Add definer and invoker rights access control to materialized views

Author: tdcmeehan

presto-analyzer/src/main/java/com/facebook/presto/sql/analyzer/Analysis.java

@@ -931,12 +931,12 @@ public Map<AccessControlInfo, Map<QualifiedObjectName, Set<String>>> getUtilized
         return ImmutableMap.copyOf(utilizedTableColumnReferences);
     }
 
-    public void populateTableColumnAndSubfieldReferencesForAccessControl(boolean checkAccessControlOnUtilizedColumnsOnly, boolean checkAccessControlWithSubfields)
+    public void populateTableColumnAndSubfieldReferencesForAccessControl(boolean checkAccessControlOnUtilizedColumnsOnly, boolean checkAccessControlWithSubfields, boolean isLegacyMaterializedViews)
     {
-        accessControlReferences.addTableColumnAndSubfieldReferencesForAccessControl(getTableColumnAndSubfieldReferencesForAccessControl(checkAccessControlOnUtilizedColumnsOnly, checkAccessControlWithSubfields));
+        accessControlReferences.addTableColumnAndSubfieldReferencesForAccessControl(getTableColumnAndSubfieldReferencesForAccessControl(checkAccessControlOnUtilizedColumnsOnly, checkAccessControlWithSubfields, isLegacyMaterializedViews));
     }
 
-    private Map<AccessControlInfo, Map<QualifiedObjectName, Set<Subfield>>> getTableColumnAndSubfieldReferencesForAccessControl(boolean checkAccessControlOnUtilizedColumnsOnly, boolean checkAccessControlWithSubfields)
+    private Map<AccessControlInfo, Map<QualifiedObjectName, Set<Subfield>>> getTableColumnAndSubfieldReferencesForAccessControl(boolean checkAccessControlOnUtilizedColumnsOnly, boolean checkAccessControlWithSubfields, boolean isLegacyMaterializedViews)
     {
         Map<AccessControlInfo, Map<QualifiedObjectName, Set<Subfield>>> references;
         if (!checkAccessControlWithSubfields) {
@@ -968,19 +968,26 @@ else if (!checkAccessControlOnUtilizedColumnsOnly) {
                                                     })
                                                     .collect(toImmutableSet())))));
         }
-        return buildMaterializedViewAccessControl(references);
+        return buildMaterializedViewAccessControl(references, isLegacyMaterializedViews);
     }
 
     /**
-     * For a query on materialized view, only check the actual required access controls for its base tables. For the materialized view,
-     * will not check access control by replacing with AllowAllAccessControl.
+     * For a query on materialized view:
+     * - When legacy_materialized_views=true: Only check access controls for base tables, bypass access control
+     *   for the materialized view itself by replacing with AllowAllAccessControl.
+     * - When legacy_materialized_views=false: Check access control for both the materialized view itself
+     *   and all base tables referenced in the view query.
      **/
-    private Map<AccessControlInfo, Map<QualifiedObjectName, Set<Subfield>>> buildMaterializedViewAccessControl(Map<AccessControlInfo, Map<QualifiedObjectName, Set<Subfield>>> tableColumnReferences)
+    private Map<AccessControlInfo, Map<QualifiedObjectName, Set<Subfield>>> buildMaterializedViewAccessControl(Map<AccessControlInfo, Map<QualifiedObjectName, Set<Subfield>>> tableColumnReferences, boolean isLegacyMaterializedViews)
     {
         if (!(getStatement() instanceof Query) || materializedViews.isEmpty()) {
             return tableColumnReferences;
         }
 
+        if (!isLegacyMaterializedViews) {
+            return tableColumnReferences;
+        }
+
         Map<AccessControlInfo, Map<QualifiedObjectName, Set<Subfield>>> newTableColumnReferences = new LinkedHashMap<>();
 
