/src/test/java/org/apache/calcite/access/PrincipalBasedAuthorizationTest.java @@ -0,0 +1,105 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to you under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.calcite.access; + +import org.apache.calcite.sql.SqlAccessEnum; +import org.apache.calcite.sql.SqlAccessType; + +import org.junit.Assert; +import org.junit.Test; + +import java.util.Collections; +import java.util.HashMap; + +import static org.mockito.BDDMockito.given; +import static org.mockito.Mockito.mock; + +/** + * Tests against mocked principal + */ +public class PrincipalBasedAuthorizationTest { + + private final CalcitePrincipalFairy fairyMock = mock(CalcitePrincipalFairy.class); + private final HashMap accessMapMock = new HashMap(); + private final PrincipalBasedAuthorization tested = + new PrincipalBasedAuthorization(fairyMock, accessMapMock, Collections.emptySet()); + private final CalcitePrincipal principalMock = mock(CalcitePrincipal.class); + + @Test public void testShouldNotGrantAccessWhenNoPrincipal() { + // given + accessMapMock.clear(); + accessMapMock.put("someuser", SqlAccessType.ALL); + given(fairyMock.get()).willReturn(null); + // when + boolean result = tested.accessGranted(toRequest(SqlAccessEnum.UPDATE)); + // then + Assert.assertFalse("Access should not be granted when no principal", result); + } + + @Test public void testShouldNotGrantAccessWhenNoPrincipalAndEmptyMap() { + // given + accessMapMock.clear(); + given(fairyMock.get()).willReturn(null); + // when + boolean result = tested.accessGranted(toRequest(SqlAccessEnum.UPDATE)); + // then + Assert.assertFalse("Access should not be granted when no principal and empty map", result); + } + + @Test public void testShouldNotGrantAccessWhenNoPrincipalNotMapped() { + // given + accessMapMock.clear(); + accessMapMock.put("someuser", SqlAccessType.ALL); + given(fairyMock.get()).willReturn(principalMock); + given(principalMock.getName()).willReturn("someOTHERuser"); + // when + boolean result = tested.accessGranted(toRequest(SqlAccessEnum.UPDATE)); + // then + Assert.assertFalse("Access should not be granted when principal not mapped", result); + } + + @Test public void testShouldNotGrantAccessWhenNoPrincipalMappedWithOtherAccessTypes() { + // given + accessMapMock.clear(); + accessMapMock.put("someuser", SqlAccessType.WRITE_ONLY); + given(fairyMock.get()).willReturn(principalMock); + given(principalMock.getName()).willReturn("someuser"); + // when + boolean result = tested.accessGranted(toRequest(SqlAccessEnum.UPDATE)); + // then + Assert.assertFalse("Access should not be granted when principal mapped to other types", result); + } + + @Test public void testShouldGrantAccess() { + // given + accessMapMock.clear(); + accessMapMock.put("someuser", SqlAccessType.READ_ONLY); + given(fairyMock.get()).willReturn(principalMock); + given(principalMock.getName()).willReturn("someuser"); + // when + boolean result = tested.accessGranted(toRequest(SqlAccessEnum.SELECT)); + // then + Assert.assertTrue("Access should be granted", result); + } + + private AuthorizationRequest toRequest(SqlAccessEnum sqlAccessEnum) { + return new AuthorizationRequest(sqlAccessEnum, null, null, null, null); + } + +} + +// End PrincipalBasedAuthorizationTest.java diff --git a/core/src/test/java/org/apache/calcite/sql/test/SqlOperatorBaseTest.java b/core/src/test/java/org/apache/calcite/sql/test/SqlOperatorBaseTest.java index 78a2fb71374d..6baa087ff3cb 100644 --- a/core/src/test/java/org/apache/calcite/sql/test/SqlOperatorBaseTest.java +++ b/core/src/test/java/org/apache/calcite/sql/test/SqlOperatorBaseTest.java @@ -16,6 +16,7 @@ */ package org.apache.calcite.sql.test; +import org.apache.calcite.access.CalcitePrincipalFairy; import org.apache.calcite.avatica.util.DateTimeUtils; import org.apache.calcite.config.CalciteConnectionProperty; import org.apache.calcite.linq4j.Linq4j; @@ -65,6 +66,7 @@ import