DispatcherManager makes a call to AccessControl.checkCanExecuteQuery using the identity from SessionContext. When the support for system roles was added in https://github.com/trinodb/trino/pull/9087, resolving enabled system roles was implemented in QuerySessionSupplier. Because of this, the identity passed to checkCanExecuteQuery will miss the enabled roles when all roles are enabled. This can lead to access denied if privilege to execute queries is not given to the user directly, but provided by one of the applicable roles.
Should the call to checkCanExecuteQuery be changed to use the decoded Session object?
Laonel
commented
9 months ago
DispatcherManagermakes a call toAccessControl.checkCanExecuteQueryusing the identity fromSessionContext. When the support for system roles was added in https://github.com/trinodb/trino/pull/9087, resolving enabled system roles was implemented inQuerySessionSupplier. Because of this, the identity passed tocheckCanExecuteQuerywill miss the enabled roles when all roles are enabled. This can lead to access denied if privilege to execute queries is not given to the user directly, but provided by one of the applicable roles.Should the call to
checkCanExecuteQuerybe changed to use the decodedSessionobject?