feat(analyzer): Add invoker and definer rights access control to materialized views

[tdcmeehan]

Depends on: #26492

Description

Adds SQL standard SECURITY DEFINER and SECURITY INVOKER syntax to materialized views. When specified, controls whether views execute with creator's permissions (DEFINER) or querying user's permissions (INVOKER). Defaults to default_view_security_mode when the SECURITY is not set (which is defaulted to DEFINER).

Motivation and Context

Well-defined access control that is consistent with views are industry standard. Materialized views should have an access control model that is consistent with views and configurable.

Impact

Adds optional SECURITY clause to CREATE MATERIALIZED VIEW:

  CREATE MATERIALIZED VIEW view_name SECURITY DEFINER AS ...
  CREATE MATERIALIZED VIEW view_name SECURITY INVOKER AS ...

If legacy_materialized_views=true, the SECURITY clause will throw if attempted for use in a CREATE statement, and there are no changes in behavior for refresh or query.

Test Plan

Unit and integration tests are included in this PR.

Contributor checklist

• Please make sure your submission complies with our contributing guide, in particular code style and commit standards.
• PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
• Documented new properties (with its default value), SQL syntax, functions, or other functionality.
• If release notes are required, they follow the release notes guidelines.
• Adequate tests were added if applicable.
• CI passed.
• If adding new dependencies, verified they have an OpenSSF Scorecard score of 5.0 or higher (or obtained explicit TSC approval for lower scores).

Release Notes

== NO RELEASE NOTE ==

[sourcery-ai]

Reviewer's Guide

This PR extends materialized view support with SQL-standard SECURITY INVOKER/DEFINER control by tracking an optional owner in the view definition and wiring it through parsing, formatting, analysis, execution, and access control. The parser and AST builder now recognize an optional SECURITY clause, the SQL formatter emits it, and CreateMaterializedViewTask computes and stores an owner field (absent for INVOKER mode). Analyzer and StatementAnalyzer use the owner field to switch between invoker and definer sessions for queries and refreshes. Legacy mode bypasses the SECURITY clause and always applies definer behavior. The memory connector is updated to load file-based access control, and extensive unit and integration tests validate all new behaviors.

Sequence diagram for materialized view creation with SECURITY clause

sequenceDiagram
    actor User
    participant "SQL Parser"
    participant "AST Builder"
    participant "CreateMaterializedViewTask"
    participant "MaterializedViewDefinition"
    User->>"SQL Parser": CREATE MATERIALIZED VIEW ... SECURITY DEFINER/INVOKER ...
    "SQL Parser"->>"AST Builder": Parse SECURITY clause
    "AST Builder"->>"CreateMaterializedViewTask": Pass security mode
    "CreateMaterializedViewTask"->>"MaterializedViewDefinition": Store owner if DEFINER, none if INVOKER
    "CreateMaterializedViewTask"-->>User: Error if legacy mode and SECURITY clause

Loading

Sequence diagram for materialized view query/refresh with SECURITY mode

sequenceDiagram
    actor User
    participant "StatementAnalyzer"
    participant "Session"
    participant "AccessControl"
    participant "MaterializedViewDefinition"
    User->>"StatementAnalyzer": Query/refresh materialized view
    "StatementAnalyzer"->>"MaterializedViewDefinition": Check owner field
    alt SECURITY DEFINER
        "StatementAnalyzer"->>"Session": Build session as owner
        "StatementAnalyzer"->>"AccessControl": Use owner's permissions
    else SECURITY INVOKER
        "StatementAnalyzer"->>"Session": Use current user session
        "StatementAnalyzer"->>"AccessControl": Use invoker's permissions
    end

Loading

ER diagram for MaterializedViewDefinition owner field

erDiagram
    MATERIALIZED_VIEW_DEFINITION {
        string schema
        string objectName
        string sql
        string[] baseTables
        string[] columnMappings
        string[] directColumnMappings
        string[] baseTablesOnOuterJoinSide
        string owner
    }
    MATERIALIZED_VIEW_DEFINITION ||--o| USER : "owner (optional)"
    USER {
        string userName
    }

