trinodb / trino

Official repository of Trino, the distributed SQL query engine for big data, formerly known as PrestoSQL (https://trino.io)
Apache License 2.0

Read-only on catalog has an inconsistent behavior #22874

Open tlegrave opened 2 months ago

tlegrave commented 2 months ago

Hello there,

We can restrict permissions on Trino with system access control. Putting access-control.name=read-only in etc/access-control.properties works well. Example with an OPTIMIZE:

[Screenshot 2024-07-30 at 10 58 11]

I tried to apply the same behavior with file-based access control. The docs say:

allow (required): string indicating whether a user has access to the catalog. This value can be all, read-only or none, and defaults to none. Setting this value to read-only has the same behavior as the read-only system access control plugin.

So I made the following configuration for rules.json:

{
    "catalogs": [
        {
            "catalog": "iceberg",
            "allow": "read-only"
        }
    ]
}

This effectively prevents INSERT / DELETE / UPDATE operations on tables, but some operations can still be done. For example:

ALTER TABLE iceberg.default.demo EXECUTE optimize

ALTER TABLE iceberg.default.demo EXECUTE expire_snapshots(retention_threshold => '7s')

ALTER TABLE iceberg.default.demo EXECUTE remove_orphan_files(retention_threshold => '7s')

I tried to add empty sets of rules for procedures and functions, but it doesn't change the result:

{
    "catalogs": [
        {
            "catalog": "iceberg",
            "allow": "read-only"
        }
    ],
    "schemas": [],
    "tables": [
        {
            "privileges": [
                "SELECT"
            ]
        }
    ],
    "functions": [],
    "procedures": []
}

Am I missing something?

Thanks

hashhar commented 2 months ago

FileBasedAccessControl doesn't implement checkCanExecuteTableProcedure yet.
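
An added example, not part of the issue thread or of Trino's code: a Python sketch that scans SQL statements (for instance from a query log) for `ALTER TABLE ... EXECUTE` calls against catalogs that rules.json marks `read-only`, which is the gap reported above. The function names, the `session_catalog` parameter and the sample statements beyond the three in the issue are assumptions, and rule matching is simplified to the first rule whose `catalog` regex matches (user, role and group conditions are ignored).

```python
import json
import re

# Statement form shown in the issue: ALTER TABLE <name> EXECUTE <procedure>[(...)]
TABLE_PROC = re.compile(r'^\s*ALTER\s+TABLE\s+([\w."]+)\s+EXECUTE\s+(\w+)', re.IGNORECASE)

def catalog_access(rules, catalog):
    """Return the 'allow' value of the first catalog rule whose regex matches.
    Simplification (assumption): user/role/group conditions are not evaluated."""
    for rule in rules.get("catalogs", []):
        if re.fullmatch(rule.get("catalog", ".*"), catalog):
            return rule.get("allow", "none")
    return "none"

def flag_table_procedures(rules, statements, session_catalog=None):
    """Return (catalog, procedure, statement) for every ALTER TABLE ... EXECUTE
    that targets a catalog the rules file marks read-only."""
    findings = []
    for sql in statements:
        m = TABLE_PROC.match(sql)
        if not m:
            continue
        # Simplification: quoted identifiers containing dots are not handled.
        parts = [p.strip('"') for p in m.group(1).split(".")]
        catalog = parts[0] if len(parts) == 3 else session_catalog
        if catalog and catalog_access(rules, catalog) == "read-only":
            findings.append((catalog, m.group(2).lower(), sql))
    return findings

# rules.json content taken from the issue.
RULES = json.loads('{"catalogs": [{"catalog": "iceberg", "allow": "read-only"}]}')

# First three statements are from the issue; the last two are constructed.
STATEMENTS = [
    "ALTER TABLE iceberg.default.demo EXECUTE optimize",
    "ALTER TABLE iceberg.default.demo EXECUTE expire_snapshots(retention_threshold => '7s')",
    "ALTER TABLE iceberg.default.demo EXECUTE remove_orphan_files(retention_threshold => '7s')",
    "SELECT * FROM iceberg.default.demo",
    "ALTER TABLE hive.default.demo EXECUTE optimize",
]

if __name__ == "__main__":
    for catalog, procedure, sql in flag_table_procedures(RULES, STATEMENTS):
        print(f"table procedure '{procedure}' on read-only catalog '{catalog}': {sql}")
```
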