New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add readOnly access level to file-based system access control #1153
Add readOnly access level to file-based system access control #1153
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@bill-warshaw this is nice. Some early feedback.
private final Optional<Pattern> userRegex; | ||
private final Optional<Pattern> catalogRegex; | ||
|
||
@JsonCreator | ||
public CatalogAccessControlRule( | ||
@JsonProperty("allow") boolean allow, | ||
@JsonProperty("readOnly") boolean readOnly, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we think of any other access modes in the future? If yes, this would be an enum.
Then in JSON this could look like:
"access": "READ_ONLY",
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
cc @electrum
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I didn't come up with any future extensions so in JSON this may be represented as "readOnly": true
(as implemented), but maybe @electrum has some other thoughts.
presto-main/src/main/java/io/prestosql/security/CatalogAccessControlRule.java
Outdated
Show resolved
Hide resolved
a3f4469
to
536c3eb
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@bill-warshaw thanks for updating the code and sorry for the review delay.
A couple of editorial comments.
presto-main/src/main/java/io/prestosql/security/CatalogAccessControlRule.java
Outdated
Show resolved
Hide resolved
presto-main/src/main/java/io/prestosql/security/CatalogAccessControlRule.java
Outdated
Show resolved
Hide resolved
presto-main/src/main/java/io/prestosql/security/FileBasedSystemAccessControl.java
Outdated
Show resolved
Hide resolved
presto-main/src/main/java/io/prestosql/security/FileBasedSystemAccessControl.java
Outdated
Show resolved
Hide resolved
presto-main/src/main/java/io/prestosql/security/FileBasedSystemAccessControl.java
Outdated
Show resolved
Hide resolved
private final Optional<Pattern> userRegex; | ||
private final Optional<Pattern> catalogRegex; | ||
|
||
@JsonCreator | ||
public CatalogAccessControlRule( | ||
@JsonProperty("allow") boolean allow, | ||
@JsonProperty("readOnly") boolean readOnly, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I didn't come up with any future extensions so in JSON this may be represented as "readOnly": true
(as implemented), but maybe @electrum has some other thoughts.
fcf2d39
to
cb3d97a
Compare
@findepi comments addressed, and this passes tests for me locally. Thanks for the review! Should I also update the docs as well? Or is there a more formal process for doc updates? |
cb3d97a
to
da0f528
Compare
Yes, please update the docs as part of the same commit (in the |
da0f528
to
431e5b3
Compare
initial docs added, also renamed it to |
4d3136a
to
047d4bf
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This change looks good to me. I'd like to hear from others on the approach before merging.
@JsonProperty("user") Optional<Pattern> userRegex, | ||
@JsonProperty("catalog") Optional<Pattern> catalogRegex) | ||
{ | ||
this.allow = allow; | ||
this.readOnly = readOnly; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we enforce that readOnly
can only be set when allow
is set?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Make sense. Or we could turn allow
into a tri-state flag "allow" | "deny" | "read-only"
with true | false
as legacy options.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I like the thought process, but these names look strange:
"allow": "allow"
"allow": "deny"
Maybe "all" | "read-only" | "none"
Or keep true/false and add read-only
as the third option. (having multiple values for the same state is easy with an enum)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we want different names than booleans, we could do something like
enum AccessMode
{
ALL("all", "true"),
READ_ONLY("read-only"),
NONE("none", "false"),
...
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That would be great! And, as I understand, you need something like
@JsonCreator
public static AccessMode fromString(String value) { ... }
right?
