Interface ConnectorAccessControl
-
public interface ConnectorAccessControl
-
-
Method Summary
default void checkCanAddColumn(ConnectorSecurityContext context, SchemaTableName tableName)
Check if identity is allowed to add columns to the specified table in this catalog.

default void checkCanCreateRole(ConnectorSecurityContext context, String role, Optional<PrestoPrincipal> grantor)

default void checkCanCreateSchema(ConnectorSecurityContext context, String schemaName)
Check if identity is allowed to create the specified schema in this catalog.

default void checkCanCreateTable(ConnectorSecurityContext context, SchemaTableName tableName)
Check if identity is allowed to create the specified table in this catalog.

default void checkCanCreateView(ConnectorSecurityContext context, SchemaTableName viewName)
Check if identity is allowed to create the specified view in this catalog.

default void checkCanCreateViewWithSelectFromColumns(ConnectorSecurityContext context, SchemaTableName tableName, Set<String> columnNames)
Check if identity is allowed to create a view that selects from the specified columns in a relation.

default void checkCanDeleteFromTable(ConnectorSecurityContext context, SchemaTableName tableName)
Check if identity is allowed to delete from the specified table in this catalog.

default void checkCanDropColumn(ConnectorSecurityContext context, SchemaTableName tableName)
Check if identity is allowed to drop columns from the specified table in this catalog.

default void checkCanDropRole(ConnectorSecurityContext context, String role)

default void checkCanDropSchema(ConnectorSecurityContext context, String schemaName)
Check if identity is allowed to drop the specified schema in this catalog.

default void checkCanDropTable(ConnectorSecurityContext context, SchemaTableName tableName)
Check if identity is allowed to drop the specified table in this catalog.

default void checkCanDropView(ConnectorSecurityContext context, SchemaTableName viewName)
Check if identity is allowed to drop the specified view in this catalog.

default void checkCanExecuteProcedure(ConnectorSecurityContext context, SchemaRoutineName procedure)

default void checkCanGrantRoles(ConnectorSecurityContext context, Set<String> roles, Set<PrestoPrincipal> grantees, boolean adminOption, Optional<PrestoPrincipal> grantor, String catalogName)

default void checkCanGrantSchemaPrivilege(ConnectorSecurityContext context, Privilege privilege, String schemaName, PrestoPrincipal grantee, boolean grantOption)
Check if identity is allowed to grant to any other user the specified privilege on the specified schema.

default void checkCanGrantTablePrivilege(ConnectorSecurityContext context, Privilege privilege, SchemaTableName tableName, PrestoPrincipal grantee, boolean grantOption)
Check if identity is allowed to grant to any other user the specified privilege on the specified table.

default void checkCanInsertIntoTable(ConnectorSecurityContext context, SchemaTableName tableName)
Check if identity is allowed to insert into the specified table in this catalog.

default void checkCanRenameColumn(ConnectorSecurityContext context, SchemaTableName tableName)
Check if identity is allowed to rename a column in the specified table in this catalog.

default void checkCanRenameSchema(ConnectorSecurityContext context, String schemaName, String newSchemaName)
Check if identity is allowed to rename the specified schema in this catalog.

default void checkCanRenameTable(ConnectorSecurityContext context, SchemaTableName tableName, SchemaTableName newTableName)
Check if identity is allowed to rename the specified table in this catalog.

default void checkCanRenameView(ConnectorSecurityContext context, SchemaTableName viewName, SchemaTableName newViewName)
Check if identity is allowed to rename the specified view in this catalog.

default void checkCanRevokeRoles(ConnectorSecurityContext context, Set<String> roles, Set<PrestoPrincipal> grantees, boolean adminOption, Optional<PrestoPrincipal> grantor, String catalogName)

default void checkCanRevokeSchemaPrivilege(ConnectorSecurityContext context, Privilege privilege, String schemaName, PrestoPrincipal revokee, boolean grantOption)

default void checkCanRevokeTablePrivilege(ConnectorSecurityContext context, Privilege privilege, SchemaTableName tableName, PrestoPrincipal revokee, boolean grantOption)
Check if identity is allowed to revoke the specified privilege on the specified table from any user.

default void checkCanSelectFromColumns(ConnectorSecurityContext context, SchemaTableName tableName, Set<String> columnNames)
Check if identity is allowed to select from the specified columns in a relation.

default void checkCanSetCatalogSessionProperty(ConnectorSecurityContext context, String propertyName)
Check if identity is allowed to set the specified property in this catalog.

default void checkCanSetColumnComment(ConnectorSecurityContext context, SchemaTableName tableName)
Check if identity is allowed to comment the column in the specified table in this catalog.

default void checkCanSetRole(ConnectorSecurityContext context, String role, String catalogName)

default void checkCanSetSchemaAuthorization(ConnectorSecurityContext context, String schemaName, PrestoPrincipal principal)
Check if identity is allowed to change the specified schema's user/role.

default void checkCanSetTableAuthorization(ConnectorSecurityContext context, SchemaTableName tableName, PrestoPrincipal principal)
Check if identity is allowed to change the specified table's user/role.

default void checkCanSetTableComment(ConnectorSecurityContext context, SchemaTableName tableName)
Check if identity is allowed to comment the specified table in this catalog.

default void checkCanSetViewAuthorization(ConnectorSecurityContext context, SchemaTableName viewName, PrestoPrincipal principal)
Check if identity is allowed to change the specified view's user/role.

default void checkCanShowColumns(ConnectorSecurityContext context, SchemaTableName tableName)
Check if identity is allowed to show columns of tables by executing SHOW COLUMNS, DESCRIBE etc.

default void checkCanShowCreateSchema(ConnectorSecurityContext context, String schemaName)
Check if identity is allowed to execute SHOW CREATE SCHEMA.

default void checkCanShowCreateTable(ConnectorSecurityContext context, SchemaTableName tableName)
Check if identity is allowed to execute SHOW CREATE TABLE, SHOW CREATE VIEW or SHOW CREATE MATERIALIZED VIEW.

default void checkCanShowCurrentRoles(ConnectorSecurityContext context, String catalogName)
Check if identity is allowed to show current roles on the specified catalog.

default void checkCanShowRoleAuthorizationDescriptors(ConnectorSecurityContext context, String catalogName)
Check if identity is allowed to show role authorization descriptors (i.e. RoleGrants).

default void checkCanShowRoleGrants(ConnectorSecurityContext context, String catalogName)
Check if identity is allowed to show its own role grants on the specified catalog.

default void checkCanShowRoles(ConnectorSecurityContext context, String catalogName)
Check if identity is allowed to show roles on the specified catalog.

default void checkCanShowSchemas(ConnectorSecurityContext context)
Check if identity is allowed to execute SHOW SCHEMAS in a catalog.

default void checkCanShowTables(ConnectorSecurityContext context, String schemaName)
Check if identity is allowed to show metadata of tables by executing SHOW TABLES, SHOW GRANTS etc. in a catalog.

default List<ColumnMetadata> filterColumns(ConnectorSecurityContext context, SchemaTableName tableName, List<ColumnMetadata> columns)
Filter the list of columns to those visible to the identity.

default Set<String> filterSchemas(ConnectorSecurityContext context, Set<String> schemaNames)
Filter the list of schemas to those visible to the identity.

default Set<SchemaTableName> filterTables(ConnectorSecurityContext context, Set<SchemaTableName> tableNames)
Filter the list of tables and views to those visible to the identity.

default Optional<ViewExpression> getColumnMask(ConnectorSecurityContext context, SchemaTableName tableName, String columnName, Type type)
Get a column mask associated with the given table, column and identity.

default Optional<ViewExpression> getRowFilter(ConnectorSecurityContext context, SchemaTableName tableName)
Get a row filter associated with the given table and identity.
-
-
-
Method Detail
-
checkCanCreateSchema
default void checkCanCreateSchema(ConnectorSecurityContext context, String schemaName)
Check if identity is allowed to create the specified schema in this catalog.
Throws:
AccessDeniedException - if not allowed
-
checkCanDropSchema
default void checkCanDropSchema(ConnectorSecurityContext context, String schemaName)
Check if identity is allowed to drop the specified schema in this catalog.
Throws:
AccessDeniedException - if not allowed
-
checkCanRenameSchema
default void checkCanRenameSchema(ConnectorSecurityContext context, String schemaName, String newSchemaName)
Check if identity is allowed to rename the specified schema in this catalog.
Throws:
AccessDeniedException - if not allowed
-
checkCanSetSchemaAuthorization
default void checkCanSetSchemaAuthorization(ConnectorSecurityContext context, String schemaName, PrestoPrincipal principal)
Check if identity is allowed to change the specified schema's user/role.
Throws:
AccessDeniedException - if not allowed
-
checkCanShowSchemas
default void checkCanShowSchemas(ConnectorSecurityContext context)
Check if identity is allowed to execute SHOW SCHEMAS in a catalog.
NOTE: This method is only present to give users an error message when listing is not allowed. The filterSchemas(io.prestosql.spi.connector.ConnectorSecurityContext, java.util.Set<java.lang.String>) method must filter all results for unauthorized users, since there are multiple ways to list schemas.
Throws:
AccessDeniedException - if not allowed
-
filterSchemas
default Set<String> filterSchemas(ConnectorSecurityContext context, Set<String> schemaNames)
Filter the list of schemas to those visible to the identity.
-
checkCanShowCreateSchema
default void checkCanShowCreateSchema(ConnectorSecurityContext context, String schemaName)
Check if identity is allowed to execute SHOW CREATE SCHEMA.
Throws:
AccessDeniedException - if not allowed
-
checkCanShowCreateTable
default void checkCanShowCreateTable(ConnectorSecurityContext context, SchemaTableName tableName)
Check if identity is allowed to execute SHOW CREATE TABLE, SHOW CREATE VIEW or SHOW CREATE MATERIALIZED VIEW.
Throws:
AccessDeniedException - if not allowed
-
checkCanCreateTable
default void checkCanCreateTable(ConnectorSecurityContext context, SchemaTableName tableName)
Check if identity is allowed to create the specified table in this catalog.
Throws:
AccessDeniedException - if not allowed
-
checkCanDropTable
default void checkCanDropTable(ConnectorSecurityContext context, SchemaTableName tableName)
Check if identity is allowed to drop the specified table in this catalog.
Throws:
AccessDeniedException - if not allowed
-
checkCanRenameTable
default void checkCanRenameTable(ConnectorSecurityContext context, SchemaTableName tableName, SchemaTableName newTableName)
Check if identity is allowed to rename the specified table in this catalog.
Throws:
AccessDeniedException - if not allowed
-
checkCanSetTableComment
default void checkCanSetTableComment(ConnectorSecurityContext context, SchemaTableName tableName)
Check if identity is allowed to comment the specified table in this catalog.
Throws:
AccessDeniedException - if not allowed
-
checkCanSetColumnComment
default void checkCanSetColumnComment(ConnectorSecurityContext context, SchemaTableName tableName)
Check if identity is allowed to comment the column in the specified table in this catalog.
Throws:
AccessDeniedException - if not allowed
-
checkCanShowTables
default void checkCanShowTables(ConnectorSecurityContext context, String schemaName)
Check if identity is allowed to show metadata of tables by executing SHOW TABLES, SHOW GRANTS etc. in a catalog.
NOTE: This method is only present to give users an error message when listing is not allowed. The filterTables(io.prestosql.spi.connector.ConnectorSecurityContext, java.util.Set<io.prestosql.spi.connector.SchemaTableName>) method must filter all results for unauthorized users, since there are multiple ways to list tables.
Throws:
AccessDeniedException - if not allowed
-
filterTables
default Set<SchemaTableName> filterTables(ConnectorSecurityContext context, Set<SchemaTableName> tableNames)
Filter the list of tables and views to those visible to the identity.
-
checkCanShowColumns
default void checkCanShowColumns(ConnectorSecurityContext context, SchemaTableName tableName)
Check if identity is allowed to show columns of tables by executing SHOW COLUMNS, DESCRIBE etc.
NOTE: This method is only present to give users an error message when listing is not allowed. The filterColumns(io.prestosql.spi.connector.ConnectorSecurityContext, io.prestosql.spi.connector.SchemaTableName, java.util.List<io.prestosql.spi.connector.ColumnMetadata>) method must filter all results for unauthorized users, since there are multiple ways to list columns.
Throws:
AccessDeniedException - if not allowed
-
filterColumns
default List<ColumnMetadata> filterColumns(ConnectorSecurityContext context, SchemaTableName tableName, List<ColumnMetadata> columns)
Filter the list of columns to those visible to the identity.
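The split described in the NOTEs above (checkCanShow* only produces the error message, filter* does the actual enforcement), as an added example that is not part of the Presto SPI or its documentation. The class name SchemaAllowListAccessControl and the per-user allowedSchemas map are hypothetical; context.getIdentity().getUser() and the public AccessDeniedException(String) constructor are assumed to match the SPI version in use.

```java
import io.prestosql.spi.connector.ConnectorAccessControl;
import io.prestosql.spi.connector.ConnectorSecurityContext;
import io.prestosql.spi.connector.SchemaTableName;
import io.prestosql.spi.security.AccessDeniedException;

import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

// Added example, not SPI code: a per-user schema allow-list (hypothetical policy source).
public class SchemaAllowListAccessControl
        implements ConnectorAccessControl
{
    // user name -> schemas that user may list and read (assumed to come from configuration)
    private final Map<String, Set<String>> allowedSchemas;

    public SchemaAllowListAccessControl(Map<String, Set<String>> allowedSchemas)
    {
        this.allowedSchemas = Map.copyOf(allowedSchemas);
    }

    // Fail closed: a user without an entry is allowed nothing.
    private boolean isAllowed(ConnectorSecurityContext context, String schemaName)
    {
        String user = context.getIdentity().getUser();
        return allowedSchemas.getOrDefault(user, Set.of()).contains(schemaName);
    }

    // Error-message path only: rejects an explicit listing of a schema the user may not see.
    @Override
    public void checkCanShowTables(ConnectorSecurityContext context, String schemaName)
    {
        if (!isAllowed(context, schemaName)) {
            throw new AccessDeniedException("Cannot show tables of schema " + schemaName);
        }
    }

    // Enforcement path: applied to the result set, whichever route produced the listing.
    @Override
    public Set<String> filterSchemas(ConnectorSecurityContext context, Set<String> schemaNames)
    {
        return schemaNames.stream()
                .filter(schema -> isAllowed(context, schema))
                .collect(Collectors.toSet());
    }

    @Override
    public Set<SchemaTableName> filterTables(ConnectorSecurityContext context, Set<SchemaTableName> tableNames)
    {
        return tableNames.stream()
                .filter(table -> isAllowed(context, table.getSchemaName()))
                .collect(Collectors.toSet());
    }

    // The column set can be empty, so the decision is made on the table's schema alone.
    @Override
    public void checkCanSelectFromColumns(ConnectorSecurityContext context, SchemaTableName tableName, Set<String> columnNames)
    {
        if (!isAllowed(context, tableName.getSchemaName())) {
            throw new AccessDeniedException("Cannot select from table " + tableName);
        }
    }
}
```

Using the same isAllowed predicate in the check and filter methods keeps the two paths from drifting apart: a schema hidden from listings is also unreadable, and the reverse.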
-
checkCanAddColumn
default void checkCanAddColumn(ConnectorSecurityContext context, SchemaTableName tableName)
Check if identity is allowed to add columns to the specified table in this catalog.
Throws:
AccessDeniedException - if not allowed
-
checkCanDropColumn
default void checkCanDropColumn(ConnectorSecurityContext context, SchemaTableName tableName)
Check if identity is allowed to drop columns from the specified table in this catalog.
Throws:
AccessDeniedException - if not allowed
-
checkCanSetTableAuthorization
default void checkCanSetTableAuthorization(ConnectorSecurityContext context, SchemaTableName tableName, PrestoPrincipal principal)
Check if identity is allowed to change the specified table's user/role.
Throws:
AccessDeniedException - if not allowed
-
checkCanRenameColumn
default void checkCanRenameColumn(ConnectorSecurityContext context, SchemaTableName tableName)
Check if identity is allowed to rename a column in the specified table in this catalog.
Throws:
AccessDeniedException - if not allowed
-
checkCanSelectFromColumns
default void checkCanSelectFromColumns(ConnectorSecurityContext context, SchemaTableName tableName, Set<String> columnNames)
Check if identity is allowed to select from the specified columns in a relation. The column set can be empty.
Throws:
AccessDeniedException - if not allowed
-
checkCanInsertIntoTable
default void checkCanInsertIntoTable(ConnectorSecurityContext context, SchemaTableName tableName)
Check if identity is allowed to insert into the specified table in this catalog.
Throws:
AccessDeniedException - if not allowed
-
checkCanDeleteFromTable
default void checkCanDeleteFromTable(ConnectorSecurityContext context, SchemaTableName tableName)
Check if identity is allowed to delete from the specified table in this catalog.
Throws:
AccessDeniedException - if not allowed
-
checkCanCreateView
default void checkCanCreateView(ConnectorSecurityContext context, SchemaTableName viewName)
Check if identity is allowed to create the specified view in this catalog.
Throws:
AccessDeniedException - if not allowed
-
checkCanRenameView
default void checkCanRenameView(ConnectorSecurityContext context, SchemaTableName viewName, SchemaTableName newViewName)
Check if identity is allowed to rename the specified view in this catalog.
Throws:
AccessDeniedException - if not allowed
-
checkCanSetViewAuthorization
default void checkCanSetViewAuthorization(ConnectorSecurityContext context, SchemaTableName viewName, PrestoPrincipal principal)
Check if identity is allowed to change the specified view's user/role.
Throws:
AccessDeniedException - if not allowed
-
checkCanDropView
default void checkCanDropView(ConnectorSecurityContext context, SchemaTableName viewName)
Check if identity is allowed to drop the specified view in this catalog.
Throws:
AccessDeniedException - if not allowed
-
checkCanCreateViewWithSelectFromColumns
default void checkCanCreateViewWithSelectFromColumns(ConnectorSecurityContext context, SchemaTableName tableName, Set<String> columnNames)
Check if identity is allowed to create a view that selects from the specified columns in a relation.
Throws:
AccessDeniedException - if not allowed
-
checkCanSetCatalogSessionProperty
default void checkCanSetCatalogSessionProperty(ConnectorSecurityContext context, String propertyName)
Check if identity is allowed to set the specified property in this catalog.
Throws:
AccessDeniedException - if not allowed
-
checkCanGrantSchemaPrivilege
default void checkCanGrantSchemaPrivilege(ConnectorSecurityContext context, Privilege privilege, String schemaName, PrestoPrincipal grantee, boolean grantOption)
Check if identity is allowed to grant to any other user the specified privilege on the specified schema.
Throws:
AccessDeniedException - if not allowed
-
checkCanRevokeSchemaPrivilege
default void checkCanRevokeSchemaPrivilege(ConnectorSecurityContext context, Privilege privilege, String schemaName, PrestoPrincipal revokee, boolean grantOption)
-
checkCanGrantTablePrivilege
default void checkCanGrantTablePrivilege(ConnectorSecurityContext context, Privilege privilege, SchemaTableName tableName, PrestoPrincipal grantee, boolean grantOption)
Check if identity is allowed to grant to any other user the specified privilege on the specified table.
Throws:
AccessDeniedException - if not allowed
-
checkCanRevokeTablePrivilege
default void checkCanRevokeTablePrivilege(ConnectorSecurityContext context, Privilege privilege, SchemaTableName tableName, PrestoPrincipal revokee, boolean grantOption)
Check if identity is allowed to revoke the specified privilege on the specified table from any user.
Throws:
AccessDeniedException - if not allowed
-
checkCanCreateRole
default void checkCanCreateRole(ConnectorSecurityContext context, String role, Optional<PrestoPrincipal> grantor)
-
checkCanDropRole
default void checkCanDropRole(ConnectorSecurityContext context, String role)
-
checkCanGrantRoles
default void checkCanGrantRoles(ConnectorSecurityContext context, Set<String> roles, Set<PrestoPrincipal> grantees, boolean adminOption, Optional<PrestoPrincipal> grantor, String catalogName)
-
checkCanRevokeRoles
default void checkCanRevokeRoles(ConnectorSecurityContext context, Set<String> roles, Set<PrestoPrincipal> grantees, boolean adminOption, Optional<PrestoPrincipal> grantor, String catalogName)
-
checkCanSetRole
default void checkCanSetRole(ConnectorSecurityContext context, String role, String catalogName)
-
checkCanShowRoleAuthorizationDescriptors
default void checkCanShowRoleAuthorizationDescriptors(ConnectorSecurityContext context, String catalogName)
Check if identity is allowed to show role authorization descriptors (i.e. RoleGrants).
Throws:
AccessDeniedException - if not allowed
-
checkCanShowRoles
default void checkCanShowRoles(ConnectorSecurityContext context, String catalogName)
Check if identity is allowed to show roles on the specified catalog.
Throws:
AccessDeniedException - if not allowed
-
checkCanShowCurrentRoles
default void checkCanShowCurrentRoles(ConnectorSecurityContext context, String catalogName)
Check if identity is allowed to show current roles on the specified catalog.
Throws:
AccessDeniedException - if not allowed
-
checkCanShowRoleGrants
default void checkCanShowRoleGrants(ConnectorSecurityContext context, String catalogName)
Check if identity is allowed to show its own role grants on the specified catalog.
Throws:
AccessDeniedException - if not allowed
-
checkCanExecuteProcedure
default void checkCanExecuteProcedure(ConnectorSecurityContext context, SchemaRoutineName procedure)
-
getRowFilter
default Optional<ViewExpression> getRowFilter(ConnectorSecurityContext context, SchemaTableName tableName)
Get a row filter associated with the given table and identity.
The filter must be a scalar SQL expression of boolean type over the columns in the table.
Returns:
the filter, or Optional.empty() if not applicable
-
getColumnMask
default Optional<ViewExpression> getColumnMask(ConnectorSecurityContext context, SchemaTableName tableName, String columnName, Type type)
Get a column mask associated with the given table, column and identity.
The mask must be a scalar SQL expression of a type coercible to the type of the column being masked. The expression must be written in terms of columns in the table.
Returns:
the mask, or Optional.empty() if not applicable
-
-