AccessControl (presto-main 312 API)

All Known Implementing Classes:

AccessControlManager, AllowAllAccessControl, DenyAllAccessControl, TestingAccessControlManager, ViewAccessControl
```
public interface AccessControl
```

Method Summary

All Methods Instance Methods Abstract Methods
Modifier and Type	Method and Description
`void`	`checkCanAccessCatalog(Identity identity, String catalogName)` Check whether identity is allowed to access catalog
`void`	`checkCanAddColumns(TransactionId transactionId, Identity identity, QualifiedObjectName tableName)` Check if identity is allowed to add columns to the specified table.
`void`	`checkCanCreateRole(TransactionId transactionId, Identity identity, String role, Optional<PrestoPrincipal> grantor, String catalogName)` Check if identity is allowed to create the specified role.
`void`	`checkCanCreateSchema(TransactionId transactionId, Identity identity, CatalogSchemaName schemaName)` Check if identity is allowed to create the specified schema.
`void`	`checkCanCreateTable(TransactionId transactionId, Identity identity, QualifiedObjectName tableName)` Check if identity is allowed to create the specified table.
`void`	`checkCanCreateView(TransactionId transactionId, Identity identity, QualifiedObjectName viewName)` Check if identity is allowed to create the specified view.
`void`	`checkCanCreateViewWithSelectFromColumns(TransactionId transactionId, Identity identity, QualifiedObjectName tableName, Set<String> columnNames)` Check if identity is allowed to create a view that selects from the specified columns.
`void`	`checkCanDeleteFromTable(TransactionId transactionId, Identity identity, QualifiedObjectName tableName)` Check if identity is allowed to delete from the specified table.
`void`	`checkCanDropColumn(TransactionId transactionId, Identity identity, QualifiedObjectName tableName)` Check if identity is allowed to drop columns from the specified table.
`void`	`checkCanDropRole(TransactionId transactionId, Identity identity, String role, String catalogName)` Check if identity is allowed to drop the specified role.
`void`	`checkCanDropSchema(TransactionId transactionId, Identity identity, CatalogSchemaName schemaName)` Check if identity is allowed to drop the specified schema.
`void`	`checkCanDropTable(TransactionId transactionId, Identity identity, QualifiedObjectName tableName)` Check if identity is allowed to drop the specified table.
`void`	`checkCanDropView(TransactionId transactionId, Identity identity, QualifiedObjectName viewName)` Check if identity is allowed to drop the specified view.
`void`	`checkCanGrantRoles(TransactionId transactionId, Identity identity, Set<String> roles, Set<PrestoPrincipal> grantees, boolean withAdminOption, Optional<PrestoPrincipal> grantor, String catalogName)` Check if identity is allowed to grant the specified roles to the specified principals.
`void`	`checkCanGrantTablePrivilege(TransactionId transactionId, Identity identity, Privilege privilege, QualifiedObjectName tableName, PrestoPrincipal grantee, boolean withGrantOption)` Check if identity is allowed to grant a privilege to the grantee on the specified table.
`void`	`checkCanInsertIntoTable(TransactionId transactionId, Identity identity, QualifiedObjectName tableName)` Check if identity is allowed to insert into the specified table.
`void`	`checkCanRenameColumn(TransactionId transactionId, Identity identity, QualifiedObjectName tableName)` Check if identity is allowed to rename a column in the specified table.
`void`	`checkCanRenameSchema(TransactionId transactionId, Identity identity, CatalogSchemaName schemaName, String newSchemaName)` Check if identity is allowed to rename the specified schema.
`void`	`checkCanRenameTable(TransactionId transactionId, Identity identity, QualifiedObjectName tableName, QualifiedObjectName newTableName)` Check if identity is allowed to rename the specified table.
`void`	`checkCanRevokeRoles(TransactionId transactionId, Identity identity, Set<String> roles, Set<PrestoPrincipal> grantees, boolean adminOptionFor, Optional<PrestoPrincipal> grantor, String catalogName)` Check if identity is allowed to revoke the specified roles from the specified principals.
`void`	`checkCanRevokeTablePrivilege(TransactionId transactionId, Identity identity, Privilege privilege, QualifiedObjectName tableName, PrestoPrincipal revokee, boolean grantOptionFor)` Check if identity is allowed to revoke a privilege from the revokee on the specified table.
`void`	`checkCanSelectFromColumns(TransactionId transactionId, Identity identity, QualifiedObjectName tableName, Set<String> columnNames)` Check if identity is allowed to select from the specified columns.
`void`	`checkCanSetCatalogSessionProperty(TransactionId transactionId, Identity identity, String catalogName, String propertyName)` Check if identity is allowed to set the specified catalog property.
`void`	`checkCanSetRole(TransactionId requiredTransactionId, Identity identity, String role, String catalog)` Check if identity is allowed to set role for specified catalog.
`void`	`checkCanSetSystemSessionProperty(Identity identity, String propertyName)` Check if identity is allowed to set the specified system property.
`void`	`checkCanSetTableComment(TransactionId transactionId, Identity identity, QualifiedObjectName tableName)` Check if identity is allowed to comment the specified table.
`void`	`checkCanSetUser(Optional<Principal> principal, String userName)` Check if the principal is allowed to be the specified user.
`void`	`checkCanShowColumnsMetadata(TransactionId transactionId, Identity identity, CatalogSchemaTableName table)` Check if identity is allowed to show columns of tables by executing SHOW COLUMNS, DESCRIBE etc.
`void`	`checkCanShowCurrentRoles(TransactionId transactionId, Identity identity, String catalogName)` Check if identity is allowed to show current roles on the specified catalog.
`void`	`checkCanShowRoleGrants(TransactionId transactionId, Identity identity, String catalogName)` Check if identity is allowed to show its own role grants on the specified catalog.
`void`	`checkCanShowRoles(TransactionId transactionId, Identity identity, String catalogName)` Check if identity is allowed to show roles on the specified catalog.
`void`	`checkCanShowSchemas(TransactionId transactionId, Identity identity, String catalogName)` Check if identity is allowed to execute SHOW SCHEMAS in a catalog.
`void`	`checkCanShowTablesMetadata(TransactionId transactionId, Identity identity, CatalogSchemaName schema)` Check if identity is allowed to show metadata of tables by executing SHOW TABLES, SHOW GRANTS etc.
`Set<String>`	`filterCatalogs(Identity identity, Set<String> catalogs)` Filter the list of catalogs to those visible to the identity.
`List<ColumnMetadata>`	`filterColumns(TransactionId transactionId, Identity identity, CatalogSchemaTableName tableName, List<ColumnMetadata> columns)` Filter the list of columns to those visible to the identity.
`Set<String>`	`filterSchemas(TransactionId transactionId, Identity identity, String catalogName, Set<String> schemaNames)` Filter the list of schemas in a catalog to those visible to the identity.
`Set<SchemaTableName>`	`filterTables(TransactionId transactionId, Identity identity, String catalogName, Set<SchemaTableName> tableNames)` Filter the list of tables and views to those visible to the identity.