java.math.BigDecimal; import java.sql.Connection; +import java.sql.DriverManager; import java.sql.ResultSet; import java.sql.SQLException; import java.sql.Statement; @@ -76,6 +78,7 @@ import java.util.Iterator; import java.util.List; import java.util.Locale; +import java.util.Properties; import java.util.TimeZone; import java.util.function.Consumer; import java.util.regex.Pattern; @@ -302,6 +305,7 @@ protected SqlOperatorBaseTest(boolean enable, SqlTester tester) { @Before public void setUp() throws Exception { tester.setFor(null); + CalcitePrincipalFairy.INSTANCE.register(null); } protected SqlTester oracleTester() { @@ -5270,16 +5274,62 @@ private void checkNullOperand(SqlTester tester, String op) { tester.checkString("USER", "sa", "VARCHAR(2000) NOT NULL"); } + @Test public void testUserFuncWithNotDefaultUser() { + testFuncWithNotDefaultUser("USER"); + } + + @Test public void testUserFuncWithNoUserLogged() { + testFuncWithNoUserLogged("USER"); + } + + private void testFuncWithNoUserLogged(String userFunc) { + tester.setFor(SqlStdOperatorTable.USER, VM_FENNEL); + String user = System.getProperty("user.name"); // e.g. "jhyde" + tester.withConnectionFactory(new CalciteAssert.ConnectionFactory() { + @Override public Connection createConnection() throws SQLException { + final Properties info = new Properties(); + return DriverManager.getConnection("jdbc:calcite:", info); + } + }).checkString(userFunc, user, "VARCHAR(2000) NOT NULL"); + } + + private void testFuncWithNotDefaultUser(String userFunc) { + tester.setFor(SqlStdOperatorTable.USER, VM_FENNEL); + tester.withConnectionFactory(new CalciteAssert.ConnectionFactory() { + @Override public Connection createConnection() throws SQLException { + final Properties info = new Properties(); + info.put("user", "somenotdefaultuser"); + return DriverManager.getConnection("jdbc:calcite:", info); + } + }).checkString(userFunc, "somenotdefaultuser", "VARCHAR(2000) NOT NULL"); + } + @Test public void testCurrentUserFunc() { tester.setFor(SqlStdOperatorTable.CURRENT_USER, VM_FENNEL); tester.checkString("CURRENT_USER", "sa", "VARCHAR(2000) NOT NULL"); } + @Test public void testCurrenUserFuncWithNotDefaultUser() { + testFuncWithNotDefaultUser("CURRENT_USER"); + } + + @Test public void testCurrentUserFuncWithNoUserLogged() { + testFuncWithNoUserLogged("CURRENT_USER"); + } + @Test public void testSessionUserFunc() { tester.setFor(SqlStdOperatorTable.SESSION_USER, VM_FENNEL); tester.checkString("SESSION_USER", "sa", "VARCHAR(2000) NOT NULL"); } + @Test public void testSessionUserFuncWithNotDefaultUser() { + testFuncWithNotDefaultUser("SESSION_USER"); + } + + @Test public void testSessionUserFuncWithNoUserLogged() { + testFuncWithNoUserLogged("SESSION_USER"); + } + @Test public void testSystemUserFunc() { tester.setFor(SqlStdOperatorTable.SYSTEM_USER, VM_FENNEL); String user = System.getProperty("user.name"); // e.g. "jhyde" diff --git a/core/src/test/java/org/apache/calcite/test/CalciteAssert.java b/core/src/test/java/org/apache/calcite/test/CalciteAssert.java index da7518bfd080..bc056b5c177e 100644 --- a/core/src/test/java/org/apache/calcite/test/CalciteAssert.java +++ b/core/src/test/java/org/apache/calcite/test/CalciteAssert.java @@ -1318,6 +1318,7 @@ private MapConnectionFactory(ImmutableMap map, public Connection createConnection() throws SQLException { final Properties info = new Properties(); + info.put("user", "sa"); for (Map.Entry entry : map.entrySet()) { info.setProperty(entry.getKey(), entry.getValue()); } diff --git a/core/src/test/java/org/apache/calcite/test/SqlToRelTestBase.java b/core/src/test/java/org/apache/calcite/test/SqlToRelTestBase.java index d6e3f711d57d..a066838673a2 100644 --- a/core/src/test/java/org/apache/calcite/test/SqlToRelTestBase.java +++ b/core/src/test/java/org/apache/calcite/test/SqlToRelTestBase.java @@ -16,6 +16,8 @@ */ package org.apache.calcite.test; +import org.apache.calcite.access.AlwaysPassAuthorization; +import