Rules.json for file-based access control can't allow only single tables. #25857

Open
meneizs opened this issue May 24, 2025 · 1 comment
Labels
bug Something isn't working

Comments


meneizs commented May 24, 2025

I'm using Trino 465 in a k8s cluster, and the access control is working fine. But when I try to allow a user XPTO read-only access to a single table, my whole set of rules stops working.

# This works:
  rules:
    rules.json: |-
      {
        "catalogs": [
          {
            "user": "nelson.neto",
            "catalog": ".*",
            "allow": "all"
          },
          {
            "group": "datalake-trino-users",
            "catalog": "lakehouse",
            "allow": "read-only"
          }
        ]
      }


# This doesn't work:
  rules:
    rules.json: |-
      {
        "catalogs": [
          {
            "user": "nelson.neto",
            "catalog": ".*",
            "allow": "all"
          },
          {
            "group": "datalake-trino-users",
            "catalog": "lakehouse",
            "allow": "read-only"
          }
        ],
        "tables": [
          {
            "catalog": "lakehouse",
            "schema": "ani",
            "table": "hst_etapas_workflow",
            "user": "XPTO",
            "privileges": [
              "SELECT" 
            ]
          }
        ]
      }

This also happens when I remove the catalogs rules and set only tables rules: when I pass ".*" it works well, but when I specify the catalog/schema/table it doesn't work.

Example:

# This works: 
  rules:
    rules.json: |-
      {
        "tables": [
          {
            "catalog": ".*",
            "schema": ".*",
            "table": ".*",
            "user": "nelson.neto",
            "privileges": ["SELECT"]
          }
        ]
      }

# This doesn't work: 
  rules:
    rules.json: |-
      {
        "tables": [
          {
            "catalog": "lakehouse",
            "schema": ".*",
            "table": ".*",
            "user": "nelson.neto",
            "privileges": ["SELECT"]
          }
        ]
      }

The second rule gives me:

SQL Error [4]: Query failed (#20250524_012011_00020_q8qtq): Access Denied: Cannot select from table system.jdbc.tables
  Query failed (#20250524_012011_00020_q8qtq): Access Denied: Cannot select from table system.jdbc.tables
  Query failed (#20250524_012011_00020_q8qtq): Access Denied: Cannot select from table system.jdbc.tables
    io.trino.spi.security.AccessDeniedException: Access Denied: Cannot select from table system.jdbc.tables
    Access Denied: Cannot select from table system.jdbc.tables
kumiDa added the bug label May 26, 2025

xhuynx commented Jun 5, 2025

In catalogs, you should add:

      {
        "user": "XPTO",
        "catalog": "lakehouse",
        "allow": "read-only"
      },
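Editor's note: the behaviour in both of the reporter's experiments follows from how Trino's file-based access control evaluates rules.json. Rules in a section are tried top to bottom and the first match wins; if a section is present and nothing matches, access is denied; if a section is absent, it imposes no restriction. So once a `tables` section exists, every user needs a matching table rule (which is why nelson.neto's access disappeared in the second config), a user needs a matching catalog rule before any table rule is consulted (xhuynx's fix for XPTO), and a table rule scoped to `lakehouse` cannot match the `system.jdbc.tables` metadata query the JDBC client issues, which is the exact error shown above. The following is an added example written by the editor, not code from Trino or from anyone in this thread: a small model of those semantics run over constructed copies of the reporter's rule files and over a corrected rule set. The corrected set, including the extra rules for the `system` catalog and the catch-all table rule for nelson.neto, is the editor's proposal and an assumption about what the deployment needs, not something stated in the thread.

```python
"""Editor's model of Trino file-based access control rule evaluation.

Not Trino's implementation: it mirrors the documented semantics of the
"catalogs" and "tables" sections of rules.json (first match wins; a present
section with no match denies; an absent section does not restrict; each key
is a regex that must match the whole name and an omitted key matches anything).
"""
import json
import re

ALL_TABLE_PRIVILEGES = {"SELECT", "INSERT", "DELETE", "UPDATE", "OWNERSHIP", "GRANT_SELECT"}


def _matches(pattern, value):
    # Omitted pattern matches anything; otherwise the whole name must match.
    return pattern is None or re.fullmatch(pattern, value) is not None


def _principal_matches(rule, user, groups):
    # "user" and "group" must both hold when present in the same rule.
    if not _matches(rule.get("user"), user):
        return False
    if "group" in rule and not any(re.fullmatch(rule["group"], g) for g in groups):
        return False
    return True


def catalog_access(rules, user, groups, catalog):
    """Return 'all', 'read-only' or 'none' for the catalog (first match wins)."""
    catalog_rules = rules.get("catalogs")
    if catalog_rules is None:
        return "all"  # no catalogs section: every catalog is reachable
    for rule in catalog_rules:
        if _principal_matches(rule, user, groups) and _matches(rule.get("catalog"), catalog):
            return rule["allow"]
    return "none"


def table_privileges(rules, user, groups, catalog, schema, table):
    """Return the privileges granted by the first matching table rule."""
    table_rules = rules.get("tables")
    if table_rules is None:
        return set(ALL_TABLE_PRIVILEGES)  # no tables section: unrestricted
    for rule in table_rules:
        if (_principal_matches(rule, user, groups)
                and _matches(rule.get("catalog"), catalog)
                and _matches(rule.get("schema"), schema)
                and _matches(rule.get("table"), table)):
            return set(rule.get("privileges", []))
    return set()  # tables section present but nothing matched: deny


def check_select(rules, user, groups, catalog, schema, table):
    """Return (allowed, reason). SELECT needs catalog access plus the SELECT privilege."""
    fq = f"{catalog}.{schema}.{table}"
    access = catalog_access(rules, user, groups, catalog)
    if access == "none":
        return False, f"{user}: no catalog rule matches '{catalog}'"
    if "SELECT" not in table_privileges(rules, user, groups, catalog, schema, table):
        return False, f"{user}: no table rule grants SELECT on {fq}"
    return True, f"{user}: SELECT on {fq} allowed (catalog access: {access})"


def can_select(rules, user, groups, catalog, schema, table):
    return check_select(rules, user, groups, catalog, schema, table)[0]


# Constructed copy of the reporter's second rules.json ("This doesn't work").
REPORTED_RULES = json.loads("""{
  "catalogs": [
    {"user": "nelson.neto", "catalog": ".*", "allow": "all"},
    {"group": "datalake-trino-users", "catalog": "lakehouse", "allow": "read-only"}],
  "tables": [
    {"catalog": "lakehouse", "schema": "ani", "table": "hst_etapas_workflow",
     "user": "XPTO", "privileges": ["SELECT"]}]}""")

# Constructed copy of the reporter's fourth rules.json (tables only, scoped to lakehouse).
TABLES_ONLY_RULES = json.loads("""{
  "tables": [
    {"catalog": "lakehouse", "schema": ".*", "table": ".*",
     "user": "nelson.neto", "privileges": ["SELECT"]}]}""")

# Editor's proposed fix (assumption): XPTO gets catalog rules (the one from the
# thread plus "system"), nelson.neto keeps full table access now that a tables
# section exists, and XPTO may read system.jdbc for JDBC metadata queries.
FIXED_RULES = json.loads("""{
  "catalogs": [
    {"user": "nelson.neto", "catalog": ".*", "allow": "all"},
    {"user": "XPTO", "catalog": "lakehouse", "allow": "read-only"},
    {"user": "XPTO", "catalog": "system", "allow": "read-only"},
    {"group": "datalake-trino-users", "catalog": "lakehouse", "allow": "read-only"}],
  "tables": [
    {"user": "nelson.neto", "privileges": ["SELECT", "INSERT", "DELETE", "UPDATE", "OWNERSHIP"]},
    {"catalog": "lakehouse", "schema": "ani", "table": "hst_etapas_workflow",
     "user": "XPTO", "privileges": ["SELECT"]},
    {"catalog": "system", "schema": "jdbc", "user": "XPTO", "privileges": ["SELECT"]}]}""")

if __name__ == "__main__":
    for rules, user, cat, sch, tbl in [
        (REPORTED_RULES, "XPTO", "lakehouse", "ani", "hst_etapas_workflow"),
        (REPORTED_RULES, "nelson.neto", "lakehouse", "ani", "hst_etapas_workflow"),
        (TABLES_ONLY_RULES, "nelson.neto", "system", "jdbc", "tables"),
        (FIXED_RULES, "XPTO", "system", "jdbc", "tables"),
        (FIXED_RULES, "XPTO", "lakehouse", "ani", "other_table"),
    ]:
        print(check_select(rules, user, [], cat, sch, tbl)[1])
```

Two points worth checking against a real deployment before relying on this model: the JDBC metadata query that failed in the report reads `system.jdbc.tables`, so any table rule set narrower than `".*"` for the catalog must be paired with rules that let the client reach the `system` catalog, and a rule set with a `tables` section must give every intended user at least one matching row, because the scoped rule that only names XPTO silently locks out everyone else.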
