Open jonashartwig opened 2 years ago
cc: @dain @kokosing
Plus one on this. Our permissions are dynamic and a user can lose permissions they initially created views with - leading to access errors for other users that should have permission to query the underlying data.
Plus one on this too! We have a plugin that checks permissions and we want consistent permissions to be used for all tables in the query. Trino views with DEFINER cause inconsistent permissions to be applied, as the username gets mapped to the definer for some resources.
Hi all,
I would like to request a new feature. When creating views one can set the security model (https://trino.io/docs/current/sql/create-view.html#security) between DEFINER (default) and INVOKER. In our system we want to change that behavior. We want to set INVOKER as default and disallow DEFINER completely.
I can see this feature working in two steps:
io.trino.security.AccessControl to add a function to allow/deny security model for view (e.g. deny or allow DEFINER and/or INVOKER).
2b. Also have config keys that disable security model DEFINER/INVOKER, which will be validated on startup and Trino will complain if both are enabled.

This request is based on this discussion: https://github.com/trinodb/trino/discussions/14790
Regards, Jonas