ConnectorAccessControl (presto-spi 0.278 API)

```
public interface ConnectorAccessControl
```

Method Summary

All Methods Instance Methods Default Methods
Modifier and Type	Method and Description
`default void`	`checkCanAddColumn(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName)` Check if identity is allowed to add columns to the specified table in this catalog.
`default void`	`checkCanCreateRole(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, String role, Optional<PrestoPrincipal> grantor)`
`default void`	`checkCanCreateSchema(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, String schemaName)` Check if identity is allowed to create the specified schema in this catalog.
`default void`	`checkCanCreateTable(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName)` Check if identity is allowed to create the specified table in this catalog.
`default void`	`checkCanCreateView(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName viewName)` Check if identity is allowed to create the specified view in this catalog.
`default void`	`checkCanCreateViewWithSelectFromColumns(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName, Set<String> columnNames)` Check if identity is allowed to create a view that selects from the specified columns in a relation.
`default void`	`checkCanDeleteFromTable(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName)` Check if identity is allowed to delete from the specified table in this catalog.
`default void`	`checkCanDropColumn(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName)` Check if identity is allowed to drop columns from the specified table in this catalog.
`default void`	`checkCanDropRole(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, String role)`
`default void`	`checkCanDropSchema(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, String schemaName)` Check if identity is allowed to drop the specified schema in this catalog.
`default void`	`checkCanDropTable(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName)` Check if identity is allowed to drop the specified table in this catalog.
`default void`	`checkCanDropView(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName viewName)` Check if identity is allowed to drop the specified view in this catalog.
`default void`	`checkCanGrantRoles(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, Set<String> roles, Set<PrestoPrincipal> grantees, boolean withAdminOption, Optional<PrestoPrincipal> grantor, String catalogName)`
`default void`	`checkCanGrantTablePrivilege(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, Privilege privilege, SchemaTableName tableName, PrestoPrincipal grantee, boolean withGrantOption)` Check if identity is allowed to grant to any other user the specified privilege on the specified table.
`default void`	`checkCanInsertIntoTable(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName)` Check if identity is allowed to insert into the specified table in this catalog.
`default void`	`checkCanRenameColumn(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName)` Check if identity is allowed to rename a column in the specified table in this catalog.
`default void`	`checkCanRenameSchema(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, String schemaName, String newSchemaName)` Check if identity is allowed to rename the specified schema in this catalog.
`default void`	`checkCanRenameTable(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName, SchemaTableName newTableName)` Check if identity is allowed to rename the specified table in this catalog.
`default void`	`checkCanRevokeRoles(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, Set<String> roles, Set<PrestoPrincipal> grantees, boolean adminOptionFor, Optional<PrestoPrincipal> grantor, String catalogName)`
`default void`	`checkCanRevokeTablePrivilege(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, Privilege privilege, SchemaTableName tableName, PrestoPrincipal revokee, boolean grantOptionFor)` Check if identity is allowed to revoke the specified privilege on the specified table from any user.
`default void`	`checkCanSelectFromColumns(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName, Set<Subfield> columnOrSubfieldNames)` Check if identity is allowed to select from the specified columns.
`default void`	`checkCanSetCatalogSessionProperty(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, String propertyName)` Check if identity is allowed to set the specified property in this catalog.
`default void`	`checkCanSetRole(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext accessControlContext, String role, String catalogName)`
`default void`	`checkCanShowCurrentRoles(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, String catalogName)` Check if identity is allowed to show current roles on the specified catalog.
`default void`	`checkCanShowRoleGrants(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, String catalogName)` Check if identity is allowed to show its own role grants on the specified catalog.
`default void`	`checkCanShowRoles(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, String catalogName)` Check if identity is allowed to show roles on the specified catalog.
`default void`	`checkCanShowSchemas(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context)` Check if identity is allowed to execute SHOW SCHEMAS in a catalog.
`default void`	`checkCanShowTablesMetadata(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, String schemaName)` Check if identity is allowed to show metadata of tables by executing SHOW TABLES, SHOW GRANTS etc.
`default void`	`checkCanTruncateTable(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName)` Check if identity is allowed to truncate the specified table in this catalog.
`default Set<String>`	`filterSchemas(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, Set<String> schemaNames)` Filter the list of schemas to those visible to the identity.
`default Set<SchemaTableName>`	`filterTables(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, Set<SchemaTableName> tableNames)` Filter the list of tables and views to those visible to the identity.

