Merge pull request #3 from ErmiasG/access-control

access control

Author: ErmiasG

Jenkinsfile

@@ -0,0 +1,82 @@
+@Library("jenkins-library@main")
+
+import com.logicalclocks.jenkins.k8s.ImageBuilder
+
+node("local") {
+    stage('Clone repository') {
+      checkout scm
+    }
+
+    // Set defaults via env (scripted pipeline doesn't support a declarative `environment` block)
+    env.ARCH = 'amd64'
+    env.TRINO_VERSION = ''
+    env.TAG_PREFIX = 'trino'
+    env.SERVER_ARTIFACT = 'trino-server'
+    env.JDKS_PATH = 'core/jdk'
+    env.SKIP_TESTS = 'false'
+    env.WORK_DIR = 'core/docker'
+
+    stage('Init') {
+        // use scripted pipeline style
+        def current = sh(script: "cat \"${env.JDKS_PATH}/current\" | tr -d '\\n\\r'", returnStdout: true).trim()
+        env.JDK_RELEASE = current
+
+        def jdk_download_link = sh(script: "grep '^distributionUrl=' \"${env.JDKS_PATH}/${env.JDK_RELEASE}/${env.ARCH}\" | cut -d'=' -f2-", returnStdout: true).trim()
+
+        env.JDK_DOWNLOAD_LINK = jdk_download_link
+
+        env.TRINO_VERSION = sh(script: './mvnw -f pom.xml --quiet help:evaluate -Dexpression=project.version -DforceStdout', returnStdout: true).trim()
+
+        echo "TRINO_VERSION=${env.TRINO_VERSION}"
+        echo "JDK_DOWNLOAD_LINK=${env.JDK_DOWNLOAD_LINK}"
+    }
+
+    stage('Maven Build') {
+        // ensure the wrapper is present and executable
+        sh "test -f ${env.WORKSPACE}/mvnw || (echo 'mvnw not found' && exit 1)"
+        sh "chmod +x ${env.WORKSPACE}/mvnw"
+
+        sh "wget -O jdk24.tar.gz \"${env.JDK_DOWNLOAD_LINK}\""
+        sh "mkdir -p ${env.WORKSPACE}/jdk"
+        sh "tar -xzf jdk24.tar.gz -C ${env.WORKSPACE}/jdk --strip-components=1"
+        sh "rm jdk24.tar.gz"
+
+        sh "JAVA_HOME=${env.WORKSPACE}/jdk ${env.WORKSPACE}/mvnw clean package -DskipTests"
+
+        // Archive artifacts
+        archiveArtifacts artifacts: "core/${env.SERVER_ARTIFACT}/target/${env.SERVER_ARTIFACT}-${env.TRINO_VERSION}.tar.gz", fingerprint: true, allowEmptyArchive: true
+        archiveArtifacts artifacts: "client/trino-cli/target/trino-cli-${env.TRINO_VERSION}-executable.jar", fingerprint: true, allowEmptyArchive: true
+    }
+
+    stage('Build and push trino') {
+      withCredentials([usernamePassword(credentialsId: 'a0770738-4ef3-4acc-a6ba-097ee6c85b44', passwordVariable: 'PASSWORD', usernameVariable: 'USERNAME')]) {
+        // copy artifacts into workspace
+        sh """#!/usr/bin/env bash
+          set -euo pipefail
+
+          cp -f \"core/${env.SERVER_ARTIFACT}/target/${env.SERVER_ARTIFACT}-${env.TRINO_VERSION}.tar.gz\" \"${env.WORK_DIR}/\"
+          cp -f \"client/trino-cli/target/trino-cli-${env.TRINO_VERSION}-executable.jar\" \"${env.WORK_DIR}/trino-cli.jar\"
+          tar -C \"${env.WORK_DIR}\" -xzf \"${WORK_DIR}/${env.SERVER_ARTIFACT}-${env.TRINO_VERSION}.tar.gz\"
+          rm -f \"${env.WORK_DIR}/${env.SERVER_ARTIFACT}-${env.TRINO_VERSION}.tar.gz\"
+
+          # Ensure the destination does not exist to avoid 'Directory not empty' errors
+          if [ -d "${env.WORK_DIR}/trino-server" ]; then
+            echo "Removing existing `trino-server` directory"
+            rm -rf "${env.WORK_DIR}/trino-server"
+          fi
+
+          mv \"${env.WORK_DIR}/${env.SERVER_ARTIFACT}-${env.TRINO_VERSION}\" \"${WORK_DIR}/trino-server\"
+
+          cp -R core/docker/bin \"${env.WORK_DIR}/trino-server\"
+          # same file core/docker == > WORK_DIR, so no need to copy
+          # cp -R core/docker/default \"${env.WORK_DIR}/\"
+        """
+
+        withEnv(["TAG_VERSION=${env.TRINO_VERSION}-${env.ARCH}", "JDK_RELEASE=${env.JDK_RELEASE}", "JDK_DOWNLOAD_LINK=${env.JDK_DOWNLOAD_LINK}", "ARCH=${env.ARCH}"]) {
+          def builder = new ImageBuilder(this)
+          def m = readFile "${env.WORKSPACE}/build-manifest.json"
+          builder.run(m)
+        }
+      }
+    }
+}