         tableColumnReferences.forEach((accessControlInfo, references) -> {

presto-main-base/src/main/java/com/facebook/presto/SystemSessionProperties.java

@@ -49,7 +49,7 @@
 import com.facebook.presto.sql.analyzer.FeaturesConfig.SingleStreamSpillerChoice;
 import com.facebook.presto.sql.analyzer.FunctionsConfig;
 import com.facebook.presto.sql.planner.CompilerConfig;
-import com.facebook.presto.sql.tree.CreateView;
+import com.facebook.presto.sql.tree.ViewSecurity;
 import com.facebook.presto.tracing.TracingConfig;
 import com.google.common.base.Splitter;
 import com.google.common.collect.ImmutableList;
@@ -1901,15 +1901,15 @@ public SystemSessionProperties(
                 new PropertyMetadata<>(
                         DEFAULT_VIEW_SECURITY_MODE,
                         format("Set default view security mode. Options are: %s",
-                                Stream.of(CreateView.Security.values())
-                                        .map(CreateView.Security::name)
+                                Stream.of(ViewSecurity.values())
+                                        .map(ViewSecurity::name)
                                         .collect(joining(","))),
                         VARCHAR,
-                        CreateView.Security.class,
+                        ViewSecurity.class,
                         featuresConfig.getDefaultViewSecurityMode(),
                         false,
-                        value -> CreateView.Security.valueOf(((String) value).toUpperCase()),
-                        CreateView.Security::name),
+                        value -> ViewSecurity.valueOf(((String) value).toUpperCase()),
+                        ViewSecurity::name),
                 booleanProperty(
                         JOIN_PREFILTER_BUILD_SIDE,
                         "Prefiltering the build/inner side of a join with keys from the other side",
@@ -3303,9 +3303,9 @@ public static boolean isEagerPlanValidationEnabled(Session session)
         return session.getSystemProperty(EAGER_PLAN_VALIDATION_ENABLED, Boolean.class);
     }
 
-    public static CreateView.Security getDefaultViewSecurityMode(Session session)
+    public static ViewSecurity getDefaultViewSecurityMode(Session session)
     {
-        return session.getSystemProperty(DEFAULT_VIEW_SECURITY_MODE, CreateView.Security.class);
+        return session.getSystemProperty(DEFAULT_VIEW_SECURITY_MODE, ViewSecurity.class);
     }
 
     public static boolean isJoinPrefilterEnabled(Session session)

presto-main-base/src/main/java/com/facebook/presto/execution/CreateMaterializedViewTask.java

@@ -33,6 +33,7 @@
 import com.facebook.presto.sql.tree.Expression;
 import com.facebook.presto.sql.tree.NodeRef;
 import com.facebook.presto.sql.tree.Parameter;
+import com.facebook.presto.sql.tree.ViewSecurity;
 import com.facebook.presto.transaction.TransactionManager;
 import com.google.common.util.concurrent.ListenableFuture;
 import jakarta.inject.Inject;
@@ -41,6 +42,8 @@
 import java.util.Map;
 import java.util.Optional;
 
+import static com.facebook.presto.SystemSessionProperties.getDefaultViewSecurityMode;
+import static com.facebook.presto.SystemSessionProperties.isLegacyMaterializedViews;
 import static com.facebook.presto.metadata.MetadataUtil.createQualifiedObjectName;
 import static com.facebook.presto.metadata.MetadataUtil.getConnectorIdOrThrow;
 import static com.facebook.presto.metadata.MetadataUtil.toSchemaTableName;
@@ -50,6 +53,9 @@
 import static com.facebook.presto.sql.analyzer.SemanticErrorCode.MATERIALIZED_VIEW_ALREADY_EXISTS;
 import static com.facebook.presto.sql.analyzer.SemanticErrorCode.NOT_SUPPORTED;
 import static com.facebook.presto.sql.analyzer.utils.ParameterUtils.parameterExtractor;
+import static com.facebook.presto.sql.tree.ViewSecurity.DEFINER;
+import static com.facebook.presto.sql.tree.ViewSecurity.INVOKER;
+import static com.google.common.base.Preconditions.checkState;
 import static com.google.common.collect.ImmutableList.toImmutableList;
 import static com.google.common.util.concurrent.Futures.immediateFuture;
 import static java.util.Objects.requireNonNull;
@@ -132,12 +138,33 @@ public ListenableFuture<?> execute(CreateMaterializedView statement, Transaction
                 .collect(toImmutableList());
 
