CREATE CATALOG with Access Control #22022

Closed
TonBits opened this issue May 19, 2024 · 1 comment

TonBits commented May 19, 2024

When enabling file-based access control in Trino, there is no way for CREATE CATALOG to work.
Even when specifying any catalog for the admin user in the rules, it still ends up with Access Denied.

{
  "catalogs": [
    {
      "catalog": ".*",
      "user": "admin",
      "allow": "all"
    }]
}

CREATE CATALOG tpch USING tpch;

io.trino.spi.security.AccessDeniedException: Access Denied: Cannot create catalog tpch
	at io.trino.spi.security.AccessDeniedException.denyCreateCatalog(AccessDeniedException.java:131)
	at io.trino.spi.security.AccessDeniedException.denyCreateCatalog(AccessDeniedException.java:126)
	at io.trino.plugin.base.security.FileBasedSystemAccessControl.checkCanCreateCatalog(FileBasedSystemAccessControl.java:414)
	at io.trino.plugin.base.security.ForwardingSystemAccessControl.checkCanCreateCatalog(ForwardingSystemAccessControl.java:136)
	at io.trino.security.AccessControlManager.lambda$checkCanCreateCatalog$8(AccessControlManager.java:356)
	at io.trino.security.AccessControlManager.systemAuthorizationCheck(AccessControlManager.java:1503)
	at io.trino.security.AccessControlManager.checkCanCreateCatalog(AccessControlManager.java:356)
	at io.trino.security.ForwardingAccessControl.checkCanCreateCatalog(ForwardingAccessControl.java:110)
	at io.trino.tracing.TracingAccessControl.checkCanCreateCatalog(TracingAccessControl.java:142)
	at io.trino.execution.CreateCatalogTask.execute(CreateCatalogTask.java:78)
	at io.trino.execution.CreateCatalogTask.execute(CreateCatalogTask.java:44)
	at io.trino.execution.DataDefinitionExecution.start(DataDefinitionExecution.java:146)
	at io.trino.execution.SqlQueryManager.createQuery(SqlQueryManager.java:272)
	at io.trino.dispatcher.LocalDispatchQuery.startExecution(LocalDispatchQuery.java:150)
	at io.trino.dispatcher.LocalDispatchQuery.lambda$waitForMinimumWorkers$2(LocalDispatchQuery.java:134)
	at io.airlift.concurrent.MoreFutures.lambda$addSuccessCallback$12(MoreFutures.java:570)
	at io.airlift.concurrent.MoreFutures$3.onSuccess(MoreFutures.java:545)
	at com.google.common.util.concurrent.Futures$CallbackListener.run(Futures.java:1137)
	at io.trino.$gen.Trino_448____20240518_231645_2.run(Unknown Source)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
	at java.base/java.lang.Thread.run(Thread.java:1570)

When removing the access control config and restarting Trino, CREATE CATALOG works without issues.
Is there a way to define a rule so CREATE CATALOG still works even when access control is defined?

Trino Version: 448

TonBits closed this as completed May 24, 2024

rilyu commented May 27, 2024

  1. Add the following lines to the config.properties file and restart Trino:
     catalog.management=dynamic
  2. Allow the user to have "owner" access to any catalog, not "all":
     {
       "catalogs": [
         {
           "catalog": ".*",
           "user": "admin",
           "allow": "owner"
         }]
     }
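
The following is an added example, not part of the thread and not Trino's own code: a small offline check that evaluates a rules file the way the reply implies, so a rule change can be reviewed before a restart. It assumes first-match rule ordering, full-string regex matching, and that `owner` ranks above `all`; it only models the `user`, `catalog` and `allow` fields of files that define a `catalogs` section, and all function names are hypothetical.

```python
import json
import re

# Access levels from weakest to strongest. Ranking "owner" above "all" follows
# the reply on this page; the ordering is an assumption of this sketch.
LEVELS = ["none", "read-only", "all", "owner"]


def first_matching_rule(rules, user, catalog):
    """Return the first catalog rule whose user and catalog regexes both match."""
    for rule in rules.get("catalogs", []):
        user_re = rule.get("user", ".*")        # an omitted field matches anything
        catalog_re = rule.get("catalog", ".*")
        if re.fullmatch(user_re, user) and re.fullmatch(catalog_re, catalog):
            return rule
    return None


def can_create_catalog(rules, user, catalog):
    """True only if the matched rule grants 'owner', as the reply describes."""
    rule = first_matching_rule(rules, user, catalog)
    granted = rule.get("allow", "none") if rule else "none"
    return LEVELS.index(granted) >= LEVELS.index("owner")


def broad_owner_grants(rules):
    """List 'owner' rules with a catch-all catalog regex, for least-privilege review."""
    return [r for r in rules.get("catalogs", [])
            if r.get("allow") == "owner" and r.get("catalog", ".*") == ".*"]


# Constructed inputs: the rule from the issue and the rule from the reply.
ISSUE_RULES = json.loads(
    '{"catalogs": [{"catalog": ".*", "user": "admin", "allow": "all"}]}')
REPLY_RULES = json.loads(
    '{"catalogs": [{"catalog": ".*", "user": "admin", "allow": "owner"}]}')

if __name__ == "__main__":
    for name, rules in (("issue", ISSUE_RULES), ("reply", REPLY_RULES)):
        print(name, "rules, admin may create tpch:",
              can_create_catalog(rules, "admin", "tpch"))
    print("catch-all owner rules:", broad_owner_grants(REPLY_RULES))
```

The `broad_owner_grants` helper flags the reply's `".*"` rule, which is a prompt to consider narrowing the catalog regex or the user it applies to.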
