[WIP] Support role management #7346

Closed
wants to merge 58 commits into from

Commits on Mar 20, 2017

  1. Add syntax support for SHOW GRANTS

    Amruta Gokhale authored and Andrii Rosa committed Mar 20, 2017
    1839203
  2. Add PrivilegeInfo class to SPI

    The grantOption flag in PrivilegeInfo represents
    the WITH GRANT OPTION clause in GRANT.
    
    Also add UPDATE privilege to the SPI Privilege enum.
    Amruta Gokhale authored and Andrii Rosa committed Mar 20, 2017
    90718e9
  3. Make metadata changes for SHOW GRANTS

    Amruta Gokhale authored and Andrii Rosa committed Mar 20, 2017
    0fcd676
  4. Implement SHOW GRANTS for Hive connector

    Amruta Gokhale authored and Andrii Rosa committed Mar 20, 2017
    5b4a37e
  5. Add table in INFORMATION_SCHEMA to store table privileges

    Amruta Gokhale authored and Andrii Rosa committed Mar 20, 2017
    e89bdca
  6. Rewrite SHOW GRANTS as a SELECT query

    Amruta Gokhale authored and Andrii Rosa committed Mar 20, 2017
    249eba1
  7. Add product tests for SHOW GRANTS

    Amruta Gokhale authored and Andrii Rosa committed Mar 20, 2017
    8aa7d34
  8. Document SHOW GRANTS

    Amruta Gokhale authored and Andrii Rosa committed Mar 20, 2017
    73bc07e
  9. Add access control for SHOW GRANTS

    Amruta Gokhale authored and Andrii Rosa committed Mar 20, 2017
    ed7fe4b
  10. Introduce CREATE ROLE and DROP ROLE statements

    Andrii Rosa authored and Andrii Rosa committed Mar 20, 2017
    32bfd18
  11. Move PrincipalType to presto-spi

    Andrii Rosa authored and Andrii Rosa committed Mar 20, 2017
    ddc52cf
  12. Expose Create/Drop/List roles methods in SPI

    Andrii Rosa authored and Andrii Rosa committed Mar 20, 2017
    2508566
  13. Introduce <catalog>.information_schema.roles table

    Andrii Rosa authored and Andrii Rosa committed Mar 20, 2017
    010ac43
  14. Remove unused InMemoryHiveMetastore

    Andrii Rosa authored and Andrii Rosa committed Mar 20, 2017
    fdf530f
  15. Assign admin role to subset of users in FileHiveMetastore

    Andrii Rosa authored and Andrii Rosa committed Mar 20, 2017
    7cdb994
  16. Speedup TestHiveFileBasedSecurity

    Instead of creating the entire TPCH table set it is enough to create
    one small table, such as nation.
    
    After closing, a query executor reference must be nullified to prevent
    memory leaks.
    Andrii Rosa authored and Andrii Rosa committed Mar 20, 2017
    b882f1b
  17. Implement Create/Drop/List roles in Hive connector

    Andrii Rosa authored and Andrii Rosa committed Mar 20, 2017
    515cb79
  18. Introduce GRANT/REVOKE roles statements

    Andrii Rosa authored and Andrii Rosa committed Mar 20, 2017
    4b86875
  19. Add Grant/Revoke/List roles authorization to the SPI

    Andrii Rosa authored and Andrii Rosa committed Mar 20, 2017
    c396608
  20. Introduce APPLICABLE_ROLES view

    Andrii Rosa authored and Andrii Rosa committed Mar 20, 2017
    f1909cd
  21. Implement Grant/Revoke/ListApplicableRoles in Hive

    Andrii Rosa authored and Andrii Rosa committed Mar 20, 2017
    682ba55
  22. Refactor GRANT/REVOKE in Hive

    Leverage newly introduced method for recursive role grants traversal
    Andrii Rosa authored and Andrii Rosa committed Mar 20, 2017
    73e563a
  23. Introduce access control for GRANT/REVOKE ROLE

    Andrii Rosa authored and Andrii Rosa committed Mar 20, 2017
    bcd2424
  24. Prepare metastore interface to accept ROLE for GRANT/REVOKE

    Andrii Rosa authored and Andrii Rosa committed Mar 20, 2017
    be8565f
  25. Introduce SET ROLE statement

    Andrii Rosa authored and Andrii Rosa committed Mar 20, 2017
    0c35d15
  26. Introduce ConnectorIdentity

    Identity must hold all the selected roles for all the catalogs.
    ConnectorIdentity holds only the role selected for some particular catalog.
    Andrii Rosa authored and Andrii Rosa committed Mar 20, 2017
    9e95e0f
  27. Implement SET ROLE

    Andrii Rosa authored and Andrii Rosa committed Mar 20, 2017
    1611266
  28. Store catalog selected roles in Identity

    Andrii Rosa authored and Andrii Rosa committed Mar 20, 2017
    d18f22d
  29. Introduce ENABLED_ROLES view

    Andrii Rosa authored and Andrii Rosa committed Mar 20, 2017
    411ebde
  30. Implement SET ROLE in Hive Connector

