Package io.prestosql.spi.connector

Interface ConnectorAccessControl

public interface ConnectorAccessControl

Method Summary

Modifier and Type	Method	Description
default void	checkCanAddColumn(ConnectorSecurityContext context, SchemaTableName tableName)	Check if identity is allowed to add columns to the specified table in this catalog.
default void	checkCanCreateRole(ConnectorSecurityContext context, String role, Optional<PrestoPrincipal> grantor)
default void	checkCanCreateSchema(ConnectorSecurityContext context, String schemaName)	Check if identity is allowed to create the specified schema in this catalog.
default void	checkCanCreateTable(ConnectorSecurityContext context, SchemaTableName tableName)	Check if identity is allowed to create the specified table in this catalog.
default void	checkCanCreateView(ConnectorSecurityContext context, SchemaTableName viewName)	Check if identity is allowed to create the specified view in this catalog.
default void	checkCanCreateViewWithSelectFromColumns(ConnectorSecurityContext context, SchemaTableName tableName, Set<String> columnNames)	Check if identity is allowed to create a view that selects from the specified columns in a relation.
default void	checkCanDeleteFromTable(ConnectorSecurityContext context, SchemaTableName tableName)	Check if identity is allowed to delete from the specified table in this catalog.
default void	checkCanDropColumn(ConnectorSecurityContext context, SchemaTableName tableName)	Check if identity is allowed to drop columns from the specified table in this catalog.
default void	checkCanDropRole(ConnectorSecurityContext context, String role)
default void	checkCanDropSchema(ConnectorSecurityContext context, String schemaName)	Check if identity is allowed to drop the specified schema in this catalog.
default void	checkCanDropTable(ConnectorSecurityContext context, SchemaTableName tableName)	Check if identity is allowed to drop the specified table in this catalog.
default void	checkCanDropView(ConnectorSecurityContext context, SchemaTableName viewName)	Check if identity is allowed to drop the specified view in this catalog.
default void	checkCanExecuteProcedure(ConnectorSecurityContext context, SchemaRoutineName procedure)
default void	checkCanGrantRoles(ConnectorSecurityContext context, Set<String> roles, Set<PrestoPrincipal> grantees, boolean adminOption, Optional<PrestoPrincipal> grantor, String catalogName)
default void	checkCanGrantSchemaPrivilege(ConnectorSecurityContext context, Privilege privilege, String schemaName, PrestoPrincipal grantee, boolean grantOption)	Check if identity is allowed to grant to any other user the specified privilege on the specified schema.
default void	checkCanGrantTablePrivilege(ConnectorSecurityContext context, Privilege privilege, SchemaTableName tableName, PrestoPrincipal grantee, boolean grantOption)	Check if identity is allowed to grant to any other user the specified privilege on the specified table.
default void	checkCanInsertIntoTable(ConnectorSecurityContext context, SchemaTableName tableName)	Check if identity is allowed to insert into the specified table in this catalog.
default void	checkCanRenameColumn(ConnectorSecurityContext context, SchemaTableName tableName)	Check if identity is allowed to rename a column in the specified table in this catalog.
default void	checkCanRenameSchema(ConnectorSecurityContext context, String schemaName, String newSchemaName)	Check if identity is allowed to rename the specified schema in this catalog.
default void	checkCanRenameTable(ConnectorSecurityContext context, SchemaTableName tableName, SchemaTableName newTableName)	Check if identity is allowed to rename the specified table in this catalog.
default void	checkCanRenameView(ConnectorSecurityContext context, SchemaTableName viewName, SchemaTableName newViewName)	Check if identity is allowed to rename the specified view in this catalog.
default void	checkCanRevokeRoles(ConnectorSecurityContext context, Set<String> roles, Set<PrestoPrincipal> grantees, boolean adminOption, Optional<PrestoPrincipal> grantor, String catalogName)
default void	checkCanRevokeSchemaPrivilege(ConnectorSecurityContext context, Privilege privilege, String schemaName, PrestoPrincipal revokee, boolean grantOption)