org.apache.calcite.access.Authorization; import org.apache.calcite.config.CalciteConnectionConfig; import org.apache.calcite.linq4j.tree.Expression; import org.apache.calcite.plan.Context; @@ -359,6 +361,10 @@ public RelDataTypeFactory getTypeFactory() { public void registerRules(RelOptPlanner planner) throws Exception { } + @Override public Authorization getAuthorization() { + return AlwaysPassAuthorization.INSTANCE; + } + /** Mock column set. */ protected class MockColumnSet implements RelOptTable { private final List names; diff --git a/core/src/test/java/org/apache/calcite/test/SqlValidatorAccessTest.java b/core/src/test/java/org/apache/calcite/test/SqlValidatorAccessTest.java new file mode 100644 index 000000000000..80cb48b3e891 --- /dev/null +++ b/core/src/test/java/org/apache/calcite/test/SqlValidatorAccessTest.java @@ -0,0 +1,228 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to you under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.calcite.test; + +import org.apache.calcite.access.Authorization; +import org.apache.calcite.access.AuthorizationRequest; +import org.apache.calcite.adapter.java.ReflectiveSchema; +import org.apache.calcite.jdbc.CalciteConnection; +import org.apache.calcite.schema.SchemaPlus; +import org.apache.calcite.schema.impl.AbstractSchema; +import org.apache.calcite.schema.impl.ViewTable; +import org.apache.calcite.sql.SqlAccessEnum; + +import com.google.common.collect.ImmutableList; + +import org.junit.Assert; +import org.junit.Before; +import org.junit.Test; +import org.mockito.ArgumentCaptor; +import org.mockito.Mockito; + +import java.sql.Connection; +import java.sql.DriverManager; +import java.sql.ResultSet; +import java.sql.SQLException; +import java.util.Properties; +import java.util.regex.Pattern; + +import static org.apache.commons.lang3.StringUtils.isNotBlank; + +import static org.mockito.ArgumentCaptor.forClass; +import static org.mockito.ArgumentMatchers.any; +import static org.mockito.BDDMockito.atLeastOnce; +import static org.mockito.BDDMockito.given; +import static org.mockito.BDDMockito.mock; +import static org.mockito.BDDMockito.verify; + +/** + * Concrete child class of {@link SqlValidatorTestCase}, containing tests for validating access + */ +public class SqlValidatorAccessTest { + + private final Authorization hrGuardMock = mock(Authorization.class); + private final Authorization wrapperGuardMock = mock(Authorization.class); + private final ArgumentCaptor hrRequestCaptor + = forClass(AuthorizationRequest.class); + + private String user; + + @Before public void init() { + Mockito.reset(hrGuardMock, wrapperGuardMock); + } + + @Test public void testShouldWorkWithoutUser() { + // given + givenIsUser(null); + given(hrGuardMock.accessGranted(any(AuthorizationRequest.class))).willReturn(true); + // when + Then then = when("select * from HR.DEPTS"); + // then + then.executedProperly(); + verify(hrGuardMock).accessGranted(hrRequestCaptor.capture()); + Assert.assertEquals("Should be select requested", + hrRequestCaptor.getValue().getRequiredAccess(), + SqlAccessEnum.SELECT); + } + + @Test public void testShouldWorkWithUserAndAccessGranted() { + // given + givenIsUser("someuser"); + given(hrGuardMock.accessGranted(any(AuthorizationRequest.class))).willReturn(true); + // when + Then then = when("select * from HR.DEPTS"); + // then + then.executedProperly(); + Assert.assertEquals("Should be select requested", + hrRequestCaptor.getValue().getRequiredAccess(), + SqlAccessEnum.SELECT); + verify(hrGuardMock).accessGranted(hrRequestCaptor.capture()); + Assert.assertEquals("Should be select requested", + hrRequestCaptor.getValue().getRequiredAccess(), + SqlAccessEnum.SELECT); + } + + @Test public void testShouldNotWorkWithUserButForbiddenAccess() { + // given + givenIsUser("someuser"); + given(hrGuardMock.accessGranted(any(AuthorizationRequest.class))).willReturn(false); + // when + Then then = when("select * from HR.DEPTS"); + // then + then.exceptionInStack("Not allowed to perform SELECT on \\[HR, depts\\]"); + verify(hrGuardMock).accessGranted(hrRequestCaptor.capture()); + Assert.assertEquals("Should be select requested", + hrRequestCaptor.getValue().getRequiredAccess(), + SqlAccessEnum.SELECT); + } + + @Test public void testShouldWorkWithoutUserOnWrapper() { + // given + givenIsUser(null); + given(wrapperGuardMock.accessGranted(any(AuthorizationRequest.class))).willReturn(true); + given(hrGuardMock.accessGranted(any(AuthorizationRequest.class))).willReturn(true); + // when + Then then = when("select * from WRAPPER.WRAPPEDDEPTS"); + // then + then.executedProperly(); + verify(hrGuardMock, atLeastOnce()).accessGranted(hrRequestCaptor.capture()); + Assert.assertEquals("Should be select requested", + hrRequestCaptor.getValue().getRequiredAccess(), + SqlAccessEnum.SELECT); + } + + @Test public void testShouldWorkWithUserAndAccessGrantedOnWrapper() { + // given + givenIsUser("someuser"); + given(wrapperGuardMock.accessGranted(any(AuthorizationRequest.class))).willReturn(true); + given(hrGuardMock.accessGranted(any(AuthorizationRequest.class))).willReturn(true); + // when + Then then = when("select * from WRAPPER.WRAPPEDDEPTS"); + // then + then.executedProperly(); + verify(hrGuardMock, atLeastOnce()).accessGranted(hrRequestCaptor.capture()); + Assert.assertEquals("Should be select requested", + hrRequestCaptor.getValue().getRequiredAccess(), + SqlAccessEnum.SELECT); + } + + @Test public void testShouldNotWorkWithUserButForbiddenAccessOnWrapper() { + // given + givenIsUser("someuser"); + given(wrapperGuardMock.accessGranted(any(AuthorizationRequest.class))).willReturn(true); + given(hrGuardMock.accessGranted(any(AuthorizationRequest.class))).willReturn(false); + // when + Then then = when("select * from WRAPPER.WRAPPEDDEPTS"); + // then + then.exceptionInStack("Not allowed to perform INDIRECT_SELECT on \\[HR, depts\\]"); + verify(hrGuardMock, atLeastOnce()).accessGranted(hrRequestCaptor.capture()); + Assert.assertEquals("Should be select requested", + hrRequestCaptor.getValue().getRequiredAccess(), + SqlAccessEnum.SELECT); + } + + private Then when(String query) { + try { + ResultSet rs = createConnection().prepareStatement(query).executeQuery(); + return new Then(rs, null); + } catch (SQLException ex) { + return new Then(null, ex); + } + } + + private void givenIsUser(String username) { + this.user = username; + } + + /** + * Syntactic sugar for more descriptive and fluent tests + */ + private static class Then { + + private final ResultSet rs; + private final SQLException exception; + + private Then(ResultSet rs, SQLException exception) { + this.rs = rs; + this.exception = exception; + } + + private void executedProperly() { + Assert.assertTrue("Execution should be ok", rs != null && exception == null); + } + + private void exceptionInStack(String pattern) { + Throwable t = exception; + while (t != null) { + if (Pattern.matches(pattern, t.getMessage())) { + return; + } + t = t.getCause(); + } + Assert.fail("No desired exception on stack"); + } + } + + private Connection createConnection() throws SQLException { + final Properties info = new Properties(); + info.setProperty("lex", "MYSQL"); + info.setProperty("caseSensitive", "false"); + if (isNotBlank(user)) { + info.setProperty("user", user); + } + Connection connection = DriverManager.getConnection("jdbc:calcite:", info); + CalciteConnection con = connection.unwrap(CalciteConnection.class); + SchemaPlus rootSchema = con.getRootSchema(); + SchemaPlus hrSchema = rootSchema.add("HR", new ReflectiveSchema(new JdbcTest.HrSchema())); + hrSchema.setAuthorization(hrGuardMock); + SchemaPlus wrapperSchema = rootSchema.add("WRAPPER", new AbstractSchema()); + wrapperSchema.setAuthorization(wrapperGuardMock); + wrapperSchema.add( + "WRAPPEDDEPTS", + ViewTable.viewMacro(wrapperSchema, "select * from