Skip to content

Support role management (v5) #11645

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
sopel39 wants to merge 61 commits into from
Closed

Support role management (v5) #11645

sopel39 wants to merge 61 commits into from

Conversation

@sopel39
Copy link
Contributor

@sopel39 sopel39 commented Oct 5, 2018

Supersedes #11475

FYI: @martint @arhimondr

Andrii Rosa added 15 commits October 5, 2018 17:08
@sopel39
Introduce CREATE ROLE and DROP ROLE statements
2f86b56
@sopel39
Move PrincipalType to presto-spi
22086ae
@sopel39
Expose Create/Drop/List roles methods in SPI
eb26dbc
@sopel39
Introduce <catalog>.information_schema.roles table
db6f21a
@sopel39
Assign admin role to subset of users in FileHiveMetastore
c72355a
@sopel39
Implement Create/Drop/List roles in Hive connector
a8c461e
@sopel39
Introduce GRANT/REVOKE roles statements
e7e1fcc
@sopel39
Add Grant/Revoke/List roles authorization to the SPI
be4e46f
@sopel39
Introduce APPLICABLE_ROLES view
434412d
@sopel39
Implement Grant/Revoke/ListApplicableRoles in Hive
223b8cb
@sopel39
Refactor GRANT/REVOKE in Hive
0b1c7ff 
Leverage newly introduced method for recursive role grants traversal
@sopel39
Introduce access control for GRANT/REVOKE ROLE
b6881d1
@sopel39
Prepare metastore interface to accept ROLE for GRANT/REVOKE
c77cf06
@sopel39
Introduce SET ROLE statement
76476ba
@sopel39
Introduce ConnectorIdentity
d9fe960 
Identity must hold all the selected roles for all the catalogs.
ConnectorIdentity holds only the role selected for some particular catalog.
@sopel39 sopel39 requested a review from findepi October 5, 2018 15:33
@sopel39 sopel39 mentioned this pull request Oct 5, 2018
Closed
arhimondr
arhimondr reviewed Oct 5, 2018
View reviewed changes
presto-parser/src/main/antlr4/com/facebook/presto/sql/parser/SqlBase.g4 Outdated
| CALL qualifiedName '(' (callArgument (',' callArgument)*)? ')' #call
| CREATE ROLE name=identifier
(WITH ADMIN grantor)?
(IN catalog=identifier)? #createRole
Copy link
Member

@arhimondr arhimondr Oct 5, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought we agreed that the IN extension should not be supported. ROLE manipulations should be allowed only within the session catalog.

Copy link
Contributor

@kokosing kokosing Oct 8, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought we agreed to merge this as it is and fix it later. Would you accept a fix on top of this? Instead of doing rebase one more time?

Copy link
Member

@arhimondr arhimondr Oct 8, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I missed that part

Copy link
Contributor Author

@sopel39 sopel39 Oct 8, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought we agreed to merge this as it is and fix it later. Would you accept a fix on top of this? Instead of doing rebase one more time?

That's what I also think was decided.

@ilfrin @martint you have more context.

Copy link
Contributor

@martint martint Oct 10, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We decided to leave that functionality out since it's not clear exactly how it should work and there's an easy workaround.

Copy link
Contributor

@kokosing kokosing Oct 10, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds good. Would you accept a fix on top of this? Instead of doing rebase one more time?

@sopel39 sopel39 mentioned this pull request Oct 8, 2018
Closed
@sopel39 sopel39 force-pushed the epic/support-role-management/pr5 branch from 75ecb25 to 8ba37e2 Compare October 8, 2018 15:49
kokosing and others added 5 commits October 8, 2018 22:21
@kokosing @sopel39
Make ThriftMetastoreUtil.list*Roles methods to return Stream
73535bb 
That way roles are enumerated lazily.
@kokosing @sopel39
Make list*TablePrivileges to return Stream
5c6d4f8 
This way table privileges are enumerated lazily.
@anusudarsan @sopel39
Fix listing privileges of tables owned by an user
d1422e4 
Currently Presto shows that the owner of a table
has ALL privileges, even after some privileges are revoked.
This commit fixes this issue by listing only privileges
actually present in the metastore.
@anusudarsan @sopel39
Fix listing privileges when admin role is set
e471250 
Presto currently lists only privilges of the
tables owned by the current user, even after the
admin role is set. This commit fixes this and lists all
privileges for admins.
@kokosing @sopel39
Fix rewrite SHOW GRANTS as a SELECT query
4c93a9b 
When tables of the same name exist across different schemas, Presto lists privileges
of the table from all schemas instead of the single schema mentioned in the
SHOW GRANTS query. This commit fixes the issue.
@sopel39 sopel39 force-pushed the epic/support-role-management/pr5 branch from 8ba37e2 to 4c93a9b Compare October 8, 2018 20:25
@sopel39
Copy link
Contributor Author

sopel39 commented Oct 8, 2018

It's green, so maybe merge it?

@anusudarsan anusudarsan force-pushed the epic/support-role-management/pr5 branch from 918eb71 to 26f9a22 Compare October 26, 2018 21:46
@anusudarsan
fixup! Implement SET ROLE
b431446 
The roles set during a CLI session were not being set and thus SHOW CURRENT ROLES returned incorrect results.
@anusudarsan anusudarsan force-pushed the epic/support-role-management/pr5 branch from 26f9a22 to b431446 Compare October 29, 2018 14:32
@arhimondr
Copy link
Member

arhimondr commented Nov 6, 2018

@kokosing

Remove 'IN catalog' syntax from role management commands

Thanks for doing this

@sopel39
Copy link
Contributor Author

sopel39 commented Nov 6, 2018

@arhimondr is it ok to land with it?

@arhimondr
Copy link
Member

arhimondr commented Nov 6, 2018

@sopel39 I think it should be. @martint ?

@findepi findepi mentioned this pull request Jan 24, 2019
Closed
@findepi
Copy link
Contributor

findepi commented Jan 25, 2019

@kokosing said there was some unnoticed problem during rebase, when the source branch of this PR was created.
Let me close this PR as it should not be merged in its current shape.

@findepi findepi closed this Jan 25, 2019
@sopel39 sopel39 mentioned this pull request Jan 29, 2019
Merged
@findepi findepi deleted the epic/support-role-management/pr5 branch January 29, 2019 12:52
@findepi findepi restored the epic/support-role-management/pr5 branch January 29, 2019 12:54
@findepi findepi deleted the epic/support-role-management/pr5 branch January 29, 2019 12:58
@tooptoop4
Copy link

tooptoop4 commented Feb 22, 2019

gentle ping

@highker
Copy link

highker commented Feb 23, 2019

I will take a look; @arhimondr do you wanna chime in?

@highker highker self-assigned this Feb 23, 2019
@arhimondr
Copy link
Member

arhimondr commented Feb 23, 2019 via email
edited
Loading

@highker highker assigned arhimondr and unassigned highker Feb 23, 2019
@arhimondr arhimondr mentioned this pull request Feb 25, 2019
Merged
@arhimondr
Copy link
Member

arhimondr commented Feb 25, 2019

@tooptoop4 #12383

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@arhimondr arhimondr arhimondr left review comments

@findepi findepi Awaiting requested review from findepi

+2 more reviewers

@martint martint martint left review comments

@kokosing kokosing kokosing approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@arhimondr arhimondr

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

10 participants

@sopel39 @arhimondr @findepi @tooptoop4 @highker @martint @kokosing @facebook-github-bot @cawallin @anusudarsan