trinodb / trino

Official repository of Trino, the distributed SQL query engine for big data, formerly known as PrestoSQL (https://trino.io)
https://trino.io
Apache License 2.0

SET ROLE admin fails using SQLStandardAccessControl #9815

Open wobrycki opened 3 years ago

wobrycki commented 3 years ago

In trino 363, using hive and iceberg plugins, after granting role admin to the user, the user cannot assume this role with: set role admin (Role 'admin' does not exist). This was working with trino 358.

The user that we are logging in to Trino with has the admin role specified in metastore-site.xml:

<configuration>
    <property>
        <name>hive.users.in.admin.role</name>
        <value>user</value>
    </property>
</configuration>

I created a test case in Trino code (probably does not reflect 100% of the problem) in AbstractTestHiveRoles.java in order to reproduce this.

    @Test
    public void testGrantAdminRoleToUserAndCreateSchema()
    {
        executeFromAdmin(grantRoleToUserSql("admin", "user"));
        assertContains(listApplicableRoles("user"), applicableRoles("user", "USER", "admin", "NO"));
        executeFromUser("user", setRoleSql("admin"));
        executeFromUser("user", "CREATE SCHEMA web AUTHORIZATION user");
    }

    private String setRoleSql(String role)
    {
        return "SET ROLE " + role + optionalCatalogDeclaration();
    }

In this case, set role admin; works. However, creating a schema afterwards with the user was not possible.

kokosing commented 3 years ago

AbstractTestHiveRoles is a unit test. In unit tests, statements that should modify the session do not work properly (they don't actually change the session).

Would it be possible to reproduce the problem using trino-cli?

kokosing commented 3 years ago

Also please take a look at: https://trino.io/docs/current/release/release-362.html#security

Now you need to use the IN catalog syntax, so the previous SET ROLE admin is now SET ROLE admin IN your_hive_catalog.

Alternatively, to restore the previous behavior, please use deprecated.legacy-catalog-roles=true in your config.properties.
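The catalog-qualified sequence described above, written out as a session you could run from trino-cli to reproduce and verify the fix (an added example, not part of the issue or the Trino project; `hive` is an assumed catalog name, and `user` is the grantee from the issue):

```sql
-- Assumed catalog name: hive. Steps 1 runs as a member of the admin role
-- (for example a user listed in hive.users.in.admin.role); steps 2-5 run as "user".

-- 1. Grant the Hive metastore role to the user. Since release 362 the grant is
--    catalog-qualified, so say which catalog's roles you mean.
GRANT admin TO USER "user" IN hive;

-- 2. As "user": the pre-362 form fails on 363 with "Role 'admin' does not exist",
--    because without IN the role is no longer looked up in the Hive catalog.
-- SET ROLE admin;

-- 3. Catalog-qualified form, which is what release 362 requires.
SET ROLE admin IN hive;

-- 4. Confirm the session actually carries the role before relying on it.
SHOW CURRENT ROLES FROM hive;   -- should list: admin
SHOW ROLE GRANTS FROM hive;

-- 5. Now the privileged operation that failed in the issue should succeed.
CREATE SCHEMA hive.web AUTHORIZATION "user";
```

Setting deprecated.legacy-catalog-roles=true makes the unqualified form in step 2 work again, but it is a deprecated compatibility switch, so prefer updating clients to the IN catalog syntax.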