diff --git a/core/trino-main/src/main/java/io/trino/security/AccessControlManager.java b/core/trino-main/src/main/java/io/trino/security/AccessControlManager.java index 08dd4c33658dd..0b1df4f88a003 100644 --- a/core/trino-main/src/main/java/io/trino/security/AccessControlManager.java +++ b/core/trino-main/src/main/java/io/trino/security/AccessControlManager.java @@ -1165,8 +1165,8 @@ public List getRowFilters(SecurityContext context, QualifiedObje CatalogAccessControlEntry entry = getConnectorAccessControl(context.getTransactionId(), tableName.getCatalogName()); if (entry != null) { - entry.getAccessControl().getRowFilter(entry.toConnectorSecurityContext(context), tableName.asSchemaTableName()) - .ifPresent(filters::add); + entry.getAccessControl().getRowFilters(entry.toConnectorSecurityContext(context), tableName.asSchemaTableName()) + .forEach(filters::add); } for (SystemAccessControl systemAccessControl : getSystemAccessControls()) { @@ -1188,8 +1188,8 @@ public List getColumnMasks(SecurityContext context, QualifiedObj // connector-provided masks take precedence over global masks CatalogAccessControlEntry entry = getConnectorAccessControl(context.getTransactionId(), tableName.getCatalogName()); if (entry != null) { - entry.getAccessControl().getColumnMask(entry.toConnectorSecurityContext(context), tableName.asSchemaTableName(), columnName, type) - .ifPresent(masks::add); + entry.getAccessControl().getColumnMasks(entry.toConnectorSecurityContext(context), tableName.asSchemaTableName(), columnName, type) + .forEach(masks::add); } for (SystemAccessControl systemAccessControl : getSystemAccessControls()) { diff --git a/core/trino-main/src/main/java/io/trino/security/InjectedConnectorAccessControl.java b/core/trino-main/src/main/java/io/trino/security/InjectedConnectorAccessControl.java index 9ef20a4cd92f5..a825110157cf9 100644 --- a/core/trino-main/src/main/java/io/trino/security/InjectedConnectorAccessControl.java 
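Review bot: A connector that still overrides only the deprecated `getRowFilter` or `getColumnMask` silently loses its filter or mask once these two call sites in `getRowFilters` and `getColumnMasks` switch to the plural methods, because the new defaults added to `ConnectorAccessControl` in this commit return `emptyList()` rather than falling back to the old methods. For an access-control SPI that is a fail-open upgrade path: queries run unfiltered and unmasked, with no error. The new defaults should bridge to the deprecated methods, for example `return getRowFilter(context, tableName).map(List::of).orElseGet(List::of);` and the same shape for `getColumnMasks`, so plugins built against the old SPI keep enforcing their policy. Both enclosing methods in `AccessControlManager` continue outside the hunks, so how the system-level filters are merged afterwards is not visible here.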
+++ b/core/trino-main/src/main/java/io/trino/security/InjectedConnectorAccessControl.java @@ -13,6 +13,7 @@ */ package io.trino.security; +import com.google.common.collect.ImmutableList; import io.trino.metadata.QualifiedObjectName; import io.trino.spi.TrinoException; import io.trino.spi.connector.CatalogSchemaName; @@ -26,6 +27,7 @@ import io.trino.spi.security.ViewExpression; import io.trino.spi.type.Type; +import java.util.List; import java.util.Map; import java.util.Optional; import java.util.Set; @@ -445,21 +447,21 @@ public void checkCanExecuteTableProcedure(ConnectorSecurityContext context, Sche } @Override - public Optional getRowFilter(ConnectorSecurityContext context, SchemaTableName tableName) + public List getRowFilters(ConnectorSecurityContext context, SchemaTableName tableName) { checkArgument(context == null, "context must be null"); if (accessControl.getRowFilters(securityContext, new QualifiedObjectName(catalogName, tableName.getSchemaName(), tableName.getTableName())).isEmpty()) { - return Optional.empty(); + return ImmutableList.of(); } throw new TrinoException(NOT_SUPPORTED, "Row filtering not supported"); } @Override - public Optional getColumnMask(ConnectorSecurityContext context, SchemaTableName tableName, String columnName, Type type) + public List getColumnMasks(ConnectorSecurityContext context, SchemaTableName tableName, String columnName, Type type) { checkArgument(context == null, "context must be null"); if (accessControl.getColumnMasks(securityContext, new QualifiedObjectName(catalogName, tableName.getSchemaName(), tableName.getTableName()), columnName, type).isEmpty()) { - return Optional.empty(); + return ImmutableList.of(); } throw new TrinoException(NOT_SUPPORTED, "Column masking not supported"); } diff --git a/core/trino-main/src/test/java/io/trino/connector/MockConnectorAccessControl.java b/core/trino-main/src/test/java/io/trino/connector/MockConnectorAccessControl.java index 9f96b9d4e7791..dd50b7d68311d 100644 
--- a/core/trino-main/src/test/java/io/trino/connector/MockConnectorAccessControl.java +++ b/core/trino-main/src/test/java/io/trino/connector/MockConnectorAccessControl.java @@ -13,6 +13,7 @@ */ package io.trino.connector; +import com.google.common.collect.ImmutableList; import io.trino.plugin.base.security.AllowAllAccessControl; import io.trino.spi.connector.ConnectorSecurityContext; import io.trino.spi.connector.SchemaTableName; @@ -23,6 +24,7 @@ import io.trino.spi.type.Type; import java.util.Arrays; +import java.util.List; import java.util.Optional; import java.util.Set; import java.util.function.BiFunction; @@ -120,15 +122,19 @@ public void checkCanRevokeTablePrivilege(ConnectorSecurityContext context, Privi } @Override - public Optional getRowFilter(ConnectorSecurityContext context, SchemaTableName tableName) + public List getRowFilters(ConnectorSecurityContext context, SchemaTableName tableName) { - return Optional.ofNullable(rowFilters.apply(tableName)); + return Optional.ofNullable(rowFilters.apply(tableName)) + .map(ImmutableList::of) + .orElseGet(ImmutableList::of); } @Override - public Optional getColumnMask(ConnectorSecurityContext context, SchemaTableName tableName, String columnName, Type type) + public List getColumnMasks(ConnectorSecurityContext context, SchemaTableName tableName, String columnName, Type type) { - return Optional.ofNullable(columnMasks.apply(tableName, columnName)); + return Optional.ofNullable(columnMasks.apply(tableName, columnName)) + .map(ImmutableList::of) + .orElseGet(ImmutableList::of); } public void grantSchemaPrivileges(String schemaName, Set privileges, TrinoPrincipal grantee, boolean grantOption) diff --git a/core/trino-main/src/test/java/io/trino/security/TestAccessControlManager.java b/core/trino-main/src/test/java/io/trino/security/TestAccessControlManager.java index b8268298c82b3..f127aabc22f88 100644 --- a/core/trino-main/src/test/java/io/trino/security/TestAccessControlManager.java 
+++ b/core/trino-main/src/test/java/io/trino/security/TestAccessControlManager.java @@ -224,9 +224,9 @@ public void checkCanSetSystemSessionProperty(SystemSecurityContext context, Stri accessControlManager.addCatalogAccessControl(new CatalogName("catalog"), new ConnectorAccessControl() { @Override - public Optional getColumnMask(ConnectorSecurityContext context, SchemaTableName tableName, String column, Type type) + public List getColumnMasks(ConnectorSecurityContext context, SchemaTableName tableName, String column, Type type) { - return Optional.of(new ViewExpression("user", Optional.empty(), Optional.empty(), "connector mask")); + return ImmutableList.of(new ViewExpression("user", Optional.empty(), Optional.empty(), "connector mask")); } @Override diff --git a/core/trino-main/src/test/java/io/trino/security/TestInjectedConnectorAccessControl.java b/core/trino-main/src/test/java/io/trino/security/TestInjectedConnectorAccessControl.java index 151424cf0f733..3e2e0c0bc626a 100644 --- a/core/trino-main/src/test/java/io/trino/security/TestInjectedConnectorAccessControl.java +++ b/core/trino-main/src/test/java/io/trino/security/TestInjectedConnectorAccessControl.java @@ -13,7 +13,11 @@ */ package io.trino.security; +import com.google.common.collect.ImmutableSet; import io.trino.spi.connector.ConnectorAccessControl; +import io.trino.spi.connector.ConnectorSecurityContext; +import io.trino.spi.connector.SchemaTableName; +import io.trino.spi.type.Type; import org.testng.annotations.Test; import static io.trino.spi.testing.InterfaceTestUtils.assertAllMethodsOverridden; 
@@ -22,7 +26,10 @@ public class TestInjectedConnectorAccessControl { @Test public void testEverythingImplemented() + throws NoSuchMethodException { - assertAllMethodsOverridden(ConnectorAccessControl.class, InjectedConnectorAccessControl.class); + assertAllMethodsOverridden(ConnectorAccessControl.class, InjectedConnectorAccessControl.class, ImmutableSet.of( + InjectedConnectorAccessControl.class.getMethod("getRowFilter", ConnectorSecurityContext.class, SchemaTableName.class), + InjectedConnectorAccessControl.class.getMethod("getColumnMask", ConnectorSecurityContext.class, SchemaTableName.class, String.class, Type.class))); } } diff --git a/core/trino-spi/src/main/java/io/trino/spi/connector/ConnectorAccessControl.java b/core/trino-spi/src/main/java/io/trino/spi/connector/ConnectorAccessControl.java index 441b6a2470729..3bdb9f1a7340b 100644 --- a/core/trino-spi/src/main/java/io/trino/spi/connector/ConnectorAccessControl.java +++ b/core/trino-spi/src/main/java/io/trino/spi/connector/ConnectorAccessControl.java @@ -18,6 +18,7 @@ import io.trino.spi.security.ViewExpression; import io.trino.spi.type.Type; +import java.util.List; import java.util.Map; import java.util.Optional; import java.util.Set; @@ -74,6 +75,7 @@ import static io.trino.spi.security.AccessDeniedException.denyShowTables; import static io.trino.spi.security.AccessDeniedException.denyTruncateTable; import static io.trino.spi.security.AccessDeniedException.denyUpdateTableColumns; +import static java.util.Collections.emptyList; import static java.util.Collections.emptySet; public interface ConnectorAccessControl 
@@ -600,12 +602,26 @@ default void checkCanExecuteTableProcedure(ConnectorSecurityContext context, Sch * The filter must be a scalar SQL expression of boolean type over the columns in the table. * * @return the filter, or {@link Optional#empty()} if not applicable + * @deprecated use {@link #getRowFilters(ConnectorSecurityContext, SchemaTableName)} instead */ + @Deprecated default Optional getRowFilter(ConnectorSecurityContext context, SchemaTableName tableName) { return Optional.empty(); } + /** + * Get row filters associated with the given table and identity. + *

+ * Each filter must be a scalar SQL expression of boolean type over the columns in the table. + * + * @return the list of filters, or empty list if not applicable + */ + default List getRowFilters(ConnectorSecurityContext context, SchemaTableName tableName) + { + return emptyList(); + } + /** * Get a column mask associated with the given table, column and identity. *

@@ -613,9 +629,24 @@ default Optional getRowFilter(ConnectorSecurityContext context, * must be written in terms of columns in the table. * * @return the mask, or {@link Optional#empty()} if not applicable + * @deprecated use {@link #getColumnMasks(ConnectorSecurityContext, SchemaTableName, String, Type)} instead */ + @Deprecated default Optional getColumnMask(ConnectorSecurityContext context, SchemaTableName tableName, String columnName, Type type) { return Optional.empty(); } + + /** + * Get column masks associated with the given table, column and identity. + *

+ * Each mask must be a scalar SQL expression of a type coercible to the type of the column being masked. The expression + * must be written in terms of columns in the table. + * + * @return the list of masks, or empty list if not applicable + */ + default List getColumnMasks(ConnectorSecurityContext context, SchemaTableName tableName, String columnName, Type type) + { + return emptyList(); + } } diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/classloader/ClassLoaderSafeConnectorAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/classloader/ClassLoaderSafeConnectorAccessControl.java index f10be3892d880..e20d201224bc6 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/classloader/ClassLoaderSafeConnectorAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/classloader/ClassLoaderSafeConnectorAccessControl.java @@ -25,6 +25,7 @@ import javax.inject.Inject; +import java.util.List; import java.util.Map; import java.util.Optional; import java.util.Set; 
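Review bot: The new Javadoc on `getColumnMasks` does not say how several masks on one column combine or in which order they are applied, which an implementer needs to know because masks, unlike boolean row filters, do not commute. Suggest adding a sentence such as `Masks are applied in list order, each to the result of the previous one.` The application order is not visible in this diff, so confirm it against the analyzer before documenting it. The `getRowFilters` Javadoc in the previous hunk would benefit from the matching statement, e.g. `All returned filters must hold for a row to be visible.`, if that is how the engine combines them. That makes it explicit that a longer list can only narrow the result.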
@@ -493,18 +494,18 @@ public void checkCanExecuteTableProcedure(ConnectorSecurityContext context, Sche } @Override - public Optional getRowFilter(ConnectorSecurityContext context, SchemaTableName tableName) + public List getRowFilters(ConnectorSecurityContext context, SchemaTableName tableName) { try (ThreadContextClassLoader ignored = new ThreadContextClassLoader(classLoader)) { - return delegate.getRowFilter(context, tableName); + return delegate.getRowFilters(context, tableName); } } @Override - public Optional getColumnMask(ConnectorSecurityContext context, SchemaTableName tableName, String columnName, Type type) + public List getColumnMasks(ConnectorSecurityContext context, SchemaTableName tableName, String columnName, Type type) { try (ThreadContextClassLoader ignored = new ThreadContextClassLoader(classLoader)) { - return delegate.getColumnMask(context, tableName, columnName, type); + return delegate.getColumnMasks(context, tableName, columnName, type); } } } diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllAccessControl.java index 8ab0f2a356429..3c32116427d64 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllAccessControl.java @@ -13,6 +13,7 @@ */ package io.trino.plugin.base.security; +import com.google.common.collect.ImmutableList; import io.trino.spi.connector.ConnectorAccessControl; import io.trino.spi.connector.ConnectorSecurityContext; import io.trino.spi.connector.SchemaRoutineName; @@ -22,6 +23,7 @@ import io.trino.spi.security.ViewExpression; import io.trino.spi.type.Type; +import java.util.List; import java.util.Map; import java.util.Optional; import java.util.Set; 
@@ -316,14 +318,14 @@ public void checkCanExecuteTableProcedure(ConnectorSecurityContext context, Sche } @Override - public Optional getRowFilter(ConnectorSecurityContext context, SchemaTableName tableName) + public List getRowFilters(ConnectorSecurityContext context, SchemaTableName tableName) { - return Optional.empty(); + return ImmutableList.of(); } @Override - public Optional getColumnMask(ConnectorSecurityContext context, SchemaTableName tableName, String columnName, Type type) + public List getColumnMasks(ConnectorSecurityContext context, SchemaTableName tableName, String columnName, Type type) { - return Optional.empty(); + return ImmutableList.of(); } } diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedAccessControl.java index aae17963100e7..381c0a0b95c39 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedAccessControl.java @@ -13,6 +13,7 @@ */ package io.trino.plugin.base.security; +import com.google.common.collect.ImmutableList; import com.google.common.collect.ImmutableSet; import io.trino.plugin.base.CatalogName; import io.trino.plugin.base.security.TableAccessControlRule.TablePrivilege; @@ -31,10 +32,10 @@ import java.util.Map; import java.util.Optional; import java.util.Set; -import java.util.function.Function; import java.util.function.Predicate; import static com.google.common.base.Preconditions.checkArgument; +import static com.google.common.collect.ImmutableList.toImmutableList; import static com.google.common.collect.ImmutableSet.toImmutableSet; import static io.trino.plugin.base.security.TableAccessControlRule.TablePrivilege.DELETE; import static io.trino.plugin.base.security.TableAccessControlRule.TablePrivilege.GRANT_SELECT; 
@@ -591,33 +592,37 @@ public void checkCanExecuteTableProcedure(ConnectorSecurityContext context, Sche } @Override - public Optional getRowFilter(ConnectorSecurityContext context, SchemaTableName tableName) + public List getRowFilters(ConnectorSecurityContext context, SchemaTableName tableName) { if (INFORMATION_SCHEMA_NAME.equals(tableName.getSchemaName())) { - return Optional.empty(); + return ImmutableList.of(); } ConnectorIdentity identity = context.getIdentity(); return tableRules.stream() .filter(rule -> rule.matches(identity.getUser(), identity.getEnabledSystemRoles(), identity.getGroups(), tableName)) .map(rule -> rule.getFilter(identity.getUser(), catalogName, tableName.getSchemaName())) - .findFirst() - .flatMap(Function.identity()); + .flatMap(Optional::stream) + // we return the first one we find + .limit(1) + .collect(toImmutableList()); } @Override - public Optional getColumnMask(ConnectorSecurityContext context, SchemaTableName tableName, String columnName, Type type) + public List getColumnMasks(ConnectorSecurityContext context, SchemaTableName tableName, String columnName, Type type) { if (INFORMATION_SCHEMA_NAME.equals(tableName.getSchemaName())) { - return Optional.empty(); + return ImmutableList.of(); } ConnectorIdentity identity = context.getIdentity(); return tableRules.stream() .filter(rule -> rule.matches(identity.getUser(), identity.getEnabledSystemRoles(), identity.getGroups(), tableName)) .map(rule -> rule.getColumnMask(identity.getUser(), catalogName, tableName.getSchemaName(), columnName)) - .findFirst() - .flatMap(Function.identity()); + .flatMap(Optional::stream) + // we return the first one we find + .limit(1) + .collect(toImmutableList()); } private boolean canSetSessionProperty(ConnectorSecurityContext context, String property) 
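Review bot: Replacing `.findFirst().flatMap(Function.identity())` with `.flatMap(Optional::stream).limit(1)` changes which rule wins in both `getRowFilters` and `getColumnMasks`. The old code stopped at the first matching rule and returned its filter even when that was empty, while the new code skips matching rules that define no filter and returns the filter of a later one. A user matched by an earlier unfiltered rule therefore now picks up a filter or mask from a rule further down the file, which departs from first-match semantics, and no test visible in this diff covers it. To keep the previous behaviour, stop at the first matching rule before flattening: `.findFirst().stream().flatMap(Optional::stream).collect(toImmutableList());`. If the new behaviour is intended, the inline comment should say so, e.g. `// the first matching rule that defines a filter wins`.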
diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingConnectorAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingConnectorAccessControl.java index 1de3a6c9ef22e..7ca4f8af67bdb 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingConnectorAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingConnectorAccessControl.java @@ -22,6 +22,7 @@ import io.trino.spi.security.ViewExpression; import io.trino.spi.type.Type; +import java.util.List; import java.util.Map; import java.util.Optional; import java.util.Set; @@ -391,9 +392,21 @@ public Optional getRowFilter(ConnectorSecurityContext context, S return delegate().getRowFilter(context, tableName); } + @Override + public List getRowFilters(ConnectorSecurityContext context, SchemaTableName tableName) + { + return delegate().getRowFilters(context, tableName); + } + @Override public Optional getColumnMask(ConnectorSecurityContext context, SchemaTableName tableName, String columnName, Type type) { return delegate().getColumnMask(context, tableName, columnName, type); } + + @Override + public List getColumnMasks(ConnectorSecurityContext context, SchemaTableName tableName, String columnName, Type type) + { + return delegate().getColumnMasks(context, tableName, columnName, type); + } } diff --git a/lib/trino-plugin-toolkit/src/test/java/io/trino/plugin/base/classloader/TestClassLoaderSafeWrappers.java b/lib/trino-plugin-toolkit/src/test/java/io/trino/plugin/base/classloader/TestClassLoaderSafeWrappers.java index 39c17fa663b96..afb9a64ced674 100644 --- a/lib/trino-plugin-toolkit/src/test/java/io/trino/plugin/base/classloader/TestClassLoaderSafeWrappers.java +++ b/lib/trino-plugin-toolkit/src/test/java/io/trino/plugin/base/classloader/TestClassLoaderSafeWrappers.java 
@@ -13,6 +13,7 @@ */ package io.trino.plugin.base.classloader; +import com.google.common.collect.ImmutableSet; import io.trino.spi.connector.ConnectorAccessControl; import io.trino.spi.connector.ConnectorMetadata; import io.trino.spi.connector.ConnectorNodePartitioningProvider; @@ -20,11 +21,14 @@ import io.trino.spi.connector.ConnectorPageSinkProvider; import io.trino.spi.connector.ConnectorPageSourceProvider; import io.trino.spi.connector.ConnectorRecordSetProvider; +import io.trino.spi.connector.ConnectorSecurityContext; import io.trino.spi.connector.ConnectorSplitManager; import io.trino.spi.connector.ConnectorSplitSource; import io.trino.spi.connector.RecordSet; +import io.trino.spi.connector.SchemaTableName; import io.trino.spi.connector.SystemTable; import io.trino.spi.eventlistener.EventListener; +import io.trino.spi.type.Type; import org.testng.annotations.Test; import static io.trino.spi.testing.InterfaceTestUtils.assertAllMethodsOverridden; @@ -33,8 +37,11 @@ public class TestClassLoaderSafeWrappers { @Test public void testAllMethodsOverridden() + throws NoSuchMethodException { - assertAllMethodsOverridden(ConnectorAccessControl.class, ClassLoaderSafeConnectorAccessControl.class); + assertAllMethodsOverridden(ConnectorAccessControl.class, ClassLoaderSafeConnectorAccessControl.class, ImmutableSet.of( + ClassLoaderSafeConnectorAccessControl.class.getMethod("getRowFilter", ConnectorSecurityContext.class, SchemaTableName.class), + ClassLoaderSafeConnectorAccessControl.class.getMethod("getColumnMask", ConnectorSecurityContext.class, SchemaTableName.class, String.class, Type.class))); assertAllMethodsOverridden(ConnectorMetadata.class, ClassLoaderSafeConnectorMetadata.class); assertAllMethodsOverridden(ConnectorPageSink.class, ClassLoaderSafeConnectorPageSink.class); assertAllMethodsOverridden(ConnectorPageSinkProvider.class, ClassLoaderSafeConnectorPageSinkProvider.class); 
diff --git a/lib/trino-plugin-toolkit/src/test/java/io/trino/plugin/base/security/TestAllowAllAccessControl.java b/lib/trino-plugin-toolkit/src/test/java/io/trino/plugin/base/security/TestAllowAllAccessControl.java index 5ba6e98a7570c..f53c0c0c47390 100644 --- a/lib/trino-plugin-toolkit/src/test/java/io/trino/plugin/base/security/TestAllowAllAccessControl.java +++ b/lib/trino-plugin-toolkit/src/test/java/io/trino/plugin/base/security/TestAllowAllAccessControl.java @@ -13,7 +13,11 @@ */ package io.trino.plugin.base.security; +import com.google.common.collect.ImmutableSet; import io.trino.spi.connector.ConnectorAccessControl; +import io.trino.spi.connector.ConnectorSecurityContext; +import io.trino.spi.connector.SchemaTableName; +import io.trino.spi.type.Type; import org.testng.annotations.Test; import static io.trino.spi.testing.InterfaceTestUtils.assertAllMethodsOverridden; @@ -22,7 +26,10 @@ public class TestAllowAllAccessControl { @Test public void testEverythingImplemented() + throws NoSuchMethodException { - assertAllMethodsOverridden(ConnectorAccessControl.class, AllowAllAccessControl.class); + assertAllMethodsOverridden(ConnectorAccessControl.class, AllowAllAccessControl.class, ImmutableSet.of( + AllowAllAccessControl.class.getMethod("getRowFilter", ConnectorSecurityContext.class, SchemaTableName.class), + AllowAllAccessControl.class.getMethod("getColumnMask", ConnectorSecurityContext.class, SchemaTableName.class, String.class, Type.class))); } } diff --git a/lib/trino-plugin-toolkit/src/test/java/io/trino/plugin/base/security/TestFileBasedAccessControl.java b/lib/trino-plugin-toolkit/src/test/java/io/trino/plugin/base/security/TestFileBasedAccessControl.java index 2ee43c82464b0..c80a648780535 100644 --- a/lib/trino-plugin-toolkit/src/test/java/io/trino/plugin/base/security/TestFileBasedAccessControl.java +++ b/lib/trino-plugin-toolkit/src/test/java/io/trino/plugin/base/security/TestFileBasedAccessControl.java 
@@ -26,6 +26,7 @@ import io.trino.spi.security.PrincipalType; import io.trino.spi.security.Privilege; import io.trino.spi.security.TrinoPrincipal; +import io.trino.spi.type.Type; import org.testng.Assert.ThrowingRunnable; import org.testng.annotations.DataProvider; import org.testng.annotations.Test; @@ -462,8 +463,11 @@ public void testSchemaRulesForCheckCanShowTables() @Test public void testEverythingImplemented() + throws NoSuchMethodException { - assertAllMethodsOverridden(ConnectorAccessControl.class, FileBasedAccessControl.class); + assertAllMethodsOverridden(ConnectorAccessControl.class, FileBasedAccessControl.class, ImmutableSet.of( + FileBasedAccessControl.class.getMethod("getRowFilter", ConnectorSecurityContext.class, SchemaTableName.class), + FileBasedAccessControl.class.getMethod("getColumnMask", ConnectorSecurityContext.class, SchemaTableName.class, String.class, Type.class))); } private static ConnectorSecurityContext user(String name, Set groups) diff --git a/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/LegacyAccessControl.java b/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/LegacyAccessControl.java index 054430bffeca0..56dd4f1946e16 100644 --- a/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/LegacyAccessControl.java +++ b/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/LegacyAccessControl.java @@ -13,6 +13,7 @@ */ package io.trino.plugin.hive.security; +import com.google.common.collect.ImmutableList; import io.trino.plugin.hive.metastore.Table; import io.trino.spi.connector.ConnectorAccessControl; import io.trino.spi.connector.ConnectorSecurityContext; @@ -25,6 +26,7 @@ import javax.inject.Inject; +import java.util.List; import java.util.Map; import java.util.Optional; import java.util.Set; 
@@ -387,14 +389,14 @@ public void checkCanExecuteTableProcedure(ConnectorSecurityContext context, Sche } @Override - public Optional getRowFilter(ConnectorSecurityContext context, SchemaTableName tableName) + public List getRowFilters(ConnectorSecurityContext context, SchemaTableName tableName) { - return Optional.empty(); + return ImmutableList.of(); } @Override - public Optional getColumnMask(ConnectorSecurityContext context, SchemaTableName tableName, String columnName, Type type) + public List getColumnMasks(ConnectorSecurityContext context, SchemaTableName tableName, String columnName, Type type) { - return Optional.empty(); + return ImmutableList.of(); } } diff --git a/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/SqlStandardAccessControl.java b/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/SqlStandardAccessControl.java index d6b49367e4c75..2cb23f9db4db9 100644 --- a/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/SqlStandardAccessControl.java +++ b/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/SqlStandardAccessControl.java @@ -13,6 +13,7 @@ */ package io.trino.plugin.hive.security; +import com.google.common.collect.ImmutableList; import com.google.common.collect.ImmutableSet; import io.trino.plugin.base.CatalogName; import io.trino.plugin.hive.metastore.Database; @@ -33,6 +34,7 @@ import javax.inject.Inject; +import java.util.List; import java.util.Map; import java.util.Optional; import java.util.Set; 
@@ -568,15 +570,15 @@ public void checkCanExecuteTableProcedure(ConnectorSecurityContext context, Sche } @Override - public Optional getRowFilter(ConnectorSecurityContext context, SchemaTableName tableName) + public List getRowFilters(ConnectorSecurityContext context, SchemaTableName tableName) { - return Optional.empty(); + return ImmutableList.of(); } @Override - public Optional getColumnMask(ConnectorSecurityContext context, SchemaTableName tableName, String columnName, Type type) + public List getColumnMasks(ConnectorSecurityContext context, SchemaTableName tableName, String columnName, Type type) { - return Optional.empty(); + return ImmutableList.of(); } private boolean isAdmin(ConnectorSecurityContext context) diff --git a/plugin/trino-hive/src/test/java/io/trino/plugin/hive/security/TestLegacyAccessControl.java b/plugin/trino-hive/src/test/java/io/trino/plugin/hive/security/TestLegacyAccessControl.java index ece785051db0b..cf2081b62a11b 100644 --- a/plugin/trino-hive/src/test/java/io/trino/plugin/hive/security/TestLegacyAccessControl.java +++ b/plugin/trino-hive/src/test/java/io/trino/plugin/hive/security/TestLegacyAccessControl.java @@ -13,7 +13,11 @@ */ package io.trino.plugin.hive.security; +import com.google.common.collect.ImmutableSet; import io.trino.spi.connector.ConnectorAccessControl; +import io.trino.spi.connector.ConnectorSecurityContext; +import io.trino.spi.connector.SchemaTableName; +import io.trino.spi.type.Type; import org.testng.annotations.Test; import static io.trino.spi.testing.InterfaceTestUtils.assertAllMethodsOverridden; 
@@ -22,7 +26,10 @@ public class TestLegacyAccessControl { @Test public void testEverythingImplemented() + throws NoSuchMethodException { - assertAllMethodsOverridden(ConnectorAccessControl.class, LegacyAccessControl.class); + assertAllMethodsOverridden(ConnectorAccessControl.class, LegacyAccessControl.class, ImmutableSet.of( + LegacyAccessControl.class.getMethod("getRowFilter", ConnectorSecurityContext.class, SchemaTableName.class), + LegacyAccessControl.class.getMethod("getColumnMask", ConnectorSecurityContext.class, SchemaTableName.class, String.class, Type.class))); } } diff --git a/plugin/trino-hive/src/test/java/io/trino/plugin/hive/security/TestSqlStandardAccessControl.java b/plugin/trino-hive/src/test/java/io/trino/plugin/hive/security/TestSqlStandardAccessControl.java index 89c36c22e38a7..b27d4fa16497f 100644 --- a/plugin/trino-hive/src/test/java/io/trino/plugin/hive/security/TestSqlStandardAccessControl.java +++ b/plugin/trino-hive/src/test/java/io/trino/plugin/hive/security/TestSqlStandardAccessControl.java @@ -13,7 +13,11 @@ */ package io.trino.plugin.hive.security; +import com.google.common.collect.ImmutableSet; import io.trino.spi.connector.ConnectorAccessControl; +import io.trino.spi.connector.ConnectorSecurityContext; +import io.trino.spi.connector.SchemaTableName; +import io.trino.spi.type.Type; import org.testng.annotations.Test; import static io.trino.spi.testing.InterfaceTestUtils.assertAllMethodsOverridden; 
@@ -22,7 +26,10 @@ public class TestSqlStandardAccessControl { @Test public void testEverythingImplemented() + throws NoSuchMethodException { - assertAllMethodsOverridden(ConnectorAccessControl.class, SqlStandardAccessControl.class); + assertAllMethodsOverridden(ConnectorAccessControl.class, SqlStandardAccessControl.class, ImmutableSet.of( + SqlStandardAccessControl.class.getMethod("getRowFilter", ConnectorSecurityContext.class, SchemaTableName.class), + SqlStandardAccessControl.class.getMethod("getColumnMask", ConnectorSecurityContext.class, SchemaTableName.class, String.class, Type.class))); } }