Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Distinguish SystemAccessControl methods not exposing query id #18973

Merged
merged 4 commits into from
Sep 11, 2023
Merged

Distinguish SystemAccessControl methods not exposing query id #18973

merged 4 commits into from
Sep 11, 2023

Conversation

findepi
Copy link
Member

@findepi findepi commented Sep 8, 2023

Description

Before the change, SystemSecurityContext was provided to every method in SystemAccessControl. This was problematic for implementations which need to be query-aware (e.g. for audit or caching purposes), because there was no type system support helping to determine whether ID is present or not. This commit makes SystemSecurityContext.queryId non-optional. For methods where query ID is not passed, simple Identity is now passed, since this is the only other field in the SystemSecurityContext. This is a breaking change because doing it in backwards compatible way would be quite laborious.

@cla-bot cla-bot bot added the cla-signed label Sep 8, 2023
@findepi findepi force-pushed the findepi/security-context-query-id branch from 24fd23b to f309164 Compare September 8, 2023 12:57
kokosing
kokosing approved these changes Sep 8, 2023
View reviewed changes
Copy link
Member

@kokosing kokosing left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

% comment

core/trino-spi/pom.xml
@@ -229,6 +229,60 @@
</item>
<!-- Backwards incompatible changes since the previous release -->
<!-- Any exclusions below can be deleted after each release -->
<item>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should go with deprecation step and avoid backward incompatible change here.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How would you envision getQueryId method in the security context class? would it return optional or not?
i think it would require spreading out changes over multiple versions with plugins updating more than once. I think this is the case where lack of compat is justified.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let it be.

@findepi findepi force-pushed the findepi/security-context-query-id branch from b642c6e to 0ef33d8 Compare September 8, 2023 14:58
djsstarburst
djsstarburst approved these changes Sep 8, 2023
View reviewed changes
Copy link
Member

@djsstarburst djsstarburst left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I generally like this change. I think this is one of those cases where an argument that can be Optional.empty() buys us nothing, and obscures the intent.

I don't have an opinion on the backwards-compatibliity question.

@findepi
Remove outdated SPI revapi exclusions
7bc4a39
@findepi
Import AccessDeniedException factory methods statically
52ac627 
Almost all were imported statically. Import all.
@findepi
Update test to pass query ID to security context
c58b235
@findepi
Distinguish SystemAccessControl methods not exposing query id
2905c18 
Before the change, `SystemSecurityContext` was provided to every method
in `SystemAccessControl`. This was problematic for implementations which
need to be query-aware (e.g. for audit or caching purposes), because
there was no type system support helping to determine whether ID is
present or not. This commit makes `SystemSecurityContext.queryId`
non-optional. For methods where query ID is not passed, simple
`Identity` is now passed, since this is the only other field in the
`SystemSecurityContext`. This is a breaking change because doing it in
backwards compatible way would be quite laborious.
@findepi findepi force-pushed the findepi/security-context-query-id branch from 0ef33d8 to 2905c18 Compare September 9, 2023 19:42
@findepi findepi merged commit 1f46063 into trinodb:master Sep 11, 2023
87 of 88 checks passed
@findepi findepi deleted the findepi/security-context-query-id branch September 11, 2023 07:05
@github-actions github-actions bot added this to the 427 milestone Sep 11, 2023
@colebow colebow mentioned this pull request Sep 12, 2023
Merged
@colebow colebow added the no-release-notes This pull request does not require release notes entry label Sep 12, 2023
@wannte
Copy link

wannte commented Sep 27, 2023

Hi, @findepi

I tried to use trino version 427, I found that this breaking changes makes unexpected result when using with Apache Ranger.

Apache Ranger override SystemAccessControl method, but now, base methods were changed in Trino 427.

Do you have any idea to handle this issue?

https://github.com/apache/ranger/blob/master/ranger-trino-plugin-shim/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java

@2416210017
Copy link

Hi, @findepi

I tried to use trino version 427, I found that this breaking changes makes unexpected result when using with Apache Ranger.

Apache Ranger override SystemAccessControl method, but now, base methods were changed in Trino 427.

Do you have any idea to handle this issue?

https://github.com/apache/ranger/blob/master/ranger-trino-plugin-shim/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java

Hello,@wannte , I used<trino. version>427</trino. version>to compile ranger, but still reported the same error. May I ask if there is anything wrong?
Error log:
[ERROR] /app/ranger/ranger-release-ranger-2.3.0/plugin-trino/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java:[615,71] error: cannot find symbol [ERROR] symbol: class CatalogSchemaTableName [ERROR] location: class RangerSystemAccessControl [ERROR] /app/ranger/ranger-release-ranger-2.3.0/plugin-trino/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java:[628,35] error: cannot find symbol [ERROR] symbol: class SystemSecurityContext [ERROR] location: class RangerSystemAccessControl [ERROR] /app/ranger/ranger-release-ranger-2.3.0/plugin-trino/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java:[628,66] error: cannot find symbol [ERROR] -> [Help 1] [ERROR] [ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch. [ERROR] Re-run Maven using the -X switch to enable full debug logging. [ERROR] [ERROR] For more information about the errors and possible solutions, please read the following articles: [ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException [ERROR] [ERROR] After correcting the problems, you can resume the build with the command [ERROR] mvn <args> -rf :ranger-trino-plugin

@findepi
Copy link
Member Author

findepi commented Oct 12, 2023

i wish i could help. i don't know where the ranger integration is maintained and by whom

@wannte
Copy link

wannte commented Oct 14, 2023

hi @2416210017 ,

As you check RangerSystemAccessControl, it implements trino's SystemAccessControl. The change of this pull-request (which changed function signature) makes the ranger's implementation fail. You have to customize Ranger's implementation according to Trinos's change.

@2416210017
Copy link

hi @2416210017 ,

As you check RangerSystemAccessControl, it implements trino's SystemAccessControl. The change of this pull-request (which changed function signature) makes the ranger's implementation fail. You have to customize Ranger's implementation according to Trinos's change.

Hello,@wannte
Do you have any modified code or installation packages?

utk-spartan added a commit to razorpay/ranger that referenced this pull request Oct 16, 2023
@utk-spartan
[trino] Update spi to v427
75e14ac 
Incorporates following changes:

Add query start to SystemSecurityContext
trinodb/trino#19141
trinodb/trino@925f7e4

Distinguish SystemAccessControl methods not exposing query id
trinodb/trino#18973
trinodb/trino@1f46063

Signed-off-by: Utkarsh Saxena <[email protected]>
utk-spartan added a commit to razorpay/ranger that referenced this pull request Oct 16, 2023
@utk-spartan
[trino] Update spi to v427
e1c2ae4 
Incorporates following changes:

Add query start to SystemSecurityContext
trinodb/trino#19141
trinodb/trino@925f7e4

Distinguish SystemAccessControl methods not exposing query id
trinodb/trino#18973
trinodb/trino@1f46063

Signed-off-by: Utkarsh Saxena <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kokosing kokosing kokosing approved these changes

@djsstarburst djsstarburst djsstarburst approved these changes

@dain dain Awaiting requested review from dain

@lukasz-walkiewicz lukasz-walkiewicz Awaiting requested review from lukasz-walkiewicz

Assignees
No one assigned
Labels
cla-signed no-release-notes This pull request does not require release notes entry
Milestone
427
Development

Successfully merging this pull request may close these issues.
6 participants
@findepi @wannte @2416210017 @kokosing @djsstarburst @colebow