Method Detail

checkCanCreateSchema

default void checkCanCreateSchema(ConnectorTransactionHandle transactionHandle,
                                  ConnectorIdentity identity,
                                  AccessControlContext context,
                                  String schemaName)

Check if identity is allowed to create the specified schema in this catalog.

Throws:: AccessDeniedException - if not allowed

checkCanDropSchema

default void checkCanDropSchema(ConnectorTransactionHandle transactionHandle,
                                ConnectorIdentity identity,
                                AccessControlContext context,
                                String schemaName)

Check if identity is allowed to drop the specified schema in this catalog.

Throws:: AccessDeniedException - if not allowed

checkCanRenameSchema

default void checkCanRenameSchema(ConnectorTransactionHandle transactionHandle,
                                  ConnectorIdentity identity,
                                  AccessControlContext context,
                                  String schemaName,
                                  String newSchemaName)

Check if identity is allowed to rename the specified schema in this catalog.

Throws:: AccessDeniedException - if not allowed

checkCanShowSchemas
```
default void checkCanShowSchemas(ConnectorTransactionHandle transactionHandle,
                                 ConnectorIdentity identity,
                                 AccessControlContext context)
```
Check if identity is allowed to execute SHOW SCHEMAS in a catalog.
NOTE: This method is only present to give users an error message when listing is not allowed. The filterSchemas(com.facebook.presto.spi.connector.ConnectorTransactionHandle, com.facebook.presto.spi.security.ConnectorIdentity, com.facebook.presto.spi.security.AccessControlContext, java.util.Set<java.lang.String>) method must handle filter all results for unauthorized users, since there are multiple way to list schemas.

Throws:

AccessDeniedException - if not allowed

filterSchemas

default Set<String> filterSchemas(ConnectorTransactionHandle transactionHandle,
                                  ConnectorIdentity identity,
                                  AccessControlContext context,
                                  Set<String> schemaNames)

Filter the list of schemas to those visible to the identity.

checkCanCreateTable

default void checkCanCreateTable(ConnectorTransactionHandle transactionHandle,
                                 ConnectorIdentity identity,
                                 AccessControlContext context,
                                 SchemaTableName tableName)

Check if identity is allowed to create the specified table in this catalog.

Throws:: AccessDeniedException - if not allowed

checkCanDropTable

default void checkCanDropTable(ConnectorTransactionHandle transactionHandle,
                               ConnectorIdentity identity,
                               AccessControlContext context,
                               SchemaTableName tableName)

Check if identity is allowed to drop the specified table in this catalog.

Throws:: AccessDeniedException - if not allowed

checkCanRenameTable

default void checkCanRenameTable(ConnectorTransactionHandle transactionHandle,
                                 ConnectorIdentity identity,
                                 AccessControlContext context,
                                 SchemaTableName tableName,
                                 SchemaTableName newTableName)

Check if identity is allowed to rename the specified table in this catalog.

Throws:: AccessDeniedException - if not allowed

checkCanShowTablesMetadata
```
default void checkCanShowTablesMetadata(ConnectorTransactionHandle transactionHandle,
                                        ConnectorIdentity identity,
                                        AccessControlContext context,
                                        String schemaName)
```
Check if identity is allowed to show metadata of tables by executing SHOW TABLES, SHOW GRANTS etc. in a catalog.
NOTE: This method is only present to give users an error message when listing is not allowed. The filterTables(com.facebook.presto.spi.connector.ConnectorTransactionHandle, com.facebook.presto.spi.security.ConnectorIdentity, com.facebook.presto.spi.security.AccessControlContext, java.util.Set<com.facebook.presto.spi.SchemaTableName>) method must filter all results for unauthorized users, since there are multiple ways to list tables.