HR.DEPTS", + ImmutableList.of(), ImmutableList.of("WRAPPER", "WRAPPEDDEPTS"), + null)); + return connection; + } + + private void givenIsUser(Object object) { + this.user = user; + } + +} + +// End SqlValidatorAccessTest.java diff --git a/plus/src/main/java/org/apache/calcite/chinook/CalciteConnectionProvider.java b/plus/src/main/java/org/apache/calcite/chinook/CalciteConnectionProvider.java index ad9aab88fd9e..f5e304fe8cc2 100644 --- a/plus/src/main/java/org/apache/calcite/chinook/CalciteConnectionProvider.java +++ b/plus/src/main/java/org/apache/calcite/chinook/CalciteConnectionProvider.java @@ -32,22 +32,26 @@ */ public class CalciteConnectionProvider { + public static final String USER_SA = "sa"; + public static final String USER_SPECIFIC = "specificuser"; + public static final String DRIVER_URL = "jdbc:calcite:"; - public Connection connection() throws IOException, SQLException { - return DriverManager.getConnection(DRIVER_URL, provideConnectionInfo()); + public Connection connection(String user) throws IOException, SQLException { + return DriverManager.getConnection(DRIVER_URL, provideConnectionInfo(user)); } - public Properties provideConnectionInfo() throws IOException { + public Properties provideConnectionInfo(String user) throws IOException { Properties info = new Properties(); info.setProperty("lex", "MYSQL"); info.setProperty("model", "inline:" + provideSchema()); + info.setProperty("user", user); return info; } private String provideSchema() throws IOException { final InputStream stream = - getClass().getResourceAsStream("/chinook/chinook.json"); + getClass().getResourceAsStream("/chinook/chinook.json"); return CharStreams.toString(new InputStreamReader(stream, Charsets.UTF_8)); } diff --git a/plus/src/main/java/org/apache/calcite/chinook/ChinookAvaticaServer.java b/plus/src/main/java/org/apache/calcite/chinook/ChinookAvaticaServer.java index 6b24ae79bcbc..fdf98d241b7a 100644 --- a/plus/src/main/java/org/apache/calcite/chinook/ChinookAvaticaServer.java +++ b/plus/src/main/java/org/apache/calcite/chinook/ChinookAvaticaServer.java @@ -68,7 +68,7 @@ private static JdbcMeta getInstance() { if (instance == null) { try { instance = new JdbcMeta(CalciteConnectionProvider.DRIVER_URL, - CONNECTION_PROVIDER.provideConnectionInfo()); + CONNECTION_PROVIDER.provideConnectionInfo(CONNECTION_PROVIDER.USER_SA)); } catch (SQLException | IOException e) { throw new RuntimeException(e); } diff --git a/plus/src/main/java/org/apache/calcite/chinook/ConnectionFactory.java b/plus/src/main/java/org/apache/calcite/chinook/ConnectionFactory.java index cd0ef013a481..8212987a2d81 100644 --- a/plus/src/main/java/org/apache/calcite/chinook/ConnectionFactory.java +++ b/plus/src/main/java/org/apache/calcite/chinook/ConnectionFactory.java @@ -30,23 +30,35 @@ public class ConnectionFactory implements Quidem.ConnectionFactory { private static final CalciteConnectionProvider CALCITE = new CalciteConnectionProvider(); public Connection connect(String db, boolean bln) throws Exception { - return DatabaseWrapper.valueOf(db).connection(); + return DBWrapper.valueOf(db).connection(); } /** * Wrapping with Fairy environmental decoration */ - public enum DatabaseWrapper { - CALCITE_AS_ADMIN { + public enum DBWrapper { + CALCITE_WITH_GENERAL_CONDITION { @Override public Connection connection() throws Exception { - EnvironmentFairy.login(EnvironmentFairy.User.ADMIN); - return CALCITE.connection(); + EnvironmentFairy.setCondition(EnvironmentFairy.Condition.GENERAL_CONDITION); + return CALCITE.connection(CalciteConnectionProvider.USER_SA); } }, - CALCITE_AS_SPECIFIC_USER { + CALCITE_WITH_GENERAL_CONDITION_SPECIFICUSER { @Override public Connection connection() throws Exception { - EnvironmentFairy.login(EnvironmentFairy.User.SPECIFIC_USER); - return CALCITE.connection(); + EnvironmentFairy.setCondition(EnvironmentFairy.Condition.GENERAL_CONDITION); + return