Improve messages for column access error in FileBasedAccessControl

takezoe · takezoe · commit 99856ff6f805 · 2025-03-15T12:51:42.000+09:00
diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedAccessControl.java
@@ -85,7 +85,7 @@
 import static io.trino.spi.security.AccessDeniedException.denyRevokeRoles;
 import static io.trino.spi.security.AccessDeniedException.denyRevokeSchemaPrivilege;
 import static io.trino.spi.security.AccessDeniedException.denyRevokeTablePrivilege;
-import static io.trino.spi.security.AccessDeniedException.denySelectTable;
+import static io.trino.spi.security.AccessDeniedException.denySelectColumns;
 import static io.trino.spi.security.AccessDeniedException.denySetCatalogSessionProperty;
 import static io.trino.spi.security.AccessDeniedException.denySetMaterializedViewProperties;
 import static io.trino.spi.security.AccessDeniedException.denySetRole;
@@ -389,7 +389,7 @@ public void checkCanSelectFromColumns(ConnectorSecurityContext context, SchemaTa
                 .findFirst()
                 .orElse(false);
         if (!allowed) {
-            denySelectTable(tableName.toString());
+            denySelectColumns(tableName.toString(), columnNames);
         }
     }
 
@@ -475,7 +475,7 @@ public void checkCanCreateViewWithSelectFromColumns(ConnectorSecurityContext con
                 .findFirst()
                 .orElse(null);
         if (rule == null || !rule.canSelectColumns(columnNames)) {
-            denySelectTable(tableName.toString());
+            denySelectColumns(tableName.toString(), columnNames);
         }
         if (!rule.getPrivileges().contains(GRANT_SELECT)) {
             denyCreateViewWithSelect(tableName.toString(), context.getIdentity());
diff --git a/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedSystemAccessControl.java b/lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedSystemAccessControl.java
@@ -105,6 +105,7 @@
 import static io.trino.spi.security.AccessDeniedException.denyRevokeRoles;
 import static io.trino.spi.security.AccessDeniedException.denyRevokeSchemaPrivilege;
 import static io.trino.spi.security.AccessDeniedException.denyRevokeTablePrivilege;
+import static io.trino.spi.security.AccessDeniedException.denySelectColumns;
 import static io.trino.spi.security.AccessDeniedException.denySelectTable;
 import static io.trino.spi.security.AccessDeniedException.denySetCatalogSessionProperty;
 import static io.trino.spi.security.AccessDeniedException.denySetMaterializedViewProperties;
@@ -683,7 +684,7 @@ public void checkCanSelectFromColumns(SystemSecurityContext context, CatalogSche
                 .findFirst()
                 .orElse(false);
         if (!allowed) {
-            denySelectTable(table.toString());
+            denySelectColumns(table.toString(), columns);
         }
     }
 
@@ -765,7 +766,7 @@ public void checkCanCreateViewWithSelectFromColumns(SystemSecurityContext contex
                 .findFirst()
                 .orElse(null);
         if (rule == null || !rule.canSelectColumns(columns)) {
-            denySelectTable(table.toString());
+            denySelectColumns(table.toString(), columns);
         }
         if (!rule.getPrivileges().contains(GRANT_SELECT)) {
             denyCreateViewWithSelect(table.toString(), context.getIdentity());
diff --git a/lib/trino-plugin-toolkit/src/test/java/io/trino/plugin/base/security/BaseFileBasedSystemAccessControlTest.java b/lib/trino-plugin-toolkit/src/test/java/io/trino/plugin/base/security/BaseFileBasedSystemAccessControlTest.java
@@ -103,7 +103,7 @@ public abstract class BaseFileBasedSystemAccessControlTest
     private static final String REVOKE_SCHEMA_ACCESS_DENIED_MESSAGE = "Cannot revoke privilege %s on schema %s%s";
 