Method Detail

checkCanSetUser
```
void checkCanSetUser(Optional<Principal> principal,
                     String userName)
```
Check if the principal is allowed to be the specified user.

Throws:

AccessDeniedException - if not allowed

filterCatalogs

Set<String> filterCatalogs(Identity identity,
                           Set<String> catalogs)

Filter the list of catalogs to those visible to the identity.

checkCanAccessCatalog

void checkCanAccessCatalog(Identity identity,
                           String catalogName)

Check whether identity is allowed to access catalog

checkCanCreateSchema

void checkCanCreateSchema(TransactionId transactionId,
                          Identity identity,
                          CatalogSchemaName schemaName)

Check if identity is allowed to create the specified schema.

Throws:: AccessDeniedException - if not allowed

checkCanDropSchema

void checkCanDropSchema(TransactionId transactionId,
                        Identity identity,
                        CatalogSchemaName schemaName)

Check if identity is allowed to drop the specified schema.

Throws:: AccessDeniedException - if not allowed

checkCanRenameSchema

void checkCanRenameSchema(TransactionId transactionId,
                          Identity identity,
                          CatalogSchemaName schemaName,
                          String newSchemaName)

Check if identity is allowed to rename the specified schema.

Throws:: AccessDeniedException - if not allowed

checkCanShowSchemas
```
void checkCanShowSchemas(TransactionId transactionId,
                         Identity identity,
                         String catalogName)
```
Check if identity is allowed to execute SHOW SCHEMAS in a catalog.
NOTE: This method is only present to give users an error message when listing is not allowed. The filterSchemas(io.prestosql.transaction.TransactionId, io.prestosql.spi.security.Identity, java.lang.String, java.util.Set<java.lang.String>) method must filter all results for unauthorized users, since there are multiple ways to list schemas.

