Package io.trino.testing

Class TestingAccessControlManager

java.lang.Object

io.trino.security.AccessControlManager

io.trino.testing.TestingAccessControlManager

All Implemented Interfaces:

AccessControl

public class TestingAccessControlManager
extends AccessControlManager

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	TestingAccessControlManager.TestingPrivilege
static enum	TestingAccessControlManager.TestingPrivilegeType

Constructor Summary

Constructors

Constructor	Description
TestingAccessControlManager(TransactionManager transactionManager, EventListenerManager eventListenerManager)
TestingAccessControlManager(TransactionManager transactionManager, EventListenerManager eventListenerManager, AccessControlConfig accessControlConfig, io.opentelemetry.api.OpenTelemetry openTelemetry)

Method Summary

Modifier and Type	Method	Description
boolean	canCreateViewWithExecuteFunction(SecurityContext context, QualifiedObjectName functionName)	Is the identity allowed to create a view that executes the specified function?
boolean	canExecuteFunction(SecurityContext context, QualifiedObjectName functionName)	Is the identity allowed to execute function?
void	checkCanAddColumns(SecurityContext context, QualifiedObjectName tableName)	Check if identity is allowed to add columns to the specified table.
void	checkCanAlterColumn(SecurityContext context, QualifiedObjectName tableName)	Check if identity is allowed to alter columns to the specified table.
void	checkCanCreateMaterializedView(SecurityContext context, QualifiedObjectName materializedViewName, Map<String,Object> properties)	Check if identity is allowed to create the specified materialized view.
void	checkCanCreateSchema(SecurityContext context, CatalogSchemaName schemaName, Map<String,Object> properties)	Check if identity is allowed to create the specified schema.
void	checkCanCreateTable(SecurityContext context, QualifiedObjectName tableName, Map<String,Object> properties)	Check if identity is allowed to create the specified table with properties.
void	checkCanCreateView(SecurityContext context, QualifiedObjectName viewName)	Check if identity is allowed to create the specified view.
void	checkCanCreateViewWithSelectFromColumns(SecurityContext context, QualifiedObjectName tableName, Set<String> columnNames)	Check if identity is allowed to create a view that selects from the specified columns.
void	checkCanDeleteFromTable(SecurityContext context, QualifiedObjectName tableName)	Check if identity is allowed to delete from the specified table.
void	checkCanDropColumn(SecurityContext context, QualifiedObjectName tableName)	Check if identity is allowed to drop columns from the specified table.
void	checkCanDropMaterializedView(SecurityContext context, QualifiedObjectName materializedViewName)	Check if identity is allowed to drop the specified materialized view.
void	checkCanDropSchema(SecurityContext context, CatalogSchemaName schemaName)	Check if identity is allowed to drop the specified schema.
void	checkCanDropTable(SecurityContext context, QualifiedObjectName tableName)	Check if identity is allowed to drop the specified table.
void	checkCanDropView(SecurityContext context, QualifiedObjectName viewName)	Check if identity is allowed to drop the specified view.
void	checkCanExecuteQuery(Identity identity)	Checks if identity can execute a query.
void	checkCanExecuteTableProcedure(SecurityContext context, QualifiedObjectName table, String procedure)	Check if identity is allowed to execute given table procedure on given table
void	checkCanImpersonateUser(Identity identity, String userName)	Check if the identity is allowed impersonate the specified user.
void	checkCanInsertIntoTable(SecurityContext context, QualifiedObjectName tableName)	Check if identity is allowed to insert into the specified table.
void	checkCanKillQueryOwnedBy(Identity identity, Identity queryOwner)	Checks if identity can kill a query owned by the specified user.
void	checkCanRefreshMaterializedView(SecurityContext context, QualifiedObjectName materializedViewName)	Check if identity is allowed to refresh the specified materialized view.
void	checkCanRenameColumn(SecurityContext context, QualifiedObjectName tableName)	Check if identity is allowed to rename a column in the specified table.
void	checkCanRenameMaterializedView(SecurityContext context, QualifiedObjectName viewName, QualifiedObjectName newViewName)	Check if identity is allowed to rename the specified materialized view.
void	checkCanRenameSchema(SecurityContext context, CatalogSchemaName schemaName, String newSchemaName)	Check if identity is allowed to rename the specified schema.