     private static final String SHOWN_TABLES_ACCESS_DENIED_MESSAGE = "Cannot show tables of .*";
-    private static final String SELECT_TABLE_ACCESS_DENIED_MESSAGE = "Cannot select from table .*";
+    private static final String SELECT_COLUMN_ACCESS_DENIED_MESSAGE = "Cannot select from columns .*";
     private static final String SHOW_COLUMNS_ACCESS_DENIED_MESSAGE = "Cannot show columns of table .*";
     private static final String ADD_COLUMNS_ACCESS_DENIED_MESSAGE = "Cannot add a column to table .*";
     private static final String DROP_COLUMNS_ACCESS_DENIED_MESSAGE = "Cannot drop a column from table .*";
@@ -450,21 +450,21 @@ public void testTableRulesForCheckCanSelectFromColumns()
                         CHARLIE,
                         new CatalogSchemaTableName("some-catalog", "bobschema", "bobcolumns"),
                         ImmutableSet.of("bobcolumn", "private")),
-                SELECT_TABLE_ACCESS_DENIED_MESSAGE);
+                SELECT_COLUMN_ACCESS_DENIED_MESSAGE);
         accessControl.checkCanSelectFromColumns(JOE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobcolumns"), ImmutableSet.of());
 
         assertAccessDenied(
                 () -> accessControl.checkCanSelectFromColumns(
                         ADMIN,
                         new CatalogSchemaTableName("secret", "secret", "secret"),
                         ImmutableSet.of()),
-                SELECT_TABLE_ACCESS_DENIED_MESSAGE);
+                SELECT_COLUMN_ACCESS_DENIED_MESSAGE);
         assertAccessDenied(
                 () -> accessControl.checkCanSelectFromColumns(
                         JOE,
                         new CatalogSchemaTableName("secret", "secret", "secret"),
                         ImmutableSet.of()),
-                SELECT_TABLE_ACCESS_DENIED_MESSAGE);
+                SELECT_COLUMN_ACCESS_DENIED_MESSAGE);
     }
 
     @Test
@@ -494,7 +494,7 @@ public void testTableRulesForCheckCanCreateViewWithSelectFromColumns()
                         CHARLIE,
                         new CatalogSchemaTableName("some-catalog", "bobschema", "bobcolumns_with_grant"),
                         ImmutableSet.of("bobcolumn", "private")),
-                SELECT_TABLE_ACCESS_DENIED_MESSAGE);
+                SELECT_COLUMN_ACCESS_DENIED_MESSAGE);
     }
 
     @Test
diff --git a/plugin/trino-hive/src/test/java/io/trino/plugin/hive/TestHiveFileBasedSecurity.java b/plugin/trino-hive/src/test/java/io/trino/plugin/hive/TestHiveFileBasedSecurity.java
@@ -74,7 +74,7 @@ public void testNonAdminCannotRead()
         Session bob = getSession("bob");
         assertThatThrownBy(() -> queryRunner.execute(bob, "SELECT * FROM nation"))
                 .isInstanceOf(RuntimeException.class)
-                .hasMessageMatching(".*Access Denied: Cannot select from table tpch.nation.*");
+                .hasMessageMatching(".*Access Denied: Cannot select from columns \\[nationkey, regionkey, name, comment\\] in table or view tpch\\.nation");
     }
 
     @Test

Original file line number	Diff line number	Diff line change
`@@ -74,7 +74,7 @@ public void testNonAdminCannotRead()`
`74`	`74`	`Session bob = getSession("bob");`
`75`	`75`	`assertThatThrownBy(() -> queryRunner.execute(bob, "SELECT * FROM nation"))`
`76`	`76`	`.isInstanceOf(RuntimeException.class)`
`77`		`- .hasMessageMatching(".Access Denied: Cannot select from table tpch.nation.");`
	`77`	`+ .hasMessageMatching(".*Access Denied: Cannot select from columns \\[nationkey, regionkey, name, comment\\] in table or view tpch\\.nation");`
`78`	`78`	`}`
`79`	`79`
`80`	`80`	`@Test`