Check catalog & schema access in USE statement #14209
Conversation
| throw new TrinoException(NOT_FOUND, "Catalog does not exist: " + catalog); | ||
| } | ||
|
|
||
| String schema = statement.getSchema().getValue().toLowerCase(ENGLISH); | ||
|
|
||
| CatalogSchemaName name = new CatalogSchemaName(catalog, schema); | ||
| if (!metadata.schemaExists(session, name)) { | ||
| if (hasSchemaAccess(securityContext, catalog, schema) || | ||
| !metadata.schemaExists(session, name)) { | ||
| throw new TrinoException(NOT_FOUND, "Schema does not exist: " + name); |
There was a problem hiding this comment.
I think the error message has to be different and so the error code should be different between not existing case or access denied case.
There was a problem hiding this comment.
IMO error message needs to be unambiguous. With different error messages there will be no difference what we have today.
There was a problem hiding this comment.
That is the way Trino works today. For example see io.trino.sql.analyzer.StatementAnalyzer.Visitor#visitUpdate if you use not existing table you will get different error than when using a table without an access.
There was a problem hiding this comment.
Ok, I check if catalog/schema exists first, then I check if user has an access to those
huberty89
force-pushed
the
hubert/add-use-access-checks
branch
from
2be8124
to
efef211
Compare
| @Test | ||
| public void testUseStatementAccessControl() | ||
| { | ||
| executeExclusively(() -> { |
There was a problem hiding this comment.
I have a feeling that executeExclusively is overused in this class. If we're using entities with random names, and make sure that the deny rules in the TestingAccessControlManager only reference these random names, then they should be able to run concurrently. That's out of scope for this change, though.
There was a problem hiding this comment.
Here I also change the behavior via TestingAccessControlManager so this executeExclusively prevent to break other tests
| assertThatThrownBy(() -> getQueryRunner().execute("USE not_exists_catalog.tiny")) | ||
| .hasMessageMatching("Catalog does not exist: not_exists_catalog"); |
There was a problem hiding this comment.
Do we need a test where we deny access to a not existing catalog/schema and see that the message is "catalog/schema does not exist" instead of "access denied"? Is this part of the contract or just a consistency thing? @kokosing
| getQueryRunner().getAccessControl().denyCatalogs(catalog -> !catalog.equals("tpch")); | ||
| assertThatThrownBy(() -> getQueryRunner().execute("USE tpch.tiny")) | ||
| .hasMessageMatching("Access Denied: Cannot access catalog tpch"); | ||
| assertThatThrownBy(() -> getQueryRunner().execute("USE tpch.not_exists_schema")) | ||
| .hasMessageMatching("Access Denied: Cannot access catalog tpch"); |
There was a problem hiding this comment.
There also needs to be a test that allows access to catalog but denies access to a schema
There was a problem hiding this comment.
Is it possible to add such a test?
| @@ -617,4 +617,32 @@ public void testSetViewAuthorizationWithSecurityInvoker() | |||
| { | |||
| assertQuerySucceeds("ALTER VIEW mock.default.test_view_invoker SET AUTHORIZATION some_other_user"); | |||
| } | |||
|
|
|||
| @Test | |||
| public void testUseStatementAccessControl() | |||
There was a problem hiding this comment.
nit: We can divide this test method into few smaller ones.
There was a problem hiding this comment.
Spitted into 3 test methods
huberty89
force-pushed
the
hubert/add-use-access-checks
branch
from
efef211
to
e5550be
Compare
huberty89
force-pushed
the
hubert/add-use-access-checks
branch
from
e5550be
to
18343e4
Compare
|
Merged, thanks! |
Description
This PR add checks if user has an access to catalog and schema in
USEstatement.Related issues, pull requests, and links
Non-technical explanation
There was a lack of check in
USEstatement if user has an access to catalog or schema.Release notes
( ) This is not user-visible or docs only and no release notes are required.
( ) Release notes are required, please propose a release note for me.
(x) Release notes are required, with the following suggested text: