RangerBasedAccessControl (presto-hive 0.285.1 API)

java.lang.Object
- com.facebook.presto.hive.security.ranger.RangerBasedAccessControl

All Implemented Interfaces:

ConnectorAccessControl
```
public class RangerBasedAccessControl
extends Object
implements ConnectorAccessControl
```
Connector access control which uses existing Ranger policies for authorizations

Constructor Summary

Constructors
Constructor and Description

RangerBasedAccessControl(RangerBasedAccessControlConfig config, com.facebook.airlift.http.client.HttpClient httpClient)

Constructors
Constructor and Description
`RangerBasedAccessControl(RangerBasedAccessControlConfig config, com.facebook.airlift.http.client.HttpClient httpClient)`

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method and Description
`void`	`checkCanAddColumn(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName)` Check if identity is allowed to add columns to the specified table in this catalog.
`void`	`checkCanCreateSchema(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, String schemaName)` Check if identity is allowed to create the specified schema in this catalog.
`void`	`checkCanCreateTable(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName)` Check if identity is allowed to create the specified table in this catalog.
`void`	`checkCanCreateView(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName viewName)` Check if identity is allowed to create the specified view in this catalog.
`void`	`checkCanCreateViewWithSelectFromColumns(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName, Set<String> columnNames)` Check if identity is allowed to create a view that selects from the specified columns in a relation.
`void`	`checkCanDeleteFromTable(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName)` Check if identity is allowed to delete from the specified table in this catalog.
`void`	`checkCanDropColumn(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName)` Check if identity is allowed to drop columns from the specified table in this catalog.
`void`	`checkCanDropSchema(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, String schemaName)` Check if identity is allowed to drop the specified schema in this catalog.
`void`	`checkCanDropTable(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName)` Check if identity is allowed to drop the specified table in this catalog.
`void`	`checkCanDropView(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName viewName)` Check if identity is allowed to drop the specified view in this catalog.
`void`	`checkCanInsertIntoTable(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName)` Check if identity is allowed to insert into the specified table in this catalog.
`void`	`checkCanRenameColumn(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName)` Check if identity is allowed to rename a column in the specified table in this catalog.
`void`	`checkCanRenameTable(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName, SchemaTableName newTableName)` Check if identity is allowed to rename the specified table in this catalog.
`void`	`checkCanSelectFromColumns(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName, Set<Subfield> columnOrSubfieldNames)` Check if identity is allowed to select from the specified columns in a relation.
`void`	`checkCanSetCatalogSessionProperty(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, String propertyName)` Check if identity is allowed to set the specified property in this catalog.
`void`	`checkCanShowSchemas(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context)` Check if identity is allowed to execute SHOW SCHEMAS in a catalog.
`void`	`checkCanShowTablesMetadata(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, String schemaName)` Check if identity is allowed to show metadata of tables by executing SHOW TABLES, SHOW GRANTS etc.
`Set<String>`	`filterSchemas(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, Set<String> schemaNames)` Filter the list of schemas to those visible to the identity.
`Set<SchemaTableName>`	`filterTables(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, Set<SchemaTableName> tableNames)` Filter the list of tables and views to those visible to the identity.

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface com.facebook.presto.spi.connector.ConnectorAccessControl
checkCanCreateRole, checkCanDropRole, checkCanGrantRoles, checkCanGrantTablePrivilege, checkCanRenameSchema, checkCanRevokeRoles, checkCanRevokeTablePrivilege, checkCanSetRole, checkCanShowCurrentRoles, checkCanShowRoleGrants, checkCanShowRoles, checkCanTruncateTable

Constructor Detail

RangerBasedAccessControl

@Inject
public RangerBasedAccessControl(RangerBasedAccessControlConfig config,
                                        com.facebook.airlift.http.client.HttpClient httpClient)

Method Detail

checkCanCreateSchema

public void checkCanCreateSchema(ConnectorTransactionHandle transactionHandle,
                                 ConnectorIdentity identity,
                                 AccessControlContext context,
                                 String schemaName)

Check if identity is allowed to create the specified schema in this catalog.

