feat(analyzer): Add invoker and definer rights access control to materialized views (#26521)

Author: tdcmeehan

presto-analyzer/src/main/java/com/facebook/presto/sql/analyzer/Analysis.java

@@ -931,12 +931,12 @@ public Map<AccessControlInfo, Map<QualifiedObjectName, Set<String>>> getUtilized
         return ImmutableMap.copyOf(utilizedTableColumnReferences);
     }
 
-    public void populateTableColumnAndSubfieldReferencesForAccessControl(boolean checkAccessControlOnUtilizedColumnsOnly, boolean checkAccessControlWithSubfields)
+    public void populateTableColumnAndSubfieldReferencesForAccessControl(boolean checkAccessControlOnUtilizedColumnsOnly, boolean checkAccessControlWithSubfields, boolean isLegacyMaterializedViews)
     {
-        accessControlReferences.addTableColumnAndSubfieldReferencesForAccessControl(getTableColumnAndSubfieldReferencesForAccessControl(checkAccessControlOnUtilizedColumnsOnly, checkAccessControlWithSubfields));
+        accessControlReferences.addTableColumnAndSubfieldReferencesForAccessControl(getTableColumnAndSubfieldReferencesForAccessControl(checkAccessControlOnUtilizedColumnsOnly, checkAccessControlWithSubfields, isLegacyMaterializedViews));
     }
 
-    private Map<AccessControlInfo, Map<QualifiedObjectName, Set<Subfield>>> getTableColumnAndSubfieldReferencesForAccessControl(boolean checkAccessControlOnUtilizedColumnsOnly, boolean checkAccessControlWithSubfields)
+    private Map<AccessControlInfo, Map<QualifiedObjectName, Set<Subfield>>> getTableColumnAndSubfieldReferencesForAccessControl(boolean checkAccessControlOnUtilizedColumnsOnly, boolean checkAccessControlWithSubfields, boolean isLegacyMaterializedViews)
     {
         Map<AccessControlInfo, Map<QualifiedObjectName, Set<Subfield>>> references;
         if (!checkAccessControlWithSubfields) {
@@ -968,19 +968,26 @@ else if (!checkAccessControlOnUtilizedColumnsOnly) {
                                                     })
                                                     .collect(toImmutableSet())))));
         }
-        return buildMaterializedViewAccessControl(references);
+        return buildMaterializedViewAccessControl(references, isLegacyMaterializedViews);
     }
 
     /**
-     * For a query on materialized view, only check the actual required access controls for its base tables. For the materialized view,
-     * will not check access control by replacing with AllowAllAccessControl.
+     * For a query on materialized view:
+     * - When legacy_materialized_views=true: Only check access controls for base tables, bypass access control
+     *   for the materialized view itself by replacing with AllowAllAccessControl.
+     * - When legacy_materialized_views=false: Check access control for both the materialized view itself
+     *   and all base tables referenced in the view query.
      **/
-    private Map<AccessControlInfo, Map<QualifiedObjectName, Set<Subfield>>> buildMaterializedViewAccessControl(Map<AccessControlInfo, Map<QualifiedObjectName, Set<Subfield>>> tableColumnReferences)
+    private Map<AccessControlInfo, Map<QualifiedObjectName, Set<Subfield>>> buildMaterializedViewAccessControl(Map<AccessControlInfo, Map<QualifiedObjectName, Set<Subfield>>> tableColumnReferences, boolean isLegacyMaterializedViews)
     {
         if (!(getStatement() instanceof Query) || materializedViews.isEmpty()) {
             return tableColumnReferences;
         }
 
+        if (!isLegacyMaterializedViews) {
+            return tableColumnReferences;
+        }
+
         Map<AccessControlInfo, Map<QualifiedObjectName, Set<Subfield>>> newTableColumnReferences = new LinkedHashMap<>();
 
         tableColumnReferences.forEach((accessControlInfo, references) -> {

presto-docs/src/main/sphinx/admin/materialized-views.rst

@@ -18,7 +18,59 @@ subsets of large tables.
     Use at your own risk in production environments.
 