Loading

Class diagram for ViewSecurity and CreateMaterializedView changes

classDiagram
    class ViewSecurity {
        <<enum>>
        INVOKER
        DEFINER
    }
    class CreateMaterializedView {
        +QualifiedName name
        +Query query
        +boolean notExists
        +Optional<ViewSecurity> security
        +List<Property> properties
        +Optional<String> comment
        +getSecurity()
    }
    ViewSecurity <.. CreateMaterializedView : uses

Loading

File-Level Changes

Change	Details	Files
Add SECURITY INVOKER/DEFINER clause handling for CREATE MATERIALIZED VIEW	Extend ANTLR grammar and AST nodes to include optional security Update SqlFormatter to append SECURITY clause Modify CreateMaterializedViewTask to validate legacy mode and set owner optional Enhance ShowCreate rewrite to display SECURITY for non-legacy MVs	SqlBase.g4 AstBuilder.java CreateMaterializedView.java SqlFormatter.java CreateMaterializedViewTask.java ShowQueriesRewrite.java DefaultTreeRewriter.java SystemSessionProperties.java
Implement security enforcement in analysis and execution	Pass optional owner into MaterializedViewDefinition Use owner presence to build definer or invoker sessions in StatementAnalyzer Adjust Analysis to include MV in access control when not legacy Wire owner into refresh logic and check permissions accordingly	StatementAnalyzer.java Analyzer.java Analysis.java
Enhance memory connector to support file-based access control	Add MemorySecurityModule to load allow-all or file-based access control Expose ConnectorAccessControl in MemoryConnector Expose security config in pom and configuration classes	MemoryConnector.java MemoryConnectorFactory.java MemorySecurityModule.java MemorySecurityConfig.java TestMemorySecurityConfig.java
Add comprehensive unit and memory integration tests	Extend TestCreateMaterializedViewTask to cover SECURITY modes and legacy behavior Add MaterializedViewDefinition owner assertions in mock metadata Expand TestMemoryMaterializedViews with definer/invoker/ default modes, refresh and show-create cases	TestCreateMaterializedViewTask.java TestMemoryMaterializedViews.java MockMetadata changes

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[tdcmeehan]

@sourcery-ai review

[sourcery-ai]

Hey there - I've reviewed your changes and they look great!

Prompt for AI Agents

Please address the comments from this code review:

## Individual Comments

### Comment 1
<location> `presto-main-base/src/main/java/com/facebook/presto/sql/analyzer/StatementAnalyzer.java:884-885` </location>
<code_context>
+                querySession = session;
+            }
+            else {
+                checkState(isLegacyMaterializedViews(session) || view.getOwner().isPresent(),
+                        "Expected materialized view to have owner (DEFINER security) when legacy materialized views are disabled");
+                querySession = buildOwnerSession(session, view.getOwner(), metadata.getSessionPropertyManager(), viewName.getCatalogName(), view.getSchema());
+            }
+
</code_context>

<issue_to_address>
**suggestion:** The checkState message could be more actionable for debugging.

Include details like the view name or session information in the error message to make failures easier to diagnose.

```suggestion
                checkState(isLegacyMaterializedViews(session) || view.getOwner().isPresent(),
                        String.format(
                                "Expected materialized view '%s' to have owner (DEFINER security) when legacy materialized views are disabled. Session user: '%s', Catalog: '%s', Schema: '%s'",
                                viewName,
                                session.getUser(),
                                viewName.getCatalogName(),
                                view.getSchema()));
```
</issue_to_address>

### Comment 2
<location> `presto-main-base/src/main/java/com/facebook/presto/sql/analyzer/StatementAnalyzer.java:2360-2361` </location>
<code_context>
+                Identity queryIdentity;
+                AccessControl queryAccessControl;
+
+                if (owner.isPresent()) {
+                    queryIdentity = new Identity(owner.get(), Optional.empty(), session.getIdentity().getExtraCredentials());
+                    queryAccessControl = new ViewAccessControl(accessControl);
+                }
+                else {
</code_context>

<issue_to_address>
**suggestion:** ViewAccessControl is used only when owner is present; clarify rationale.