Specified by:: checkCanCreateSchema in interface ConnectorAccessControl
Throws:: AccessDeniedException - if not allowed

checkCanDropSchema

public void checkCanDropSchema(ConnectorTransactionHandle transactionHandle,
                               ConnectorIdentity identity,
                               AccessControlContext context,
                               String schemaName)

Check if identity is allowed to drop the specified schema in this catalog.

Specified by:: checkCanDropSchema in interface ConnectorAccessControl
Throws:: AccessDeniedException - if not allowed

checkCanShowSchemas
```
public void checkCanShowSchemas(ConnectorTransactionHandle transactionHandle,
                                ConnectorIdentity identity,
                                AccessControlContext context)
```
Check if identity is allowed to execute SHOW SCHEMAS in a catalog.
NOTE: This method is only present to give users an error message when listing is not allowed. The filterSchemas(com.facebook.presto.spi.connector.ConnectorTransactionHandle, com.facebook.presto.spi.security.ConnectorIdentity, com.facebook.presto.spi.security.AccessControlContext, java.util.Set<java.lang.String>) method must handle filter all results for unauthorized users, since there are multiple way to list schemas.

Specified by:

checkCanShowSchemas in interface ConnectorAccessControl

Throws:

AccessDeniedException - if not allowed

filterSchemas

public Set<String> filterSchemas(ConnectorTransactionHandle transactionHandle,
                                 ConnectorIdentity identity,
                                 AccessControlContext context,
                                 Set<String> schemaNames)

Filter the list of schemas to those visible to the identity.

Specified by:: filterSchemas in interface ConnectorAccessControl

checkCanCreateTable

public void checkCanCreateTable(ConnectorTransactionHandle transactionHandle,
                                ConnectorIdentity identity,
                                AccessControlContext context,
                                SchemaTableName tableName)

Check if identity is allowed to create the specified table in this catalog.

Specified by:: checkCanCreateTable in interface ConnectorAccessControl
Throws:: AccessDeniedException - if not allowed

filterTables

public Set<SchemaTableName> filterTables(ConnectorTransactionHandle transactionHandle,
                                         ConnectorIdentity identity,
                                         AccessControlContext context,
                                         Set<SchemaTableName> tableNames)

Filter the list of tables and views to those visible to the identity.

Specified by:: filterTables in interface ConnectorAccessControl

checkCanAddColumn

public void checkCanAddColumn(ConnectorTransactionHandle transactionHandle,
                              ConnectorIdentity identity,
                              AccessControlContext context,
                              SchemaTableName tableName)

Check if identity is allowed to add columns to the specified table in this catalog.

Specified by:: checkCanAddColumn in interface ConnectorAccessControl
Throws:: AccessDeniedException - if not allowed

checkCanDropColumn

public void checkCanDropColumn(ConnectorTransactionHandle transactionHandle,
                               ConnectorIdentity identity,
                               AccessControlContext context,
                               SchemaTableName tableName)

Check if identity is allowed to drop columns from the specified table in this catalog.

Specified by:: checkCanDropColumn in interface ConnectorAccessControl
Throws:: AccessDeniedException - if not allowed

checkCanRenameColumn

public void checkCanRenameColumn(ConnectorTransactionHandle transactionHandle,
                                 ConnectorIdentity identity,
                                 AccessControlContext context,
                                 SchemaTableName tableName)

Check if identity is allowed to rename a column in the specified table in this catalog.

Specified by:: checkCanRenameColumn in interface ConnectorAccessControl
Throws:: AccessDeniedException - if not allowed

checkCanSelectFromColumns

public void checkCanSelectFromColumns(ConnectorTransactionHandle transactionHandle,
                                      ConnectorIdentity identity,
                                      AccessControlContext context,
                                      SchemaTableName tableName,
                                      Set<Subfield> columnOrSubfieldNames)

Check if identity is allowed to select from the specified columns in a relation. The column set can be empty.

Specified by:: checkCanSelectFromColumns in interface ConnectorAccessControl
Throws:: AccessDeniedException - if not allowed

checkCanDropTable

public void checkCanDropTable(ConnectorTransactionHandle transactionHandle,
                              ConnectorIdentity identity,
                              AccessControlContext context,
                              SchemaTableName tableName)

Check if identity is allowed to drop the specified table in this catalog.

