prestodb · kevintang2022 · May 5, 2025 · Apr 23, 2025
@@ -32,13 +32,11 @@
 import com.facebook.presto.server.SessionSupplier;
 import com.facebook.presto.spi.PrestoException;
 import com.facebook.presto.spi.QueryId;
-import com.facebook.presto.spi.WarningCollector;
 import com.facebook.presto.spi.analyzer.AnalyzerOptions;
 import com.facebook.presto.spi.analyzer.QueryPreparerProvider;
 import com.facebook.presto.spi.resourceGroups.SelectionContext;
 import com.facebook.presto.spi.resourceGroups.SelectionCriteria;
 import com.facebook.presto.spi.security.AccessControl;
-import com.facebook.presto.spi.security.AccessControlContext;
 import com.facebook.presto.sql.analyzer.QueryPreparerProviderManager;
 import com.facebook.presto.transaction.TransactionManager;
 import com.google.common.util.concurrent.AbstractFuture;
@@ -273,18 +271,6 @@ private <C> void createQueryInternal(QueryId queryId, String slug, int retryCoun
 
             // decode session
             sessionBuilder = sessionSupplier.createSessionBuilder(queryId, sessionContext, warningCollectorFactory);
-
-            AccessControlContext accessControlContext = new AccessControlContext(
-                    queryId,
-                    Optional.ofNullable(sessionContext.getClientInfo()),
-                    sessionContext.getClientTags(),
-                    Optional.ofNullable(sessionContext.getSource()),
-                    WarningCollector.NOOP,
-                    sessionContext.getRuntimeStats(),
-                    Optional.empty(),
-                    Optional.ofNullable(sessionContext.getCatalog()),
-                    Optional.ofNullable(sessionContext.getSchema()));
-
             session = sessionBuilder.build();
 
             // prepare query

@@ -22,8 +22,10 @@
 import com.facebook.presto.spi.CatalogSchemaTableName;
 import com.facebook.presto.spi.ColumnMetadata;
 import com.facebook.presto.spi.ConnectorId;
+import com.facebook.presto.spi.MaterializedViewDefinition;
 import com.facebook.presto.spi.PrestoException;
 import com.facebook.presto.spi.SchemaTableName;
+import com.facebook.presto.spi.analyzer.ViewDefinition;
 import com.facebook.presto.spi.connector.ConnectorAccessControl;
 import com.facebook.presto.spi.connector.ConnectorTransactionHandle;
 import com.facebook.presto.spi.security.AccessControl;
@@ -182,12 +184,12 @@ public AuthorizedIdentity selectAuthorizedIdentity(Identity identity, AccessCont
     }
 
     @Override
-    public void checkQueryIntegrity(Identity identity, AccessControlContext context, String query)
+    public void checkQueryIntegrity(Identity identity, AccessControlContext context, String query, Map<QualifiedObjectName, ViewDefinition> viewDefinitions, Map<QualifiedObjectName, MaterializedViewDefinition> materializedViewDefinitions)
     {
         requireNonNull(identity, "identity is null");
         requireNonNull(query, "query is null");
 
-        authenticationCheck(() -> systemAccessControl.get().checkQueryIntegrity(identity, context, query));
+        authenticationCheck(() -> systemAccessControl.get().checkQueryIntegrity(identity, context, query, viewDefinitions, materializedViewDefinitions));
     }
 
     @Override
@@ -945,7 +947,7 @@ private static class InitializingSystemAccessControl
             implements SystemAccessControl
     {
         @Override
-        public void checkQueryIntegrity(Identity identity, AccessControlContext context, String query)
+        public void checkQueryIntegrity(Identity identity, AccessControlContext context, String query, Map<QualifiedObjectName, ViewDefinition> viewDefinitions, Map<QualifiedObjectName, MaterializedViewDefinition> materializedViewDefinitions)
         {
             throw new PrestoException(SERVER_STARTING_UP, "Presto server is still initializing");
         }