    Andrii Rosa authored and Andrii Rosa committed Mar 20, 2017
    4b88b58
  31. Accept ROLE in GRANT/REVOKE Privileges statements

    Andrii Rosa authored and Andrii Rosa committed Mar 20, 2017
    6c490ba
  32. Add SHOW ROLES to the parser

    cawallin authored and Andrii Rosa committed Mar 20, 2017
    ecfbb4c
  33. Rewrite SHOW ROLES as a select query

    For SHOW ROLES, issue the query:
    select role_name as "Role" from catalog.information_schema.roles;
    cawallin authored and Andrii Rosa committed Mar 20, 2017
    d2fda35
  34. Add access control checks for SHOW ROLES

    cawallin authored and Andrii Rosa committed Mar 20, 2017
    2acf38d
  35. Add docs for SHOW ROLES

    cawallin authored and Andrii Rosa committed Mar 20, 2017
    323b57b
  36. Product tests for SHOW ROLES

    cawallin authored and Andrii Rosa committed Mar 20, 2017
    66ff09e
  37. Add SHOW CURRENT ROLES

    Instead of select * from information_schema.roles, SHOW CURRENT ROLES
    rewrites to select * from information_schema.enabled_roles.
    
    All users can see what roles they're currently using, so no need
    for access control checks.
    cawallin authored and Andrii Rosa committed Mar 20, 2017
    acabc65
  38. Add SHOW ROLE GRANTS syntax

    cawallin authored and Andrii Rosa committed Mar 20, 2017
    6a246e9
  39. Add listRoleGrants to the SPI

    cawallin authored and Andrii Rosa committed Mar 20, 2017
    06a9042
  40. Implement listRoleGrants() in Hive

    cawallin authored and Andrii Rosa committed Mar 20, 2017
    6969228
  41. Implement SHOW ROLE GRANTS rewrite

    cawallin authored and Andrii Rosa committed Mar 20, 2017
    02d9fbd
  42. Add docs for SHOW ROLE GRANTS

    cawallin authored and Andrii Rosa committed Mar 20, 2017
    7668f79
  43. Access control for SHOW ROLE GRANTS and SHOW CURRENT ROLES

    cawallin authored and Andrii Rosa committed Mar 20, 2017
    852d7cd
  44. Remove redundant checkDatabasePermission methods

    Currently the only database permission we support is OWNERSHIP.
    Instead of creating that permission and checking if it is granted,
    it is more readable to just call `isDatabaseOwner` directly.
    Andrii Rosa authored and Andrii Rosa committed Mar 20, 2017
    c4afa44
  45. Reorder methods in SqlStandardAccessControl

    Andrii Rosa authored and Andrii Rosa committed Mar 20, 2017
    79946ef
  46. Rename getGrantOptionForPrivilege to hasGrantOptionForPrivilege

    Andrii Rosa authored and Andrii Rosa committed Mar 20, 2017
    d3a9ae0
  47. Remove hive privilege null check

    Andrii Rosa authored and Andrii Rosa committed Mar 20, 2017
    e16aaf1
  48. Allow all for admin role

    Admin user has all the available permissions for all the entities
    implicitly. So it may be considered as a database and table "owner"
    for all tables and databases. Also it has all the SELECT, INSERT, DELETE
    permissions implicitly.
    Andrii Rosa authored and Andrii Rosa committed Mar 20, 2017
    78bb8da
  49. Introduce isTableOwner method for readability

    Andrii Rosa authored and Andrii Rosa committed Mar 20, 2017
    187af6e
  50. Simplify checkTablePermission

    Andrii Rosa authored and Andrii Rosa committed Mar 20, 2017
    567ffe1
  51. Refactor canCreateView security checks

    hasGrantOptionForPrivilege cannot be used in security checks for createView
    because it doesn't consider the session role.
    Andrii Rosa authored and Andrii Rosa committed Mar 20, 2017
    40467a8
  52. Consider enabled roles for permissions

    Andrii Rosa authored and Andrii Rosa committed Mar 20, 2017
    5e2cb1f
  53. Refactor HivePrivilegeInfo

    Andrii Rosa authored and Andrii Rosa committed Mar 20, 2017
    39a9298
  54. Reorder methods in HivePrivilegeInfo

    Andrii Rosa authored and Andrii Rosa committed Mar 20, 2017
    bb4a0e0
  55. Move parsePrivilege to MetastoreUtil

    Andrii Rosa authored and Andrii Rosa committed Mar 20, 2017
    b92e79c
  56. Add grantor to HivePrivilegeInfo

    Andrii Rosa authored and Andrii Rosa committed Mar 20, 2017
    7a9775f
  57. Add grantor_type and grantee_type columns to table_privileges

    Andrii Rosa authored and Andrii Rosa committed Mar 20, 2017
    9e0a23d
  58. More product tests for SET ROLE

    Verify that role set with `SET ROLE` is considered during the access check.
    Andrii Rosa authored and Andrii Rosa committed Mar 20, 2017
    9b62dac