Throws:

AccessDeniedException - if not allowed

filterSchemas

Set<String> filterSchemas(TransactionId transactionId,
                          Identity identity,
                          String catalogName,
                          Set<String> schemaNames)

Filter the list of schemas in a catalog to those visible to the identity.

checkCanCreateTable

void checkCanCreateTable(TransactionId transactionId,
                         Identity identity,
                         QualifiedObjectName tableName)

Check if identity is allowed to create the specified table.

Throws:: AccessDeniedException - if not allowed

checkCanDropTable

void checkCanDropTable(TransactionId transactionId,
                       Identity identity,
                       QualifiedObjectName tableName)

Check if identity is allowed to drop the specified table.

Throws:: AccessDeniedException - if not allowed

checkCanRenameTable

void checkCanRenameTable(TransactionId transactionId,
                         Identity identity,
                         QualifiedObjectName tableName,
                         QualifiedObjectName newTableName)

Check if identity is allowed to rename the specified table.

Throws:: AccessDeniedException - if not allowed

checkCanSetTableComment

void checkCanSetTableComment(TransactionId transactionId,
                             Identity identity,
                             QualifiedObjectName tableName)

Check if identity is allowed to comment the specified table.

Throws:: AccessDeniedException - if not allowed

checkCanShowTablesMetadata
```
void checkCanShowTablesMetadata(TransactionId transactionId,
                                Identity identity,
                                CatalogSchemaName schema)
```
Check if identity is allowed to show metadata of tables by executing SHOW TABLES, SHOW GRANTS etc. in a catalog.
NOTE: This method is only present to give users an error message when listing is not allowed. The filterTables(io.prestosql.transaction.TransactionId, io.prestosql.spi.security.Identity, java.lang.String, java.util.Set<io.prestosql.spi.connector.SchemaTableName>) method must filter all results for unauthorized users, since there are multiple ways to list tables.

Throws:

AccessDeniedException - if not allowed

filterTables

Set<SchemaTableName> filterTables(TransactionId transactionId,
                                  Identity identity,
                                  String catalogName,
                                  Set<SchemaTableName> tableNames)

Filter the list of tables and views to those visible to the identity.

checkCanShowColumnsMetadata
```
void checkCanShowColumnsMetadata(TransactionId transactionId,
                                 Identity identity,
                                 CatalogSchemaTableName table)
```
Check if identity is allowed to show columns of tables by executing SHOW COLUMNS, DESCRIBE etc.
NOTE: This method is only present to give users an error message when listing is not allowed. The filterColumns(io.prestosql.transaction.TransactionId, io.prestosql.spi.security.Identity, io.prestosql.spi.connector.CatalogSchemaTableName, java.util.List<io.prestosql.spi.connector.ColumnMetadata>) method must filter all results for unauthorized users, since there are multiple ways to list columns.

Throws:

AccessDeniedException - if not allowed

filterColumns

List<ColumnMetadata> filterColumns(TransactionId transactionId,
                                   Identity identity,
                                   CatalogSchemaTableName tableName,
                                   List<ColumnMetadata> columns)

Filter the list of columns to those visible to the identity.

checkCanAddColumns

void checkCanAddColumns(TransactionId transactionId,
                        Identity identity,
                        QualifiedObjectName tableName)

Check if identity is allowed to add columns to the specified table.

Throws:: AccessDeniedException - if not allowed

checkCanDropColumn

void checkCanDropColumn(TransactionId transactionId,
                        Identity identity,
                        QualifiedObjectName tableName)

Check if identity is allowed to drop columns from the specified table.

Throws:: AccessDeniedException - if not allowed

checkCanRenameColumn

void checkCanRenameColumn(TransactionId transactionId,
                          Identity identity,
                          QualifiedObjectName tableName)

Check if identity is allowed to rename a column in the specified table.

Throws:: AccessDeniedException - if not allowed

checkCanInsertIntoTable

void checkCanInsertIntoTable(TransactionId transactionId,
                             Identity identity,
                             QualifiedObjectName tableName)

Check if identity is allowed to insert into the specified table.

Throws:: AccessDeniedException - if not allowed

checkCanDeleteFromTable

void checkCanDeleteFromTable(TransactionId transactionId,
                             Identity identity,
                             QualifiedObjectName tableName)

Check if identity is allowed to delete from the specified table.

Throws:: AccessDeniedException - if not allowed

checkCanCreateView

void checkCanCreateView(TransactionId transactionId,
                        Identity identity,
                        QualifiedObjectName viewName)

Check if identity is allowed to create the specified view.