     To enable materialized views, set :ref:`admin/properties:\`\`experimental.legacy-materialized-views\`\`` = ``false``
-    in your configuration properties, or use ``SET SESSION legacy_materialized_views = false``.
+    in your configuration properties.
+
+    Alternatively, you can use ``SET SESSION legacy_materialized_views = false`` to enable them for a session,
+    but only if :ref:`admin/properties:\`\`experimental.allow-legacy-materialized-views-toggle\`\`` = ``true``
+    is set in the server configuration. The toggle option should only be used in non-production environments
+    for testing and migration purposes.
+
+Security Modes
+--------------
+
+When ``legacy_materialized_views=false``, materialized views support SQL standard security modes
+that control whose permissions are used when querying the view:
+
+**SECURITY DEFINER**
+  The materialized view executes with the permissions of the user who created it. This is the
+  default mode and matches the behavior of most SQL systems. When using DEFINER mode, column
+  masks and row filters on base tables are permitted.
+
+**SECURITY INVOKER**
+  The materialized view executes with the permissions of the user querying it. Each user must
+  have appropriate permissions on the underlying base tables. When using INVOKER mode and there
+  are column masks or row filters on the base tables, the materialized view is treated as stale,
+  since the data would vary by user.
+
+The default security mode can be configured using the ``default_view_security_mode`` session
+property. When the ``SECURITY`` clause is not specified in ``CREATE MATERIALIZED VIEW``, this
+default is used.
+
+.. note::
+
+    The ``REFRESH`` operation always uses DEFINER rights regardless of the view's security mode.
+
+Required Permissions
+--------------------
+
+The following permissions are required for materialized view operations when
+``legacy_materialized_views=false``:
+
+**CREATE MATERIALIZED VIEW**
+  * ``CREATE TABLE`` permission
+  * ``CREATE VIEW`` permission
+
+**REFRESH MATERIALIZED VIEW**
+  * ``INSERT`` permission (to write new data)
+  * ``DELETE`` permission (to remove old data)
+
+**DROP MATERIALIZED VIEW**
+  * ``DROP TABLE`` permission
+  * ``DROP VIEW`` permission
+
+**Querying a materialized view**
+  * For DEFINER mode: User needs ``SELECT`` permission on the view itself
+  * For INVOKER mode: User needs ``SELECT`` permission on all underlying base tables
 
 See Also
 --------

presto-docs/src/main/sphinx/admin/properties-session.rst

@@ -529,8 +529,24 @@ Use to configure how long a query can be queued before it is terminated.
 
 The corresponding configuration property is :ref:`admin/properties:\`\`query.max-queued-time\`\``.
 
-Materialized View Properties
-----------------------------
+View and Materialized View Properties
+--------------------------------------
+
+``default_view_security_mode``
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* **Type:** ``string``
+* **Allowed values:** ``DEFINER``, ``INVOKER``
+* **Default value:** ``DEFINER``
+
+Sets the default security mode for views and materialized views when the ``SECURITY``
+clause is not explicitly specified in ``CREATE VIEW`` or ``CREATE MATERIALIZED VIEW``
+statements.
+
+* ``DEFINER``: Views execute with the permissions of the user who created them
+* ``INVOKER``: Views execute with the permissions of the user querying them
+
+The corresponding configuration property is :ref:`admin/properties:\`\`default-view-security-mode\`\``.
 
 ``legacy_materialized_views``
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
@@ -539,7 +555,13 @@ Materialized View Properties
 * **Default value:** ``true``
 
 Use legacy materialized views implementation. Set to ``false`` to enable the new materialized
-views implementation.
+views implementation with security modes (DEFINER and INVOKER), automatic query rewriting, and
+freshness tracking.
+
+By default, this session property is locked to the server configuration value and cannot be
+changed. To allow runtime toggling of this property (for testing/migration purposes only),
+set :ref:`admin/properties:\`\`experimental.allow-legacy-materialized-views-toggle\`\`` = ``true``
+in the server configuration.
 
 The corresponding configuration property is :ref:`admin/properties:\`\`experimental.legacy-materialized-views\`\``.
 

presto-docs/src/main/sphinx/admin/properties.rst

@@ -1244,8 +1244,24 @@ fails with one of these error codes, it can be automatically retried on a backup
 cluster if a retry URL is provided. Available error codes include standard Presto
 error codes such as ``REMOTE_TASK_ERROR``, ``CLUSTER_OUT_OF_MEMORY``, etc.
 
-Materialized View Properties
-----------------------------
+View and Materialized View Properties
+-------------------------------------
+
+``default-view-security-mode``
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* **Type:** ``string``
+* **Allowed values:** ``DEFINER``, ``INVOKER``
+* **Default value:** ``DEFINER``
+
+Sets the default security mode for views and materialized views when the ``SECURITY``
+clause is not explicitly specified in ``CREATE VIEW`` or ``CREATE MATERIALIZED VIEW``
+statements.
+
+* ``DEFINER``: Views execute with the permissions of the user who created them
+* ``INVOKER``: Views execute with the permissions of the user querying them
+
+The corresponding session property is :ref:`admin/properties-session:\`\`default_view_security_mode\`\``.
 