Throws:

AccessDeniedException - if not allowed

filterTables

default Set<SchemaTableName> filterTables(ConnectorTransactionHandle transactionHandle,
                                          ConnectorIdentity identity,
                                          AccessControlContext context,
                                          Set<SchemaTableName> tableNames)

Filter the list of tables and views to those visible to the identity.

checkCanAddColumn

default void checkCanAddColumn(ConnectorTransactionHandle transactionHandle,
                               ConnectorIdentity identity,
                               AccessControlContext context,
                               SchemaTableName tableName)

Check if identity is allowed to add columns to the specified table in this catalog.

Throws:: AccessDeniedException - if not allowed

checkCanDropColumn

default void checkCanDropColumn(ConnectorTransactionHandle transactionHandle,
                                ConnectorIdentity identity,
                                AccessControlContext context,
                                SchemaTableName tableName)

Check if identity is allowed to drop columns from the specified table in this catalog.

Throws:: AccessDeniedException - if not allowed

checkCanRenameColumn

default void checkCanRenameColumn(ConnectorTransactionHandle transactionHandle,
                                  ConnectorIdentity identity,
                                  AccessControlContext context,
                                  SchemaTableName tableName)

Check if identity is allowed to rename a column in the specified table in this catalog.

Throws:: AccessDeniedException - if not allowed

checkCanSelectFromColumns

default void checkCanSelectFromColumns(ConnectorTransactionHandle transactionHandle,
                                       ConnectorIdentity identity,
                                       AccessControlContext context,
                                       SchemaTableName tableName,
                                       Set<Subfield> columnOrSubfieldNames)

Check if identity is allowed to select from the specified columns. For columns with type row, subfields are provided. The column set can be empty. For example, "SELECT col1.field, col2 from table" will have: columnOrSubfieldNames = [col1.field, col2] Implementations can choose which to use

Throws:: AccessDeniedException - if not allowed

checkCanInsertIntoTable

default void checkCanInsertIntoTable(ConnectorTransactionHandle transactionHandle,
                                     ConnectorIdentity identity,
                                     AccessControlContext context,
                                     SchemaTableName tableName)

Check if identity is allowed to insert into the specified table in this catalog.

Throws:: AccessDeniedException - if not allowed

checkCanDeleteFromTable

default void checkCanDeleteFromTable(ConnectorTransactionHandle transactionHandle,
                                     ConnectorIdentity identity,
                                     AccessControlContext context,
                                     SchemaTableName tableName)

Check if identity is allowed to delete from the specified table in this catalog.

Throws:: AccessDeniedException - if not allowed

checkCanTruncateTable

default void checkCanTruncateTable(ConnectorTransactionHandle transactionHandle,
                                   ConnectorIdentity identity,
                                   AccessControlContext context,
                                   SchemaTableName tableName)

Check if identity is allowed to truncate the specified table in this catalog.

Throws:: AccessDeniedException - if not allowed

checkCanCreateView

default void checkCanCreateView(ConnectorTransactionHandle transactionHandle,
                                ConnectorIdentity identity,
                                AccessControlContext context,
                                SchemaTableName viewName)

Check if identity is allowed to create the specified view in this catalog.

Throws:: AccessDeniedException - if not allowed

checkCanDropView

default void checkCanDropView(ConnectorTransactionHandle transactionHandle,
                              ConnectorIdentity identity,
                              AccessControlContext context,
                              SchemaTableName viewName)

Check if identity is allowed to drop the specified view in this catalog.

Throws:: AccessDeniedException - if not allowed

checkCanCreateViewWithSelectFromColumns

default void checkCanCreateViewWithSelectFromColumns(ConnectorTransactionHandle transactionHandle,
                                                     ConnectorIdentity identity,
                                                     AccessControlContext context,
                                                     SchemaTableName tableName,
                                                     Set<String> columnNames)

Check if identity is allowed to create a view that selects from the specified columns in a relation.