build-manifest.json

@@ -0,0 +1,16 @@
+[
+    {
+        "name": "hopsworks/trino",
+        "version": "env:TAG_VERSION",
+        "excludeRegistries": [
+            "ecr_prod"
+        ],
+        "variables": [
+            "JDK_RELEASE",
+            "JDK_DOWNLOAD_LINK",
+            "ARCH"
+        ],
+        "extraDockerArgs": "--build-arg ARCH=\"${ARCH}\" --build-arg JDK_VERSION=\"${JDK_RELEASE}\" --build-arg JDK_DOWNLOAD_LINK=\"${JDK_DOWNLOAD_LINK}\"",
+        "dockerFile": "core/docker/Dockerfile"
+    }
+]

lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AnyCatalogSchemaPermissionsRule.java

@@ -37,11 +37,15 @@ public AnyCatalogSchemaPermissionsRule(Optional<Pattern> userRegex, Optional<Pat
 
     public boolean match(String user, Set<String> roles, Set<String> groups, String catalogName, String schemaName)
     {
-        return userRegex.map(regex -> regex.matcher(user).matches()).orElse(true) &&
-                roleRegex.map(regex -> roles.stream().anyMatch(role -> regex.matcher(role).matches())).orElse(true) &&
-                groupRegex.map(regex -> groups.stream().anyMatch(group -> regex.matcher(group).matches())).orElse(true) &&
-                catalogRegex.map(regex -> regex.matcher(catalogName).matches()).orElse(true) &&
-                schemaRegex.map(regex -> regex.matcher(schemaName).matches()).orElse(true);
+//        return userRegex.map(regex -> regex.matcher(user).matches()).orElse(true) &&
+//                roleRegex.map(regex -> roles.stream().anyMatch(role -> regex.matcher(role).matches())).orElse(true) &&
+//                groupRegex.map(regex -> groups.stream().anyMatch(group -> regex.matcher(group).matches())).orElse(true) &&
+//                catalogRegex.map(regex -> regex.matcher(catalogName).matches()).orElse(true) &&
+//                schemaRegex.map(regex -> regex.matcher(schemaName).matches()).orElse(true);
+
+        ReplacePatternMatcher replacePatternMatcher = new ReplacePatternMatcher(userRegex, roleRegex, groupRegex, user, roles, groups);
+
+        return replacePatternMatcher.matchCatalogAndSchema(catalogRegex, catalogName, schemaRegex, schemaName);
     }
 
     @Override

lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AnySchemaPermissionsRule.java

@@ -35,10 +35,14 @@ public AnySchemaPermissionsRule(Optional<Pattern> userRegex, Optional<Pattern> r
 
     public boolean match(String user, Set<String> roles, Set<String> groups, String schemaName)
     {
-        return userRegex.map(regex -> regex.matcher(user).matches()).orElse(true) &&
-                roleRegex.map(regex -> roles.stream().anyMatch(role -> regex.matcher(role).matches())).orElse(true) &&
-                groupRegex.map(regex -> groups.stream().anyMatch(group -> regex.matcher(group).matches())).orElse(true) &&
-                schemaRegex.map(regex -> regex.matcher(schemaName).matches()).orElse(true);
+//        return userRegex.map(regex -> regex.matcher(user).matches()).orElse(true) &&
+//                roleRegex.map(regex -> roles.stream().anyMatch(role -> regex.matcher(role).matches())).orElse(true) &&
+//                groupRegex.map(regex -> groups.stream().anyMatch(group -> regex.matcher(group).matches())).orElse(true) &&
+//                schemaRegex.map(regex -> regex.matcher(schemaName).matches()).orElse(true);
+
+        ReplacePatternMatcher replacePatternMatcher = new ReplacePatternMatcher(userRegex, roleRegex, groupRegex, user, roles, groups);
+
+        return replacePatternMatcher.matchSchema(schemaRegex, schemaName);
     }
 