Consider adding a comment explaining why ViewAccessControl is only assigned when owner is present and how legacy mode affects this logic, to aid future maintainers.

```suggestion
                Identity queryIdentity;
                AccessControl queryAccessControl;

                // ViewAccessControl is only assigned when owner is present (definer rights).
                // In legacy mode, owner may be absent and invoker rights are used (no ViewAccessControl).
                // This ensures correct security semantics for materialized views depending on legacy mode and owner presence.
```
</issue_to_address>

### Comment 3
<location> `presto-main-base/src/main/java/com/facebook/presto/execution/CreateMaterializedViewTask.java:142-147` </location>
<code_context>

         MaterializedViewColumnMappingExtractor extractor = new MaterializedViewColumnMappingExtractor(analysis, session, metadata);
+
+        if (isLegacyMaterializedViews(session) && statement.getSecurity().isPresent()) {
+            throw new SemanticException(
+                    NOT_SUPPORTED,
+                    statement,
+                    "SECURITY clause is not supported when legacy_materialized_views is enabled");
+        }
+
</code_context>

<issue_to_address>
**suggestion:** Blocking use of SECURITY clause in legacy mode is appropriate, but error message could be more informative.

Including the rejected SECURITY clause value or relevant session details in the error message would make it clearer for users.

```suggestion
        if (isLegacyMaterializedViews(session) && statement.getSecurity().isPresent()) {
            String securityClause = statement.getSecurity().get().toString();
            String sessionInfo = session.getUser() + "@" + session.getSource();
            throw new SemanticException(
                    NOT_SUPPORTED,
                    statement,
                    String.format(
                        "SECURITY clause '%s' is not supported when legacy_materialized_views is enabled (session: %s)",
                        securityClause,
                        sessionInfo));
        }
```
</issue_to_address>

### Comment 4
<location> `presto-memory/src/test/java/com/facebook/presto/plugin/memory/TestMemoryMaterializedViews.java:677` </location>
<code_context>
+    }
+
+    @Test
+    public void testDefaultSecurityModeIsDefiner()
+    {
+        Session adminSession = createSessionForUser("admin");
</code_context>

<issue_to_address>
**suggestion (testing):** Missing test for explicit SECURITY clause precedence over default_view_security_mode.

Please add a test case where both are set to confirm the SECURITY clause overrides default_view_security_mode.
</issue_to_address>

### Comment 5
<location> `presto-memory/src/test/java/com/facebook/presto/plugin/memory/TestMemoryMaterializedViews.java:837` </location>
<code_context>
+    }
+
+    @Test
+    public void testAccessControlOnMaterializedViewObject()
+    {
+        Session adminSession = createSessionForUser("admin");
</code_context>

<issue_to_address>
**suggestion (testing):** Missing test for access control on materialized view with SECURITY INVOKER.

Please add a test for SECURITY INVOKER to verify correct access control enforcement on materialized views with INVOKER rights.

Suggested implementation:

```java
    @Test
    public void testAccessControlOnMaterializedViewSecurityInvoker()
    {
        Session adminSession = createSessionForUser("admin");
        Session restrictedSession = createSessionForUser("restricted_user");
        Session allowedSession = createSessionForUser("allowed_user");

        // Admin creates base table and grants SELECT to allowed_user only
        assertUpdate(adminSession, "CREATE TABLE secure_base_invoker (id BIGINT, secret VARCHAR, value BIGINT)");
        assertUpdate(adminSession, "INSERT INTO secure_base_invoker VALUES (1, 'confidential', 100), (2, 'classified', 200)", 2);
        assertUpdate(adminSession, "GRANT SELECT ON secure_base_invoker TO allowed_user");

        // Admin creates materialized view with SECURITY INVOKER
        assertUpdate(adminSession,
                "CREATE MATERIALIZED VIEW mv_invoker " +
                "SECURITY INVOKER AS " +
                "SELECT id, secret, value FROM secure_base_invoker");

        // allowed_user can query the view
        assertQuery(allowedSession, "SELECT * FROM mv_invoker", "VALUES (1, 'confidential', 100), (2, 'classified', 200)");

        // restricted_user cannot query the view due to lack of SELECT on base table
        assertQueryFails(restrictedSession, "SELECT * FROM mv_invoker", "Access Denied: Cannot select from table secure_base_invoker");

        // Cleanup
        assertUpdate(adminSession, "DROP MATERIALIZED VIEW mv_invoker");
        assertUpdate(adminSession, "DROP TABLE secure_base_invoker");
    }

        Session restrictedSession = createSessionForUser("restricted_user");

        assertUpdate(adminSession, "CREATE TABLE secure_base (id BIGINT, secret VARCHAR, value BIGINT)");
        assertUpdate(adminSession, "INSERT INTO secure_base VALUES (1, 'confidential', 100), (2, 'classified', 200)", 2);

        assertUpdate(adminSession,
                "CREATE MATERIALIZED VIEW mv_definer " +
                "SECURITY DEFINER AS " +
                "SELECT id, secret, value FROM secure_base");