void	checkCanRenameTable(SecurityContext context, QualifiedObjectName tableName, QualifiedObjectName newTableName)	Check if identity is allowed to rename the specified table.
void	checkCanRenameView(SecurityContext context, QualifiedObjectName viewName, QualifiedObjectName newViewName)	Check if identity is allowed to rename the specified view.
void	checkCanSelectFromColumns(SecurityContext context, QualifiedObjectName tableName, Set<String> columns)	Check if identity is allowed to select from the specified columns.
void	checkCanSetCatalogSessionProperty(SecurityContext context, String catalogName, String propertyName)	Check if identity is allowed to set the specified catalog property.
void	checkCanSetColumnComment(SecurityContext context, QualifiedObjectName tableName)	Check if identity is allowed to comment the specified column.
void	checkCanSetMaterializedViewProperties(SecurityContext context, QualifiedObjectName materializedViewName, Map<String,Optional<Object>> properties)	Check if identity is allowed to set the properties of the specified materialized view.
void	checkCanSetSystemSessionProperty(Identity identity, String propertyName)	Check if identity is allowed to set the specified system property.
void	checkCanSetTableComment(SecurityContext context, QualifiedObjectName tableName)	Check if identity is allowed to comment the specified table.
void	checkCanSetTableProperties(SecurityContext context, QualifiedObjectName tableName, Map<String,Optional<Object>> properties)	Check if identity is allowed to set properties to the specified table.
void	checkCanSetUser(Optional<Principal> principal, String userName)	Deprecated.
void	checkCanSetViewComment(SecurityContext context, QualifiedObjectName viewName)	Check if identity is allowed to comment the specified view.
void	checkCanShowColumns(SecurityContext context, CatalogSchemaTableName table)	Check if identity is allowed to show columns of tables by executing SHOW COLUMNS, DESCRIBE etc.
void	checkCanShowCreateTable(SecurityContext context, QualifiedObjectName tableName)	Check if identity is allowed to execute SHOW CREATE TABLE, SHOW CREATE VIEW or SHOW CREATE MATERIALIZED VIEW
void	checkCanTruncateTable(SecurityContext context, QualifiedObjectName tableName)	Check if identity is allowed to truncate the specified table.
void	checkCanUpdateTableColumns(SecurityContext context, QualifiedObjectName tableName, Set<String> updatedColumnNames)	Check if identity is allowed to update the specified table.
void	checkCanViewQueryOwnedBy(Identity identity, Identity queryOwner)	Checks if identity can view a query owned by the specified user.
void	columnMask(QualifiedObjectName table, String column, String identity, ViewExpression mask)
void	deny(TestingAccessControlManager.TestingPrivilege... deniedPrivileges)
void	denyCatalogs(Predicate<String> deniedCatalogs)
void	denyIdentityTable(BiPredicate<Identity,String> denyIdentityTable)
void	denySchemas(Predicate<String> deniedSchemas)
void	denyTables(Predicate<SchemaTableName> deniedTables)
Set<String>	filterCatalogs(SecurityContext securityContext, Set<String> catalogs)	Filter the list of catalogs to those visible to the identity.
Map<SchemaTableName,Set<String>>	filterColumns(SecurityContext context, String catalogName, Map<SchemaTableName,Set<String>> tableColumns)	Filter lists of columns of multiple tables to those visible to the identity.
Collection<Identity>	filterQueriesOwnedBy(Identity identity, Collection<Identity> owners)	Filter the list of users to those the identity view query owned by the user.
Set<String>	filterSchemas(SecurityContext securityContext, String catalogName, Set<String> schemaNames)	Filter the list of schemas in a catalog to those visible to the identity.
Set<SchemaTableName>	filterTables(SecurityContext context, String catalogName, Set<SchemaTableName> tableNames)	Filter the list of tables, materialized views and views to those visible to the identity.
Optional<ViewExpression>	getColumnMask(SecurityContext context, QualifiedObjectName tableName, String column, Type type)
List<ViewExpression>	getRowFilters(SecurityContext context, QualifiedObjectName tableName)
static TestingAccessControlManager.TestingPrivilege	privilege(String entityName, TestingAccessControlManager.TestingPrivilegeType type)
static TestingAccessControlManager.TestingPrivilege	privilege(String actorName, String entityName, TestingAccessControlManager.TestingPrivilegeType type)
void	reset()
void	rowFilter(QualifiedObjectName table, String identity, ViewExpression filter)

