Skip to content

Commit

Permalink
add missing stub and use insert/delete permission on update column pe…
Browse files Browse the repository at this point in the history 
…rmission check
  • Loading branch information
@okayhooni
okayhooni committed Apr 5, 2024
1 parent d60ba09 commit e8926e7
Show file tree
Hide file tree
Showing 2 changed files with 31 additions and 1 deletion.
12 changes: 11 additions & 1 deletion ...main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -676,9 +676,19 @@ public void checkCanKillQueryOwnedBy(Identity identity, Identity queryOwner) {
}
}

/**
* This is evaluated on table column level
*/
@Override
public void checkCanUpdateTableColumns(SystemSecurityContext securityContext, CatalogSchemaTableName table, Set<String> updatedColumnNames) {
SystemAccessControl.super.checkCanUpdateTableColumns(securityContext, table, updatedColumnNames);
// SystemAccessControl.super.checkCanUpdateTableColumns(securityContext, table, updatedColumnNames); // ALWAYS DENY
try {
// USE INSERT AND DELETE PERMISSIONS INSTEAD
checkCanInsertIntoTable(securityContext, table);
checkCanDeleteFromTable(securityContext, table);
} catch (AccessDeniedException ade) {
AccessDeniedException.denyUpdateTableColumns(table.toString(), updatedColumnNames);
}
}

/** FUNCTIONS **/
Expand Down
20 changes: 20 additions & 0 deletions ...main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -396,6 +396,26 @@ public void checkCanKillQueryOwnedBy(Identity identity, Identity queryOwner) {
}
}

@Override
public void checkCanUpdateTableColumns(SystemSecurityContext securityContext, CatalogSchemaTableName table, Set<String> updatedColumnNames) {
try {
activatePluginClassLoader();
systemAccessControlImpl.checkCanUpdateTableColumns(securityContext, table, updatedColumnNames);
} finally {
deactivatePluginClassLoader();
}
}

@Override
public void checkCanAlterColumn(SystemSecurityContext context, CatalogSchemaTableName table) {
try {
activatePluginClassLoader();
systemAccessControlImpl.checkCanAlterColumn(context, table);
} finally {
deactivatePluginClassLoader();
}
}

@Override
public void checkCanShowCreateTable(SystemSecurityContext context, CatalogSchemaTableName table) {
try {
Expand Down

0 comments on commit e8926e7

Please sign in to comment.