```

You may need to ensure that the users "allowed_user" and "restricted_user" exist and have the correct privileges in your test setup. Adjust the user creation and privilege granting logic as needed to match your environment.
</issue_to_address>

### Comment 6
<location> `presto-main-base/src/test/java/com/facebook/presto/execution/TestCreateMaterializedViewTask.java:210` </location>
<code_context>
+    }
+
+    @Test
+    public void testCreateMaterializedViewWithDefaultDefinerSecurity()
+    {
+        SqlParser parser = new SqlParser();
</code_context>

<issue_to_address>
**suggestion (testing):** Missing test for invalid default_view_security_mode value.

Add a test to confirm that an invalid default_view_security_mode triggers the correct error, ensuring configuration validation works as intended.
</issue_to_address>

### Comment 7
<location> `presto-parser/src/test/java/com/facebook/presto/sql/parser/TestSqlParser.java:1786-1787` </location>
<code_context>

-        assertStatement("CREATE VIEW a SECURITY DEFINER AS SELECT * FROM t", new CreateView(QualifiedName.of("a"), query, false, Optional.of(CreateView.Security.DEFINER)));
-        assertStatement("CREATE VIEW a SECURITY INVOKER AS SELECT * FROM t", new CreateView(QualifiedName.of("a"), query, false, Optional.of(CreateView.Security.INVOKER)));
+        assertStatement("CREATE VIEW a SECURITY DEFINER AS SELECT * FROM t", new CreateView(QualifiedName.of("a"), query, false, Optional.of(DEFINER)));
+        assertStatement("CREATE VIEW a SECURITY INVOKER AS SELECT * FROM t", new CreateView(QualifiedName.of("a"), query, false, Optional.of(INVOKER)));

         assertStatement("CREATE VIEW bar.foo AS SELECT * FROM t", new CreateView(QualifiedName.of("bar", "foo"), query, false, Optional.empty()));
</code_context>

<issue_to_address>
**nitpick (testing):** Nitpick: Consider adding parser tests for materialized views with SECURITY clause.

Adding tests for CREATE MATERIALIZED VIEW with SECURITY DEFINER and SECURITY INVOKER would enhance test coverage and maintain consistency with existing view tests.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

suggestion: The checkState message could be more actionable for debugging.

Include details like the view name or session information in the error message to make failures easier to diagnose.

Suggested change

	checkState(isLegacyMaterializedViews(session) || view.getOwner().isPresent(),
	"Expected materialized view to have owner (DEFINER security) when legacy materialized views are disabled");
	checkState(isLegacyMaterializedViews(session) || view.getOwner().isPresent(),
	String.format(
	"Expected materialized view '%s' to have owner (DEFINER security) when legacy materialized views are disabled. Session user: '%s', Catalog: '%s', Schema: '%s'",
	viewName,
	session.getUser(),
	viewName.getCatalogName(),
	view.getSchema()));

[sourcery-ai]

suggestion: ViewAccessControl is used only when owner is present; clarify rationale.

Consider adding a comment explaining why ViewAccessControl is only assigned when owner is present and how legacy mode affects this logic, to aid future maintainers.

Suggested change

	Identity queryIdentity;
	AccessControl queryAccessControl;
	Identity queryIdentity;
	AccessControl queryAccessControl;
	// ViewAccessControl is only assigned when owner is present (definer rights).
	// In legacy mode, owner may be absent and invoker rights are used (no ViewAccessControl).
	// This ensures correct security semantics for materialized views depending on legacy mode and owner presence.