Methods inherited from class io.trino.security.AccessControlManager

addSystemAccessControlFactory, checkCanCreateCatalog, checkCanCreateFunction, checkCanCreateRole, checkCanDenyEntityPrivilege, checkCanDenySchemaPrivilege, checkCanDenyTablePrivilege, checkCanDropCatalog, checkCanDropFunction, checkCanDropRole, checkCanExecuteProcedure, checkCanGrantEntityPrivilege, checkCanGrantRoles, checkCanGrantSchemaPrivilege, checkCanGrantTablePrivilege, checkCanReadSystemInformation, checkCanRevokeEntityPrivilege, checkCanRevokeRoles, checkCanRevokeSchemaPrivilege, checkCanRevokeTablePrivilege, checkCanSetCatalogRole, checkCanSetSchemaAuthorization, checkCanSetTableAuthorization, checkCanSetViewAuthorization, checkCanShowCreateSchema, checkCanShowCurrentRoles, checkCanShowFunctions, checkCanShowRoleGrants, checkCanShowRoles, checkCanShowSchemas, checkCanShowTables, checkCanWriteSystemInformation, destroy, filterFunctions, getAuthorizationFail, getAuthorizationSuccess, loadSystemAccessControl, loadSystemAccessControl, setConnectorAccessControlProvider, setSystemAccessControls

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

TestingAccessControlManager

@Inject
public TestingAccessControlManager(TransactionManager transactionManager,
 EventListenerManager eventListenerManager,
 AccessControlConfig accessControlConfig,
 io.opentelemetry.api.OpenTelemetry openTelemetry)

TestingAccessControlManager

public TestingAccessControlManager(TransactionManager transactionManager,
 EventListenerManager eventListenerManager)

Method Details

privilege

public static TestingAccessControlManager.TestingPrivilege privilege(String entityName,
 TestingAccessControlManager.TestingPrivilegeType type)

privilege

public static TestingAccessControlManager.TestingPrivilege privilege(String actorName,
 String entityName,
 TestingAccessControlManager.TestingPrivilegeType type)

deny

public void deny(TestingAccessControlManager.TestingPrivilege... deniedPrivileges)

rowFilter

public void rowFilter(QualifiedObjectName table,
 String identity,
 ViewExpression filter)

columnMask

public void columnMask(QualifiedObjectName table,
 String column,
 String identity,
 ViewExpression mask)

reset

public void reset()

denyCatalogs

public void denyCatalogs(Predicate<String> deniedCatalogs)

denySchemas

public void denySchemas(Predicate<String> deniedSchemas)

denyTables

public void denyTables(Predicate<SchemaTableName> deniedTables)

denyIdentityTable

public void denyIdentityTable(BiPredicate<Identity,String> denyIdentityTable)

filterCatalogs

public Set<String> filterCatalogs(SecurityContext securityContext,
 Set<String> catalogs)

Description copied from interface: AccessControl

Filter the list of catalogs to those visible to the identity.

Specified by:

filterCatalogs in interface AccessControl

Overrides:

filterCatalogs in class AccessControlManager

filterSchemas

public Set<String> filterSchemas(SecurityContext securityContext,
 String catalogName,
 Set<String> schemaNames)

Description copied from interface: AccessControl

Filter the list of schemas in a catalog to those visible to the identity.

Specified by:

filterSchemas in interface AccessControl

Overrides:

filterSchemas in class AccessControlManager

filterTables

public Set<SchemaTableName> filterTables(SecurityContext context,
 String catalogName,
 Set<SchemaTableName> tableNames)

Description copied from interface: AccessControl

Filter the list of tables, materialized views and views to those visible to the identity.