default void	checkCanRevokeTablePrivilege(ConnectorSecurityContext context, Privilege privilege, SchemaTableName tableName, PrestoPrincipal revokee, boolean grantOption)	Check if identity is allowed to revoke the specified privilege on the specified table from any user.
default void	checkCanSelectFromColumns(ConnectorSecurityContext context, SchemaTableName tableName, Set<String> columnNames)	Check if identity is allowed to select from the specified columns in a relation.
default void	checkCanSetCatalogSessionProperty(ConnectorSecurityContext context, String propertyName)	Check if identity is allowed to set the specified property in this catalog.
default void	checkCanSetColumnComment(ConnectorSecurityContext context, SchemaTableName tableName)	Check if identity is allowed to comment the column in the specified table in this catalog.
default void	checkCanSetRole(ConnectorSecurityContext context, String role, String catalogName)
default void	checkCanSetSchemaAuthorization(ConnectorSecurityContext context, String schemaName, PrestoPrincipal principal)	Check if identity is allowed to change the specified schema's user/role.
default void	checkCanSetTableAuthorization(ConnectorSecurityContext context, SchemaTableName tableName, PrestoPrincipal principal)	Check if identity is allowed to change the specified table's user/role.
default void	checkCanSetTableComment(ConnectorSecurityContext context, SchemaTableName tableName)	Check if identity is allowed to comment the specified table in this catalog.
default void	checkCanSetViewAuthorization(ConnectorSecurityContext context, SchemaTableName viewName, PrestoPrincipal principal)	Check if identity is allowed to change the specified view's user/role.
default void	checkCanShowColumns(ConnectorSecurityContext context, SchemaTableName tableName)	Check if identity is allowed to show columns of tables by executing SHOW COLUMNS, DESCRIBE etc.
default void	checkCanShowCreateSchema(ConnectorSecurityContext context, String schemaName)	Check if identity is allowed to execute SHOW CREATE SCHEMA.
default void	checkCanShowCreateTable(ConnectorSecurityContext context, SchemaTableName tableName)	Check if identity is allowed to execute SHOW CREATE TABLE, SHOW CREATE VIEW or SHOW CREATE MATERIALIZED VIEW
default void	checkCanShowCurrentRoles(ConnectorSecurityContext context, String catalogName)	Check if identity is allowed to show current roles on the specified catalog.
default void	checkCanShowRoleAuthorizationDescriptors(ConnectorSecurityContext context, String catalogName)	Check if identity is allowed to show role authorization descriptors (i.e.
default void	checkCanShowRoleGrants(ConnectorSecurityContext context, String catalogName)	Check if identity is allowed to show its own role grants on the specified catalog.
default void	checkCanShowRoles(ConnectorSecurityContext context, String catalogName)	Check if identity is allowed to show roles on the specified catalog.
default void	checkCanShowSchemas(ConnectorSecurityContext context)	Check if identity is allowed to execute SHOW SCHEMAS in a catalog.
default void	checkCanShowTables(ConnectorSecurityContext context, String schemaName)	Check if identity is allowed to show metadata of tables by executing SHOW TABLES, SHOW GRANTS etc.
default List<ColumnMetadata>	filterColumns(ConnectorSecurityContext context, SchemaTableName tableName, List<ColumnMetadata> columns)	Filter the list of columns to those visible to the identity.
default Set<String>	filterSchemas(ConnectorSecurityContext context, Set<String> schemaNames)	Filter the list of schemas to those visible to the identity.
default Set<SchemaTableName>	filterTables(ConnectorSecurityContext context, Set<SchemaTableName> tableNames)	Filter the list of tables and views to those visible to the identity.
default Optional<ViewExpression>	getColumnMask(ConnectorSecurityContext context, SchemaTableName tableName, String columnName, Type type)	Get a column mask associated with the given table, column and identity.
default Optional<ViewExpression>	getRowFilter(ConnectorSecurityContext context, SchemaTableName tableName)	Get a row filter associated with the given table and identity.