@@ -14,9 +14,12 @@
 package com.facebook.presto.security;
 
 import com.facebook.presto.common.CatalogSchemaName;
+import com.facebook.presto.common.QualifiedObjectName;
 import com.facebook.presto.spi.CatalogSchemaTableName;
 import com.facebook.presto.spi.ColumnMetadata;
+import com.facebook.presto.spi.MaterializedViewDefinition;
 import com.facebook.presto.spi.SchemaTableName;
+import com.facebook.presto.spi.analyzer.ViewDefinition;
 import com.facebook.presto.spi.security.AccessControlContext;
 import com.facebook.presto.spi.security.AuthorizedIdentity;
 import com.facebook.presto.spi.security.Identity;
@@ -64,7 +67,7 @@ public SystemAccessControl create(Map<String, String> config)
     }
 
     @Override
-    public void checkQueryIntegrity(Identity identity, AccessControlContext context, String query)
+    public void checkQueryIntegrity(Identity identity, AccessControlContext context, String query, Map<QualifiedObjectName, ViewDefinition> viewDefinitions, Map<QualifiedObjectName, MaterializedViewDefinition> materializedViewDefinitions)
     {
     }
 

@@ -15,13 +15,16 @@
 
 import com.facebook.airlift.log.Logger;
 import com.facebook.presto.common.CatalogSchemaName;
+import com.facebook.presto.common.QualifiedObjectName;
 import com.facebook.presto.plugin.base.security.ForwardingSystemAccessControl;
 import com.facebook.presto.plugin.base.security.SchemaAccessControlRule;
 import com.facebook.presto.security.CatalogAccessControlRule.AccessMode;
 import com.facebook.presto.spi.CatalogSchemaTableName;
 import com.facebook.presto.spi.ColumnMetadata;
+import com.facebook.presto.spi.MaterializedViewDefinition;
 import com.facebook.presto.spi.PrestoException;
 import com.facebook.presto.spi.SchemaTableName;
+import com.facebook.presto.spi.analyzer.ViewDefinition;
 import com.facebook.presto.spi.security.AccessControlContext;
 import com.facebook.presto.spi.security.AuthorizedIdentity;
 import com.facebook.presto.spi.security.Identity;
@@ -198,7 +201,7 @@ public AuthorizedIdentity selectAuthorizedIdentity(Identity identity, AccessCont
     }
 
     @Override
-    public void checkQueryIntegrity(Identity identity, AccessControlContext context, String query)
+    public void checkQueryIntegrity(Identity identity, AccessControlContext context, String query, Map<QualifiedObjectName, ViewDefinition> viewDefinitions, Map<QualifiedObjectName, MaterializedViewDefinition> materializedViewDefinitions)
     {
     }
 

@@ -14,8 +14,11 @@
 package com.facebook.presto.security;
 
 import com.facebook.presto.common.CatalogSchemaName;
+import com.facebook.presto.common.QualifiedObjectName;
 import com.facebook.presto.spi.CatalogSchemaTableName;
+import com.facebook.presto.spi.MaterializedViewDefinition;
 import com.facebook.presto.spi.SchemaTableName;
+import com.facebook.presto.spi.analyzer.ViewDefinition;
 import com.facebook.presto.spi.security.AccessControlContext;
 import com.facebook.presto.spi.security.Identity;
 import com.facebook.presto.spi.security.SystemAccessControl;
@@ -60,7 +63,7 @@ public void checkCanSetUser(Identity identity, AccessControlContext context, Opt
     }
 
     @Override
-    public void checkQueryIntegrity(Identity identity, AccessControlContext context, String query)
+    public void checkQueryIntegrity(Identity identity, AccessControlContext context, String query, Map<QualifiedObjectName, ViewDefinition> viewDefinitions, Map<QualifiedObjectName, MaterializedViewDefinition> materializedViewDefinitions)
     {
     }
 

@@ -1530,6 +1530,8 @@ private Scope processView(Table table, Optional<Scope> scope, QualifiedObjectNam
             }
             ViewDefinition view = optionalView.get();
 
+            analysis.getAccessControlReferences().addViewDefinitionReference(name, view);
+
             Query query = parseView(view.getOriginalSql(), name, table);
 
             analysis.registerNamedQuery(table, query, true);
@@ -1568,6 +1570,8 @@ private Scope processMaterializedView(
         {
             MaterializedViewPlanValidator.validate((Query) sqlParser.createStatement(materializedViewDefinition.getOriginalSql(), createParsingOptions(session, warningCollector)));
 