Throws:: AccessDeniedException - if not allowed

checkCanSetCatalogSessionProperty

default void checkCanSetCatalogSessionProperty(ConnectorTransactionHandle transactionHandle,
                                               ConnectorIdentity identity,
                                               AccessControlContext context,
                                               String propertyName)

Check if identity is allowed to set the specified property in this catalog.

Throws:: AccessDeniedException - if not allowed

checkCanGrantTablePrivilege

default void checkCanGrantTablePrivilege(ConnectorTransactionHandle transactionHandle,
                                         ConnectorIdentity identity,
                                         AccessControlContext context,
                                         Privilege privilege,
                                         SchemaTableName tableName,
                                         PrestoPrincipal grantee,
                                         boolean withGrantOption)

Check if identity is allowed to grant to any other user the specified privilege on the specified table.

Throws:: AccessDeniedException - if not allowed

checkCanRevokeTablePrivilege

default void checkCanRevokeTablePrivilege(ConnectorTransactionHandle transactionHandle,
                                          ConnectorIdentity identity,
                                          AccessControlContext context,
                                          Privilege privilege,
                                          SchemaTableName tableName,
                                          PrestoPrincipal revokee,
                                          boolean grantOptionFor)

Check if identity is allowed to revoke the specified privilege on the specified table from any user.

Throws:: AccessDeniedException - if not allowed

checkCanCreateRole

default void checkCanCreateRole(ConnectorTransactionHandle transactionHandle,
                                ConnectorIdentity identity,
                                AccessControlContext context,
                                String role,
                                Optional<PrestoPrincipal> grantor)

checkCanDropRole

default void checkCanDropRole(ConnectorTransactionHandle transactionHandle,
                              ConnectorIdentity identity,
                              AccessControlContext context,
                              String role)

checkCanGrantRoles

default void checkCanGrantRoles(ConnectorTransactionHandle transactionHandle,
                                ConnectorIdentity identity,
                                AccessControlContext context,
                                Set<String> roles,
                                Set<PrestoPrincipal> grantees,
                                boolean withAdminOption,
                                Optional<PrestoPrincipal> grantor,
                                String catalogName)

checkCanRevokeRoles

default void checkCanRevokeRoles(ConnectorTransactionHandle transactionHandle,
                                 ConnectorIdentity identity,
                                 AccessControlContext context,
                                 Set<String> roles,
                                 Set<PrestoPrincipal> grantees,
                                 boolean adminOptionFor,
                                 Optional<PrestoPrincipal> grantor,
                                 String catalogName)

checkCanSetRole

default void checkCanSetRole(ConnectorTransactionHandle transactionHandle,
                             ConnectorIdentity identity,
                             AccessControlContext accessControlContext,
                             String role,
                             String catalogName)

checkCanShowRoles

default void checkCanShowRoles(ConnectorTransactionHandle transactionHandle,
                               ConnectorIdentity identity,
                               AccessControlContext context,
                               String catalogName)

Check if identity is allowed to show roles on the specified catalog.

Throws:: AccessDeniedException - if not allowed

checkCanShowCurrentRoles

default void checkCanShowCurrentRoles(ConnectorTransactionHandle transactionHandle,
                                      ConnectorIdentity identity,
                                      AccessControlContext context,
                                      String catalogName)

Check if identity is allowed to show current roles on the specified catalog.

Throws:: AccessDeniedException - if not allowed

checkCanShowRoleGrants

default void checkCanShowRoleGrants(ConnectorTransactionHandle transactionHandle,
                                    ConnectorIdentity identity,
                                    AccessControlContext context,
                                    String catalogName)

Check if identity is allowed to show its own role grants on the specified catalog.

Throws:: AccessDeniedException - if not allowed

Interface ConnectorAccessControl