Class AccessControlManager
- java.lang.Object
  - io.prestosql.security.AccessControlManager
- All Implemented Interfaces: AccessControl
- Direct Known Subclasses: TestingAccessControlManager
public class AccessControlManager extends Object implements AccessControl
-
-
Constructor Summary
Constructors
AccessControlManager(TransactionManager transactionManager, EventListenerManager eventListenerManager, AccessControlConfig config)
-
Method Summary
void addCatalogAccessControl(CatalogName catalogName, ConnectorAccessControl accessControl)
void addSystemAccessControl(SystemAccessControl systemAccessControl)
void addSystemAccessControlFactory(SystemAccessControlFactory accessControlFactory)
void checkCanAddColumns(SecurityContext securityContext, QualifiedObjectName tableName)
    Check if identity is allowed to add columns to the specified table.
void checkCanCreateRole(SecurityContext securityContext, String role, Optional<PrestoPrincipal> grantor, String catalogName)
    Check if identity is allowed to create the specified role.
void checkCanCreateSchema(SecurityContext securityContext, CatalogSchemaName schemaName)
    Check if identity is allowed to create the specified schema.
void checkCanCreateTable(SecurityContext securityContext, QualifiedObjectName tableName)
    Check if identity is allowed to create the specified table.
void checkCanCreateView(SecurityContext securityContext, QualifiedObjectName viewName)
    Check if identity is allowed to create the specified view.
void checkCanCreateViewWithSelectFromColumns(SecurityContext securityContext, QualifiedObjectName tableName, Set<String> columnNames)
    Check if identity is allowed to create a view that selects from the specified columns.
void checkCanDeleteFromTable(SecurityContext securityContext, QualifiedObjectName tableName)
    Check if identity is allowed to delete from the specified table.
void checkCanDropColumn(SecurityContext securityContext, QualifiedObjectName tableName)
    Check if identity is allowed to drop columns from the specified table.
void checkCanDropRole(SecurityContext securityContext, String role, String catalogName)
    Check if identity is allowed to drop the specified role.
void checkCanDropSchema(SecurityContext securityContext, CatalogSchemaName schemaName)
    Check if identity is allowed to drop the specified schema.
void checkCanDropTable(SecurityContext securityContext, QualifiedObjectName tableName)
    Check if identity is allowed to drop the specified table.
void checkCanDropView(SecurityContext securityContext, QualifiedObjectName viewName)
    Check if identity is allowed to drop the specified view.
void checkCanExecuteFunction(SecurityContext context, String functionName)
    Check if identity is allowed to execute function.
void checkCanExecuteProcedure(SecurityContext securityContext, QualifiedObjectName procedureName)
    Check if identity is allowed to execute procedure.
void checkCanExecuteQuery(Identity identity)
    Checks if identity can execute a query.
void checkCanGrantExecuteFunctionPrivilege(SecurityContext securityContext, String functionName, Identity grantee, boolean grantOption)
    Check if identity is allowed to create a view that executes the function.
void checkCanGrantRoles(SecurityContext securityContext, Set<String> roles, Set<PrestoPrincipal> grantees, boolean adminOption, Optional<PrestoPrincipal> grantor, String catalogName)
    Check if identity is allowed to grant the specified roles to the specified principals.
void checkCanGrantTablePrivilege(SecurityContext securityContext, Privilege privilege, QualifiedObjectName tableName, PrestoPrincipal grantee, boolean grantOption)
    Check if identity is allowed to grant a privilege to the grantee on the specified table.
void checkCanImpersonateUser(Identity identity, String userName)
    Check if the identity is allowed to impersonate the specified user.
void checkCanInsertIntoTable(SecurityContext securityContext, QualifiedObjectName tableName)
    Check if identity is allowed to insert into the specified table.
void checkCanKillQueryOwnedBy(Identity identity, String queryOwner)
    Checks if identity can kill a query owned by the specified user.
void checkCanReadSystemInformation(Identity identity)
    Check if identity is allowed to read system information such as statistics, service registry, thread stacks, etc.
void checkCanRenameColumn(SecurityContext securityContext, QualifiedObjectName tableName)
    Check if identity is allowed to rename a column in the specified table.
void checkCanRenameSchema(SecurityContext securityContext, CatalogSchemaName schemaName, String newSchemaName)
    Check if identity is allowed to rename the specified schema.
void checkCanRenameTable(SecurityContext securityContext, QualifiedObjectName tableName, QualifiedObjectName newTableName)
    Check if identity is allowed to rename the specified table.
void checkCanRenameView(SecurityContext securityContext, QualifiedObjectName viewName, QualifiedObjectName newViewName)
    Check if identity is allowed to rename the specified view.
void checkCanRevokeRoles(SecurityContext securityContext, Set<String> roles, Set<PrestoPrincipal> grantees, boolean adminOption, Optional<PrestoPrincipal> grantor, String catalogName)
    Check if identity is allowed to revoke the specified roles from the specified principals.
void checkCanRevokeTablePrivilege(SecurityContext securityContext, Privilege privilege, QualifiedObjectName tableName, PrestoPrincipal revokee, boolean grantOption)
    Check if identity is allowed to revoke a privilege from the revokee on the specified table.
void checkCanSelectFromColumns(SecurityContext securityContext, QualifiedObjectName tableName, Set<String> columnNames)
    Check if identity is allowed to select from the specified columns.
void checkCanSetCatalogSessionProperty(SecurityContext securityContext, String catalogName, String propertyName)
    Check if identity is allowed to set the specified catalog property.
void checkCanSetColumnComment(SecurityContext securityContext, QualifiedObjectName tableName)
    Check if identity is allowed to comment the specified column.
void checkCanSetRole(SecurityContext securityContext, String role, String catalogName)
    Check if identity is allowed to set role for specified catalog.
void checkCanSetSchemaAuthorization(SecurityContext securityContext, CatalogSchemaName schemaName, PrestoPrincipal principal)
    Check if identity is allowed to change the specified schema's user/role.
void checkCanSetSystemSessionProperty(Identity identity, String propertyName)
    Check if identity is allowed to set the specified system property.
void checkCanSetTableComment(SecurityContext securityContext, QualifiedObjectName tableName)
    Check if identity is allowed to comment the specified table.
void checkCanSetUser(Optional<Principal> principal, String userName)
    Deprecated.
void checkCanShowColumns(SecurityContext securityContext, CatalogSchemaTableName table)
    Check if identity is allowed to show columns of tables by executing SHOW COLUMNS, DESCRIBE etc.
void checkCanShowCreateSchema(SecurityContext securityContext, CatalogSchemaName schemaName)
    Check if identity is allowed to execute SHOW CREATE SCHEMA.
void checkCanShowCreateTable(SecurityContext securityContext, QualifiedObjectName tableName)
    Check if identity is allowed to execute SHOW CREATE TABLE, SHOW CREATE VIEW or SHOW CREATE MATERIALIZED VIEW.
void checkCanShowCurrentRoles(SecurityContext securityContext, String catalogName)
    Check if identity is allowed to show current roles on the specified catalog.
void checkCanShowRoleAuthorizationDescriptors(SecurityContext securityContext, String catalogName)
    Check if identity is allowed to show role authorization descriptors (i.e.
void checkCanShowRoleGrants(SecurityContext securityContext, String catalogName)
    Check if identity is allowed to show its own role grants on the specified catalog.
void checkCanShowRoles(SecurityContext securityContext, String catalogName)
    Check if identity is allowed to show roles on the specified catalog.
void checkCanShowSchemas(SecurityContext securityContext, String catalogName)
    Check if identity is allowed to execute SHOW SCHEMAS in a catalog.
void checkCanShowTables(SecurityContext securityContext, CatalogSchemaName schema)
    Check if identity is allowed to show tables by executing SHOW TABLES, SHOW GRANTS etc.
void checkCanViewQueryOwnedBy(Identity identity, String queryOwner)
    Checks if identity can view a query owned by the specified user.
void checkCanWriteSystemInformation(Identity identity)
    Check if identity is allowed to write system information such as marking nodes offline, or changing runtime flags.
Set<String> filterCatalogs(Identity identity, Set<String> catalogs)
    Filter the list of catalogs to those visible to the identity.
List<ColumnMetadata> filterColumns(SecurityContext securityContext, CatalogSchemaTableName table, List<ColumnMetadata> columns)
    Filter the list of columns to those visible to the identity.
Set<String> filterQueriesOwnedBy(Identity identity, Set<String> queryOwners)
    Filter the list of users to those whose queries the identity can view.
Set<String> filterSchemas(SecurityContext securityContext, String catalogName, Set<String> schemaNames)
    Filter the list of schemas in a catalog to those visible to the identity.
Set<SchemaTableName> filterTables(SecurityContext securityContext, String catalogName, Set<SchemaTableName> tableNames)
    Filter the list of tables and views to those visible to the identity.
io.airlift.stats.CounterStat getAuthorizationFail()
io.airlift.stats.CounterStat getAuthorizationSuccess()
List<ViewExpression> getColumnMasks(SecurityContext context, QualifiedObjectName tableName, String columnName, Type type)
List<ViewExpression> getRowFilters(SecurityContext context, QualifiedObjectName tableName)
void loadSystemAccessControl()
void removeCatalogAccessControl(CatalogName catalogName)
protected void setSystemAccessControl(String name, Map<String,String> properties)
void setSystemAccessControls(List<SystemAccessControl> systemAccessControls)
-
-
-
Constructor Detail
-
AccessControlManager
@Inject public AccessControlManager(TransactionManager transactionManager, EventListenerManager eventListenerManager, AccessControlConfig config)
-
-
Method Detail
-
addSystemAccessControlFactory
public final void addSystemAccessControlFactory(SystemAccessControlFactory accessControlFactory)
-
addCatalogAccessControl
public void addCatalogAccessControl(CatalogName catalogName, ConnectorAccessControl accessControl)
-
removeCatalogAccessControl
public void removeCatalogAccessControl(CatalogName catalogName)
-
loadSystemAccessControl
public void loadSystemAccessControl()
-
setSystemAccessControl
protected void setSystemAccessControl(String name, Map<String,String> properties)
-
addSystemAccessControl
public void addSystemAccessControl(SystemAccessControl systemAccessControl)
-
setSystemAccessControls
public void setSystemAccessControls(List<SystemAccessControl> systemAccessControls)
-
checkCanImpersonateUser
public void checkCanImpersonateUser(Identity identity, String userName)
Description copied from interface: AccessControl
Check if the identity is allowed to impersonate the specified user.
Specified by: checkCanImpersonateUser in interface AccessControl
-
checkCanSetUser
@Deprecated public void checkCanSetUser(Optional<Principal> principal, String userName)
Deprecated.
Description copied from interface: AccessControl
Check if the principal is allowed to be the specified user.
Specified by: checkCanSetUser in interface AccessControl
-
checkCanReadSystemInformation
public void checkCanReadSystemInformation(Identity identity)
Description copied from interface: AccessControl
Check if identity is allowed to read system information such as statistics, service registry, thread stacks, etc. This is typically allowed for administrators and management tools.
Specified by: checkCanReadSystemInformation in interface AccessControl
-
checkCanWriteSystemInformation
public void checkCanWriteSystemInformation(Identity identity)
Description copied from interface: AccessControl
Check if identity is allowed to write system information such as marking nodes offline, or changing runtime flags. This is typically allowed for administrators.
Specified by: checkCanWriteSystemInformation in interface AccessControl
-
checkCanExecuteQuery
public void checkCanExecuteQuery(Identity identity)
Description copied from interface: AccessControl
Checks if identity can execute a query.
Specified by: checkCanExecuteQuery in interface AccessControl
-
checkCanViewQueryOwnedBy
public void checkCanViewQueryOwnedBy(Identity identity, String queryOwner)
Description copied from interface: AccessControl
Checks if identity can view a query owned by the specified user. The method will not be called when the current user is the query owner.
Specified by: checkCanViewQueryOwnedBy in interface AccessControl
-
filterQueriesOwnedBy
public Set<String> filterQueriesOwnedBy(Identity identity, Set<String> queryOwners)
Description copied from interface: AccessControl
Filter the list of users to those whose queries the identity can view. The method will not be called with the current user in the set.
Specified by: filterQueriesOwnedBy in interface AccessControl
-
checkCanKillQueryOwnedBy
public void checkCanKillQueryOwnedBy(Identity identity, String queryOwner)
Description copied from interface: AccessControl
Checks if identity can kill a query owned by the specified user. The method will not be called when the current user is the query owner.
Specified by: checkCanKillQueryOwnedBy in interface AccessControl
-
filterCatalogs
public Set<String> filterCatalogs(Identity identity, Set<String> catalogs)
Description copied from interface: AccessControl
Filter the list of catalogs to those visible to the identity.
Specified by: filterCatalogs in interface AccessControl
-
checkCanCreateSchema
public void checkCanCreateSchema(SecurityContext securityContext, CatalogSchemaName schemaName)
Description copied from interface: AccessControl
Check if identity is allowed to create the specified schema.
Specified by: checkCanCreateSchema in interface AccessControl
-
checkCanDropSchema
public void checkCanDropSchema(SecurityContext securityContext, CatalogSchemaName schemaName)
Description copied from interface: AccessControl
Check if identity is allowed to drop the specified schema.
Specified by: checkCanDropSchema in interface AccessControl
-
checkCanRenameSchema
public void checkCanRenameSchema(SecurityContext securityContext, CatalogSchemaName schemaName, String newSchemaName)
Description copied from interface: AccessControl
Check if identity is allowed to rename the specified schema.
Specified by: checkCanRenameSchema in interface AccessControl
-
checkCanSetSchemaAuthorization
public void checkCanSetSchemaAuthorization(SecurityContext securityContext, CatalogSchemaName schemaName, PrestoPrincipal principal)
Description copied from interface: AccessControl
Check if identity is allowed to change the specified schema's user/role.
Specified by: checkCanSetSchemaAuthorization in interface AccessControl
-
checkCanShowSchemas
public void checkCanShowSchemas(SecurityContext securityContext, String catalogName)
Description copied from interface: AccessControl
Check if identity is allowed to execute SHOW SCHEMAS in a catalog.
NOTE: This method is only present to give users an error message when listing is not allowed. The AccessControl.filterSchemas(io.prestosql.security.SecurityContext, java.lang.String, java.util.Set<java.lang.String>) method must filter all results for unauthorized users, since there are multiple ways to list schemas.
Specified by: checkCanShowSchemas in interface AccessControl
-
filterSchemas
public Set<String> filterSchemas(SecurityContext securityContext, String catalogName, Set<String> schemaNames)
Description copied from interface: AccessControl
Filter the list of schemas in a catalog to those visible to the identity.
Specified by: filterSchemas in interface AccessControl
-
checkCanShowCreateSchema
public void checkCanShowCreateSchema(SecurityContext securityContext, CatalogSchemaName schemaName)
Description copied from interface: AccessControl
Check if identity is allowed to execute SHOW CREATE SCHEMA.
Specified by: checkCanShowCreateSchema in interface AccessControl
-
checkCanShowCreateTable
public void checkCanShowCreateTable(SecurityContext securityContext, QualifiedObjectName tableName)
Description copied from interface: AccessControl
Check if identity is allowed to execute SHOW CREATE TABLE, SHOW CREATE VIEW or SHOW CREATE MATERIALIZED VIEW.
Specified by: checkCanShowCreateTable in interface AccessControl
-
checkCanCreateTable
public void checkCanCreateTable(SecurityContext securityContext, QualifiedObjectName tableName)
Description copied from interface: AccessControl
Check if identity is allowed to create the specified table.
Specified by: checkCanCreateTable in interface AccessControl
-
checkCanDropTable
public void checkCanDropTable(SecurityContext securityContext, QualifiedObjectName tableName)
Description copied from interface: AccessControl
Check if identity is allowed to drop the specified table.
Specified by: checkCanDropTable in interface AccessControl
-
checkCanRenameTable
public void checkCanRenameTable(SecurityContext securityContext, QualifiedObjectName tableName, QualifiedObjectName newTableName)
Description copied from interface: AccessControl
Check if identity is allowed to rename the specified table.
Specified by: checkCanRenameTable in interface AccessControl
-
checkCanSetTableComment
public void checkCanSetTableComment(SecurityContext securityContext, QualifiedObjectName tableName)
Description copied from interface: AccessControl
Check if identity is allowed to comment the specified table.
Specified by: checkCanSetTableComment in interface AccessControl
-
checkCanSetColumnComment
public void checkCanSetColumnComment(SecurityContext securityContext, QualifiedObjectName tableName)
Description copied from interface: AccessControl
Check if identity is allowed to comment the specified column.
Specified by: checkCanSetColumnComment in interface AccessControl
-
checkCanShowTables
public void checkCanShowTables(SecurityContext securityContext, CatalogSchemaName schema)
Description copied from interface: AccessControl
Check if identity is allowed to show tables by executing SHOW TABLES, SHOW GRANTS etc. in a catalog schema.
NOTE: This method is only present to give users an error message when listing is not allowed. The AccessControl.filterTables(io.prestosql.security.SecurityContext, java.lang.String, java.util.Set<io.prestosql.spi.connector.SchemaTableName>) method must filter all results for unauthorized users, since there are multiple ways to list tables.
Specified by: checkCanShowTables in interface AccessControl
-
filterTables
public Set<SchemaTableName> filterTables(SecurityContext securityContext, String catalogName, Set<SchemaTableName> tableNames)
Description copied from interface: AccessControl
Filter the list of tables and views to those visible to the identity.
Specified by: filterTables in interface AccessControl
-
checkCanShowColumns
public void checkCanShowColumns(SecurityContext securityContext, CatalogSchemaTableName table)
Description copied from interface: AccessControl
Check if identity is allowed to show columns of tables by executing SHOW COLUMNS, DESCRIBE etc.
NOTE: This method is only present to give users an error message when listing is not allowed. The AccessControl.filterColumns(io.prestosql.security.SecurityContext, io.prestosql.spi.connector.CatalogSchemaTableName, java.util.List<io.prestosql.spi.connector.ColumnMetadata>) method must filter all results for unauthorized users, since there are multiple ways to list columns.
Specified by: checkCanShowColumns in interface AccessControl
-
filterColumns
public List<ColumnMetadata> filterColumns(SecurityContext securityContext, CatalogSchemaTableName table, List<ColumnMetadata> columns)
Description copied from interface: AccessControl
Filter the list of columns to those visible to the identity.
Specified by: filterColumns in interface AccessControl
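
The NOTEs on checkCanShowSchemas, checkCanShowTables and checkCanShowColumns all say the same thing: the check method only produces an error message, and the matching filter method is what must hide objects, because listings can be reached by more than one route. The following self-contained Java sketch is an added illustration, not Presto code; SchemaListingPolicy, the two listing routes and the sample users are hypothetical simplifications of the check/filter pair, shown for schemas only.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import java.util.function.Supplier;
import java.util.stream.Collectors;

public class CheckVersusFilterDemo {
    // Hypothetical, simplified stand-in for the check/filter pair on AccessControl.
    interface SchemaListingPolicy {
        void checkCanShowSchemas(String user, String catalog); // throws to deny
        Set<String> filterSchemas(String user, String catalog, Set<String> schemaNames);
    }

    // Constructed sample data: one catalog, three schemas, per-user visibility.
    static final String CATALOG = "warehouse";
    static final Set<String> ALL_SCHEMAS = Set.of("public", "finance", "hr");
    static final Map<String, Set<String>> VISIBLE = Map.of(
            "alice", Set.of("public", "finance", "hr"),
            "bob", Set.of("public"));

    static Set<String> visibleTo(String user) {
        return VISIBLE.getOrDefault(user, Set.of());
    }

    // Weak: the decision lives only in the check method; the filter passes everything.
    static class CheckOnlyPolicy implements SchemaListingPolicy {
        @Override
        public void checkCanShowSchemas(String user, String catalog) {
            if (visibleTo(user).isEmpty()) {
                throw new SecurityException("Access Denied: cannot show schemas in " + catalog);
            }
        }

        @Override
        public Set<String> filterSchemas(String user, String catalog, Set<String> schemaNames) {
            return schemaNames;
        }
    }

    // Hardened: same error message, but the filter is what enforces visibility.
    static class FilteringPolicy extends CheckOnlyPolicy {
        @Override
        public Set<String> filterSchemas(String user, String catalog, Set<String> schemaNames) {
            return schemaNames.stream()
                    .filter(visibleTo(user)::contains)
                    .collect(Collectors.toSet());
        }
    }

    // Route 1 (models SHOW SCHEMAS): check for the error message, then filter.
    static Set<String> showSchemas(SchemaListingPolicy policy, String user) {
        policy.checkCanShowSchemas(user, CATALOG);
        return new TreeSet<>(policy.filterSchemas(user, CATALOG, ALL_SCHEMAS));
    }

    // Route 2 (assumed for this model): another listing route that only applies the filter.
    static Set<String> listViaMetadataQuery(SchemaListingPolicy policy, String user) {
        return new TreeSet<>(policy.filterSchemas(user, CATALOG, ALL_SCHEMAS));
    }

    static String attempt(Supplier<Set<String>> listing) {
        try {
            return listing.get().toString();
        } catch (SecurityException e) {
            return "DENIED (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        for (SchemaListingPolicy policy : List.of(new CheckOnlyPolicy(), new FilteringPolicy())) {
            System.out.println(policy.getClass().getSimpleName());
            // "mallory" has no entry in VISIBLE, so nothing should be listed for that user.
            for (String user : List.of("alice", "bob", "mallory")) {
                System.out.printf("  %-8s SHOW SCHEMAS   -> %s%n",
                        user, attempt(() -> showSchemas(policy, user)));
                System.out.printf("  %-8s metadata query -> %s%n",
                        user, attempt(() -> listViaMetadataQuery(policy, user)));
            }
        }
    }
}
```

With CheckOnlyPolicy the second route returns every schema to a user the first route rejects; with FilteringPolicy both routes return only what the user may see.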
-
checkCanAddColumns
public void checkCanAddColumns(SecurityContext securityContext, QualifiedObjectName tableName)
Description copied from interface: AccessControl
Check if identity is allowed to add columns to the specified table.
Specified by: checkCanAddColumns in interface AccessControl
-
checkCanDropColumn
public void checkCanDropColumn(SecurityContext securityContext, QualifiedObjectName tableName)
Description copied from interface: AccessControl
Check if identity is allowed to drop columns from the specified table.
Specified by: checkCanDropColumn in interface AccessControl
-
checkCanRenameColumn
public void checkCanRenameColumn(SecurityContext securityContext, QualifiedObjectName tableName)
Description copied from interface: AccessControl
Check if identity is allowed to rename a column in the specified table.
Specified by: checkCanRenameColumn in interface AccessControl
-
checkCanInsertIntoTable
public void checkCanInsertIntoTable(SecurityContext securityContext, QualifiedObjectName tableName)
Description copied from interface: AccessControl
Check if identity is allowed to insert into the specified table.
Specified by: checkCanInsertIntoTable in interface AccessControl
-
checkCanDeleteFromTable
public void checkCanDeleteFromTable(SecurityContext securityContext, QualifiedObjectName tableName)
Description copied from interface: AccessControl
Check if identity is allowed to delete from the specified table.
Specified by: checkCanDeleteFromTable in interface AccessControl
-
checkCanCreateView
public void checkCanCreateView(SecurityContext securityContext, QualifiedObjectName viewName)
Description copied from interface: AccessControl
Check if identity is allowed to create the specified view.
Specified by: checkCanCreateView in interface AccessControl
-
checkCanRenameView
public void checkCanRenameView(SecurityContext securityContext, QualifiedObjectName viewName, QualifiedObjectName newViewName)
Description copied from interface: AccessControl
Check if identity is allowed to rename the specified view.
Specified by: checkCanRenameView in interface AccessControl
-
checkCanDropView
public void checkCanDropView(SecurityContext securityContext, QualifiedObjectName viewName)
Description copied from interface: AccessControl
Check if identity is allowed to drop the specified view.
Specified by: checkCanDropView in interface AccessControl
-
checkCanCreateViewWithSelectFromColumns
public void checkCanCreateViewWithSelectFromColumns(SecurityContext securityContext, QualifiedObjectName tableName, Set<String> columnNames)
Description copied from interface: AccessControl
Check if identity is allowed to create a view that selects from the specified columns.
Specified by: checkCanCreateViewWithSelectFromColumns in interface AccessControl
-
checkCanGrantExecuteFunctionPrivilege
public void checkCanGrantExecuteFunctionPrivilege(SecurityContext securityContext, String functionName, Identity grantee, boolean grantOption)
Description copied from interface: AccessControl
Check if identity is allowed to create a view that executes the function.
Specified by: checkCanGrantExecuteFunctionPrivilege in interface AccessControl
-
checkCanGrantTablePrivilege
public void checkCanGrantTablePrivilege(SecurityContext securityContext, Privilege privilege, QualifiedObjectName tableName, PrestoPrincipal grantee, boolean grantOption)
Description copied from interface: AccessControl
Check if identity is allowed to grant a privilege to the grantee on the specified table.
Specified by: checkCanGrantTablePrivilege in interface AccessControl
-
checkCanRevokeTablePrivilege
public void checkCanRevokeTablePrivilege(SecurityContext securityContext, Privilege privilege, QualifiedObjectName tableName, PrestoPrincipal revokee, boolean grantOption)
Description copied from interface: AccessControl
Check if identity is allowed to revoke a privilege from the revokee on the specified table.
Specified by: checkCanRevokeTablePrivilege in interface AccessControl
-
checkCanSetSystemSessionProperty
public void checkCanSetSystemSessionProperty(Identity identity, String propertyName)
Description copied from interface: AccessControl
Check if identity is allowed to set the specified system property.
Specified by: checkCanSetSystemSessionProperty in interface AccessControl
-
checkCanSetCatalogSessionProperty
public void checkCanSetCatalogSessionProperty(SecurityContext securityContext, String catalogName, String propertyName)
Description copied from interface: AccessControl
Check if identity is allowed to set the specified catalog property.
Specified by: checkCanSetCatalogSessionProperty in interface AccessControl
-
checkCanSelectFromColumns
public void checkCanSelectFromColumns(SecurityContext securityContext, QualifiedObjectName tableName, Set<String> columnNames)
Description copied from interface: AccessControl
Check if identity is allowed to select from the specified columns. The column set can be empty.
Specified by: checkCanSelectFromColumns in interface AccessControl
-
checkCanCreateRole
public void checkCanCreateRole(SecurityContext securityContext, String role, Optional<PrestoPrincipal> grantor, String catalogName)
Description copied from interface: AccessControl
Check if identity is allowed to create the specified role.
Specified by: checkCanCreateRole in interface AccessControl
-
checkCanDropRole
public void checkCanDropRole(SecurityContext securityContext, String role, String catalogName)
Description copied from interface: AccessControl
Check if identity is allowed to drop the specified role.
Specified by: checkCanDropRole in interface AccessControl
-
checkCanGrantRoles
public void checkCanGrantRoles(SecurityContext securityContext, Set<String> roles, Set<PrestoPrincipal> grantees, boolean adminOption, Optional<PrestoPrincipal> grantor, String catalogName)
Description copied from interface: AccessControl
Check if identity is allowed to grant the specified roles to the specified principals.
Specified by: checkCanGrantRoles in interface AccessControl
-
checkCanRevokeRoles
public void checkCanRevokeRoles(SecurityContext securityContext, Set<String> roles, Set<PrestoPrincipal> grantees, boolean adminOption, Optional<PrestoPrincipal> grantor, String catalogName)
Description copied from interface: AccessControl
Check if identity is allowed to revoke the specified roles from the specified principals.
Specified by: checkCanRevokeRoles in interface AccessControl
-
checkCanSetRole
public void checkCanSetRole(SecurityContext securityContext, String role, String catalogName)
Description copied from interface: AccessControl
Check if identity is allowed to set role for specified catalog.
Specified by: checkCanSetRole in interface AccessControl
-
checkCanShowRoleAuthorizationDescriptors
public void checkCanShowRoleAuthorizationDescriptors(SecurityContext securityContext, String catalogName)
Description copied from interface: AccessControl
Check if identity is allowed to show role authorization descriptors (i.e. RoleGrants).
Specified by: checkCanShowRoleAuthorizationDescriptors in interface AccessControl
-
checkCanShowRoles
public void checkCanShowRoles(SecurityContext securityContext, String catalogName)
Description copied from interface: AccessControl
Check if identity is allowed to show roles on the specified catalog.
Specified by: checkCanShowRoles in interface AccessControl
-
checkCanShowCurrentRoles
public void checkCanShowCurrentRoles(SecurityContext securityContext, String catalogName)
Description copied from interface: AccessControl
Check if identity is allowed to show current roles on the specified catalog.
Specified by: checkCanShowCurrentRoles in interface AccessControl
-
checkCanShowRoleGrants
public void checkCanShowRoleGrants(SecurityContext securityContext, String catalogName)
Description copied from interface: AccessControl
Check if identity is allowed to show its own role grants on the specified catalog.
Specified by: checkCanShowRoleGrants in interface AccessControl
-
checkCanExecuteProcedure
public void checkCanExecuteProcedure(SecurityContext securityContext, QualifiedObjectName procedureName)
Description copied from interface: AccessControl
Check if identity is allowed to execute procedure.
Specified by: checkCanExecuteProcedure in interface AccessControl
-
checkCanExecuteFunction
public void checkCanExecuteFunction(SecurityContext context, String functionName)
Description copied from interface: AccessControl
Check if identity is allowed to execute function.
Specified by: checkCanExecuteFunction in interface AccessControl
-
getRowFilters
public List<ViewExpression> getRowFilters(SecurityContext context, QualifiedObjectName tableName)
Specified by: getRowFilters in interface AccessControl
-
getColumnMasks
public List<ViewExpression> getColumnMasks(SecurityContext context, QualifiedObjectName tableName, String columnName, Type type)
Specified by: getColumnMasks in interface AccessControl
-
getAuthorizationSuccess
public io.airlift.stats.CounterStat getAuthorizationSuccess()
-
getAuthorizationFail
public io.airlift.stats.CounterStat getAuthorizationFail()
-
-