+            analysis.getAccessControlReferences().addMaterializedViewDefinitionReference(materializedViewName, materializedViewDefinition);
+
             analysis.registerMaterializedViewForAnalysis(materializedViewName, materializedView, materializedViewDefinition.getOriginalSql());
             String newSql = getMaterializedViewSQL(materializedView, materializedViewName, materializedViewDefinition, scope);
 

@@ -16,6 +16,7 @@
 import com.facebook.presto.Session;
 import com.facebook.presto.common.QualifiedObjectName;
 import com.facebook.presto.common.transaction.TransactionId;
+import com.facebook.presto.spi.MaterializedViewDefinition;
 import com.facebook.presto.spi.PrestoWarning;
 import com.facebook.presto.spi.VariableAllocator;
 import com.facebook.presto.spi.WarningCollector;
@@ -25,13 +26,15 @@
 import com.facebook.presto.spi.analyzer.AnalyzerOptions;
 import com.facebook.presto.spi.analyzer.MetadataResolver;
 import com.facebook.presto.spi.analyzer.QueryAnalyzer;
+import com.facebook.presto.spi.analyzer.ViewDefinition;
 import com.facebook.presto.spi.plan.PlanNodeIdAllocator;
 import com.facebook.presto.spi.security.AccessControl;
 import com.facebook.presto.spi.security.AccessControlContext;
 import com.facebook.presto.spi.security.Identity;
 import com.facebook.presto.sql.analyzer.BuiltInQueryAnalyzer;
 import com.facebook.presto.sql.parser.ParsingOptions;
 
+import java.util.Map;
 import java.util.Optional;
 
 import static com.facebook.presto.SystemSessionProperties.getWarningHandlingLevel;
@@ -114,7 +117,10 @@ private static void checkAccessPermissionsForQuery(AccessControlReferences acces
             AccessControl queryAccessControl = queryAccessControlInfo.getAccessControl();
             Identity identity = queryAccessControlInfo.getIdentity();
             AccessControlContext queryAccessControlContext = queryAccessControlInfo.getAccessControlContext();
-            queryAccessControl.checkQueryIntegrity(identity, queryAccessControlContext, query);
+            Map<QualifiedObjectName, ViewDefinition> viewDefinitionMap = accessControlReferences.getViewDefinitions();
+            Map<QualifiedObjectName, MaterializedViewDefinition> materializedViewDefinitionMap = accessControlReferences.getMaterializedViewDefinitions();
+
+            queryAccessControl.checkQueryIntegrity(identity, queryAccessControlContext, query, viewDefinitionMap, materializedViewDefinitionMap);
         }
     }
 

@@ -26,10 +26,12 @@
 import com.facebook.presto.spi.CatalogSchemaTableName;
 import com.facebook.presto.spi.ColumnMetadata;
 import com.facebook.presto.spi.ConnectorId;
+import com.facebook.presto.spi.MaterializedViewDefinition;
 import com.facebook.presto.spi.PrestoException;
 import com.facebook.presto.spi.QueryId;
 import com.facebook.presto.spi.SchemaTableName;
 import com.facebook.presto.spi.WarningCollector;
+import com.facebook.presto.spi.analyzer.ViewDefinition;
 import com.facebook.presto.spi.connector.Connector;
 import com.facebook.presto.spi.connector.ConnectorAccessControl;
 import com.facebook.presto.spi.connector.ConnectorTransactionHandle;
@@ -171,6 +173,8 @@ public void testCheckQueryIntegrity()
         accessControlManager.addSystemAccessControlFactory(accessControlFactory);
         accessControlManager.setSystemAccessControl("test", ImmutableMap.of());
         String testQuery = "test_query";
+        Map<QualifiedObjectName, ViewDefinition> viewDefinitions = ImmutableMap.of();
+        Map<QualifiedObjectName, MaterializedViewDefinition> materializedViewDefinitions = ImmutableMap.of();
 
         accessControlManager.checkQueryIntegrity(
                 new Identity(
@@ -182,7 +186,9 @@ public void testCheckQueryIntegrity()
                         Optional.empty(),
                         Optional.empty()),
                 context,
-                testQuery);
+                testQuery,
+                viewDefinitions,
+                materializedViewDefinitions);
         assertEquals(accessControlFactory.getCheckedUserName(), USER_NAME);
         assertEquals(accessControlFactory.getCheckedPrincipal(), Optional.of(PRINCIPAL));
         assertEquals(accessControlFactory.getCheckedQuery(), testQuery);
@@ -199,7 +205,9 @@ public void testCheckQueryIntegrity()
                                 Optional.empty(),
                                 Optional.empty()),
                         context,
-                        testQuery));
+                        testQuery,
+                        viewDefinitions,
+                        materializedViewDefinitions));
     }
 
