Question: Authorization on query views

[jonashartwig]

Hi all and thanks for reading my question,

We wonder about the security model. I understand that the SystemAccessControl class supports checking an authorizer if a user has select on columns for tables.
What we would like to do is check if a user wants to select from a view, that that user also has access to the underlaying table columns.
In that particular case, the user running the query is not the same as the user creating the view.

Let me give you an example:

I create a view using the following query: create view data.v_test as select * from data.t_my secret_data; I create the view and I have access to the table data.t_my secret_data. Our permissions should be able to say that everyone can show and select from views.
However, now my friend Rosy wants to select from that view but has not access to data.t_my secret_data. We want Trino to check that a user issuing a query against a view is checked for table access as well.

Is that possible? If yes how is this done and if not, can we add a feature request? Does this line of thought makes sense?

Regards

[hashhar]

I think you would find https://trino.io/docs/current/sql/create-view.html#security useful. DEFINER security model sounds like what you want.

cc: @dain

[jonashartwig]

Great, I missed that. I will check this out and get back in case i need more help :)

[jonashartwig]

That absolutely helps us. Follow up question. Can we enforce (set as default INVOKER) and deny/remove DEFINER?

[jonashartwig]

I found this code, it does not seem like it, does it?

Optional<Identity> owner = Optional.of(session.getIdentity());
        if (statement.getSecurity().orElse(null) == INVOKER) {
            owner = Optional.empty();
        }

[hashhar]

I don't think it's possible to do that today. I'd suggest to create an issue to start discussion around it ("Add ability to change default view security model") since to me it sounds useful for a platform administrator (but I can see it causing issues when migrating between different SystemAccessControl implementations or between metastores).