[sourcery-ai]

suggestion: Blocking use of SECURITY clause in legacy mode is appropriate, but error message could be more informative.

Including the rejected SECURITY clause value or relevant session details in the error message would make it clearer for users.

Suggested change

	if (isLegacyMaterializedViews(session) && statement.getSecurity().isPresent()) {
	throw new SemanticException(
	NOT_SUPPORTED,
	statement,
	"SECURITY clause is not supported when legacy_materialized_views is enabled");
	}
	if (isLegacyMaterializedViews(session) && statement.getSecurity().isPresent()) {
	String securityClause = statement.getSecurity().get().toString();
	String sessionInfo = session.getUser() + "@" + session.getSource();
	throw new SemanticException(
	NOT_SUPPORTED,
	statement,
	String.format(
	"SECURITY clause '%s' is not supported when legacy_materialized_views is enabled (session: %s)",
	securityClause,
	sessionInfo));
	}

[sourcery-ai]

suggestion (testing): Missing test for explicit SECURITY clause precedence over default_view_security_mode.

Please add a test case where both are set to confirm the SECURITY clause overrides default_view_security_mode.

[sourcery-ai]

suggestion (testing): Missing test for access control on materialized view with SECURITY INVOKER.

Please add a test for SECURITY INVOKER to verify correct access control enforcement on materialized views with INVOKER rights.

Suggested implementation:

    @Test
    public void testAccessControlOnMaterializedViewSecurityInvoker()
    {
        Session adminSession = createSessionForUser("admin");
        Session restrictedSession = createSessionForUser("restricted_user");
        Session allowedSession = createSessionForUser("allowed_user");

        // Admin creates base table and grants SELECT to allowed_user only
        assertUpdate(adminSession, "CREATE TABLE secure_base_invoker (id BIGINT, secret VARCHAR, value BIGINT)");
        assertUpdate(adminSession, "INSERT INTO secure_base_invoker VALUES (1, 'confidential', 100), (2, 'classified', 200)", 2);
        assertUpdate(adminSession, "GRANT SELECT ON secure_base_invoker TO allowed_user");

        // Admin creates materialized view with SECURITY INVOKER
        assertUpdate(adminSession,
                "CREATE MATERIALIZED VIEW mv_invoker " +
                "SECURITY INVOKER AS " +
                "SELECT id, secret, value FROM secure_base_invoker");

        // allowed_user can query the view
        assertQuery(allowedSession, "SELECT * FROM mv_invoker", "VALUES (1, 'confidential', 100), (2, 'classified', 200)");

        // restricted_user cannot query the view due to lack of SELECT on base table
        assertQueryFails(restrictedSession, "SELECT * FROM mv_invoker", "Access Denied: Cannot select from table secure_base_invoker");

        // Cleanup
        assertUpdate(adminSession, "DROP MATERIALIZED VIEW mv_invoker");
        assertUpdate(adminSession, "DROP TABLE secure_base_invoker");
    }

        Session restrictedSession = createSessionForUser("restricted_user");

        assertUpdate(adminSession, "CREATE TABLE secure_base (id BIGINT, secret VARCHAR, value BIGINT)");
        assertUpdate(adminSession, "INSERT INTO secure_base VALUES (1, 'confidential', 100), (2, 'classified', 200)", 2);

        assertUpdate(adminSession,
                "CREATE MATERIALIZED VIEW mv_definer " +
                "SECURITY DEFINER AS " +
                "SELECT id, secret, value FROM secure_base");

You may need to ensure that the users "allowed_user" and "restricted_user" exist and have the correct privileges in your test setup. Adjust the user creation and privilege granting logic as needed to match your environment.

[sourcery-ai]

suggestion (testing): Missing test for invalid default_view_security_mode value.

Add a test to confirm that an invalid default_view_security_mode triggers the correct error, ensuring configuration validation works as intended.

[sourcery-ai]

nitpick (testing): Nitpick: Consider adding parser tests for materialized views with SECURITY clause.

Adding tests for CREATE MATERIALIZED VIEW with SECURITY DEFINER and SECURITY INVOKER would enhance test coverage and maintain consistency with existing view tests.