Method Detail

checkCanCreateSchema

default void checkCanCreateSchema(ConnectorSecurityContext context,
                                  String schemaName)

Check if identity is allowed to create the specified schema in this catalog.

Throws:

AccessDeniedException - if not allowed

checkCanDropSchema

default void checkCanDropSchema(ConnectorSecurityContext context,
                                String schemaName)

Check if identity is allowed to drop the specified schema in this catalog.

Throws:

AccessDeniedException - if not allowed

checkCanRenameSchema

default void checkCanRenameSchema(ConnectorSecurityContext context,
                                  String schemaName,
                                  String newSchemaName)

Check if identity is allowed to rename the specified schema in this catalog.

Throws:

AccessDeniedException - if not allowed

checkCanSetSchemaAuthorization

default void checkCanSetSchemaAuthorization(ConnectorSecurityContext context,
                                            String schemaName,
                                            PrestoPrincipal principal)

Check if identity is allowed to change the specified schema's user/role.

Throws:

AccessDeniedException - if not allowed

checkCanShowSchemas

default void checkCanShowSchemas(ConnectorSecurityContext context)

Check if identity is allowed to execute SHOW SCHEMAS in a catalog.

NOTE: This method is only present to give users an error message when listing is not allowed. The filterSchemas(io.prestosql.spi.connector.ConnectorSecurityContext, java.util.Set<java.lang.String>) method must handle filter all results for unauthorized users, since there are multiple way to list schemas.

Throws:

AccessDeniedException - if not allowed

filterSchemas

default Set<String> filterSchemas(ConnectorSecurityContext context,
                                  Set<String> schemaNames)

Filter the list of schemas to those visible to the identity.

checkCanShowCreateSchema

default void checkCanShowCreateSchema(ConnectorSecurityContext context,
                                      String schemaName)

Check if identity is allowed to execute SHOW CREATE SCHEMA.

Throws:

AccessDeniedException - if not allowed

checkCanShowCreateTable

default void checkCanShowCreateTable(ConnectorSecurityContext context,
                                     SchemaTableName tableName)

Check if identity is allowed to execute SHOW CREATE TABLE, SHOW CREATE VIEW or SHOW CREATE MATERIALIZED VIEW

Throws:

AccessDeniedException - if not allowed

checkCanCreateTable

default void checkCanCreateTable(ConnectorSecurityContext context,
                                 SchemaTableName tableName)

Check if identity is allowed to create the specified table in this catalog.

Throws:

AccessDeniedException - if not allowed

checkCanDropTable

default void checkCanDropTable(ConnectorSecurityContext context,
                               SchemaTableName tableName)

Check if identity is allowed to drop the specified table in this catalog.

Throws:

AccessDeniedException - if not allowed

checkCanRenameTable

default void checkCanRenameTable(ConnectorSecurityContext context,
                                 SchemaTableName tableName,
                                 SchemaTableName newTableName)

Check if identity is allowed to rename the specified table in this catalog.

Throws:

AccessDeniedException - if not allowed

checkCanSetTableComment

default void checkCanSetTableComment(ConnectorSecurityContext context,
                                     SchemaTableName tableName)

Check if identity is allowed to comment the specified table in this catalog.

Throws:

AccessDeniedException - if not allowed

checkCanSetColumnComment

default void checkCanSetColumnComment(ConnectorSecurityContext context,
                                      SchemaTableName tableName)

Check if identity is allowed to comment the column in the specified table in this catalog.

Throws:

AccessDeniedException - if not allowed

checkCanShowTables

default void checkCanShowTables(ConnectorSecurityContext context,
                                String schemaName)

Check if identity is allowed to show metadata of tables by executing SHOW TABLES, SHOW GRANTS etc. in a catalog.

NOTE: This method is only present to give users an error message when listing is not allowed. The filterTables(io.prestosql.spi.connector.ConnectorSecurityContext, java.util.Set<io.prestosql.spi.connector.SchemaTableName>) method must filter all results for unauthorized users, since there are multiple ways to list tables.

Throws:

AccessDeniedException - if not allowed

filterTables

default Set<SchemaTableName> filterTables(ConnectorSecurityContext context,
                                          Set<SchemaTableName> tableNames)

Filter the list of tables and views to those visible to the identity.

checkCanShowColumns

default void checkCanShowColumns(ConnectorSecurityContext context,
                                 SchemaTableName tableName)

Check if identity is allowed to show columns of tables by executing SHOW COLUMNS, DESCRIBE etc.

