Add support for Metadata Restriction in Presto #25364
@imjalpreet imported this issue as lakehouse/presto #25364
5de7450 to 172f0c9
Should the documentation be updated for these, such as https://prestodb.io/docs/current/sql/show-create-table.html? Maybe an example? What do you think?
agrawalreetika left a comment
Thanks for the PR. Apart from one comment, overall LGTM.
| false, | ||
| HiveColumnConverterProvider.DEFAULT_COLUMN_CONVERTER_PROVIDER, | ||
| context.getWarningCollector(), | ||
| context.getRuntimeStats()); |
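Review bot: the leading `false` in this argument list is a bare positional boolean, so the call site does not show which option it turns off; a named local or an inline comment carrying the parameter name would make it reviewable. The trailing `context.getWarningCollector(), context.getRuntimeStats()` pair is derived entirely from `context`, so a helper that takes `context` could supply both and keep the call sites from drifting apart.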
Let's reduce the redundant code and create a new method for creating MetastoreContext and reuse it across
Refactored this in a different commit to keep it separate from actual feature commits.
172f0c9 to d8439b4
@steveburnett Sorry, I missed your comment earlier. This PR only adds access control checks for a few specific types of SQL statements. I’ll review whether any existing doc already covers the access control checks that were already implemented. If not, we can see if it is helpful to create a more detailed document outlining the various access control checks that Presto supports for different types of authorization.
hantangwangd left a comment
Thanks for the work, looks good to me overall! Just a few little things.
Sounds good! I appreciate your explanation. If you think we need a more detailed document, please open an issue with a docs label so we don't lose track of the need.
SQL Standard Access Control change is based on this documentation: https://hive.apache.org/docs/latest/sql-standard-based-hive-authorization_40509928/
d8439b4 to 803ce20
@steveburnett I verified the current docs; we haven't documented the SQL statement to required access control mapping for different types of authorization. I will think about what's the best way to document it and create an issue to track that.
hantangwangd left a comment
Thanks for the fix, looks good to me!
This needs a much clearer "impact" description in the PR and a more descriptive release note to make clear that these new methods need to be implemented by any access control plugins or else all show/describe queries will start to fail with access denied. I also wonder if this should have defaulted to allow for Connector/System access control to keep backwards compatibility.
@rschlussel I have updated the PR description to highlight the impact.
Description
Add authorization support for SHOW CREATE TABLE/VIEW, SHOW COLUMNS and DESCRIBE queries
Motivation and Context
Enhance metadata authorization support in Presto
Part of #20851
Impact
Newly introduced access control callbacks:
checkCanShowCreateTable
checkCanShowColumnsMetadata
filterColumns
By default, the newly introduced access control callback methods enforce a deny policy.
To achieve the intended behavior, all custom implementations of SystemAccessControl or ConnectorAccessControl must explicitly implement these new callbacks.
Contributor checklist
Release Notes
Please follow release notes guidelines and fill in the release notes below.
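The default-deny behaviour described under Impact, as an added sketch that is not code from this PR or from the Presto SPI: the three callback names are the PR's, while the `AccessControl` interface, its signatures, the `describe` helper and the user, table and column names are assumptions constructed for illustration.

```java
import java.util.*;

// Stand-in interface: callback names from the PR description, signatures assumed for this example.
public class DefaultDenyDemo {
    static class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String what) { super("Access Denied: " + what); }
    }
    interface AccessControl {
        // New callbacks default to deny, so a plugin that does not override them fails closed.
        default void checkCanShowCreateTable(String user, String table) {
            throw new AccessDeniedException("Cannot show create table for " + table);
        }
        default void checkCanShowColumnsMetadata(String user, String table) {
            throw new AccessDeniedException("Cannot show columns of " + table);
        }
        default Set<String> filterColumns(String user, String table, Set<String> columns) {
            return Set.of(); // deny for a filter means no column is visible
        }
    }
    // Plugin written before the change: still compiles, silently inherits the deny defaults.
    static class LegacyPlugin implements AccessControl { }
    // Updated plugin with a constructed policy: only "alice" may read metadata.
    static class UpdatedPlugin implements AccessControl {
        private void requireOwner(String user, String table) {
            if (!"alice".equals(user)) throw new AccessDeniedException(user + " may not inspect " + table);
        }
        @Override public void checkCanShowCreateTable(String user, String table) { requireOwner(user, table); }
        @Override public void checkCanShowColumnsMetadata(String user, String table) { requireOwner(user, table); }
        @Override public Set<String> filterColumns(String user, String table, Set<String> columns) {
            Set<String> visible = new LinkedHashSet<>(columns);
            visible.remove("card_number"); // constructed rule: hide one sensitive column
            return visible;
        }
    }
    // Models the order of checks a DESCRIBE-style statement would go through: check first, then filter.
    static String describe(AccessControl ac, String user, String table, Set<String> columns) {
        try {
            ac.checkCanShowColumnsMetadata(user, table);
            return "columns=" + ac.filterColumns(user, table, columns);
        } catch (AccessDeniedException e) {
            return e.getMessage();
        }
    }
    public static void main(String[] args) {
        Set<String> cols = new LinkedHashSet<>(List.of("id", "total", "card_number"));
        System.out.println("legacy/alice:  " + describe(new LegacyPlugin(), "alice", "orders", cols));
        System.out.println("updated/alice: " + describe(new UpdatedPlugin(), "alice", "orders", cols));
        System.out.println("updated/bob:   " + describe(new UpdatedPlugin(), "bob", "orders", cols));
    }
}
```

The legacy plugin is the case to check for when upgrading: it needs no source change to compile, so the only signal that it now denies metadata queries is the runtime access-denied error.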