Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support role management (v3) #10904

Closed
wants to merge 57 commits into from
Closed

Support role management (v3) #10904

wants to merge 57 commits into from

Conversation

findepi
Copy link
Contributor

@findepi findepi commented Jun 25, 2018

This PR enables roles management through Presto.

It covers all the syntax explained here: Teradata#494

Although the PR is enormous - it can be reviewed and merged partially.

  1. CREATE/DROP/LIST ROLES - commits through Introduce CREATE ROLE and DROP ROLE statements to Implement Create/Drop/List roles in Hive connector

  2. GRANT/REVOKE ROLES - commits through Introduce GRANT/REVOKE roles statements to Prepare metastore interface to accept ROLE for GRANT/REVOKE

  3. SET ROLE - commits through Introduce SET ROLE statement to Accept ROLE in GRANT/REVOKE Privileges statements

  4. SHOW ROLES, SHOW CURRENT ROLES, SHOW ROLE GRANTS shortcuts - commits through Add SHOW ROLES to the parser to Access control for SHOW ROLE GRANTS and SHOW CURRENT ROLES

  5. Consider role set with SET ROLE when checking permissions - commits through Remove redundant checkDatabasePermission methods to More product tests for SET ROLE

  6. Roles management documentation - Document role management

Supersedes #9366

@findepi findepi mentioned this pull request Jun 25, 2018
Closed
@findepi findepi force-pushed the epic/support-role-management/pr3 branch 8 times, most recently from 7dc6bbc to abe2f68 Compare June 25, 2018 20:58
@findepi findepi changed the title Support role management (v3) [WIP, Don't review just yet] Support role management (v3) Jun 26, 2018
@findepi findepi force-pushed the epic/support-role-management/pr3 branch 4 times, most recently from 7e6cefd to d40b3be Compare June 26, 2018 12:01
Andrii Rosa added 15 commits June 26, 2018 14:13
@findepi
Introduce CREATE ROLE and DROP ROLE statements
aef4030
@findepi
Move PrincipalType to presto-spi
54dd85f
@findepi
Expose Create/Drop/List roles methods in SPI
9681b93
@findepi
Introduce <catalog>.information_schema.roles table
ad6f88a
@findepi
Assign admin role to subset of users in FileHiveMetastore
a083428
@findepi
Implement Create/Drop/List roles in Hive connector
16176e7
@findepi
Introduce GRANT/REVOKE roles statements
db56f71
@findepi
Add Grant/Revoke/List roles authorization to the SPI
d8aa107
@findepi
Introduce APPLICABLE_ROLES view
2f2a8e5
@findepi
Implement Grant/Revoke/ListApplicableRoles in Hive
be94995
@findepi
Refactor GRANT/REVOKE in Hive
76e8579 
Leverage newly introduced method for recursive role grants traversal
@findepi
Introduce access control for GRANT/REVOKE ROLE
71fcd54
@findepi
Prepare metastore interface to accept ROLE for GRANT/REVOKE
c25c837
@findepi
Introduce SET ROLE statement
ba79f9f
@findepi
Introduce ConnectorIdentity
344461c 
Identity must hold all the selected roles for all the catalogs.
ConnectorIdentity holds only the role selected for some particular catalog.
sopel39 pushed a commit to trinodb/trino that referenced this pull request Jan 29, 2019
@sopel39
Introduce isTableOwner method for readability
a20e9af 
Extracted-From: prestodb/presto#10904
sopel39 pushed a commit to trinodb/trino that referenced this pull request Jan 29, 2019
@sopel39
Simplify checkTablePermission
709de9d 
Extracted-From: prestodb/presto#10904
sopel39 pushed a commit to trinodb/trino that referenced this pull request Jan 29, 2019
@sopel39
Refactor canCreateView security checks
53b13c9 
hasGrantOptionForPrivilege cannot be used in security checks for createView
because it doesn't consider the session role.

Extracted-From: prestodb/presto#10904
sopel39 pushed a commit to trinodb/trino that referenced this pull request Jan 29, 2019
@sopel39
Consider enabled roles for permissions
c603474 
Extracted-From: prestodb/presto#10904
sopel39 pushed a commit to trinodb/trino that referenced this pull request Jan 29, 2019
@sopel39
Refactor HivePrivilegeInfo
de9890c 
Extracted-From: prestodb/presto#10904
sopel39 pushed a commit to trinodb/trino that referenced this pull request Jan 29, 2019
@sopel39
Reorder methods in HivePrivilegeInfo
18603de 
Extracted-From: prestodb/presto#10904
sopel39 pushed a commit to trinodb/trino that referenced this pull request Jan 29, 2019
@sopel39
Move parsePrivilege to MetastoreUtil
0f2e2e3 
Extracted-From: prestodb/presto#10904
sopel39 pushed a commit to trinodb/trino that referenced this pull request Jan 29, 2019
@sopel39
Add grantor to HivePrivilegeInfo
0ba3120 
Extracted-From: prestodb/presto#10904
sopel39 pushed a commit to trinodb/trino that referenced this pull request Jan 29, 2019
@sopel39
Add grantor_type and grantee_type columns to table_privileges
0beeb77 
Extracted-From: prestodb/presto#10904
sopel39 pushed a commit to trinodb/trino that referenced this pull request Jan 29, 2019
@sopel39
More product tests for SET ROLE
87063ee 
Verify that role set with `SET ROLE` is considering during the access check.

