Add table functions support to File-based access control

[huberty89]

Description

This PR adds File-based access control support for table functions.
Before this PR with File-based access control enabled every table functions was denied.

By default every rule kind (access to catalogs, schemas, tables) is allow when user does not specify any rule.
The same behavior is also here. After upgrading Trino to newer version and without making any changes to access rules, access to every table function will change and by default it will be allow. To restore previous behavior user needs to add:

{
    "functions": [
        {
            "function_kinds": [
                "SCALAR",
                "AGGREGATE",
                "WINDOW"
            ],
            "privileges": [
                "EXECUTE",
                "GRANT_EXECUTE"
            ]
        },
        {
            "function_kinds": [
                "TABLE"
            ],
            "privileges": []
        }
    ]
}

Examples System-level access control file

1. Allow postgresql.system.query for admin user.

{
    "functions": [
        {
            "function_kinds": [
                "SCALAR",
                "AGGREGATE",
                "WINDOW"
            ],
            "privileges": [
                "EXECUTE",
                "GRANT_EXECUTE"
            ]
        },
        {
            "user": "admin",
            "catalog": "postgresql",
            "schema": "system",
            "function_kinds": [
                "TABLE"
            ],
            "function": "query",
            "privileges": [
                "EXECUTE",
                "GRANT_EXECUTE"
            ]
        }
    ]
}

2. Allow query table function from every catalog & schema for admin user.

{
    "functions": [
        {
            "function_kinds": [
                "SCALAR",
                "AGGREGATE",
                "WINDOW"
            ],
            "privileges": [
                "EXECUTE",
                "GRANT_EXECUTE"
            ]
        },
        {
            "user": "admin",
            "function_kinds": [
                "TABLE"
            ],
            "function": "query",
            "privileges": [
                "EXECUTE",
                "GRANT_EXECUTE"
            ]
        }
    ]
}

3. Deny mysql.system.query for anyone.

{
    "functions": [
        {
            "function_kinds": [
                "SCALAR",
                "AGGREGATE",
                "WINDOW"
            ],
            "privileges": [
                "EXECUTE",
                "GRANT_EXECUTE"
            ]
        },
        {
            "catalog": "mysql",
            "schema": "system",
            "function_kinds": [
                "TABLE"
            ],
            "function": "query",
            "privileges": []
        }
    ]
}

• Possible privileges values: EXECUTE and GRANT_EXECUTE - the second one allows to execute a function from SECURITY DEFINER view
• Possible function_kinds values: SCALAR, AGGREGATE, WINDOW and TABLES, it's required to provide at least one value, also when user define a rule for AGGREGATE, SCALAR or WINDOW function, catalog and schema are disallowed

Documentation

( ) No documentation is needed.
( ) Sufficient documentation is included in this PR.
(x) Documentation PR is available with #14774.
( ) Documentation issue #issuenumber is filed, and can be handled later.

Release notes

( ) No release notes entries required.
(x) Release notes entries required with the following suggested text:

# Section
* Add support for PTF in File-based access control. ({issue}`13713`)

[cla-bot]

Thank you for your pull request and welcome to our community. We could not parse the GitHub identity of the following contributors: Hubert Łojek.
This is most likely caused by a git client misconfiguration; please make sure to:

1. check if your git client is configured with an email to sign commits git config --list | grep email
2. If not, set it up using git config --global user.email email@example.com
3. Make sure that the git commit email is configured in your GitHub account settings, see https://github.com/settings/emails

[cla-bot]

Thank you for your pull request and welcome to our community. We could not parse the GitHub identity of the following contributors: Hubert Łojek.
This is most likely caused by a git client misconfiguration; please make sure to:

1. check if your git client is configured with an email to sign commits git config --list | grep email
2. If not, set it up using git config --global user.email email@example.com
3. Make sure that the git commit email is configured in your GitHub account settings, see https://github.com/settings/emails

[kokosing]

I think you can continue with testing.

looks good to me

[kokosing]

This is breaking change. Previously it was denied by default.

However I think it is safe to go this way as it is coherent with other access control checks here and so far I think nobody used file based access control to use table functions.

CC: @kasiafi @dain

[ssheikin]

May be that's good enough for table functions, but IIRC the eventual goal is to use CatalogSchemaRoutineName for functionName for other FunctionKinds too.

The proposed config syntax is too specific to table functions too:

{
    "table_functions": [
        {
            "user": "admin",
            "catalog": "postgresql",
            "schema": "system",
            "table_function": "query"
        }
    ]
}

I think it worth to go with something like

{
    "function": [
        {
            "user": "admin",
            "function_kind": "TABLE",
            "catalog": "postgresql",
            "schema": "system",
            "function": "query"
        }
    ]
}

I'd base code for functions on the code for tables, e.g.