Throws:: AccessDeniedException - if not allowed

checkCanDropView

void checkCanDropView(TransactionId transactionId,
                      Identity identity,
                      QualifiedObjectName viewName)

Check if identity is allowed to drop the specified view.

Throws:: AccessDeniedException - if not allowed

checkCanCreateViewWithSelectFromColumns

void checkCanCreateViewWithSelectFromColumns(TransactionId transactionId,
                                             Identity identity,
                                             QualifiedObjectName tableName,
                                             Set<String> columnNames)

Check if identity is allowed to create a view that selects from the specified columns.

Throws:: AccessDeniedException - if not allowed

checkCanGrantTablePrivilege

void checkCanGrantTablePrivilege(TransactionId transactionId,
                                 Identity identity,
                                 Privilege privilege,
                                 QualifiedObjectName tableName,
                                 PrestoPrincipal grantee,
                                 boolean withGrantOption)

Check if identity is allowed to grant a privilege to the grantee on the specified table.

Throws:: AccessDeniedException - if not allowed

checkCanRevokeTablePrivilege

void checkCanRevokeTablePrivilege(TransactionId transactionId,
                                  Identity identity,
                                  Privilege privilege,
                                  QualifiedObjectName tableName,
                                  PrestoPrincipal revokee,
                                  boolean grantOptionFor)

Check if identity is allowed to revoke a privilege from the revokee on the specified table.

Throws:: AccessDeniedException - if not allowed

checkCanSetSystemSessionProperty

void checkCanSetSystemSessionProperty(Identity identity,
                                      String propertyName)

Check if identity is allowed to set the specified system property.

Throws:: AccessDeniedException - if not allowed

checkCanSetCatalogSessionProperty

void checkCanSetCatalogSessionProperty(TransactionId transactionId,
                                       Identity identity,
                                       String catalogName,
                                       String propertyName)

Check if identity is allowed to set the specified catalog property.

Throws:: AccessDeniedException - if not allowed

checkCanSelectFromColumns

void checkCanSelectFromColumns(TransactionId transactionId,
                               Identity identity,
                               QualifiedObjectName tableName,
                               Set<String> columnNames)

Check if identity is allowed to select from the specified columns. The column set can be empty.

Throws:: AccessDeniedException - if not allowed

checkCanCreateRole

void checkCanCreateRole(TransactionId transactionId,
                        Identity identity,
                        String role,
                        Optional<PrestoPrincipal> grantor,
                        String catalogName)

Check if identity is allowed to create the specified role.

Throws:: AccessDeniedException - if not allowed

checkCanDropRole

void checkCanDropRole(TransactionId transactionId,
                      Identity identity,
                      String role,
                      String catalogName)

Check if identity is allowed to drop the specified role.

Throws:: AccessDeniedException - if not allowed

checkCanGrantRoles

void checkCanGrantRoles(TransactionId transactionId,
                        Identity identity,
                        Set<String> roles,
                        Set<PrestoPrincipal> grantees,
                        boolean withAdminOption,
                        Optional<PrestoPrincipal> grantor,
                        String catalogName)

Check if identity is allowed to grant the specified roles to the specified principals.

Throws:: AccessDeniedException - if not allowed

checkCanRevokeRoles

void checkCanRevokeRoles(TransactionId transactionId,
                         Identity identity,
                         Set<String> roles,
                         Set<PrestoPrincipal> grantees,
                         boolean adminOptionFor,
                         Optional<PrestoPrincipal> grantor,
                         String catalogName)

Check if identity is allowed to revoke the specified roles from the specified principals.

Throws:: AccessDeniedException - if not allowed

checkCanSetRole

void checkCanSetRole(TransactionId requiredTransactionId,
                     Identity identity,
                     String role,
                     String catalog)

Check if identity is allowed to set role for specified catalog.

Throws:: AccessDeniedException - if not allowed

checkCanShowRoles

void checkCanShowRoles(TransactionId transactionId,
                       Identity identity,
                       String catalogName)

Check if identity is allowed to show roles on the specified catalog.

Throws:: AccessDeniedException - if not allowed

checkCanShowCurrentRoles

void checkCanShowCurrentRoles(TransactionId transactionId,
                              Identity identity,
                              String catalogName)

Check if identity is allowed to show current roles on the specified catalog.

Throws:: AccessDeniedException - if not allowed

checkCanShowRoleGrants

void checkCanShowRoleGrants(TransactionId transactionId,
                            Identity identity,
                            String catalogName)

Check if identity is allowed to show its own role grants on the specified catalog.

Throws:: AccessDeniedException - if not allowed

Interface AccessControl