Specified by:

filterTables in interface AccessControl

Overrides:

filterTables in class AccessControlManager

checkCanImpersonateUser

public void checkCanImpersonateUser(Identity identity,
 String userName)

Description copied from interface: AccessControl

Check if the identity is allowed impersonate the specified user.

Specified by:

checkCanImpersonateUser in interface AccessControl

Overrides:

checkCanImpersonateUser in class AccessControlManager

checkCanSetUser

@Deprecated
public void checkCanSetUser(Optional<Principal> principal,
 String userName)

Deprecated.

Description copied from interface: AccessControl

Check if the principal is allowed to be the specified user.

Specified by:

checkCanSetUser in interface AccessControl

Overrides:

checkCanSetUser in class AccessControlManager

checkCanExecuteQuery

public void checkCanExecuteQuery(Identity identity)

Description copied from interface: AccessControl

Checks if identity can execute a query.

Specified by:

checkCanExecuteQuery in interface AccessControl

Overrides:

checkCanExecuteQuery in class AccessControlManager

checkCanViewQueryOwnedBy

public void checkCanViewQueryOwnedBy(Identity identity,
 Identity queryOwner)

Description copied from interface: AccessControl

Checks if identity can view a query owned by the specified user. The method will not be called when the current user is the query owner.

Specified by:

checkCanViewQueryOwnedBy in interface AccessControl

Overrides:

checkCanViewQueryOwnedBy in class AccessControlManager

filterQueriesOwnedBy

public Collection<Identity> filterQueriesOwnedBy(Identity identity,
 Collection<Identity> owners)

Description copied from interface: AccessControl

Filter the list of users to those the identity view query owned by the user. The method will not be called with the current user in the set.

Specified by:

filterQueriesOwnedBy in interface AccessControl

Overrides:

filterQueriesOwnedBy in class AccessControlManager

checkCanKillQueryOwnedBy

public void checkCanKillQueryOwnedBy(Identity identity,
 Identity queryOwner)

Description copied from interface: AccessControl

Checks if identity can kill a query owned by the specified user. The method will not be called when the current user is the query owner.

Specified by:

checkCanKillQueryOwnedBy in interface AccessControl

Overrides:

checkCanKillQueryOwnedBy in class AccessControlManager

checkCanCreateSchema

public void checkCanCreateSchema(SecurityContext context,
 CatalogSchemaName schemaName,
 Map<String,Object> properties)

Description copied from interface: AccessControl

Check if identity is allowed to create the specified schema.

Specified by:

checkCanCreateSchema in interface AccessControl

Overrides:

checkCanCreateSchema in class AccessControlManager

checkCanDropSchema

public void checkCanDropSchema(SecurityContext context,
 CatalogSchemaName schemaName)

Description copied from interface: AccessControl

Check if identity is allowed to drop the specified schema.

Specified by:

checkCanDropSchema in interface AccessControl

Overrides:

checkCanDropSchema in class AccessControlManager

checkCanRenameSchema

public void checkCanRenameSchema(SecurityContext context,
 CatalogSchemaName schemaName,
 String newSchemaName)

Description copied from interface: AccessControl

Check if identity is allowed to rename the specified schema.

Specified by:

checkCanRenameSchema in interface AccessControl

Overrides:

checkCanRenameSchema in class AccessControlManager

checkCanShowCreateTable

public void checkCanShowCreateTable(SecurityContext context,
 QualifiedObjectName tableName)

Description copied from interface: AccessControl

Check if identity is allowed to execute SHOW CREATE TABLE, SHOW CREATE VIEW or SHOW CREATE MATERIALIZED VIEW

Specified by:

checkCanShowCreateTable in interface AccessControl

Overrides:

checkCanShowCreateTable in class AccessControlManager

checkCanCreateTable

public void checkCanCreateTable(SecurityContext context,
 QualifiedObjectName tableName,
 Map<String,Object> properties)

Description copied from interface: AccessControl

Check if identity is allowed to create the specified table with properties.