         MaterializedViewColumnMappingExtractor extractor = new MaterializedViewColumnMappingExtractor(analysis, session, metadata);
+
+        if (isLegacyMaterializedViews(session) && statement.getSecurity().isPresent()) {
+            throw new SemanticException(
+                    NOT_SUPPORTED,
+                    statement,
+                    "SECURITY clause is not supported when legacy_materialized_views is enabled");
+        }
+
+        // Security is determined by presence of owner.  For definer rights, we store the owner's identity, and for invoker rights,
+        // we store nothing (absence indicates invoker rights). The legacy behavior is to always store the owner's identity.
+        ViewSecurity defaultViewSecurityMode = getDefaultViewSecurityMode(session);
+        Optional<String> owner = Optional.of(session.getUser());
+        if (!isLegacyMaterializedViews(session) && statement.getSecurity().orElse(defaultViewSecurityMode) == INVOKER) {
+            owner = Optional.empty();
+        }
+        else {
+            checkState(isLegacyMaterializedViews(session) || statement.getSecurity().orElse(defaultViewSecurityMode) == DEFINER,
+                    "Unexpected view security: %s",
+                    statement.getSecurity());
+        }
+
         MaterializedViewDefinition viewDefinition = new MaterializedViewDefinition(
                 sql,
                 viewName.getSchemaName(),
                 viewName.getObjectName(),
                 baseTables,
-                Optional.of(session.getUser()),
+                owner,
                 extractor.getMaterializedViewColumnMappings(),
                 extractor.getMaterializedViewDirectColumnMappings(),
                 extractor.getBaseTablesOnOuterJoinSide(),

presto-main-base/src/main/java/com/facebook/presto/execution/CreateViewTask.java

@@ -29,6 +29,7 @@
 import com.facebook.presto.sql.tree.CreateView;
 import com.facebook.presto.sql.tree.Expression;
 import com.facebook.presto.sql.tree.Statement;
+import com.facebook.presto.sql.tree.ViewSecurity;
 import com.facebook.presto.transaction.TransactionManager;
 import com.google.common.util.concurrent.ListenableFuture;
 import jakarta.inject.Inject;
@@ -42,7 +43,7 @@
 import static com.facebook.presto.spi.analyzer.ViewDefinition.ViewColumn;
 import static com.facebook.presto.sql.SqlFormatterUtil.getFormattedSql;
 import static com.facebook.presto.sql.analyzer.utils.ParameterUtils.parameterExtractor;
-import static com.facebook.presto.sql.tree.CreateView.Security.INVOKER;
+import static com.facebook.presto.sql.tree.ViewSecurity.INVOKER;
 import static com.google.common.collect.ImmutableList.toImmutableList;
 import static com.google.common.util.concurrent.Futures.immediateFuture;
 import static java.util.Objects.requireNonNull;
@@ -101,7 +102,7 @@ public ListenableFuture<?> execute(CreateView statement, TransactionManager tran
 
         ConnectorTableMetadata viewMetadata = new ConnectorTableMetadata(toSchemaTableName(name), columnMetadata);
 
-        CreateView.Security defaultViewSecurityMode = getDefaultViewSecurityMode(session);
+        ViewSecurity defaultViewSecurityMode = getDefaultViewSecurityMode(session);
         Optional<String> owner = Optional.of(session.getUser());
         if (statement.getSecurity().orElse(defaultViewSecurityMode) == INVOKER) {
             owner = Optional.empty();

presto-main-base/src/main/java/com/facebook/presto/sql/analyzer/Analyzer.java

@@ -37,6 +37,7 @@
 
 import static com.facebook.presto.SystemSessionProperties.isCheckAccessControlOnUtilizedColumnsOnly;
 import static com.facebook.presto.SystemSessionProperties.isCheckAccessControlWithSubfields;
+import static com.facebook.presto.SystemSessionProperties.isLegacyMaterializedViews;
 import static com.facebook.presto.sql.analyzer.ExpressionTreeUtils.extractAggregateFunctions;
 import static com.facebook.presto.sql.analyzer.ExpressionTreeUtils.extractExpressions;
 import static com.facebook.presto.sql.analyzer.ExpressionTreeUtils.extractExternalFunctions;
@@ -124,7 +125,7 @@ public Analysis analyzeSemantic(Statement statement, boolean isDescribe)
         StatementAnalyzer analyzer = new StatementAnalyzer(analysis, metadata, sqlParser, accessControl, session, warningCollector);
         analyzer.analyze(rewrittenStatement, Optional.empty());
         analyzeForUtilizedColumns(analysis, analysis.getStatement(), warningCollector);
-        analysis.populateTableColumnAndSubfieldReferencesForAccessControl(isCheckAccessControlOnUtilizedColumnsOnly(session), isCheckAccessControlWithSubfields(session));
+        analysis.populateTableColumnAndSubfieldReferencesForAccessControl(isCheckAccessControlOnUtilizedColumnsOnly(session), isCheckAccessControlWithSubfields(session), isLegacyMaterializedViews(session));
         return analysis;
     }
 

presto-main-base/src/main/java/com/facebook/presto/sql/analyzer/FeaturesConfig.java

@@ -25,7 +25,7 @@
 import com.facebook.presto.common.resourceGroups.QueryType;
 import com.facebook.presto.spi.PrestoException;
 import com.facebook.presto.spi.function.FunctionMetadata;
-import com.facebook.presto.sql.tree.CreateView;
+import com.facebook.presto.sql.tree.ViewSecurity;
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Splitter;
 import com.google.common.collect.ImmutableList;
@@ -47,7 +47,7 @@
 import static com.facebook.presto.sql.analyzer.FeaturesConfig.JoinNotNullInferenceStrategy.NONE;
 import static com.facebook.presto.sql.analyzer.FeaturesConfig.TaskSpillingStrategy.ORDER_BY_CREATE_TIME;
 import static com.facebook.presto.sql.expressions.ExpressionOptimizerManager.DEFAULT_EXPRESSION_OPTIMIZER_NAME;
-import static com.facebook.presto.sql.tree.CreateView.Security.DEFINER;
+import static com.facebook.presto.sql.tree.ViewSecurity.DEFINER;
 import static com.google.common.collect.ImmutableList.toImmutableList;
 import static java.lang.String.format;
 import static java.util.Objects.requireNonNull;
@@ -296,7 +296,7 @@ public class FeaturesConfig
     private boolean generateDomainFilters;
     private boolean printEstimatedStatsFromCache;
     private boolean removeCrossJoinWithSingleConstantRow = true;
-    private CreateView.Security defaultViewSecurityMode = DEFINER;
+    private ViewSecurity defaultViewSecurityMode = DEFINER;
     private boolean useHistograms;
 
     private boolean isInlineProjectionsOnValuesEnabled;
@@ -2929,14 +2929,14 @@ public FeaturesConfig setOptimizeConditionalApproxDistinct(boolean optimizeCondi
         return this;
     }
 
-    public CreateView.Security getDefaultViewSecurityMode()
+    public ViewSecurity getDefaultViewSecurityMode()
     {
         return this.defaultViewSecurityMode;
     }
 
     @Config("default-view-security-mode")
     @ConfigDescription("Sets the default security mode for view creation. The options are definer/invoker.")
-    public FeaturesConfig setDefaultViewSecurityMode(CreateView.Security securityMode)
+    public FeaturesConfig setDefaultViewSecurityMode(ViewSecurity securityMode)
     {
         this.defaultViewSecurityMode = securityMode;
         return this;

presto-main-base/src/main/java/com/facebook/presto/sql/analyzer/StatementAnalyzer.java

@@ -528,7 +528,7 @@ protected Scope visitInsert(Insert insert, Optional<Scope> scope)
                     Column::new);
 
             analysis.setUpdatedSourceColumns(Optional.of(Streams.zip(
-                    columnStream, queryScope.getRelationType().getVisibleFields().stream(), (column, field) -> new OutputColumnMetadata(column.getName(), column.getType(), analysis.getSourceColumns(field)))
+                            columnStream, queryScope.getRelationType().getVisibleFields().stream(), (column, field) -> new OutputColumnMetadata(column.getName(), column.getType(), analysis.getSourceColumns(field)))
                     .collect(toImmutableList())));
 