Specified by:: checkCanDropTable in interface ConnectorAccessControl
Throws:: AccessDeniedException - if not allowed

checkCanRenameTable

public void checkCanRenameTable(ConnectorTransactionHandle transactionHandle,
                                ConnectorIdentity identity,
                                AccessControlContext context,
                                SchemaTableName tableName,
                                SchemaTableName newTableName)

Check if identity is allowed to rename the specified table in this catalog.

Specified by:: checkCanRenameTable in interface ConnectorAccessControl
Throws:: AccessDeniedException - if not allowed

checkCanShowTablesMetadata
```
public void checkCanShowTablesMetadata(ConnectorTransactionHandle transactionHandle,
                                       ConnectorIdentity identity,
                                       AccessControlContext context,
                                       String schemaName)
```
Check if identity is allowed to show metadata of tables by executing SHOW TABLES, SHOW GRANTS etc. in a catalog.
NOTE: This method is only present to give users an error message when listing is not allowed. The filterTables(com.facebook.presto.spi.connector.ConnectorTransactionHandle, com.facebook.presto.spi.security.ConnectorIdentity, com.facebook.presto.spi.security.AccessControlContext, java.util.Set<com.facebook.presto.spi.SchemaTableName>) method must filter all results for unauthorized users, since there are multiple ways to list tables.

Specified by:

checkCanShowTablesMetadata in interface ConnectorAccessControl

Throws:

AccessDeniedException - if not allowed

checkCanInsertIntoTable

public void checkCanInsertIntoTable(ConnectorTransactionHandle transactionHandle,
                                    ConnectorIdentity identity,
                                    AccessControlContext context,
                                    SchemaTableName tableName)

Check if identity is allowed to insert into the specified table in this catalog.

Specified by:: checkCanInsertIntoTable in interface ConnectorAccessControl
Throws:: AccessDeniedException - if not allowed

checkCanDeleteFromTable

public void checkCanDeleteFromTable(ConnectorTransactionHandle transactionHandle,
                                    ConnectorIdentity identity,
                                    AccessControlContext context,
                                    SchemaTableName tableName)

Check if identity is allowed to delete from the specified table in this catalog.

Specified by:: checkCanDeleteFromTable in interface ConnectorAccessControl
Throws:: AccessDeniedException - if not allowed

checkCanCreateView

public void checkCanCreateView(ConnectorTransactionHandle transactionHandle,
                               ConnectorIdentity identity,
                               AccessControlContext context,
                               SchemaTableName viewName)

Check if identity is allowed to create the specified view in this catalog.

Specified by:: checkCanCreateView in interface ConnectorAccessControl
Throws:: AccessDeniedException - if not allowed

checkCanDropView

public void checkCanDropView(ConnectorTransactionHandle transactionHandle,
                             ConnectorIdentity identity,
                             AccessControlContext context,
                             SchemaTableName viewName)

Check if identity is allowed to drop the specified view in this catalog.

Specified by:: checkCanDropView in interface ConnectorAccessControl
Throws:: AccessDeniedException - if not allowed

checkCanCreateViewWithSelectFromColumns

public void checkCanCreateViewWithSelectFromColumns(ConnectorTransactionHandle transactionHandle,
                                                    ConnectorIdentity identity,
                                                    AccessControlContext context,
                                                    SchemaTableName tableName,
                                                    Set<String> columnNames)

Check if identity is allowed to create a view that selects from the specified columns in a relation.

Specified by:: checkCanCreateViewWithSelectFromColumns in interface ConnectorAccessControl
Throws:: AccessDeniedException - if not allowed

checkCanSetCatalogSessionProperty

public void checkCanSetCatalogSessionProperty(ConnectorTransactionHandle transactionHandle,
                                              ConnectorIdentity identity,
                                              AccessControlContext context,
                                              String propertyName)

Check if identity is allowed to set the specified property in this catalog.

Specified by:: checkCanSetCatalogSessionProperty in interface ConnectorAccessControl
Throws:: AccessDeniedException - if not allowed

Class RangerBasedAccessControl

Constructor Summary