 ``experimental.legacy-materialized-views``
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
@@ -1262,3 +1278,21 @@ The corresponding session property is :ref:`admin/properties-session:\`\`legacy_
 .. warning::
 
     Materialized views are experimental. The SPI and behavior may change in future releases.
+
+``experimental.allow-legacy-materialized-views-toggle``
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* **Type:** ``boolean``
+* **Default value:** ``false``
+
+Allow the ``legacy_materialized_views`` session property to be changed at runtime.
+By default, the session property value is locked to the server configuration value
+and cannot be changed per-session.
+
+Set this to ``true`` to allow users to toggle between legacy and new materialized
+views implementations using the session property. This is intended for testing and
+migration purposes only.
+
+.. warning::
+
+    This should only be enabled in non-production environments.

presto-docs/src/main/sphinx/sql/create-materialized-view.rst

@@ -16,6 +16,7 @@ Synopsis
 
     CREATE MATERIALIZED VIEW [ IF NOT EXISTS ] view_name
     [ COMMENT 'string' ]
+    [ SECURITY { DEFINER | INVOKER } ]
     [ WITH ( property_name = expression [, ...] ) ]
     AS query
 
@@ -31,6 +32,15 @@ not already exist.
 
 The optional ``COMMENT`` clause stores a description of the materialized view in the metastore.
 
+The optional ``SECURITY`` clause specifies the security mode for the materialized view. When
+``legacy_materialized_views=false``:
+
+* ``SECURITY DEFINER``: The view executes with the permissions of the user who created it.  This is the default mode if ``SECURITY`` is not specified and matches the behavior of most SQL systems.
+* ``SECURITY INVOKER``: The view executes with the permissions of the user querying it.  Each user must have appropriate permissions on the underlying base tables.
+
+When ``legacy_materialized_views=true``, the ``SECURITY`` clause is not supported and will
+cause an error if used.
+
 The optional ``WITH`` clause specifies connector-specific properties. Connector properties vary by
 connector implementation. Consult connector documentation for supported properties.
 
@@ -47,6 +57,26 @@ Create a materialized view with daily aggregations::
     FROM orders
     GROUP BY date_trunc('day', order_date), region
 
+Create a materialized view with DEFINER security mode::
+
+    CREATE MATERIALIZED VIEW daily_sales
+    SECURITY DEFINER
+    AS
+    SELECT date_trunc('day', order_date) AS day,
+           region,
+           SUM(amount) AS total_sales
+    FROM orders
+    GROUP BY date_trunc('day', order_date), region
+
+Create a materialized view with INVOKER security mode::
+
+    CREATE MATERIALIZED VIEW user_specific_sales
+    SECURITY INVOKER
+    AS
+    SELECT date_trunc('day', order_date) AS day,
+           SUM(amount) AS total_sales
+    FROM orders
+    GROUP BY date_trunc('day', order_date)
 
 Create a materialized view with connector properties::
 

presto-hive/src/main/java/com/facebook/presto/hive/HiveMetadata.java

@@ -2525,6 +2525,7 @@ public void createMaterializedView(ConnectorSession session, ConnectorTableMetad
                 viewDefinition.getTable(),
                 viewDefinition.getBaseTables(),
                 viewDefinition.getOwner(),
+                viewDefinition.getSecurityMode(),
                 viewDefinition.getColumnMappings(),
                 viewDefinition.getBaseTablesOnOuterJoinSide(),
                 Optional.of(getPartitionedBy(viewMetadata.getProperties())));

presto-hive/src/test/java/com/facebook/presto/hive/TestHiveMaterializedViewLogicalPlanner.java

@@ -101,7 +101,7 @@ protected QueryRunner createQueryRunner()
     {
         return HiveQueryRunner.createQueryRunner(
                 ImmutableList.of(ORDERS, LINE_ITEM, CUSTOMER, NATION, SUPPLIER),
-                ImmutableMap.of(),
+                ImmutableMap.of("experimental.allow-legacy-materialized-views-toggle", "true"),
                 Optional.empty());
     }
 

presto-hive/src/test/java/com/facebook/presto/hive/TestHiveMaterializedViewUtils.java