NOTE: This method is only present to give users an error message when listing is not allowed. The filterColumns(io.prestosql.spi.connector.ConnectorSecurityContext, io.prestosql.spi.connector.SchemaTableName, java.util.List<io.prestosql.spi.connector.ColumnMetadata>) method must filter all results for unauthorized users, since there are multiple ways to list columns.

Throws:

AccessDeniedException - if not allowed

filterColumns

default List<ColumnMetadata> filterColumns(ConnectorSecurityContext context,
                                           SchemaTableName tableName,
                                           List<ColumnMetadata> columns)

Filter the list of columns to those visible to the identity.

checkCanAddColumn

default void checkCanAddColumn(ConnectorSecurityContext context,
                               SchemaTableName tableName)

Check if identity is allowed to add columns to the specified table in this catalog.

Throws:

AccessDeniedException - if not allowed

checkCanDropColumn

default void checkCanDropColumn(ConnectorSecurityContext context,
                                SchemaTableName tableName)

Check if identity is allowed to drop columns from the specified table in this catalog.

Throws:

AccessDeniedException - if not allowed

checkCanSetTableAuthorization

default void checkCanSetTableAuthorization(ConnectorSecurityContext context,
                                           SchemaTableName tableName,
                                           PrestoPrincipal principal)

Check if identity is allowed to change the specified table's user/role.

Throws:

AccessDeniedException - if not allowed

checkCanRenameColumn

default void checkCanRenameColumn(ConnectorSecurityContext context,
                                  SchemaTableName tableName)

Check if identity is allowed to rename a column in the specified table in this catalog.

Throws:

AccessDeniedException - if not allowed

checkCanSelectFromColumns

default void checkCanSelectFromColumns(ConnectorSecurityContext context,
                                       SchemaTableName tableName,
                                       Set<String> columnNames)

Check if identity is allowed to select from the specified columns in a relation. The column set can be empty.

Throws:

AccessDeniedException - if not allowed

checkCanInsertIntoTable

default void checkCanInsertIntoTable(ConnectorSecurityContext context,
                                     SchemaTableName tableName)

Check if identity is allowed to insert into the specified table in this catalog.

Throws:

AccessDeniedException - if not allowed

checkCanDeleteFromTable

default void checkCanDeleteFromTable(ConnectorSecurityContext context,
                                     SchemaTableName tableName)

Check if identity is allowed to delete from the specified table in this catalog.

Throws:

AccessDeniedException - if not allowed

checkCanCreateView

default void checkCanCreateView(ConnectorSecurityContext context,
                                SchemaTableName viewName)

Check if identity is allowed to create the specified view in this catalog.

Throws:

AccessDeniedException - if not allowed

checkCanRenameView

default void checkCanRenameView(ConnectorSecurityContext context,
                                SchemaTableName viewName,
                                SchemaTableName newViewName)

Check if identity is allowed to rename the specified view in this catalog.

Throws:

AccessDeniedException - if not allowed

checkCanSetViewAuthorization

default void checkCanSetViewAuthorization(ConnectorSecurityContext context,
                                          SchemaTableName viewName,
                                          PrestoPrincipal principal)

Check if identity is allowed to change the specified view's user/role.

Throws:

AccessDeniedException - if not allowed

checkCanDropView

default void checkCanDropView(ConnectorSecurityContext context,
                              SchemaTableName viewName)

Check if identity is allowed to drop the specified view in this catalog.

Throws:

AccessDeniedException - if not allowed

checkCanCreateViewWithSelectFromColumns

default void checkCanCreateViewWithSelectFromColumns(ConnectorSecurityContext context,
                                                     SchemaTableName tableName,
                                                     Set<String> columnNames)

Check if identity is allowed to create a view that selects from the specified columns in a relation.

Throws:

AccessDeniedException - if not allowed

checkCanSetCatalogSessionProperty

default void checkCanSetCatalogSessionProperty(ConnectorSecurityContext context,
                                               String propertyName)

Check if identity is allowed to set the specified property in this catalog.

