Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Filter out values from system.metadata tables using access control #14197

Merged
merged 1 commit into from
Nov 17, 2022
Merged

Filter out values from system.metadata tables using access control #14197

merged 1 commit into from
Nov 17, 2022

Conversation

huberty89
Copy link
Contributor

@huberty89 huberty89 commented Sep 19, 2022
edited
Loading

Description

This PR filter out values using configured access control from tables:

  • analyze_properties
  • column_properties
  • materialized_view_properties
  • schema_properties
  • table_properties

Related issues, pull requests, and links

Non-technical explanation

Do not leak configured catalogs names when user does not have an access to them

Release notes

( ) This is not user-visible and no release notes are required.
( ) Release notes are required, please propose a release note for me.
(x) Release notes are required, with the following suggested text:

# Security
* Filter out values from system.metadata tables to which user has no access ({issue}`14000`)

@cla-bot cla-bot bot added the cla-signed label Sep 19, 2022
raunaqmorarka
raunaqmorarka reviewed Sep 20, 2022
View reviewed changes
Copy link
Member

@raunaqmorarka raunaqmorarka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The fix lgtm, can we add tests ?

ksobolew
ksobolew reviewed Sep 20, 2022
View reviewed changes
Copy link
Contributor

@ksobolew ksobolew left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yup, tests please :)

kokosing
kokosing reviewed Sep 20, 2022
View reviewed changes
Copy link
Member

@kokosing kokosing left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can use io.trino.security.TestAccessControl for testing

@huberty89 huberty89 force-pushed the hubert/fix-system-metadata-access branch from 29deef9 to d3d89fb Compare November 16, 2022 18:26
@huberty89
Copy link
Contributor Author

@raunaqmorarka @ksobolew @kokosing Added tests, please take a look

@huberty89 huberty89 force-pushed the hubert/fix-system-metadata-access branch from d3d89fb to 28a3cc6 Compare November 16, 2022 18:30
@kokosing kokosing merged commit 62d9211 into trinodb:master Nov 17, 2022
@kokosing
Copy link
Member

@huberty89 Thanks! Merged.

@github-actions github-actions bot added this to the 404 milestone Nov 17, 2022
@colebow colebow mentioned this pull request Nov 21, 2022
Merged
@huberty89 huberty89 mentioned this pull request Nov 22, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kokosing kokosing kokosing approved these changes

@ksobolew ksobolew ksobolew approved these changes

@raunaqmorarka raunaqmorarka raunaqmorarka approved these changes

@dain dain Awaiting requested review from dain

@electrum electrum Awaiting requested review from electrum

Assignees
No one assigned
Labels
cla-signed
Milestone
405
Development

Successfully merging this pull request may close these issues.

Not all tables from system.metadata are access control aware
4 participants
@huberty89 @kokosing @raunaqmorarka @ksobolew