@@ -659,6 +659,6 @@ private static MaterializedViewDefinition getConnectorMaterializedViewDefinition
             List<SchemaTableName> tables,
             Map<String, Map<SchemaTableName, String>> originalColumnMapping)
     {
-        return new MaterializedViewDefinition(SQL, SCHEMA_NAME, TABLE_NAME, tables, Optional.empty(), originalColumnMapping, originalColumnMapping, ImmutableList.of(), Optional.empty());
+        return new MaterializedViewDefinition(SQL, SCHEMA_NAME, TABLE_NAME, tables, Optional.empty(), Optional.empty(), originalColumnMapping, originalColumnMapping, ImmutableList.of(), Optional.empty());
     }
 }

presto-main-base/src/main/java/com/facebook/presto/SystemSessionProperties.java

@@ -29,6 +29,7 @@
 import com.facebook.presto.memory.NodeMemoryConfig;
 import com.facebook.presto.spi.PrestoException;
 import com.facebook.presto.spi.eventlistener.CTEInformation;
+import com.facebook.presto.spi.security.ViewSecurity;
 import com.facebook.presto.spi.session.PropertyMetadata;
 import com.facebook.presto.spiller.NodeSpillConfig;
 import com.facebook.presto.sql.analyzer.FeaturesConfig;
@@ -49,7 +50,6 @@
 import com.facebook.presto.sql.analyzer.FeaturesConfig.SingleStreamSpillerChoice;
 import com.facebook.presto.sql.analyzer.FunctionsConfig;
 import com.facebook.presto.sql.planner.CompilerConfig;
-import com.facebook.presto.sql.tree.CreateView;
 import com.facebook.presto.tracing.TracingConfig;
 import com.google.common.base.Splitter;
 import com.google.common.collect.ImmutableList;
@@ -1357,12 +1357,24 @@ public SystemSessionProperties(
                         "Enable query optimization with materialized view",
                         featuresConfig.isQueryOptimizationWithMaterializedViewEnabled(),
                         true),
-                booleanProperty(
+                new PropertyMetadata<>(
                         LEGACY_MATERIALIZED_VIEWS,
-                        "Experimental: Use legacy materialized views.  This feature is under active development and may change" +
-                                "or be removed at any time.  Do not disable in production environments.",
+                        "Experimental: Use legacy materialized views.  This feature is under active development and may change " +
+                                "or be removed at any time.  Do not disable in production environments. " +
+                                "To allow toggling this property via session, set experimental.allow-legacy-materialized-views-toggle=true in config.",
+                        BOOLEAN,
+                        Boolean.class,
                         featuresConfig.isLegacyMaterializedViews(),
-                        true),
+                        true,
+                        value -> {
+                            if (!featuresConfig.isAllowLegacyMaterializedViewsToggle()) {
+                                throw new PrestoException(INVALID_SESSION_PROPERTY,
+                                        "Cannot toggle legacy_materialized_views session property. " +
+                                        "Set experimental.allow-legacy-materialized-views-toggle=true in config to allow changing this setting.");
+                            }
+                            return (Boolean) value;
+                        },
+                        object -> object),
                 booleanProperty(
                         MATERIALIZED_VIEW_ALLOW_FULL_REFRESH_ENABLED,
                         "Allow full refresh of MV when it's empty - potentially high cost.",
@@ -1913,15 +1925,15 @@ public SystemSessionProperties(
                 new PropertyMetadata<>(
                         DEFAULT_VIEW_SECURITY_MODE,
                         format("Set default view security mode. Options are: %s",
-                                Stream.of(CreateView.Security.values())
-                                        .map(CreateView.Security::name)
+                                Stream.of(ViewSecurity.values())
+                                        .map(ViewSecurity::name)
                                         .collect(joining(","))),
                         VARCHAR,
-                        CreateView.Security.class,
+                        ViewSecurity.class,
                         featuresConfig.getDefaultViewSecurityMode(),
                         false,
-                        value -> CreateView.Security.valueOf(((String) value).toUpperCase()),
-                        CreateView.Security::name),
+                        value -> ViewSecurity.valueOf(((String) value).toUpperCase()),
+                        ViewSecurity::name),
                 booleanProperty(
                         JOIN_PREFILTER_BUILD_SIDE,
                         "Prefiltering the build/inner side of a join with keys from the other side",
@@ -3320,9 +3332,9 @@ public static boolean isEagerPlanValidationEnabled(Session session)
         return session.getSystemProperty(EAGER_PLAN_VALIDATION_ENABLED, Boolean.class);
     }
 
-    public static CreateView.Security getDefaultViewSecurityMode(Session session)
+    public static ViewSecurity getDefaultViewSecurityMode(Session session)
     {
-        return session.getSystemProperty(DEFAULT_VIEW_SECURITY_MODE, CreateView.Security.class);
+        return session.getSystemProperty(DEFAULT_VIEW_SECURITY_MODE, ViewSecurity.class);
     }
 
     public static boolean isJoinPrefilterEnabled(Session session)