     @Test
@@ -298,7 +306,7 @@ public void checkCanSetUser(Identity identity, AccessControlContext context, Opt
                     }
 
                     @Override
-                    public void checkQueryIntegrity(Identity identity, AccessControlContext context, String query)
+                    public void checkQueryIntegrity(Identity identity, AccessControlContext context, String query, Map<QualifiedObjectName, ViewDefinition> viewDefinitions, Map<QualifiedObjectName, MaterializedViewDefinition> materializedViewDefinitionMap)
                     {
                     }
 
@@ -369,6 +377,8 @@ private static class TestSystemAccessControlFactory
         private Optional<Principal> checkedPrincipal;
         private String checkedUserName;
         private String checkedQuery;
+        private Map<QualifiedObjectName, ViewDefinition> checkedViewDefinitions;
+        private Map<QualifiedObjectName, MaterializedViewDefinition> checkedMaterializedViewDefinitions;
 
         public TestSystemAccessControlFactory(String name)
         {
@@ -410,14 +420,16 @@ public void checkCanSetUser(Identity identity, AccessControlContext context, Opt
                 }
 
                 @Override
-                public void checkQueryIntegrity(Identity identity, AccessControlContext context, String query)
+                public void checkQueryIntegrity(Identity identity, AccessControlContext context, String query, Map<QualifiedObjectName, ViewDefinition> viewDefinitions, Map<QualifiedObjectName, MaterializedViewDefinition> materializedViewDefinitions)
                 {
                     if (!query.equals(identity.getExtraCredentials().get(QUERY_TOKEN_FIELD))) {
                         denyQueryIntegrityCheck();
                     }
                     checkedUserName = identity.getUser();
                     checkedPrincipal = identity.getPrincipal();
                     checkedQuery = query;
+                    checkedViewDefinitions = viewDefinitions;
+                    checkedMaterializedViewDefinitions = materializedViewDefinitions;
                 }
 
                 @Override

@@ -14,9 +14,12 @@
 package com.facebook.presto.plugin.base.security;
 
 import com.facebook.presto.common.CatalogSchemaName;
+import com.facebook.presto.common.QualifiedObjectName;
 import com.facebook.presto.spi.CatalogSchemaTableName;
 import com.facebook.presto.spi.ColumnMetadata;
+import com.facebook.presto.spi.MaterializedViewDefinition;
 import com.facebook.presto.spi.SchemaTableName;
+import com.facebook.presto.spi.analyzer.ViewDefinition;
 import com.facebook.presto.spi.security.AccessControlContext;
 import com.facebook.presto.spi.security.AuthorizedIdentity;
 import com.facebook.presto.spi.security.Identity;
@@ -66,9 +69,9 @@ public AuthorizedIdentity selectAuthorizedIdentity(Identity identity, AccessCont
     }
 
     @Override
-    public void checkQueryIntegrity(Identity identity, AccessControlContext context, String query)
+    public void checkQueryIntegrity(Identity identity, AccessControlContext context, String query, Map<QualifiedObjectName, ViewDefinition> viewDefinitions, Map<QualifiedObjectName, MaterializedViewDefinition> materializedViewDefinitions)
     {
-        delegate().checkQueryIntegrity(identity, context, query);
+        delegate().checkQueryIntegrity(identity, context, query, viewDefinitions, materializedViewDefinitions);
     }
 
