diff --git a/core/trino-main/src/main/java/io/trino/metadata/MetadataListing.java b/core/trino-main/src/main/java/io/trino/metadata/MetadataListing.java index 382b86ae7ad50..9acf8a163608f 100644 --- a/core/trino-main/src/main/java/io/trino/metadata/MetadataListing.java +++ b/core/trino-main/src/main/java/io/trino/metadata/MetadataListing.java 
@@ -248,61 +248,76 @@ private static Map> doListTableColumns(Ses prefix, relationNames -> accessControl.filterTables(session.toSecurityContext(), prefix.getCatalogName(), relationNames)); - Map>> tableColumns = catalogColumns.stream() - .collect(toImmutableMap(TableColumnsMetadata::getTable, TableColumnsMetadata::getColumns)); - ImmutableMap.Builder> result = ImmutableMap.builder(); - tableColumns.forEach((table, columnsOptional) -> { - QualifiedObjectName originalTableName = new QualifiedObjectName(prefix.getCatalogName(), table.getSchemaName(), table.getTableName()); - List columns; - QualifiedObjectName actualTableName; - - if (columnsOptional.isPresent()) { - actualTableName = originalTableName; - columns = columnsOptional.get(); - } - else { - TableHandle targetTableHandle; - - try { - // For redirected tables, column listing requires special handling, because the column metadata is unavailable - // at the source table, and needs to be fetched from the target table. - RedirectionAwareTableHandle redirection = metadata.getRedirectionAwareTableHandle(session, originalTableName); - - // The target table name should be non-empty. If it is empty, it means that there is an - // inconsistency in the connector's implementation of ConnectorMetadata#streamTableColumns and - // ConnectorMetadata#redirectTable. 
- if (redirection.redirectedTableName().isEmpty()) { - return; + // Process tables without redirect + Map> columnNamesByTable = catalogColumns.stream() + .filter(tableColumnsMetadata -> tableColumnsMetadata.getColumns().isPresent()) + .collect(toImmutableMap( + TableColumnsMetadata::getTable, + tableColumnsMetadata -> tableColumnsMetadata.getColumns().orElseThrow().stream() + .map(ColumnMetadata::getName) + .collect(toImmutableSet()))); + Map> catalogAllowedColumns = accessControl.filterColumns(session.toSecurityContext(), prefix.getCatalogName(), columnNamesByTable); + catalogColumns.stream() + .filter(tableColumnsMetadata -> tableColumnsMetadata.getColumns().isPresent()) + .forEach(tableColumnsMetadata -> { + Set allowedTableColumns = catalogAllowedColumns.getOrDefault(tableColumnsMetadata.getTable(), ImmutableSet.of()); + result.put( + tableColumnsMetadata.getTable(), + tableColumnsMetadata.getColumns().get().stream() + .filter(column -> allowedTableColumns.contains(column.getName())) + .collect(toImmutableList())); + }); + + // Process redirects + catalogColumns.stream() + .filter(tableColumnsMetadata -> tableColumnsMetadata.getColumns().isEmpty()) + .forEach(tableColumnsMetadata -> { + SchemaTableName table = tableColumnsMetadata.getTable(); + QualifiedObjectName originalTableName = new QualifiedObjectName(prefix.getCatalogName(), table.getSchemaName(), table.getTableName()); + QualifiedObjectName actualTableName; + TableHandle targetTableHandle; + try { + // For redirected tables, column listing requires special handling, because the column metadata is unavailable + // at the source table, and needs to be fetched from the target table. + RedirectionAwareTableHandle redirection = metadata.getRedirectionAwareTableHandle(session, originalTableName); + + // The target table name should be non-empty. 
If it is empty, it means that there is an + // inconsistency in the connector's implementation of ConnectorMetadata#streamTableColumns and + // ConnectorMetadata#redirectTable. + if (redirection.redirectedTableName().isEmpty()) { + return; + } + actualTableName = redirection.redirectedTableName().get(); + targetTableHandle = redirection.tableHandle().orElseThrow(); } - actualTableName = redirection.redirectedTableName().get(); - targetTableHandle = redirection.tableHandle().orElseThrow(); - } - catch (TrinoException e) { - // Ignore redirection errors - if (e.getErrorCode().equals(TABLE_REDIRECTION_ERROR.toErrorCode())) { - return; + catch (TrinoException e) { + // Ignore redirection errors + if (e.getErrorCode().equals(TABLE_REDIRECTION_ERROR.toErrorCode())) { + return; + } + throw e; } - throw e; - } - - columns = metadata.getTableMetadata(session, targetTableHandle).getColumns(); - } - Set allowedColumns = accessControl.filterColumns( - session.toSecurityContext(), - // Use redirected table name for applying column filters, since the source does not know the column metadata - actualTableName.asCatalogSchemaTableName(), - columns.stream() - .map(ColumnMetadata::getName) - .collect(toImmutableSet())); - result.put( - table, - columns.stream() - .filter(column -> allowedColumns.contains(column.getName())) - .collect(toImmutableList())); - }); + List columns = metadata.getTableMetadata(session, targetTableHandle).getColumns(); + + Set allowedColumns = accessControl.filterColumns( + session.toSecurityContext(), + actualTableName.asCatalogSchemaTableName().getCatalogName(), + ImmutableMap.of( + // Use redirected table name for applying column filters, since the source does not know the column metadata + actualTableName.asSchemaTableName(), + columns.stream() + .map(ColumnMetadata::getName) + .collect(toImmutableSet()))) + .getOrDefault(actualTableName.asSchemaTableName(), ImmutableSet.of()); + result.put( + table, + columns.stream() + .filter(column -> 
allowedColumns.contains(column.getName())) + .collect(toImmutableList())); + }); return result.buildOrThrow(); } diff --git a/core/trino-main/src/main/java/io/trino/security/AccessControl.java b/core/trino-main/src/main/java/io/trino/security/AccessControl.java index b4d7b5b2cdbd6..314fa7f52d8fb 100644 --- a/core/trino-main/src/main/java/io/trino/security/AccessControl.java +++ b/core/trino-main/src/main/java/io/trino/security/AccessControl.java @@ -254,9 +254,17 @@ public interface AccessControl /** * Filter the list of columns to those visible to the identity. + * + * @deprecated Use {@link #filterColumns(SecurityContext, String, Map)} */ + @Deprecated Set filterColumns(SecurityContext context, CatalogSchemaTableName tableName, Set columns); + /** + * Filter lists of columns of multiple tables to those visible to the identity. + */ + Map> filterColumns(SecurityContext context, String catalogName, Map> tableColumns); + /** * Check if identity is allowed to add columns to the specified table. * diff --git a/core/trino-main/src/main/java/io/trino/security/AccessControlManager.java b/core/trino-main/src/main/java/io/trino/security/AccessControlManager.java index dad6da04467c9..57a36e4345627 100644 --- a/core/trino-main/src/main/java/io/trino/security/AccessControlManager.java +++ b/core/trino-main/src/main/java/io/trino/security/AccessControlManager.java @@ -17,6 +17,7 @@ import com.google.common.collect.ImmutableList; import com.google.common.collect.ImmutableMap; import com.google.common.collect.ImmutableSet; +import com.google.common.collect.Maps; import com.google.inject.Inject; import io.airlift.log.Logger; import io.airlift.stats.CounterStat; 
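Review bot: In the `// Process redirects` branch each redirected table still makes its own `accessControl.filterColumns` call with a one-entry `ImmutableMap.of(...)`, so the batching applied to non-redirected tables does not reach redirects. Every such call also repeats the `filterTables` step that the new `AccessControlManager.filterColumns` performs. If that is intentional, say so at the call, e.g. `// Redirect targets may live in different catalogs, so they are filtered one table per call`. The comment `// Use redirected table name for applying column filters...` now sits above the map key only, although the catalog argument before it is also taken from `actualTableName`; moving it above the `accessControl.filterColumns(` call would cover both. `doListTableColumns` begins before this hunk.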
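Review bot: The Javadoc on the new `filterColumns(SecurityContext, String, Map)` does not state what the returned map must look like, and callers depend on it: `MetadataListing` reads the result with `getOrDefault(table, ImmutableSet.of())`, so a table missing from the map is listed with no columns. I would add to the Javadoc: `Tables absent from the returned map are treated as having no visible columns. Implementations must only remove entries; they must not return tables or columns that were not passed in.` `@param` lines saying that the keys of `tableColumns` are tables of the single catalog named by `catalogName` would also help. The same wording would fit the bulk methods added to `ConnectorAccessControl` and `SystemAccessControl`.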
@@ -635,6 +636,34 @@ public Set filterColumns(SecurityContext securityContext, CatalogSchemaT return columns; } + @Override + public Map> filterColumns(SecurityContext securityContext, String catalogName, Map> tableColumns) + { + requireNonNull(securityContext, "securityContext is null"); + requireNonNull(catalogName, "catalogName is null"); + requireNonNull(tableColumns, "tableColumns is null"); + + Set filteredTables = filterTables(securityContext, catalogName, tableColumns.keySet()); + if (!filteredTables.equals(tableColumns.keySet())) { + tableColumns = Maps.filterKeys(tableColumns, filteredTables::contains); + } + + if (tableColumns.isEmpty()) { + // Do not call plugin-provided implementation unnecessarily. + return ImmutableMap.of(); + } + + for (SystemAccessControl systemAccessControl : getSystemAccessControls()) { + tableColumns = systemAccessControl.filterColumns(securityContext.toSystemSecurityContext(), catalogName, tableColumns); + } + + ConnectorAccessControl connectorAccessControl = getConnectorAccessControl(securityContext.getTransactionId(), catalogName); + if (connectorAccessControl != null) { + tableColumns = connectorAccessControl.filterColumns(toConnectorSecurityContext(catalogName, securityContext), tableColumns); + } + return tableColumns; + } + @Override public void checkCanAddColumns(SecurityContext securityContext, QualifiedObjectName tableName) { diff --git a/core/trino-main/src/main/java/io/trino/security/AllowAllAccessControl.java b/core/trino-main/src/main/java/io/trino/security/AllowAllAccessControl.java index bc29abdb52684..1097deb140f11 100644 --- a/core/trino-main/src/main/java/io/trino/security/AllowAllAccessControl.java +++ b/core/trino-main/src/main/java/io/trino/security/AllowAllAccessControl.java 
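Review bot: Nothing in the new bulk `filterColumns` checks that a plugin's result is a subset of the map it was given: each `systemAccessControl.filterColumns` result, and then the connector's, is passed on exactly as returned. `MetadataListing` intersects the answer with the real column list, but any other caller of this method would have to do the same, so the assumption deserves a comment above the loop, e.g. `// Plugins are trusted to only remove tables and columns; callers needing a hard guarantee must intersect with their own input`. Separately, `Maps.filterKeys` returns a live view whose predicate runs on every access, and that view is what the plugins receive; `tableColumns = ImmutableMap.copyOf(Maps.filterKeys(tableColumns, filteredTables::contains));` hands them an immutable snapshot instead.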
@@ -186,6 +186,12 @@ public Set filterColumns(SecurityContext context, CatalogSchemaTableName return columns; } + @Override + public Map> filterColumns(SecurityContext context, String catalogName, Map> tableColumns) + { + return tableColumns; + } + @Override public void checkCanAddColumns(SecurityContext context, QualifiedObjectName tableName) { diff --git a/core/trino-main/src/main/java/io/trino/security/DenyAllAccessControl.java b/core/trino-main/src/main/java/io/trino/security/DenyAllAccessControl.java index 5cf5dfe1f005d..dda2fde3e37b8 100644 --- a/core/trino-main/src/main/java/io/trino/security/DenyAllAccessControl.java +++ b/core/trino-main/src/main/java/io/trino/security/DenyAllAccessControl.java @@ -14,6 +14,7 @@ package io.trino.security; import com.google.common.collect.ImmutableList; +import com.google.common.collect.ImmutableMap; import com.google.common.collect.ImmutableSet; import io.trino.metadata.QualifiedObjectName; import io.trino.spi.connector.CatalogSchemaName; @@ -267,6 +268,12 @@ public Set filterColumns(SecurityContext context, CatalogSchemaTableName return ImmutableSet.of(); } + @Override + public Map> filterColumns(SecurityContext context, String catalogName, Map> tableColumns) + { + return ImmutableMap.of(); + } + @Override public void checkCanShowSchemas(SecurityContext context, String catalogName) { diff --git a/core/trino-main/src/main/java/io/trino/security/ForwardingAccessControl.java b/core/trino-main/src/main/java/io/trino/security/ForwardingAccessControl.java index fa020ad390281..6b84498bea2bb 100644 --- a/core/trino-main/src/main/java/io/trino/security/ForwardingAccessControl.java +++ b/core/trino-main/src/main/java/io/trino/security/ForwardingAccessControl.java 
@@ -239,6 +239,12 @@ public Set filterColumns(SecurityContext context, CatalogSchemaTableName return delegate().filterColumns(context, tableName, columns); } + @Override + public Map> filterColumns(SecurityContext context, String catalogName, Map> tableColumns) + { + return delegate().filterColumns(context, catalogName, tableColumns); + } + @Override public void checkCanAddColumns(SecurityContext context, QualifiedObjectName tableName) { diff --git a/core/trino-main/src/main/java/io/trino/security/InjectedConnectorAccessControl.java b/core/trino-main/src/main/java/io/trino/security/InjectedConnectorAccessControl.java index a424230e2a73e..fdf0068ce4adf 100644 --- a/core/trino-main/src/main/java/io/trino/security/InjectedConnectorAccessControl.java +++ b/core/trino-main/src/main/java/io/trino/security/InjectedConnectorAccessControl.java @@ -192,6 +192,13 @@ public Set filterColumns(ConnectorSecurityContext context, SchemaTableNa return accessControl.filterColumns(securityContext, new CatalogSchemaTableName(catalogName, tableName), columns); } + @Override + public Map> filterColumns(ConnectorSecurityContext context, Map> tableColumns) + { + checkArgument(context == null, "context must be null"); + return accessControl.filterColumns(securityContext, catalogName, tableColumns); + } + @Override public void checkCanAddColumn(ConnectorSecurityContext context, SchemaTableName tableName) { diff --git a/core/trino-main/src/main/java/io/trino/security/ViewAccessControl.java b/core/trino-main/src/main/java/io/trino/security/ViewAccessControl.java index 6e61a5a950cd2..a453cfd103529 100644 --- a/core/trino-main/src/main/java/io/trino/security/ViewAccessControl.java +++ b/core/trino-main/src/main/java/io/trino/security/ViewAccessControl.java 
@@ -15,6 +15,7 @@ import io.trino.metadata.QualifiedObjectName; import io.trino.spi.connector.CatalogSchemaTableName; +import io.trino.spi.connector.SchemaTableName; import io.trino.spi.function.FunctionKind; import io.trino.spi.security.AccessDeniedException; import io.trino.spi.security.Identity; @@ -22,6 +23,7 @@ import io.trino.spi.type.Type; import java.util.List; +import java.util.Map; import java.util.Optional; import java.util.Set; @@ -62,6 +64,12 @@ public Set filterColumns(SecurityContext context, CatalogSchemaTableName return delegate.filterColumns(context, tableName, columns); } + @Override + public Map> filterColumns(SecurityContext context, String catalogName, Map> tableColumns) + { + return delegate.filterColumns(context, catalogName, tableColumns); + } + @Override public void checkCanCreateViewWithSelectFromColumns(SecurityContext context, QualifiedObjectName tableName, Set columnNames) { diff --git a/core/trino-main/src/main/java/io/trino/testing/AllowAllAccessControlManager.java b/core/trino-main/src/main/java/io/trino/testing/AllowAllAccessControlManager.java index 8b7fcc6a1dcf3..e55cf79536036 100644 --- a/core/trino-main/src/main/java/io/trino/testing/AllowAllAccessControlManager.java +++ b/core/trino-main/src/main/java/io/trino/testing/AllowAllAccessControlManager.java @@ -138,6 +138,12 @@ public Set filterColumns(SecurityContext context, CatalogSchemaTableName return columns; } + @Override + public Map> filterColumns(SecurityContext context, String catalogName, Map> tableColumns) + { + return tableColumns; + } + @Override public void checkCanAddColumns(SecurityContext context, QualifiedObjectName tableName) {} diff --git a/core/trino-main/src/main/java/io/trino/testing/TestingAccessControlManager.java b/core/trino-main/src/main/java/io/trino/testing/TestingAccessControlManager.java index 1386eddaa2963..269564b75c93e 100644 --- a/core/trino-main/src/main/java/io/trino/testing/TestingAccessControlManager.java 
+++ b/core/trino-main/src/main/java/io/trino/testing/TestingAccessControlManager.java @@ -46,6 +46,7 @@ import java.util.function.Predicate; import static com.google.common.base.MoreObjects.toStringHelper; +import static com.google.common.collect.ImmutableMap.toImmutableMap; import static com.google.common.collect.ImmutableSet.toImmutableSet; import static io.trino.spi.security.AccessDeniedException.denyAddColumn; import static io.trino.spi.security.AccessDeniedException.denyAlterColumn; @@ -665,14 +666,30 @@ public void checkCanShowColumns(SecurityContext context, CatalogSchemaTableName @Override public Set filterColumns(SecurityContext context, CatalogSchemaTableName table, Set columns) + { + Set visibleColumns = localFilterColumns(context, table.getSchemaTableName(), columns); + return super.filterColumns(context, table, visibleColumns); + } + + @Override + public Map> filterColumns(SecurityContext context, String catalogName, Map> tableColumns) + { + tableColumns = tableColumns.entrySet().stream() + .collect(toImmutableMap( + Map.Entry::getKey, + e -> localFilterColumns(context, e.getKey(), e.getValue()))); + return super.filterColumns(context, catalogName, tableColumns); + } + + private Set localFilterColumns(SecurityContext context, SchemaTableName table, Set columns) { ImmutableSet.Builder visibleColumns = ImmutableSet.builder(); for (String column : columns) { - if (!shouldDenyPrivilege(context.getIdentity().getUser(), table.getSchemaTableName().getTableName() + "." + column, SELECT_COLUMN)) { + if (!shouldDenyPrivilege(context.getIdentity().getUser(), table.getTableName() + "." + column, SELECT_COLUMN)) { visibleColumns.add(column); } } - return super.filterColumns(context, table, visibleColumns.build()); + return visibleColumns.build(); } @Override diff --git a/core/trino-main/src/main/java/io/trino/tracing/TracingAccessControl.java b/core/trino-main/src/main/java/io/trino/tracing/TracingAccessControl.java index 4ab2b8f33bdb8..043d6c5ed7bc2 100644 
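Review bot: `localFilterColumns` matches deny rules on `table.getTableName() + "." + column` and ignores the schema, which matters more now that the bulk `filterColumns` can receive tables from several schemas in one map: a deny rule meant for one schema's table also hides the column on a same-named table in another schema. The removed per-table code built the same key, so this is inherited rather than introduced by the commit. A comment on the helper would make the limitation visible to test authors: `// Deny rules are keyed by "table.column"; the schema is not part of the match`.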
--- a/core/trino-main/src/main/java/io/trino/tracing/TracingAccessControl.java +++ b/core/trino-main/src/main/java/io/trino/tracing/TracingAccessControl.java @@ -329,6 +329,15 @@ public Set filterColumns(SecurityContext context, CatalogSchemaTableName } } + @Override + public Map> filterColumns(SecurityContext context, String catalogName, Map> tableColumns) + { + Span span = startSpan("filterColumns bulk"); + try (var ignored = scopedSpan(span)) { + return delegate.filterColumns(context, catalogName, tableColumns); + } + } + @Override public void checkCanAddColumns(SecurityContext context, QualifiedObjectName tableName) { diff --git a/core/trino-spi/src/main/java/io/trino/spi/connector/ConnectorAccessControl.java b/core/trino-spi/src/main/java/io/trino/spi/connector/ConnectorAccessControl.java index 548780e3a75bb..70b4e6d268728 100644 --- a/core/trino-spi/src/main/java/io/trino/spi/connector/ConnectorAccessControl.java +++ b/core/trino-spi/src/main/java/io/trino/spi/connector/ConnectorAccessControl.java @@ -26,6 +26,7 @@ import java.util.Map; import java.util.Optional; import java.util.Set; +import java.util.stream.Collectors; import static io.trino.spi.security.AccessDeniedException.denyAddColumn; import static io.trino.spi.security.AccessDeniedException.denyAlterColumn; 
@@ -278,12 +279,26 @@ default void checkCanShowColumns(ConnectorSecurityContext context, SchemaTableNa /** * Filter the list of columns to those visible to the identity. + * + * @deprecated Use {@link #filterColumns(ConnectorSecurityContext, Map)} */ + @Deprecated default Set filterColumns(ConnectorSecurityContext context, SchemaTableName tableName, Set columns) { return emptySet(); } + /** + * Filter lists of columns of multiple tables to those visible to the identity. + */ + default Map> filterColumns(ConnectorSecurityContext context, Map> tableColumns) + { + return tableColumns.entrySet().stream() + .collect(Collectors.toMap( + Map.Entry::getKey, + entry -> filterColumns(context, entry.getKey(), entry.getValue()))); + } + /** * Check if identity is allowed to add columns to the specified table. * diff --git a/core/trino-spi/src/main/java/io/trino/spi/security/SystemAccessControl.java b/core/trino-spi/src/main/java/io/trino/spi/security/SystemAccessControl.java index e925475eac81c..b4c39bc9617a2 100644 --- a/core/trino-spi/src/main/java/io/trino/spi/security/SystemAccessControl.java +++ b/core/trino-spi/src/main/java/io/trino/spi/security/SystemAccessControl.java @@ -28,6 +28,7 @@ import java.util.Map; import java.util.Optional; import java.util.Set; +import java.util.stream.Collectors; import static io.trino.spi.security.AccessDeniedException.denyAddColumn; import static io.trino.spi.security.AccessDeniedException.denyAlterColumn; 
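Review bot: The Javadoc of the new default `filterColumns(ConnectorSecurityContext, Map)` does not say that it delegates to the deprecated per-table method, and that has consequences worth documenting. An implementation that overrides neither method hides every column, because the per-table default returns `emptySet()`; an implementation that overrides only the new method leaves the deprecated one returning `emptySet()` for any caller that still uses it. I would add: `The default implementation calls the deprecated per-table method for each entry. Implementations overriding this method should keep the per-table method consistent with it until it is removed.` The default added to `SystemAccessControl` in the next file has the same gap. `Collectors.toMap` also rejects a null value, so a per-table implementation that returns null fails here with a `NullPointerException` rather than being treated as "no columns".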
@@ -420,12 +421,26 @@ default void checkCanShowColumns(SystemSecurityContext context, CatalogSchemaTab /** * Filter the list of columns to those visible to the identity. + * + * @deprecated Use {@link #filterColumns(SystemSecurityContext, String, Map)} */ + @Deprecated default Set filterColumns(SystemSecurityContext context, CatalogSchemaTableName table, Set columns) { return emptySet(); } + /** + * Filter lists of columns of multiple tables to those visible to the identity. + */ + default Map> filterColumns(SystemSecurityContext context, String catalogName, Map> tableColumns) + { + return tableColumns.entrySet().stream() + .collect(Collectors.toMap( + Map.Entry::getKey, + entry -> filterColumns(context, new CatalogSchemaTableName(catalogName, entry.getKey()), entry.getValue()))); + } + /** * Check if identity is allowed to add columns to the specified table in a catalog. * diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/classloader/ClassLoaderSafeConnectorAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/classloader/ClassLoaderSafeConnectorAccessControl.java index 0297cafe9d6b2..ad9725b8c476e 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/classloader/ClassLoaderSafeConnectorAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/classloader/ClassLoaderSafeConnectorAccessControl.java @@ -197,6 +197,14 @@ public Set filterColumns(ConnectorSecurityContext context, SchemaTableNa } } + @Override + public Map> filterColumns(ConnectorSecurityContext context, Map> tableColumns) + { + try (ThreadContextClassLoader ignored = new ThreadContextClassLoader(classLoader)) { + return delegate.filterColumns(context, tableColumns); + } + } + @Override public void checkCanAddColumn(ConnectorSecurityContext context, SchemaTableName tableName) { 
diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllAccessControl.java index fd941afdd6ab5..4a62d94e082e9 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllAccessControl.java @@ -130,6 +130,12 @@ public Set filterColumns(ConnectorSecurityContext context, SchemaTableNa return columns; } + @Override + public Map> filterColumns(ConnectorSecurityContext context, Map> tableColumns) + { + return tableColumns; + } + @Override public void checkCanAddColumn(ConnectorSecurityContext context, SchemaTableName tableName) { diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllSystemAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllSystemAccessControl.java index 47b85f6aab4be..54171fd673380 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllSystemAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllSystemAccessControl.java @@ -228,6 +228,12 @@ public Set filterColumns(SystemSecurityContext context, CatalogSchemaTab return columns; } + @Override + public Map> filterColumns(SystemSecurityContext context, String catalogName, Map> tableColumns) + { + return tableColumns; + } + @Override public void checkCanAddColumn(SystemSecurityContext context, CatalogSchemaTableName table) { diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedAccessControl.java index 7b3b8a93c4a17..956712ba4d934 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedAccessControl.java 
+++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedAccessControl.java @@ -273,6 +273,13 @@ public Set filterColumns(ConnectorSecurityContext context, SchemaTableNa .collect(toImmutableSet()); } + @Override + public Map> filterColumns(ConnectorSecurityContext context, Map> tableColumns) + { + // Default implementation is good enough. Explicit implementation is expected by the test though. + return ConnectorAccessControl.super.filterColumns(context, tableColumns); + } + @Override public void checkCanRenameTable(ConnectorSecurityContext context, SchemaTableName tableName, SchemaTableName newTableName) { diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedSystemAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedSystemAccessControl.java index 78c2ce78b2ece..7cb66c3766f4c 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedSystemAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedSystemAccessControl.java @@ -596,6 +596,13 @@ public Set filterColumns(SystemSecurityContext context, CatalogSchemaTab .collect(toImmutableSet()); } + @Override + public Map> filterColumns(SystemSecurityContext context, String catalogName, Map> tableColumns) + { + // Default implementation is good enough. Explicit implementation is expected by the test though. + return SystemAccessControl.super.filterColumns(context, catalogName, tableColumns); + } + @Override public void checkCanAddColumn(SystemSecurityContext context, CatalogSchemaTableName table) { diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingConnectorAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingConnectorAccessControl.java index 6acf0cf337940..2b25f3464218d 100644 
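Review bot: The comment `// Default implementation is good enough. Explicit implementation is expected by the test though.` does not say why delegating is the correct behaviour, while several neighbouring classes in this commit implement the same method as `return tableColumns`. In the file-based classes, whose per-table method visibly ends in a filtering stream, copying that pattern would switch column filtering off. I would make the reason explicit, e.g. `// Delegate to the SPI default so every entry goes through this class's per-table filterColumns rules; do not replace with "return tableColumns"`, and name the test that requires the explicit override. The same comment appears in `FileBasedSystemAccessControl` and `SqlStandardAccessControl`.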
--- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingConnectorAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingConnectorAccessControl.java @@ -163,6 +163,12 @@ public Set filterColumns(ConnectorSecurityContext context, SchemaTableNa return delegate().filterColumns(context, tableName, columns); } + @Override + public Map> filterColumns(ConnectorSecurityContext context, Map> tableColumns) + { + return delegate().filterColumns(context, tableColumns); + } + @Override public void checkCanAddColumn(ConnectorSecurityContext context, SchemaTableName tableName) { diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingSystemAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingSystemAccessControl.java index 17ad56406a7fa..3fa6665c2c32f 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingSystemAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingSystemAccessControl.java @@ -247,6 +247,12 @@ public Set filterColumns(SystemSecurityContext context, CatalogSchemaTab return delegate().filterColumns(context, tableName, columns); } + @Override + public Map> filterColumns(SystemSecurityContext context, String catalogName, Map> tableColumns) + { + return delegate().filterColumns(context, catalogName, tableColumns); + } + @Override public void checkCanAddColumn(SystemSecurityContext context, CatalogSchemaTableName table) { diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ReadOnlyAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ReadOnlyAccessControl.java index 7a7988c700031..bbb4e92350a77 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ReadOnlyAccessControl.java 
+++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ReadOnlyAccessControl.java @@ -148,6 +148,12 @@ public Set filterColumns(ConnectorSecurityContext context, SchemaTableNa return columns; } + @Override + public Map> filterColumns(ConnectorSecurityContext context, Map> tableColumns) + { + return tableColumns; + } + @Override public void checkCanRenameColumn(ConnectorSecurityContext context, SchemaTableName tableName) { diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ReadOnlySystemAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ReadOnlySystemAccessControl.java index a278d4b447142..a3611ea1b103f 100644 --- a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ReadOnlySystemAccessControl.java +++ b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ReadOnlySystemAccessControl.java @@ -153,6 +153,12 @@ public Set filterColumns(SystemSecurityContext context, CatalogSchemaTab return columns; } + @Override + public Map> filterColumns(SystemSecurityContext context, String catalogName, Map> tableColumns) + { + return tableColumns; + } + @Override public void checkCanShowSchemas(SystemSecurityContext context, String catalogName) { diff --git a/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/LegacyAccessControl.java b/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/LegacyAccessControl.java index d7b24b8ad69ec..68a95948c2983 100644 --- a/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/LegacyAccessControl.java +++ b/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/LegacyAccessControl.java 
@@ -195,6 +195,12 @@ public Set filterColumns(ConnectorSecurityContext context, SchemaTableNa return columns; } + @Override + public Map> filterColumns(ConnectorSecurityContext context, Map> tableColumns) + { + return tableColumns; + } + @Override public void checkCanAddColumn(ConnectorSecurityContext context, SchemaTableName tableName) { diff --git a/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/SqlStandardAccessControl.java b/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/SqlStandardAccessControl.java index 6566e697a55f0..da7940cc954ba 100644 --- a/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/SqlStandardAccessControl.java +++ b/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/SqlStandardAccessControl.java @@ -271,6 +271,13 @@ public Set filterColumns(ConnectorSecurityContext context, SchemaTableNa return columns; } + @Override + public Map> filterColumns(ConnectorSecurityContext context, Map> tableColumns) + { + // Default implementation is good enough. Explicit implementation is expected by the test though. + return ConnectorAccessControl.super.filterColumns(context, tableColumns); + } + @Override public void checkCanAddColumn(ConnectorSecurityContext context, SchemaTableName tableName) {