     @Override

lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/CatalogAccessControlRule.java

@@ -60,10 +60,16 @@ public CatalogAccessControlRule(
 
     public Optional<AccessMode> match(String user, Set<String> roles, Set<String> groups, String catalog)
     {
-        if (userRegex.map(regex -> regex.matcher(user).matches()).orElse(true) &&
-                roleRegex.map(regex -> roles.stream().anyMatch(role -> regex.matcher(role).matches())).orElse(true) &&
-                groupRegex.map(regex -> groups.stream().anyMatch(group -> regex.matcher(group).matches())).orElse(true) &&
-                catalogRegex.map(regex -> regex.matcher(catalog).matches()).orElse(true)) {
+//        if (userRegex.map(regex -> regex.matcher(user).matches()).orElse(true) &&
+//                roleRegex.map(regex -> roles.stream().anyMatch(role -> regex.matcher(role).matches())).orElse(true) &&
+//                groupRegex.map(regex -> groups.stream().anyMatch(group -> regex.matcher(group).matches())).orElse(true) &&
+//                catalogRegex.map(regex -> regex.matcher(catalog).matches()).orElse(true)) {
+//            return Optional.of(accessMode);
+//        }
+
+        ReplacePatternMatcher replacePatternMatcher = new ReplacePatternMatcher(userRegex, roleRegex, groupRegex, user, roles, groups);
+
+        if (replacePatternMatcher.matchCatalog(catalogRegex, catalog)) {
             return Optional.of(accessMode);
         }
         return Optional.empty();

lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/QueryAccessRule.java

@@ -59,10 +59,16 @@ public QueryAccessRule(
 
     public Optional<Set<AccessMode>> match(String user, Set<String> roles, Set<String> groups, Optional<String> queryOwner)
     {
-        if (userRegex.map(regex -> regex.matcher(user).matches()).orElse(true) &&
-                roleRegex.map(regex -> roles.stream().anyMatch(role -> regex.matcher(role).matches())).orElse(true) &&
-                groupRegex.map(regex -> groups.stream().anyMatch(role -> regex.matcher(role).matches())).orElse(true) &&
-                ((queryOwner.isEmpty() && queryOwnerRegex.isEmpty()) || (queryOwner.isPresent() && queryOwnerRegex.map(regex -> regex.matcher(queryOwner.get()).matches()).orElse(true)))) {
+//        if (userRegex.map(regex -> regex.matcher(user).matches()).orElse(true) &&
+//                roleRegex.map(regex -> roles.stream().anyMatch(role -> regex.matcher(role).matches())).orElse(true) &&
+//                groupRegex.map(regex -> groups.stream().anyMatch(role -> regex.matcher(role).matches())).orElse(true) &&
+//                ((queryOwner.isEmpty() && queryOwnerRegex.isEmpty()) || (queryOwner.isPresent() && queryOwnerRegex.map(regex -> regex.matcher(queryOwner.get()).matches()).orElse(true)))) {
+//            return Optional.of(allow);
+//        }
+
+        ReplacePatternMatcher replacePatternMatcher = new ReplacePatternMatcher(userRegex, roleRegex, groupRegex, user, roles, groups);
+
+        if (replacePatternMatcher.matchQueryAccessRule(queryOwnerRegex, queryOwner)) {
             return Optional.of(allow);
         }
         return Optional.empty();

lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ReplacePatternMatcher.java

@@ -0,0 +1,174 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.trino.plugin.base.security;
+
+import io.trino.spi.TrinoException;
+
+import java.util.Optional;
+import java.util.Set;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import static io.trino.spi.StandardErrorCode.CONFIGURATION_INVALID;
+
+public class ReplacePatternMatcher
+{
+    private final Optional<Pattern> userRegex;
+    private final Optional<Pattern> roleRegex;
+    private final Optional<Pattern> groupRegex;
+
+    private final String user;
+    private final Set<String> roles;
+    private final Set<String> groups;
+
+    private final Optional<Matcher> userMatcher;
+    private final Optional<Matcher> roleMatcher;
+    private final Optional<Matcher> groupMatcher;
+
+    public ReplacePatternMatcher(Optional<Pattern> userRegex, Optional<Pattern> roleRegex, Optional<Pattern> groupRegex, String user, Set<String> roles, Set<String> groups)
+    {
+        this.userRegex = userRegex;
+        this.roleRegex = roleRegex;
+        this.groupRegex = groupRegex;
+
+        this.user = user;
+        this.roles = roles;
+        this.groups = groups;
+
+        this.userMatcher = userRegex.map(regex -> regex.matcher(user));
+        this.roleMatcher = roleRegex.flatMap(regex -> roles.stream().map(regex::matcher).filter(Matcher::matches).findAny());
+        this.groupMatcher = groupRegex.flatMap(regex -> groups.stream().map(regex::matcher).filter(Matcher::matches).findAny());
+    }
+
+    private boolean match()
+    {
+        return userRegex.map(regex -> regex.matcher(user).matches()).orElse(true) &&
+                roleRegex.map(regex -> roles.stream().anyMatch(role -> regex.matcher(role).matches())).orElse(true) &&
+                groupRegex.map(regex -> groups.stream().anyMatch(group -> regex.matcher(group).matches())).orElse(true);
+    }
+
+    private boolean matchCatalogInternal(final Optional<Pattern> catalogRegex, String catalog)
+    {
+        validateMatchers(userMatcher, roleMatcher, groupMatcher);
+
+        Optional<Pattern> userReplacedCatalogPattern = replaceRegex(userMatcher, catalogRegex, "catalog", "user");
+        Optional<Pattern> roleReplacedCatalogPattern = replaceRegex(roleMatcher, catalogRegex, "catalog", "role");
+        Optional<Pattern> groupReplacedCatalogPattern = replaceRegex(groupMatcher, catalogRegex, "catalog", "group");
+
+        return matchPattern(userReplacedCatalogPattern, catalog) || matchPattern(roleReplacedCatalogPattern, catalog)
+                || matchPattern(groupReplacedCatalogPattern, catalog);
+    }
+
+    public boolean matchCatalog(final Optional<Pattern> catalogRegex, String catalog)
+    {
+        return match() && matchCatalogInternal(catalogRegex, catalog);
+    }
+
+    private boolean matchSchemaInternal(final Optional<Pattern> schemaRegex, String schema)
+    {
+        validateMatchers(userMatcher, roleMatcher, groupMatcher);
+
+        Optional<Pattern> userReplacedSchemaPattern = replaceRegex(userMatcher, schemaRegex, "schema", "user");
+        Optional<Pattern> roleReplacedSchemaPattern = replaceRegex(roleMatcher, schemaRegex, "schema", "role");
+        Optional<Pattern> groupReplacedSchemaPattern = replaceRegex(groupMatcher, schemaRegex, "schema", "group");
+
+        return matchPattern(userReplacedSchemaPattern, schema) || matchPattern(roleReplacedSchemaPattern, schema)
+                || matchPattern(groupReplacedSchemaPattern, schema);
+    }
+
+    public boolean matchSchema(final Optional<Pattern> schemaRegex, String schema)
+    {
+        return match() && matchSchemaInternal(schemaRegex, schema);
+    }
+
+    public boolean matchCatalogAndSchema(final Optional<Pattern> catalogRegex, String catalog, final Optional<Pattern> schemaRegex, String schema)
+    {
+        return match() && matchCatalogInternal(catalogRegex, catalog) && matchSchemaInternal(schemaRegex, schema);
+    }
+
+    private boolean matchTableInternal(final Optional<Pattern> tableRegex, String table)
+    {
+        validateMatchers(userMatcher, roleMatcher, groupMatcher);
+
+        Optional<Pattern> userReplacedTablePattern = replaceRegex(userMatcher, tableRegex, "table", "user");
+        Optional<Pattern> roleReplacedTablePattern = replaceRegex(roleMatcher, tableRegex, "table", "role");
+        Optional<Pattern> groupReplacedTablePattern = replaceRegex(groupMatcher, tableRegex, "table", "group");
+
+        return matchPattern(userReplacedTablePattern, table) || matchPattern(roleReplacedTablePattern, table)
+                || matchPattern(groupReplacedTablePattern, table);
+    }
+
+    public boolean matchTable(final Optional<Pattern> tableRegex, String table)
+    {
+        return match() && matchTableInternal(tableRegex, table);
+    }
+
+    public boolean matchSchemaAndTable(final Optional<Pattern> schemaRegex, String schema, final Optional<Pattern> tableRegex, String table)
+    {
+        return match() && matchSchemaInternal(schemaRegex, schema) && matchTableInternal(tableRegex, table);
+    }
+
+    public boolean matchQueryAccessRule(final Optional<Pattern> queryOwnerRegex, Optional<String> queryOwner)
+    {
+        if (queryOwner.isEmpty() && queryOwnerRegex.isEmpty()) {
+            return true;
+        }
+
+        validateMatchers(userMatcher, roleMatcher, groupMatcher);
+
+        Optional<Pattern> userReplacedQueryAccessRulePattern = replaceRegex(userMatcher, queryOwnerRegex, "query_owner", "user");
+        Optional<Pattern> roleReplacedQueryAccessRulePattern = replaceRegex(roleMatcher, queryOwnerRegex, "query_owner", "role");
+        Optional<Pattern> groupReplacedQueryAccessRulePattern = replaceRegex(groupMatcher, queryOwnerRegex, "query_owner", "group");
+
+        return match() && queryOwner.isPresent() && (matchPattern(userReplacedQueryAccessRulePattern, queryOwner.get())
+                || matchPattern(roleReplacedQueryAccessRulePattern, queryOwner.get()) || matchPattern(groupReplacedQueryAccessRulePattern, queryOwner.get()));
+    }
+
+    // check if more than one matcher is used to replace patterns
+    private void validateMatchers(Optional<Matcher> userMatcher, Optional<Matcher> roleMatcher, Optional<Matcher> groupMatcher)
+    {
+        if ((userMatcher.isPresent() && userMatcher.get().matches() && userMatcher.get().groupCount() > 0 ? 1 : 0) +
+                (roleMatcher.isPresent() && roleMatcher.get().matches() && roleMatcher.get().groupCount() > 0 ? 1 : 0) +
+                (groupMatcher.isPresent() && groupMatcher.get().matches() && groupMatcher.get().groupCount() > 0 ? 1 : 0) > 1) {
+            throw new TrinoException(CONFIGURATION_INVALID, "Multiple matchers that contain capturing groups are used" +
+                    " to replace patterns. This may lead to unexpected results.");
+        }
+    }
+
+    private Optional<Pattern> replaceRegex(Optional<Matcher> matcher, Optional<Pattern> patternToReplace, String toReplace, String capturingGroup)
+    {
+        if (matcher.isEmpty()) {
+            return patternToReplace;
+        }
+        if (patternToReplace.isPresent() && patternToReplace.get().pattern().matches(".*\\$\\d+.*")) {
+            if (matcher.get().matches() && matcher.get().groupCount() > 0) {
+                StringBuilder stringBuilder = new StringBuilder();
+                try {
+                    matcher.get().appendReplacement(stringBuilder, patternToReplace.get().pattern());
+                }
+                catch (IndexOutOfBoundsException e) {
+                    throw new TrinoException(CONFIGURATION_INVALID,
+                            toReplace + " in replace pattern refers to a capturing group that does not exist in " + capturingGroup, e);
+                }
+                return Optional.of(Pattern.compile(stringBuilder.toString()));
+            }
+        }
+        return patternToReplace;
+    }
+
+    private boolean matchPattern(Optional<Pattern> pattern, String value)
+    {
+        return pattern.map(regex -> regex.matcher(value).matches()).orElse(true);
+    }
+}

lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/SchemaAccessControlRule.java

@@ -54,10 +54,16 @@ public SchemaAccessControlRule(
 
     public Optional<Boolean> match(String user, Set<String> roles, Set<String> groups, String schema)
     {
-        if (userRegex.map(regex -> regex.matcher(user).matches()).orElse(true) &&
-                roleRegex.map(regex -> roles.stream().anyMatch(role -> regex.matcher(role).matches())).orElse(true) &&
-                groupRegex.map(regex -> groups.stream().anyMatch(group -> regex.matcher(group).matches())).orElse(true) &&
-                schemaRegex.map(regex -> regex.matcher(schema).matches()).orElse(true)) {
+//        if (userRegex.map(regex -> regex.matcher(user).matches()).orElse(true) &&
+//                roleRegex.map(regex -> roles.stream().anyMatch(role -> regex.matcher(role).matches())).orElse(true) &&
+//                groupRegex.map(regex -> groups.stream().anyMatch(group -> regex.matcher(group).matches())).orElse(true) &&
+//                schemaRegex.map(regex -> regex.matcher(schema).matches()).orElse(true)) {
+//            return Optional.of(owner);
+//        }
+
+        ReplacePatternMatcher replacePatternMatcher = new ReplacePatternMatcher(userRegex, roleRegex, groupRegex, user, roles, groups);
+
+        if (replacePatternMatcher.matchSchema(schemaRegex, schema)) {
             return Optional.of(owner);
         }
         return Optional.empty();