Could you explain why Trino decided to always skip access control on inline and built-in functions..?

[okayhooni]

We currently use Apache Ranger for access control on Trino queries, and manage policies to control special privileges to use in-line functions such as some sensitive unhash-like functions. (I know, Ranger is not the officially supported plugin for Trino)

This access control on the in-line functions was working well until v412 (current version of our production cluster), but it's not working anymore on the latest release of Trino(v433) with some breaking changes on the redesigning of access control codes.

I found the reason on the code like below.

• https://github.com/trinodb/trino/blob/master/core/trino-main/src/main/java/io/trino/metadata/FunctionResolver.java#L312

private static boolean canExecuteFunction(Session session, AccessControl accessControl, CatalogSchemaFunctionName functionName)
    {
        if (isInlineFunction(functionName) || isBuiltinFunctionName(functionName)) {
            return true;
        }
        return accessControl.canExecuteFunction(
                SecurityContext.of(session),
                new QualifiedObjectName(functionName.getCatalogName(), functionName.getSchemaName(), functionName.getFunctionName()));
    }

It's easy to fix these code lines on our forked repository of Trino,
but I wonder why Trino decided to remove access control on inline function at all.

How about adding option like access-control-on-inline-function-enabled (by default false) ..?
I found FeatureConfig can be injected to FunctionResolver through PlannerContext within LocalQueryRunner. (But it looks ugly to transfer configuration like this..)

[hashhar]

@dain

[okayhooni]

related PR: #19160

[hashhar]

the reason why in-built functions are always allowed is because they are considered "safe". Can you explain which functions you want to disallow and why?