-
Notifications
You must be signed in to change notification settings - Fork 2.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add SQL syntax for GRANT/REVOKE on schema #4396
Conversation
Resolves #4327 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We need some connector independent tests. Maybe you could use MockConnector
for that. It would be nice to make sure it works end to end, before we start using this for connectors. What do you think?
Looks good in general. Few comments.
presto-main/src/main/java/io/prestosql/execution/GrantTask.java
Outdated
Show resolved
Hide resolved
presto-main/src/main/java/io/prestosql/execution/RevokeTask.java
Outdated
Show resolved
Hide resolved
presto-parser/src/main/antlr4/io/prestosql/sql/parser/SqlBase.g4
Outdated
Show resolved
Hide resolved
presto-parser/src/main/antlr4/io/prestosql/sql/parser/SqlBase.g4
Outdated
Show resolved
Hide resolved
presto-parser/src/main/java/io/prestosql/sql/tree/GrantOnType.java
Outdated
Show resolved
Hide resolved
@martint Can you please double check the syntax? |
ebc9049
to
e6d5adf
Compare
e6d5adf
to
092907d
Compare
I do not quite understand the point of this. We do not have any connector that can support this, and it's not even clear to how to add it existing connectors:
Don't get me wrong. I'd love to add this for Hive and other connectors. It would make our lives easier here, just not clear how to splice this through to the connectors. |
We are thinking about implementing this in Starburst.
I am not sure I followed the previous discussion. I think we can revisit adding this to Hive SQL standard authorization.
I didn't think hard about this, but to me it would simply translate to Postgres equivalent statements of GRANT and REVOKE to SCHEMA.
The best would be to use impersonation, credentials passthrough or extra credentials so user
I don't. I appreciate when someone is questioning the idea before implementation. It could save hours of work. |
73b3488
to
d0ec877
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks nice. Few comments.
presto-main/src/main/java/io/prestosql/execution/RevokeTask.java
Outdated
Show resolved
Hide resolved
presto-hive/src/main/java/io/prestosql/plugin/hive/security/LegacyAccessControl.java
Show resolved
Hide resolved
presto-main/src/test/java/io/prestosql/connector/MockConnectorSchemaAccessControl.java
Outdated
Show resolved
Hide resolved
presto-main/src/test/java/io/prestosql/connector/MockConnectorSchemaAccessControl.java
Outdated
Show resolved
Hide resolved
presto-main/src/test/java/io/prestosql/connector/SchemaGrants.java
Outdated
Show resolved
Hide resolved
presto-tests/src/test/java/io/prestosql/execution/TestGrant.java
Outdated
Show resolved
Hide resolved
presto-tests/src/test/java/io/prestosql/execution/TestGrant.java
Outdated
Show resolved
Hide resolved
presto-tests/src/test/java/io/prestosql/execution/TestGrant.java
Outdated
Show resolved
Hide resolved
presto-tests/src/test/java/io/prestosql/execution/TestGrant.java
Outdated
Show resolved
Hide resolved
presto-tests/src/test/java/io/prestosql/execution/TestGrant.java
Outdated
Show resolved
Hide resolved
ce59eb0
to
0f7700b
Compare
Syntax-wise, this is not in the SQL spec, but it's consistent with it:
What I think needs to be discussed are the semantics of this operation, given that it introduces a behavior on hierarchical objects that isn't contemplated by the spec. I.e., does revoking a privilege on a schema imply a revocation of privileges over all tables in the schema? Does performing a SELECT require checking permissions both on the table and the schema? Etc... For reference, the spec describes SELECT permissions as applying to columns, not tables. Doing a
It records the privilege in a table privilege descriptor for the purpose of applying the privilege to columns that are added afterwards, but only the column privilege descriptors are consulted when querying. From section "6.7 ":
|
What does it mean?
Schema privilege is to me independent to other privileges. So revoking should not affect any other privileges that user currently has. So
So doing
No, because the above (GRANT SELECT ON SCHEMA translates to grant SELECT on columns).
One more point. We try to follow data source semantics when writing connectors. So Hive connector should behave like Hive. So should we do the same thing here for access control. For example should allow to have different semantics when |
f359386
to
c7792cd
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks decent. Nice! Just few comments otherwise looks good.
@martint Please take a look
...o-plugin-toolkit/src/main/java/io/prestosql/plugin/base/security/FileBasedAccessControl.java
Show resolved
Hide resolved
...in-toolkit/src/main/java/io/prestosql/plugin/base/security/FileBasedSystemAccessControl.java
Show resolved
Hide resolved
presto-tests/src/test/java/io/prestosql/execution/TestGrant.java
Outdated
Show resolved
Hide resolved
import static org.assertj.core.api.Assertions.assertThat; | ||
import static org.assertj.core.api.Assertions.assertThatThrownBy; | ||
|
||
public class TestGrant |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please also add tests for SHOW GRANTS and information_schema.table_privileges
while using GRANT/REVOKE ON SCHEMA
presto-tests/src/test/java/io/prestosql/execution/TestRevoke.java
Outdated
Show resolved
Hide resolved
c7792cd
to
a8bd7fc
Compare
91a6a37
to
f718e6e
Compare
f718e6e
to
43a51b3
Compare
43a51b3
to
16454a4
Compare
* Remove Tpch usages * Add missing handles * Extract inner classes
16454a4
to
7fee5fa
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@martint Would you like to take a look?
}; | ||
} | ||
|
||
private static Session sessionOf(String username) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
just session
?
}; | ||
} | ||
|
||
private static Session sessionOf(String username) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
session?
Merged, thanks! |
No description provided.