Specified by:

checkCanCreateTable in interface AccessControl

Overrides:

checkCanCreateTable in class AccessControlManager

checkCanDropTable

public void checkCanDropTable(SecurityContext context,
 QualifiedObjectName tableName)

Description copied from interface: AccessControl

Check if identity is allowed to drop the specified table.

Specified by:

checkCanDropTable in interface AccessControl

Overrides:

checkCanDropTable in class AccessControlManager

checkCanRenameTable

public void checkCanRenameTable(SecurityContext context,
 QualifiedObjectName tableName,
 QualifiedObjectName newTableName)

Description copied from interface: AccessControl

Check if identity is allowed to rename the specified table.

Specified by:

checkCanRenameTable in interface AccessControl

Overrides:

checkCanRenameTable in class AccessControlManager

checkCanSetTableProperties

public void checkCanSetTableProperties(SecurityContext context,
 QualifiedObjectName tableName,
 Map<String,Optional<Object>> properties)

Description copied from interface: AccessControl

Check if identity is allowed to set properties to the specified table.

Specified by:

checkCanSetTableProperties in interface AccessControl

Overrides:

checkCanSetTableProperties in class AccessControlManager

checkCanSetTableComment

public void checkCanSetTableComment(SecurityContext context,
 QualifiedObjectName tableName)

Description copied from interface: AccessControl

Check if identity is allowed to comment the specified table.

Specified by:

checkCanSetTableComment in interface AccessControl

Overrides:

checkCanSetTableComment in class AccessControlManager

checkCanSetViewComment

public void checkCanSetViewComment(SecurityContext context,
 QualifiedObjectName viewName)

Description copied from interface: AccessControl

Check if identity is allowed to comment the specified view.

Specified by:

checkCanSetViewComment in interface AccessControl

Overrides:

checkCanSetViewComment in class AccessControlManager

checkCanSetColumnComment

public void checkCanSetColumnComment(SecurityContext context,
 QualifiedObjectName tableName)

Description copied from interface: AccessControl

Check if identity is allowed to comment the specified column.

Specified by:

checkCanSetColumnComment in interface AccessControl

Overrides:

checkCanSetColumnComment in class AccessControlManager

checkCanAddColumns

public void checkCanAddColumns(SecurityContext context,
 QualifiedObjectName tableName)

Description copied from interface: AccessControl

Check if identity is allowed to add columns to the specified table.

Specified by:

checkCanAddColumns in interface AccessControl

Overrides:

checkCanAddColumns in class AccessControlManager

checkCanDropColumn

public void checkCanDropColumn(SecurityContext context,
 QualifiedObjectName tableName)

Description copied from interface: AccessControl

Check if identity is allowed to drop columns from the specified table.

Specified by:

checkCanDropColumn in interface AccessControl

Overrides:

checkCanDropColumn in class AccessControlManager

checkCanRenameColumn

public void checkCanRenameColumn(SecurityContext context,
 QualifiedObjectName tableName)

Description copied from interface: AccessControl

Check if identity is allowed to rename a column in the specified table.

Specified by:

checkCanRenameColumn in interface AccessControl

Overrides:

checkCanRenameColumn in class AccessControlManager

checkCanAlterColumn

public void checkCanAlterColumn(SecurityContext context,
 QualifiedObjectName tableName)

Description copied from interface: AccessControl

Check if identity is allowed to alter columns to the specified table.

Specified by:

checkCanAlterColumn in interface AccessControl

Overrides:

checkCanAlterColumn in class AccessControlManager

checkCanInsertIntoTable

public void checkCanInsertIntoTable(SecurityContext context,
 QualifiedObjectName tableName)

Description copied from interface: AccessControl

Check if identity is allowed to insert into the specified table.

Specified by:

checkCanInsertIntoTable in interface AccessControl

Overrides:

checkCanInsertIntoTable in class AccessControlManager

checkCanDeleteFromTable

public void checkCanDeleteFromTable(SecurityContext context,
 QualifiedObjectName tableName)

Description copied from interface: AccessControl

Check if identity is allowed to delete from the specified table.

