Support role management #7898

Closed
wants to merge 51 commits into from

arhimondr
Member

@arhimondr arhimondr commented Apr 25, 2017

This PR enables roles management through Presto.

It covers all the syntax explained here: Teradata#494

Although the PR is enormous - it can be reviewed and merged partially.

  1. CREATE/DROP/LIST ROLES - commits through Introduce CREATE ROLE and DROP ROLE statements to Implement Create/Drop/List roles in Hive connector

  2. GRANT/REVOKE ROLES - commits through Introduce GRANT/REVOKE roles statements to Prepare metastore interface to accept ROLE for GRANT/REVOKE

  3. SET ROLE - commits through Introduce SET ROLE statement to Accept ROLE in GRANT/REVOKE Privileges statements

  4. SHOW ROLES, SHOW CURRENT ROLES, SHOW ROLE GRANTS shortcuts - commits through Add SHOW ROLES to the parser to Access control for SHOW ROLE GRANTS and SHOW CURRENT ROLES

  5. Consider role set with SET ROLE when checking permissions - commits through Remove redundant checkDatabasePermission methods to More product tests for SET ROLE

  6. Roles management documentation - Document role management

@arhimondr arhimondr force-pushed the support_role_management branch 3 times, most recently from 5744956 to 0ce6e29 Compare April 25, 2017 21:13
@arhimondr arhimondr force-pushed the support_role_management branch from 0ce6e29 to 8f35e71 Compare April 27, 2017 18:47
@arhimondr arhimondr force-pushed the support_role_management branch from 8f35e71 to 08b367a Compare May 16, 2017 15:21
@arhimondr arhimondr force-pushed the support_role_management branch 2 times, most recently from 24eaa60 to 31de171 Compare May 31, 2017 20:13
@arhimondr arhimondr force-pushed the support_role_management branch from 31de171 to bf1739f Compare June 12, 2017 15:08
@amrutagokhale amrutagokhale force-pushed the support_role_management branch from bf1739f to 73a38b1 Compare June 27, 2017 20:01
@arhimondr arhimondr force-pushed the support_role_management branch from 73a38b1 to 77c464d Compare July 28, 2017 21:36
@arhimondr arhimondr force-pushed the support_role_management branch from 77c464d to b9dca17 Compare August 25, 2017 15:55
cawallin and others added 26 commits August 28, 2017 13:02
Instead of select * from information_schema.roles, SHOW CURRENT ROLES
rewrites to select * from information_schema.enabled_roles.

All users can see what roles they're currently using, so no need
for access control checks.
Currently the only database permission we support is OWNERSHIP.
Instead of creating that permission, and checking if it is granted
it is more readable to just call `isDatabaseOwner` directly.

Admin user has all the available permissions for all the entities
implicitly. So it may be considered as a database and table "owner"
for all tables and databases. Also it has all the SELECT, INSERT, DELETE
permissions implicitly.

hasGrantOptionForPrivilege cannot be used in security checks for createView
because it doesn't consider the session role.

Verify that role set with `SET ROLE` is considered during the access check.
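
The commit messages above turn on the difference between a grant-option check that ignores the session role and one that honours it. The following is an added example of that difference, not code from this PR or from Presto. It is a simplified Java 16+ model: the class, the method names, the `analyst` role and the `orders` table are hypothetical, and direct user grants and `SET ROLE ALL` are left out.

```java
import java.util.*;

// Simplified model, not Presto code. All names here are hypothetical.
public class SessionRoleCheck {
    // A table privilege held by a role, optionally WITH GRANT OPTION.
    record Grant(String role, String table, String privilege, boolean grantOption) {}

    private final Map<String, Set<String>> rolesOfUser = new HashMap<>();
    private final List<Grant> grants = new ArrayList<>();

    void grantRole(String user, String role) {
        rolesOfUser.computeIfAbsent(user, u -> new HashSet<>()).add(role);
    }

    void grantPrivilege(String role, String table, String privilege, boolean grantOption) {
        grants.add(new Grant(role, table, privilege, grantOption));
    }

    // Session-unaware check: every role ever granted to the user counts.
    boolean hasGrantOptionIgnoringSession(String user, String table, String privilege) {
        return anyRoleHasGrantOption(rolesOfUser.getOrDefault(user, Set.of()), table, privilege);
    }

    // Session-aware check: only the role enabled with SET ROLE counts, and
    // only if that role was actually granted to the user.
    boolean hasGrantOptionInSession(String user, Optional<String> sessionRole,
                                    String table, String privilege) {
        Set<String> granted = rolesOfUser.getOrDefault(user, Set.of());
        Set<String> enabled = new HashSet<>();
        sessionRole.filter(granted::contains).ifPresent(enabled::add);
        return anyRoleHasGrantOption(enabled, table, privilege);
    }

    private boolean anyRoleHasGrantOption(Set<String> roles, String table, String privilege) {
        return grants.stream().anyMatch(g -> g.grantOption() && roles.contains(g.role())
                && g.table().equals(table) && g.privilege().equals(privilege));
    }

    public static void main(String[] args) {
        SessionRoleCheck acl = new SessionRoleCheck();
        acl.grantRole("alice", "analyst");                      // constructed sample data
        acl.grantPrivilege("analyst", "orders", "SELECT", true);
        Optional<String> none = Optional.empty();               // models SET ROLE NONE
        Optional<String> analyst = Optional.of("analyst");      // models SET ROLE analyst
        System.out.println(acl.hasGrantOptionIgnoringSession("alice", "orders", "SELECT"));
        System.out.println(acl.hasGrantOptionInSession("alice", none, "orders", "SELECT"));
        System.out.println(acl.hasGrantOptionInSession("alice", analyst, "orders", "SELECT"));
        System.out.println(acl.hasGrantOptionInSession("alice", Optional.of("admin"), "orders", "SELECT"));
    }
}
```

In this model the session-unaware check passes for `alice` even when no role is enabled in the session, while the session-aware check passes only after the granted role is enabled and rejects a role that was never granted to her.
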
@arhimondr arhimondr force-pushed the support_role_management branch from b9dca17 to 8f09296 Compare August 28, 2017 17:36
@findepi
Contributor

findepi commented Nov 17, 2017

Superseded by #9366

@findepi findepi closed this Nov 17, 2017