Extracted-From: prestodb/presto#10904
sopel39 pushed a commit to trinodb/trino that referenced this pull request Jan 29, 2019
@sopel39
Document role management
f5fe03d 
Extracted-From: prestodb/presto#10904
sopel39 pushed a commit to trinodb/trino that referenced this pull request Jan 29, 2019
@sopel39
Catalog access control for roles
21ceed6 
Extracted-From: prestodb/presto#10904
sopel39 pushed a commit to trinodb/trino that referenced this pull request Jan 29, 2019
@kokosing @sopel39
Remove unused metastore statistics beans
5db2f71 
Extracted-From: prestodb/presto#10904
sopel39 pushed a commit to trinodb/trino that referenced this pull request Jan 29, 2019
@kokosing @sopel39
Extract role name constants
7427e3a 
Extracted-From: prestodb/presto#10904
sopel39 pushed a commit to trinodb/trino that referenced this pull request Jan 29, 2019
@kokosing @sopel39
Enumerate roles until enabled role is found
6910a27 
Previously when SqlStandardAccessControl was checking if given role is
enabled, it listed all role grants and check if that role is is among
all listed role grants.
Now it list all role grants until it finds that role.

Extracted-From: prestodb/presto#10904
sopel39 pushed a commit to trinodb/trino that referenced this pull request Jan 29, 2019
@kokosing @sopel39
Make ThriftMetastoreUtil.list*Roles methods to return Stream
0c2fa44 
That way roles are enumerated lazily.

Extracted-From: prestodb/presto#10904
sopel39 pushed a commit to trinodb/trino that referenced this pull request Jan 29, 2019
@kokosing @sopel39
Make list*TablePrivileges to return Stream
1d11c06 
This way table privileges are enumerated lazily.

Extracted-From: prestodb/presto#10904
sopel39 pushed a commit to trinodb/trino that referenced this pull request Jan 29, 2019
@anusudarsan @sopel39
Fix listing privileges of tables owned by an user
fb93b6e 
Currently Presto shows that the owner of a table
has ALL privileges, even after some privileges are revoked.
This commit fixes this issue by listing only privileges
actually present in the metastore.

Extracted-From: prestodb/presto#10904
sopel39 pushed a commit to trinodb/trino that referenced this pull request Jan 29, 2019
@anusudarsan @sopel39
Fix listing privileges when admin role is set
20cf120 
Presto currently lists only privilges of the
tables owned by the current user, even after the
admin role is set. This commit fixes this and lists all
privileges for admins.

Extracted-From: prestodb/presto#10904
sopel39 pushed a commit to trinodb/trino that referenced this pull request Jan 29, 2019
@kokosing @sopel39
Fix rewrite SHOW GRANTS as a SELECT query
729f646 
When tables of the same name exist across different schemas, Presto lists privileges
of the table from all schemas instead of the single schema mentioned in the
SHOW GRANTS query. This commit fixes the issue.

Extracted-From: prestodb/presto#10904
sopel39 pushed a commit to trinodb/trino that referenced this pull request Jan 29, 2019
@kokosing @sopel39
Remove 'IN catalog' syntax from role management commands
eadfb43 
Extracted-From: prestodb/presto#10904
sopel39 added a commit to trinodb/trino that referenced this pull request Jan 29, 2019
@sopel39
Refactor RecordingHiveMetastore to make it consistent between releases
f958f81 
Extracted-From: prestodb/presto#10904
@findepi findepi deleted the epic/support-role-management/pr3 branch January 29, 2019 12:53
arhimondr pushed a commit to arhimondr/presto that referenced this pull request Feb 27, 2019
@sopel39 @arhimondr
Refactor RecordingHiveMetastore to make it consistent between releases
ea06d6e 
Extracted-From: prestodb#10904
arhimondr pushed a commit that referenced this pull request Feb 27, 2019
@sopel39 @arhimondr
Refactor RecordingHiveMetastore to make it consistent between releases
837caf3 
Extracted-From: #10904
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kokosing kokosing kokosing left review comments

@sopel39 sopel39 sopel39 left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
8 participants
@findepi @tooptoop4 @kokosing @arhimondr @sopel39 @facebook-github-bot @cawallin @anusudarsan