CALCITE.connection(CalciteConnectionProvider.USER_SPECIFIC); + } + }, + CALCITE_WITH_SPECIFIC_CONDITION { + @Override public Connection connection() throws Exception { + EnvironmentFairy.setCondition(EnvironmentFairy.Condition.SPECIFIC_CONDITION); + return CALCITE.connection(CalciteConnectionProvider.USER_SA); + } + }, + CALCITE_WITH_SPECIFIC_CONDITION_SPECIFICUSER { + @Override public Connection connection() throws Exception { + EnvironmentFairy.setCondition(EnvironmentFairy.Condition.SPECIFIC_CONDITION); + return CALCITE.connection(CalciteConnectionProvider.USER_SPECIFIC); } }, RAW { diff --git a/plus/src/main/java/org/apache/calcite/chinook/EnvironmentFairy.java b/plus/src/main/java/org/apache/calcite/chinook/EnvironmentFairy.java index 48965127538b..66f999c63dcb 100644 --- a/plus/src/main/java/org/apache/calcite/chinook/EnvironmentFairy.java +++ b/plus/src/main/java/org/apache/calcite/chinook/EnvironmentFairy.java @@ -26,25 +26,28 @@ */ public class EnvironmentFairy { - private static final ThreadLocal USER = - ThreadLocal.withInitial(() -> User.ADMIN); + private static final ThreadLocal CONDITION = new ThreadLocal() { + @Override protected Condition initialValue() { + return Condition.GENERAL_CONDITION; + } + }; private EnvironmentFairy() { } - public static User getUser() { - return USER.get(); + public static void setCondition(Condition condition) { + CONDITION.set(condition); } - public static void login(User user) { - USER.set(user); + public static Condition getCondition() { + return CONDITION.get(); } /** * Who is emulated to being logged in? */ - public enum User { - ADMIN, SPECIFIC_USER + public enum Condition { + GENERAL_CONDITION, SPECIFIC_CONDITION } } diff --git a/plus/src/main/java/org/apache/calcite/chinook/PreferredAlbumsTableFactory.java b/plus/src/main/java/org/apache/calcite/chinook/PreferredAlbumsTableFactory.java index 73496108bc7b..8e2c70baf56a 100644 --- a/plus/src/main/java/org/apache/calcite/chinook/PreferredAlbumsTableFactory.java +++ b/plus/src/main/java/org/apache/calcite/chinook/PreferredAlbumsTableFactory.java @@ -36,8 +36,9 @@ * Factory for the table of albums preferred by the current user. */ public class PreferredAlbumsTableFactory implements TableFactory { - private static final Integer[] SPECIFIC_USER_PREFERRED_ALBUMS = - {4, 56, 154, 220, 321}; + + private static final Integer[] SPECIFIC_CONDITION_ALBUMS + = new Integer[]{4, 56, 154, 220, 321}; private static final int FIRST_ID = 1; private static final int LAST_ID = 347; @@ -61,8 +62,8 @@ public class PreferredAlbumsTableFactory implements TableFactory fetchPreferredAlbums() { - if (EnvironmentFairy.getUser() == EnvironmentFairy.User.SPECIFIC_USER) { - return Linq4j.asEnumerable(SPECIFIC_USER_PREFERRED_ALBUMS).asQueryable(); + if (EnvironmentFairy.getCondition() == EnvironmentFairy.Condition.SPECIFIC_CONDITION) { + return Linq4j.asEnumerable(SPECIFIC_CONDITION_ALBUMS).asQueryable(); } else { final ContiguousSet set = ContiguousSet.create(Range.closed(FIRST_ID, LAST_ID), diff --git a/plus/src/main/java/org/apache/calcite/chinook/PreferredGenresTableFactory.java b/plus/src/main/java/org/apache/calcite/chinook/PreferredGenresTableFactory.java index 28e043eddef1..e5e54d358aa4 100644 --- a/plus/src/main/java/org/apache/calcite/chinook/PreferredGenresTableFactory.java +++ b/plus/src/main/java/org/apache/calcite/chinook/PreferredGenresTableFactory.java @@ -61,7 +61,7 @@ public class PreferredGenresTableFactory implements TableFactory fetchPreferredGenres() { - if (EnvironmentFairy.getUser() == EnvironmentFairy.User.SPECIFIC_USER) { + if (EnvironmentFairy.getCondition() == EnvironmentFairy.Condition.SPECIFIC_CONDITION) { return Linq4j.asEnumerable(SPECIFIC_USER_PREFERRED_GENRES).asQueryable(); } else { final ContiguousSet set = diff --git a/plus/src/main/resources/chinook/chinook.json b/plus/src/main/resources/chinook/chinook.json index afec90892bde..2b86f8edd6ef 100644 --- a/plus/src/main/resources/chinook/chinook.json +++ b/plus/src/main/resources/chinook/chinook.json @@ -17,6 +17,10 @@ { "version": "1.0", "defaultSchema": "ENHANCED", + "authorization": { + "factory": "org.apache.calcite.access.PrincipalBasedAuthFactory", + "operand": {} + }, "schemas": [ { "name": "CHINOOK", @@ -24,13 +28,20 @@ "jdbcDriver": "org.hsqldb.jdbc.JDBCDriver", "jdbcUrl": "jdbc:hsqldb:res:chinook", "jdbcUser": "sa", - "jdbcPassword": "" + "jdbcPassword": "", + "authConfig": { + "sa": "SELECT" + } }, { "name": "ENHANCED", "type": "custom", "factory": "org.apache.calcite.schema.impl.AbstractSchema$Factory", "operand": {}, + "authConfig": { + "sa": "OWNER", + "specificuser" : "SELECT" + }, "tables": [ { "name": "PREFERRED_TRACKS", @@ -77,6 +88,9 @@ "type": "custom", "factory": "org.apache.calcite.schema.impl.AbstractSchema$Factory", "operand": {}, + "authConfig": { + "sa": "SELECT" + }, "functions": [ { "name": "CODES", @@ -90,6 +104,9 @@ "type": "custom", "factory": "org.apache.calcite.schema.impl.AbstractSchema$Factory", "operand": {}, + "authConfig": { + "sa": "SELECT" + }, "tables": [ { "name": "CODED_EMAILS", diff --git a/plus/src/test/java/org/apache/calcite/chinook/EndToEndTest.java b/plus/src/test/java/org/apache/calcite/chinook/EndToEndTest.java index 5e72ec3f0277..6bc70733fa9c 100644 --- a/plus/src/test/java/org/apache/calcite/chinook/EndToEndTest.java +++ b/plus/src/test/java/org/apache/calcite/chinook/EndToEndTest.java @@ -53,7 +53,7 @@ public static void main(String[] args) throws Exception { public static Collection data() { // Start with a test file we know exists, then find the directory and list // its files. - final String first = "sql/basic.iq"; + final String first = "sql/basic_test.iq"; return data(first); } diff --git a/plus/src/test/java/org/apache/calcite/chinook/RemotePreparedStatementParametersTest.java b/plus/src/test/java/org/apache/calcite/chinook/RemotePreparedStatementParametersTest.java index ac391499f055..8e77bb0657aa 100644 --- a/plus/src/test/java/org/apache/calcite/chinook/RemotePreparedStatementParametersTest.java +++ b/plus/src/test/java/org/apache/calcite/chinook/RemotePreparedStatementParametersTest.java @@ -16,23 +16,26 @@ */ package org.apache.calcite.chinook; +import org.junit.Ignore; import org.junit.Test; import java.sql.Connection; import java.sql.DriverManager; import java.sql.PreparedStatement; import java.sql.ResultSet; +import java.util.Properties; /** * Tests against parameters in prepared statement when using underlying jdbc subschema */ public class RemotePreparedStatementParametersTest { - @Test public void testSimpleStringParameterShouldWorkWithCalcite() throws Exception { + // Server is launched and request served on various threads - uncomment when impl is ready + @Ignore @Test public void testSimpleStringParameterShouldWorkWithCalcite() throws Exception { // given ChinookAvaticaServer server = new ChinookAvaticaServer(); server.startWithCalcite(); - Connection connection = DriverManager.getConnection(server.getURL()); + Connection connection = DriverManager.getConnection(server.getURL(), props()); // when PreparedStatement pS = connection.prepareStatement("select * from chinook.artist where name = ?"); @@ -42,11 +45,17 @@ public class RemotePreparedStatementParametersTest { server.stop(); } - @Test public void testSeveralParametersShouldWorkWithCalcite() throws Exception { + private Properties props() { + Properties props = new Properties(); + props.setProperty("user", "sa"); + return props; + } + + @Ignore @Test public void testSeveralParametersShouldWorkWithCalcite() throws Exception { // given ChinookAvaticaServer server = new ChinookAvaticaServer(); server.startWithCalcite(); - Connection connection = DriverManager.getConnection(server.getURL()); + Connection connection = DriverManager.getConnection(server.getURL(), props()); // when PreparedStatement pS = connection.prepareStatement( diff --git