Since this can be managed by hand, I prefer a simplified model (no access | full access | read-only). |
presto-docs/src/main/sphinx/security/built-in-system-access-control.rst
Outdated
Show resolved
Hide resolved
presto-docs/src/main/sphinx/security/built-in-system-access-control.rst
Outdated
Show resolved
Hide resolved
@JsonProperty("user") Optional<Pattern> userRegex, | ||
@JsonProperty("catalog") Optional<Pattern> catalogRegex) | ||
{ | ||
this.allow = allow; | ||
this.readOnly = readOnly; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I like the thought process, but these names look strange:
"allow": "allow"
"allow": "deny"
Maybe "all" | "read-only" | "none"
Or keep true/false and add read-only
as the third option. (having multiple values for the same state is easy with an enum)
@JsonProperty("user") Optional<Pattern> userRegex, | ||
@JsonProperty("catalog") Optional<Pattern> catalogRegex) | ||
{ | ||
this.allow = allow; | ||
this.readOnly = readOnly; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we want different names than booleans, we could do something like
enum AccessMode
{
ALL("all", "true"),
READ_ONLY("read-only"),
NONE("none", "false"),
...
}
@bill-warshaw What do you think about @electrum's suggestion to change |
@dain I would be open to it, but I'm not entirely sure how to do it cleanly. We'd end up with a JSON field that could be of either type
Is there an easy way to model this kind of union type with Jackson annotations? |
Edit: fixed it to support real booleans :) @bill-warshaw This should do it: https://gist.github.com/dain/720382a08898e4c54f80ff80bdd8b9d3 |
047d4bf
to
786a748
Compare
786a748
to
74b7432
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(not full review; i didn't review tests,docs)
presto-main/src/test/java/io/prestosql/security/TestFileBasedSystemAccessControl.java
Outdated
Show resolved
Hide resolved
...plugin-toolkit/src/main/java/io/prestosql/plugin/base/security/CatalogAccessControlRule.java
Outdated
Show resolved
Hide resolved
...plugin-toolkit/src/main/java/io/prestosql/plugin/base/security/CatalogAccessControlRule.java
Outdated
Show resolved
Hide resolved
...plugin-toolkit/src/main/java/io/prestosql/plugin/base/security/CatalogAccessControlRule.java
Show resolved
Hide resolved
...in-toolkit/src/main/java/io/prestosql/plugin/base/security/FileBasedSystemAccessControl.java
Outdated
Show resolved
Hide resolved
...in-toolkit/src/main/java/io/prestosql/plugin/base/security/FileBasedSystemAccessControl.java
Show resolved
Hide resolved
@bill-warshaw FYI
(+2 other fails in the class) |
74b7432
to
905f770
Compare
@findepi comments addressed, open question on whether or not Tests passed locally for me with the most recent changes. I thought they worked locally the last time I pushed but I've had some weirdness with my local build so I might have been running against stale code. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM (not full review; i didn't review tests,docs)
@dain ?
905f770
to
775cf45
Compare
There is a test failure that looks related:
Here is a stack:
|
@dain I'm working on reproducing this locally, but all of the tests under I could have sworn I saw all I'll post again once I figure it out. |
775cf45
to
27ec530
Compare
@dain figured it out - there are two test classes named To fix these tests I just updated one of the resource files under |
@kokosing can you please comment?
even if we decide to merge the classes, I'd rather have it in a separate (follow-up) PR |
Please don't. The test file based access control on two different levels. Directly and via access control manager. There is a contract between these two, like access control manager is not going to ask to access control for access to a table if it is known that there is no access to schema to which given table belongs. |
|
||
@JsonValue | ||
@Override | ||
public String toString() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd prefer not to override toString()
(nor name()
) and have a dedicated method for this. Maybe getStringValue()
.
@electrum WDYT?
* adds a `read-only` option to the file-based system access control mechanism * three roles exist for `allow`: `all`, `read-only`, `none` * legacy `allow` values of `true | false` map to `all` and `none` * `allow` can be set to `all | read-only | none`
27ec530
to
ab6001c
Compare
* create, rename and drop schema operations can now be controlled by the file-based SystemAccessControl mechanism * enabled when allow is set to `all`, disabled when `allow` is set to `none` or `read-only`
ab6001c
to
2f02151
Compare
Merged, thanks! |
read-only
field to the file-based system access control mechanismfalse
if not specifiedread-only
field explicitly set will be honored, from top to bottomhttps://prestosql.io/docs/current/security/built-in-system-access-control.html