Throws:

AccessDeniedException - if not allowed

checkCanGrantSchemaPrivilege

default void checkCanGrantSchemaPrivilege(ConnectorSecurityContext context,
                                          Privilege privilege,
                                          String schemaName,
                                          PrestoPrincipal grantee,
                                          boolean grantOption)

Check if identity is allowed to grant to any other user the specified privilege on the specified schema.

Throws:

AccessDeniedException - if not allowed

checkCanRevokeSchemaPrivilege

default void checkCanRevokeSchemaPrivilege(ConnectorSecurityContext context,
                                           Privilege privilege,
                                           String schemaName,
                                           PrestoPrincipal revokee,
                                           boolean grantOption)

checkCanGrantTablePrivilege

default void checkCanGrantTablePrivilege(ConnectorSecurityContext context,
                                         Privilege privilege,
                                         SchemaTableName tableName,
                                         PrestoPrincipal grantee,
                                         boolean grantOption)

Check if identity is allowed to grant to any other user the specified privilege on the specified table.

Throws:

AccessDeniedException - if not allowed

checkCanRevokeTablePrivilege

default void checkCanRevokeTablePrivilege(ConnectorSecurityContext context,
                                          Privilege privilege,
                                          SchemaTableName tableName,
                                          PrestoPrincipal revokee,
                                          boolean grantOption)

Check if identity is allowed to revoke the specified privilege on the specified table from any user.

Throws:

AccessDeniedException - if not allowed

checkCanCreateRole

default void checkCanCreateRole(ConnectorSecurityContext context,
                                String role,
                                Optional<PrestoPrincipal> grantor)

checkCanDropRole

default void checkCanDropRole(ConnectorSecurityContext context,
                              String role)

checkCanGrantRoles

default void checkCanGrantRoles(ConnectorSecurityContext context,
                                Set<String> roles,
                                Set<PrestoPrincipal> grantees,
                                boolean adminOption,
                                Optional<PrestoPrincipal> grantor,
                                String catalogName)

checkCanRevokeRoles

default void checkCanRevokeRoles(ConnectorSecurityContext context,
                                 Set<String> roles,
                                 Set<PrestoPrincipal> grantees,
                                 boolean adminOption,
                                 Optional<PrestoPrincipal> grantor,
                                 String catalogName)

checkCanSetRole

default void checkCanSetRole(ConnectorSecurityContext context,
                             String role,
                             String catalogName)

checkCanShowRoleAuthorizationDescriptors

default void checkCanShowRoleAuthorizationDescriptors(ConnectorSecurityContext context,
                                                      String catalogName)

Check if identity is allowed to show role authorization descriptors (i.e. RoleGrants).

Throws:

AccessDeniedException - if not allowed

checkCanShowRoles

default void checkCanShowRoles(ConnectorSecurityContext context,
                               String catalogName)

Check if identity is allowed to show roles on the specified catalog.

Throws:

AccessDeniedException - if not allowed

checkCanShowCurrentRoles

default void checkCanShowCurrentRoles(ConnectorSecurityContext context,
                                      String catalogName)

Check if identity is allowed to show current roles on the specified catalog.

Throws:

AccessDeniedException - if not allowed

checkCanShowRoleGrants

default void checkCanShowRoleGrants(ConnectorSecurityContext context,
                                    String catalogName)

Check if identity is allowed to show its own role grants on the specified catalog.

Throws:

AccessDeniedException - if not allowed

checkCanExecuteProcedure

default void checkCanExecuteProcedure(ConnectorSecurityContext context,
                                      SchemaRoutineName procedure)

getRowFilter

default Optional<ViewExpression> getRowFilter(ConnectorSecurityContext context,
                                              SchemaTableName tableName)

Get a row filter associated with the given table and identity.

The filter must be a scalar SQL expression of boolean type over the columns in the table.

Returns:

the filter, or Optional.empty() if not applicable

getColumnMask

default Optional<ViewExpression> getColumnMask(ConnectorSecurityContext context,
                                               SchemaTableName tableName,
                                               String columnName,
                                               Type type)

Get a column mask associated with the given table, column and identity.

The mask must be a scalar SQL expression of a type coercible to the type of the column being masked. The expression must be written in terms of columns in the table.

Returns:

the mask, or Optional.empty() if not applicable