     @Override

@@ -15,6 +15,7 @@
 
 import com.facebook.presto.common.QualifiedObjectName;
 import com.facebook.presto.common.Subfield;
+import com.facebook.presto.spi.MaterializedViewDefinition;
 
 import java.util.LinkedHashMap;
 import java.util.LinkedHashSet;
@@ -29,11 +30,15 @@ public class AccessControlReferences
     private final Map<AccessControlRole, Set<AccessControlInfoForTable>> tableReferences;
     private final Map<AccessControlInfo, Map<QualifiedObjectName, Set<Subfield>>> tableColumnAndSubfieldReferencesForAccessControl;
     private AccessControlInfo queryAccessControlInfo;
+    private final Map<QualifiedObjectName, ViewDefinition> viewDefinitions;
+    private final Map<QualifiedObjectName, MaterializedViewDefinition> materializedViewDefinitions;
 
     public AccessControlReferences()
     {
         tableReferences = new LinkedHashMap<>();
         tableColumnAndSubfieldReferencesForAccessControl = new LinkedHashMap<>();
+        viewDefinitions = new LinkedHashMap<>();
+        materializedViewDefinitions = new LinkedHashMap<>();
     }
 
     public Map<AccessControlRole, Set<AccessControlInfoForTable>> getTableReferences()
@@ -67,4 +72,24 @@ public AccessControlInfo getQueryAccessControlInfo()
     {
         return queryAccessControlInfo;
     }
+
+    public void addViewDefinitionReference(QualifiedObjectName viewDefinitionName, ViewDefinition viewDefinition)
+    {
+        viewDefinitions.put(viewDefinitionName, viewDefinition);
+    }
+
+    public void addMaterializedViewDefinitionReference(QualifiedObjectName viewDefinitionName, MaterializedViewDefinition materializedViewDefinition)
+    {
+        materializedViewDefinitions.put(viewDefinitionName, materializedViewDefinition);
+    }
+
+    public Map<QualifiedObjectName, ViewDefinition> getViewDefinitions()
+    {
+        return unmodifiableMap(new LinkedHashMap<>(viewDefinitions));
+    }
+
+    public Map<QualifiedObjectName, MaterializedViewDefinition> getMaterializedViewDefinitions()
+    {
+        return unmodifiableMap(new LinkedHashMap<>(materializedViewDefinitions));
+    }
 }
@@ -18,7 +18,9 @@
 import com.facebook.presto.common.Subfield;
 import com.facebook.presto.common.transaction.TransactionId;
 import com.facebook.presto.spi.ColumnMetadata;
+import com.facebook.presto.spi.MaterializedViewDefinition;
 import com.facebook.presto.spi.SchemaTableName;
+import com.facebook.presto.spi.analyzer.ViewDefinition;
 
 import java.security.Principal;
 import java.security.cert.X509Certificate;
@@ -46,7 +48,7 @@ default AuthorizedIdentity selectAuthorizedIdentity(Identity identity, AccessCon
      * Check if the query is unexpectedly modified using the credentials passed in the identity.
      * @throws com.facebook.presto.spi.security.AccessDeniedException if query is modified.
      */
-    void checkQueryIntegrity(Identity identity, AccessControlContext context, String query);
+    void checkQueryIntegrity(Identity identity, AccessControlContext context, String query, Map<QualifiedObjectName, ViewDefinition> viewDefinitions, Map<QualifiedObjectName, MaterializedViewDefinition> materializedViewDefinitions);
 
     /**
      * Filter the list of catalogs to those visible to the identity.

@@ -17,7 +17,9 @@
 import com.facebook.presto.common.QualifiedObjectName;
 import com.facebook.presto.common.Subfield;
 import com.facebook.presto.common.transaction.TransactionId;
+import com.facebook.presto.spi.MaterializedViewDefinition;
 import com.facebook.presto.spi.SchemaTableName;
+import com.facebook.presto.spi.analyzer.ViewDefinition;
 
 import java.security.Principal;
 import java.util.Map;
@@ -33,7 +35,7 @@ public void checkCanSetUser(Identity identity, AccessControlContext context, Opt
     }
 
     @Override
-    public void checkQueryIntegrity(Identity identity, AccessControlContext context, String query)
+    public void checkQueryIntegrity(Identity identity, AccessControlContext context, String query, Map<QualifiedObjectName, ViewDefinition> viewDefinitions, Map<QualifiedObjectName, MaterializedViewDefinition> materializedViewDefinitions)
     {
     }