Specified by:

checkCanDeleteFromTable in interface AccessControl

Overrides:

checkCanDeleteFromTable in class AccessControlManager

checkCanTruncateTable

public void checkCanTruncateTable(SecurityContext context,
 QualifiedObjectName tableName)

Description copied from interface: AccessControl

Check if identity is allowed to truncate the specified table.

Specified by:

checkCanTruncateTable in interface AccessControl

Overrides:

checkCanTruncateTable in class AccessControlManager

checkCanUpdateTableColumns

public void checkCanUpdateTableColumns(SecurityContext context,
 QualifiedObjectName tableName,
 Set<String> updatedColumnNames)

Description copied from interface: AccessControl

Check if identity is allowed to update the specified table.

Specified by:

checkCanUpdateTableColumns in interface AccessControl

Overrides:

checkCanUpdateTableColumns in class AccessControlManager

checkCanCreateView

public void checkCanCreateView(SecurityContext context,
 QualifiedObjectName viewName)

Description copied from interface: AccessControl

Check if identity is allowed to create the specified view.

Specified by:

checkCanCreateView in interface AccessControl

Overrides:

checkCanCreateView in class AccessControlManager

checkCanRenameView

public void checkCanRenameView(SecurityContext context,
 QualifiedObjectName viewName,
 QualifiedObjectName newViewName)

Description copied from interface: AccessControl

Check if identity is allowed to rename the specified view.

Specified by:

checkCanRenameView in interface AccessControl

Overrides:

checkCanRenameView in class AccessControlManager

checkCanDropView

public void checkCanDropView(SecurityContext context,
 QualifiedObjectName viewName)

Description copied from interface: AccessControl

Check if identity is allowed to drop the specified view.

Specified by:

checkCanDropView in interface AccessControl

Overrides:

checkCanDropView in class AccessControlManager

checkCanSetSystemSessionProperty

public void checkCanSetSystemSessionProperty(Identity identity,
 String propertyName)

Description copied from interface: AccessControl

Check if identity is allowed to set the specified system property.

Specified by:

checkCanSetSystemSessionProperty in interface AccessControl

Overrides:

checkCanSetSystemSessionProperty in class AccessControlManager

checkCanCreateViewWithSelectFromColumns

public void checkCanCreateViewWithSelectFromColumns(SecurityContext context,
 QualifiedObjectName tableName,
 Set<String> columnNames)

Description copied from interface: AccessControl

Check if identity is allowed to create a view that selects from the specified columns.

Specified by:

checkCanCreateViewWithSelectFromColumns in interface AccessControl

Overrides:

checkCanCreateViewWithSelectFromColumns in class AccessControlManager

checkCanCreateMaterializedView

public void checkCanCreateMaterializedView(SecurityContext context,
 QualifiedObjectName materializedViewName,
 Map<String,Object> properties)

Description copied from interface: AccessControl

Check if identity is allowed to create the specified materialized view.

Specified by:

checkCanCreateMaterializedView in interface AccessControl

Overrides:

checkCanCreateMaterializedView in class AccessControlManager

checkCanRefreshMaterializedView

public void checkCanRefreshMaterializedView(SecurityContext context,
 QualifiedObjectName materializedViewName)

Description copied from interface: AccessControl

Check if identity is allowed to refresh the specified materialized view.

Specified by:

checkCanRefreshMaterializedView in interface AccessControl

Overrides:

checkCanRefreshMaterializedView in class AccessControlManager

checkCanDropMaterializedView

public void checkCanDropMaterializedView(SecurityContext context,
 QualifiedObjectName materializedViewName)

Description copied from interface: AccessControl

Check if identity is allowed to drop the specified materialized view.

Specified by:

checkCanDropMaterializedView in interface AccessControl

Overrides:

checkCanDropMaterializedView in class AccessControlManager

checkCanRenameMaterializedView

public void checkCanRenameMaterializedView(SecurityContext context,
 QualifiedObjectName viewName,
 QualifiedObjectName newViewName)

Description copied from interface: AccessControl

Check if identity is allowed to rename the specified materialized view.