             return createAndAssignScope(insert, scope, Field.newUnqualified(insert.getLocation(), "rows", BIGINT));
@@ -873,13 +873,25 @@ protected Scope visitRefreshMaterializedView(RefreshMaterializedView node, Optio
             Query refreshQuery = tablePredicates.containsKey(toSchemaTableName(viewName)) ?
                     buildSubqueryWithPredicate(viewQuery, tablePredicates.get(toSchemaTableName(viewName)))
                     : viewQuery;
-            // Check if the owner has SELECT permission on the base tables
+
+            // Security is determined by presence of owner, like Views.  For definer rights, we store the owner's identity, and for invoker rights,
+            // we store nothing (absence indicates invoker rights). The legacy behavior is to always store the owner's identity.
+            Session querySession;
+            if (!isLegacyMaterializedViews(session) && !view.getOwner().isPresent()) {
+                querySession = session;
+            }
+            else {
+                checkState(isLegacyMaterializedViews(session) || view.getOwner().isPresent(),
+                        "Expected materialized view to have owner (DEFINER security) when legacy materialized views are disabled");
+                querySession = buildOwnerSession(session, view.getOwner(), metadata.getSessionPropertyManager(), viewName.getCatalogName(), view.getSchema());
+            }
+
             StatementAnalyzer queryAnalyzer = new StatementAnalyzer(
                     analysis,
                     metadata,
                     sqlParser,
                     accessControl,
-                    buildOwnerSession(session, view.getOwner(), metadata.getSessionPropertyManager(), viewName.getCatalogName(), view.getSchema()),
+                    querySession,
                     warningCollector);
             queryAnalyzer.analyze(refreshQuery, Scope.create());
 
@@ -1667,7 +1679,7 @@ private ArgumentsAnalysis mapTableFunctionArgsByPosition(List<ArgumentSpecificat
         private ArgumentAnalysis analyzeArgument(ArgumentSpecification argumentSpecification, TableFunctionArgument argument, Optional<Scope> scope)
         {
             String actualType = getArgumentTypeString(argument);
-            switch (argumentSpecification.getArgumentType()){
+            switch (argumentSpecification.getArgumentType()) {
                 case TableArgumentSpecification.argumentType:
                     return analyzeTableArgument(argument, (TableArgumentSpecification) argumentSpecification, scope, actualType);
                 case DescriptorArgumentSpecification.argumentType:
@@ -2343,8 +2355,38 @@ private Scope processMaterializedView(
                         materializedViewDefinition);
                 analysis.setMaterializedViewInfo(materializedView, mvInfo);
 
-                // Process the view query to analyze base tables for access control
-                process(viewQuery, scope);
+                // Security is determined by presence of owner.  Definer rights if owner is present, invoker rights otherwise.
+                Optional<String> owner = materializedViewDefinition.getOwner();
+                Identity queryIdentity;
+                AccessControl queryAccessControl;
+
+                // ViewAccessControl is only assigned when owner is present (definer rights).
+                // For definer rights, we wrap the access control to allow access to the view definition itself
+                // while still enforcing access control on the underlying base tables using the owner's identity.
+                // For invoker rights (owner absent), we use the session's identity and standard access control,
+                // ensuring the current user's permissions are checked on all tables including the view itself.
+                if (owner.isPresent()) {
+                    queryIdentity = new Identity(owner.get(), Optional.empty(), session.getIdentity().getExtraCredentials());
+                    queryAccessControl = new ViewAccessControl(accessControl);
+                }
+                else {
+                    queryIdentity = session.getIdentity();
+                    queryAccessControl = accessControl;
+                }
+
+                Session mvQuerySession = createViewSession(
+                        Optional.of(materializedViewName.getCatalogName()),
+                        Optional.of(materializedViewDefinition.getSchema()),
+                        queryIdentity);
+
+                StatementAnalyzer mvAnalyzer = new StatementAnalyzer(
+                        analysis,
+                        metadata,
+                        sqlParser,
+                        queryAccessControl,
+                        mvQuerySession,
+                        warningCollector);
+                mvAnalyzer.analyze(viewQuery, scope);
 
                 Scope queryScope = process(dataTable, scope);
                 RelationType relationType = queryScope.getRelationType().withOnlyVisibleFields().withAlias(materializedViewName.getObjectName(), null);