    @Override
    public void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext, FunctionKind functionKind, CatalogSchemaRoutineName function)
    {
        // TODO config to disable for old function kinds
        AccessMode requiredCatalogAccess = FunctionKind.TABLE.equals(functionKind) ? ALL : READ_ONLY;
        if (!checkFunctionPermission(systemSecurityContext, function, requiredCatalogAccess, FunctionPrivilege.SELECT)) {
            denyExecuteFunction(function.toString());
        }
    }

    private boolean checkFunctionPermission(SystemSecurityContext context, CatalogSchemaRoutineName function, AccessMode requiredCatalogAccess, FunctionPrivilege checkPrivilege)
    {

        if (!canAccessCatalog(context, function.getCatalogName(), requiredCatalogAccess)) {
            return false;
        }

        if (INFORMATION_SCHEMA_NAME.equals(function.getSchemaName())) {
            return true;
        }

        Identity identity = context.getIdentity();
        for (CatalogFunctionAccessControlRule rule : functionRules) {
            if (rule.matches(identity.getUser(), identity.getEnabledRoles(), identity.getGroups(), function)) {
                return rule.getPrivileges().contains(checkPrivilege);
            }
        }
        return false;
    }

[lukasz-walkiewicz]

I think it's a valid concern. If the plan is to have other catalog/schema function kinds in the future then the current syntax would require backward incompatible change or keeping TABLE as the default function kind. Neither of which is desired.

[kasiafi]

@lukasz-walkiewicz I confirm that the discussed method checkCanExecuteFunction() will be used for all function kinds in the future.

@ssheikin, regarding this part:

AccessMode requiredCatalogAccess = FunctionKind.TABLE.equals(functionKind) ? ALL : READ_ONLY;
        if (!checkFunctionPermission(systemSecurityContext, function, requiredCatalogAccess, FunctionPrivilege.SELECT)) {
            denyExecuteFunction(function.toString());
        }

requiring catalog access ALL is safe, but might be unnecessarily restrictive for some Table Functions (think: sequence generator, random generator etc. which do not access any data even for reading).

I also wonder how it fits the future model where all built-in functions are provided by the Global catalog. The built-in table functions should be easily available to anyone, without granting them that level of access to the catalog.

Ideally, the required catalog access should be set for each table function independently.

What does FunctionPrivilege.SELECT refer to?

[ssheikin]

Ugly initial draft based on file based access control of tables: #13903 . NOT to review. Only for sake of history.

[kasiafi]

@dain your suggestions would be very helpful here:

1. What catalog access should we require for table functions? How about the built-in functions provided by the Global catalog?
2. Could we possibly specify the required access per table function? Some functions read data (query pass-through), some might modify the catalog, and some don't touch anything (sequence).

[huberty89]

I add support for every function kind

[huberty89]

@kasiafi

Ideally, the required catalog access should be set for each table function independently.

Now I think this makes sense in case of UDFs as well.
I will take a look into it.

[huberty89]

In theory user might prepare UDF which will make some modifications - this is such edge case probably we should not take care of this. Also we do not have an information which catalog would be modified in such UDF.

[ssheikin]

I guess it's time for that eventually #12544 (comment)

[ssheikin]

or at least

this is such edge case probably we should not take care of this

.... YET

[ssheikin]

This PR resolves #12833

[ssheikin]

Before this PR with File-based access control enabled every table functions was denied.

By default every rule kind (access to catalogs, schemas, tables) is allow when user does not specify any rule.
The same behavior is also here. After upgrading Trino to newer version and without making any changes to access rules, access to every table function will change and by default it will be allow. Is that good behavior? Maybe in case of table functions new default should be deny but this makes those new rules inconsistent with the rest.

Let's discuss this in the separate thread.

Before this PR with File-based access control enabled every table functions was denied.

I think it's a correct implementation, fast one, but which was not really thought that deep to be very compatible with FBAC.

Maybe in case of table functions new default should be deny but this makes those new rules inconsistent with the rest.

I guess access to ptf should obey the same rules as other entities of FBAC do.

By default every rule kind (access to catalogs, schemas, tables) is allow when user does not specify any rule.
The same behavior is also here. After upgrading Trino to newer version and without making any changes to access rules, access to every table function will change and by default it will be allow. Is that good behavior?

ptf were just introduced and with only one built in ptf.Query function. It's questionable if there are cases where FBAC with PTF is used by someone.

Consistency it's a long term thing.

[ksobolew]

I finally got to reviewing this PR ;) As I understand it, it's blocked on adding additional methods to the access control interfaces, right?

Also, tests will be needed.

[huberty89]

@dain @findepi @kasiafi Would you like to take a look?

[huberty89]

I added more real case scenario test TestViewsWithPtfFileBasedSystemAccessControl

[ssheikin]

inline everywhere except where it is reused.

[lukasz-walkiewicz]

LGTM

[lukasz-walkiewicz]

That's an interesting behaviour, that Bob himself can actually query the view but no one else can. It's probably because view owner = view invoker.

[lukasz-walkiewicz]

io.trino.sql.analyzer.StatementAnalyzer.Visitor#analyzeView

[ssheikin]

🎉