Specified by:

checkCanRenameMaterializedView in interface AccessControl

Overrides:

checkCanRenameMaterializedView in class AccessControlManager

checkCanSetMaterializedViewProperties

public void checkCanSetMaterializedViewProperties(SecurityContext context,
 QualifiedObjectName materializedViewName,
 Map<String,Optional<Object>> properties)

Description copied from interface: AccessControl

Check if identity is allowed to set the properties of the specified materialized view.

Specified by:

checkCanSetMaterializedViewProperties in interface AccessControl

Overrides:

checkCanSetMaterializedViewProperties in class AccessControlManager

checkCanShowColumns

public void checkCanShowColumns(SecurityContext context,
 CatalogSchemaTableName table)

Description copied from interface: AccessControl

Check if identity is allowed to show columns of tables by executing SHOW COLUMNS, DESCRIBE etc.

NOTE: This method is only present to give users an error message when listing is not allowed. The AccessControl.filterColumns(io.trino.security.SecurityContext, java.lang.String, java.util.Map<io.trino.spi.connector.SchemaTableName, java.util.Set<java.lang.String>>) method must filter all results for unauthorized users, since there are multiple ways to list columns.

Specified by:

checkCanShowColumns in interface AccessControl

Overrides:

checkCanShowColumns in class AccessControlManager

filterColumns

public Map<SchemaTableName,Set<String>> filterColumns(SecurityContext context,
 String catalogName,
 Map<SchemaTableName,Set<String>> tableColumns)

Description copied from interface: AccessControl

Filter lists of columns of multiple tables to those visible to the identity.

Specified by:

filterColumns in interface AccessControl

Overrides:

filterColumns in class AccessControlManager

checkCanSetCatalogSessionProperty

public void checkCanSetCatalogSessionProperty(SecurityContext context,
 String catalogName,
 String propertyName)

Description copied from interface: AccessControl

Check if identity is allowed to set the specified catalog property.

Specified by:

checkCanSetCatalogSessionProperty in interface AccessControl

Overrides:

checkCanSetCatalogSessionProperty in class AccessControlManager

checkCanSelectFromColumns

public void checkCanSelectFromColumns(SecurityContext context,
 QualifiedObjectName tableName,
 Set<String> columns)

Description copied from interface: AccessControl

Check if identity is allowed to select from the specified columns. The column set can be empty.

Specified by:

checkCanSelectFromColumns in interface AccessControl

Overrides:

checkCanSelectFromColumns in class AccessControlManager

canExecuteFunction

public boolean canExecuteFunction(SecurityContext context,
 QualifiedObjectName functionName)

Description copied from interface: AccessControl

Is the identity allowed to execute function?

Specified by:

canExecuteFunction in interface AccessControl

Overrides:

canExecuteFunction in class AccessControlManager

canCreateViewWithExecuteFunction

public boolean canCreateViewWithExecuteFunction(SecurityContext context,
 QualifiedObjectName functionName)

Description copied from interface: AccessControl

Is the identity allowed to create a view that executes the specified function?

Specified by:

canCreateViewWithExecuteFunction in interface AccessControl

Overrides:

canCreateViewWithExecuteFunction in class AccessControlManager

checkCanExecuteTableProcedure

public void checkCanExecuteTableProcedure(SecurityContext context,
 QualifiedObjectName table,
 String procedure)

Description copied from interface: AccessControl

Check if identity is allowed to execute given table procedure on given table

Specified by:

checkCanExecuteTableProcedure in interface AccessControl

Overrides:

checkCanExecuteTableProcedure in class AccessControlManager

getRowFilters

public List<ViewExpression> getRowFilters(SecurityContext context,
 QualifiedObjectName tableName)

Specified by:

getRowFilters in interface AccessControl

Overrides:

getRowFilters in class AccessControlManager

getColumnMask

public Optional<ViewExpression> getColumnMask(SecurityContext context,
 QualifiedObjectName tableName,
 String column,
 Type type)

Specified by:

getColumnMask in interface AccessControl

Overrides:

getColumnMask in class AccessControlManager