a/plus/src/test/resources/sql/access_as_sa_test.iq b/plus/src/test/resources/sql/access_as_sa_test.iq new file mode 100644 index 000000000000..a9f0fbb0dfca --- /dev/null +++ b/plus/src/test/resources/sql/access_as_sa_test.iq @@ -0,0 +1,39 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to you under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +!use CALCITE_WITH_GENERAL_CONDITION +!set outputformat mysql + +# count returns number of rows in table +SELECT COUNT(*) as C1 FROM chinook.album; ++-----+ +| C1 | ++-----+ +| 347 | ++-----+ +(1 row) + +!ok + +# count returns number of rows in table +SELECT COUNT(*) as C1 FROM enhanced.preferred_tracks; ++------+ +| C1 | ++------+ +| 3503 | ++------+ +(1 row) + +!ok diff --git a/plus/src/test/resources/sql/access_as_specificuser_test.iq b/plus/src/test/resources/sql/access_as_specificuser_test.iq new file mode 100644 index 000000000000..7a6a26e4cd41 --- /dev/null +++ b/plus/src/test/resources/sql/access_as_specificuser_test.iq @@ -0,0 +1,34 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to you under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +!use CALCITE_WITH_GENERAL_CONDITION_SPECIFICUSER +!set outputformat mysql + +# count returns number of rows in table +SELECT COUNT(*) as C1 FROM chinook.album; + java.sql.SQLException: Error while executing SQL "SELECT COUNT(*) as C1 FROM chinook.album": From line 1, column 28 to line 1, column 40: Not allowed to perform SELECT on [CHINOOK, ALBUM] + +!error + +# count returns number of rows in table +SELECT COUNT(*) as C1 FROM enhanced.preferred_tracks; ++------+ +| C1 | ++------+ +| 3503 | ++------+ +(1 row) + +!ok diff --git a/plus/src/test/resources/sql/basic.iq b/plus/src/test/resources/sql/basic_test.iq similarity index 99% rename from plus/src/test/resources/sql/basic.iq rename to plus/src/test/resources/sql/basic_test.iq index b936b0708a07..21be0edf837d 100644 --- a/plus/src/test/resources/sql/basic.iq +++ b/plus/src/test/resources/sql/basic_test.iq @@ -13,7 +13,7 @@ # See the License for the specific language governing permissions and # limitations under the License. # -!use CALCITE_AS_ADMIN +!use CALCITE_WITH_GENERAL_CONDITION !set outputformat mysql # count returns number of rows in table diff --git a/plus/src/test/resources/sql/cross-join-lateral.iq b/plus/src/test/resources/sql/cross-join-lateral.iq index 98928e547192..a952e7e87e45 100644 --- a/plus/src/test/resources/sql/cross-join-lateral.iq +++ b/plus/src/test/resources/sql/cross-join-lateral.iq @@ -13,7 +13,7 @@ # See the License for the specific language governing permissions and # limitations under the License. # -!use CALCITE_AS_ADMIN +!use CALCITE_WITH_GENERAL_CONDITION !set outputformat mysql # Checks whether CROSS JOIN LATERAL works diff --git a/plus/src/test/resources/sql/functions.iq b/plus/src/test/resources/sql/functions.iq index 9d437627596e..0609888257ac 100644 --- a/plus/src/test/resources/sql/functions.iq +++ b/plus/src/test/resources/sql/functions.iq @@ -13,7 +13,7 @@ # See the License for the specific language governing permissions and # limitations under the License. # -!use CALCITE_AS_ADMIN +!use CALCITE_WITH_GENERAL_CONDITION !set outputformat mysql # Checks whether ASCONCATOFPARAMS function is properly computed and not passed to subschema, like jdbc diff --git a/plus/src/test/resources/sql/preferred-for-specific-user.iq b/plus/src/test/resources/sql/specific_condition_as_sa_test.iq similarity index 98% rename from plus/src/test/resources/sql/preferred-for-specific-user.iq rename to plus/src/test/resources/sql/specific_condition_as_sa_test.iq index 982288107cc0..50169c96edc3 100644 --- a/plus/src/test/resources/sql/preferred-for-specific-user.iq +++ b/plus/src/test/resources/sql/specific_condition_as_sa_test.iq @@ -12,7 +12,7 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. -!use CALCITE_AS_SPECIFIC_USER +!use CALCITE_WITH_SPECIFIC_CONDITION !set outputformat mysql # Preferred genres