Remove deprecated getColumnMask

Author: wendigo

core/trino-main/src/main/java/io/trino/security/InjectedConnectorAccessControl.java

@@ -29,7 +29,6 @@
 import io.trino.spi.security.Privilege;
 import io.trino.spi.security.TrinoPrincipal;
 import io.trino.spi.security.ViewExpression;
-import io.trino.spi.type.Type;
 
 import java.util.List;
 import java.util.Map;
@@ -574,17 +573,6 @@ public List<ViewExpression> getRowFilters(ConnectorSecurityContext context, Sche
         throw new TrinoException(NOT_SUPPORTED, "Row filtering not supported");
     }
 
-    @Override
-    public Optional<ViewExpression> getColumnMask(ConnectorSecurityContext context, SchemaTableName tableName, String columnName, Type type)
-    {
-        checkArgument(context == null, "context must be null");
-        ColumnSchema column = ColumnSchema.builder().setName(columnName).setType(type).build();
-        if (accessControl.getColumnMasks(securityContext, new QualifiedObjectName(catalogName, tableName.getSchemaName(), tableName.getTableName()), ImmutableList.of(column)).containsKey(column)) {
-            return Optional.empty();
-        }
-        throw new TrinoException(NOT_SUPPORTED, "Column masking not supported");
-    }
-
     @Override
     public Map<ColumnSchema, ViewExpression> getColumnMasks(ConnectorSecurityContext context, SchemaTableName tableName, List<ColumnSchema> columns)
     {

core/trino-spi/src/main/java/io/trino/spi/connector/ConnectorAccessControl.java

@@ -18,13 +18,11 @@
 import io.trino.spi.security.Privilege;
 import io.trino.spi.security.TrinoPrincipal;
 import io.trino.spi.security.ViewExpression;
-import io.trino.spi.type.Type;
 
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
-import java.util.stream.Collectors;
 
 import static io.trino.spi.security.AccessDeniedException.denyAddColumn;
 import static io.trino.spi.security.AccessDeniedException.denyAlterColumn;
@@ -794,21 +792,6 @@ default List<ViewExpression> getRowFilters(ConnectorSecurityContext context, Sch
         return emptyList();
     }
 
-    /**
-     * Get column mask associated with the given table, column and identity.
-     * <p>
-     * The mask must be a scalar SQL expression of a type coercible to the type of the column being masked. The expression
-     * must be written in terms of columns in the table.
-     *
-     * @return the mask if present, or empty if not applicable
-     * @deprecated use {@link #getColumnMasks(ConnectorSecurityContext, SchemaTableName, List)}
-     */
-    @Deprecated
-    default Optional<ViewExpression> getColumnMask(ConnectorSecurityContext context, SchemaTableName tableName, String columnName, Type type)
-    {
-        return Optional.empty();
-    }
-
     /**
      * Bulk method for getting column masks for a subset of columns in a table.
      * <p>
@@ -819,9 +802,6 @@ default Optional<ViewExpression> getColumnMask(ConnectorSecurityContext context,
      */
     default Map<ColumnSchema, ViewExpression> getColumnMasks(ConnectorSecurityContext context, SchemaTableName tableName, List<ColumnSchema> columns)
     {
-        return columns.stream()
-                .map(column -> Map.entry(column, getColumnMask(context, tableName, column.getName(), column.getType())))
-                .filter(entry -> entry.getValue().isPresent())
-                .collect(Collectors.toMap(Map.Entry::getKey, entry -> entry.getValue().get()));
+        return emptyMap();
     }
 }

lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/classloader/ClassLoaderSafeConnectorAccessControl.java

@@ -24,7 +24,6 @@
 import io.trino.spi.security.Privilege;
 import io.trino.spi.security.TrinoPrincipal;
 import io.trino.spi.security.ViewExpression;
-import io.trino.spi.type.Type;
 
 import java.util.List;
 import java.util.Map;
@@ -638,14 +637,6 @@ public List<ViewExpression> getRowFilters(ConnectorSecurityContext context, Sche
         }
     }
 
-    @Override
-    public Optional<ViewExpression> getColumnMask(ConnectorSecurityContext context, SchemaTableName tableName, String columnName, Type type)
-    {
-        try (ThreadContextClassLoader _ = new ThreadContextClassLoader(classLoader)) {
-            return delegate.getColumnMask(context, tableName, columnName, type);
-        }
-    }
-
     @Override
     public Map<ColumnSchema, ViewExpression> getColumnMasks(ConnectorSecurityContext context, SchemaTableName tableName, List<ColumnSchema> columns)
     {

lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/AllowAllAccessControl.java

@@ -24,7 +24,6 @@
 import io.trino.spi.security.Privilege;
 import io.trino.spi.security.TrinoPrincipal;
 import io.trino.spi.security.ViewExpression;
-import io.trino.spi.type.Type;
 
 import java.util.List;
 import java.util.Map;
@@ -274,12 +273,6 @@ public List<ViewExpression> getRowFilters(ConnectorSecurityContext context, Sche
         return ImmutableList.of();
     }
 
-    @Override
-    public Optional<ViewExpression> getColumnMask(ConnectorSecurityContext context, SchemaTableName tableName, String columnName, Type type)
-    {
-        return Optional.empty();
-    }
-
     @Override
     public Map<ColumnSchema, ViewExpression> getColumnMasks(ConnectorSecurityContext context, SchemaTableName tableName, List<ColumnSchema> columns)
     {

lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedAccessControl.java

@@ -30,7 +30,6 @@
 import io.trino.spi.security.Privilege;
 import io.trino.spi.security.TrinoPrincipal;
 import io.trino.spi.security.ViewExpression;
-import io.trino.spi.type.Type;
 
 import java.util.List;
 import java.util.Map;
@@ -111,7 +110,6 @@
 import static io.trino.spi.security.AccessDeniedException.denyShowTables;
 import static io.trino.spi.security.AccessDeniedException.denyTruncateTable;
 import static io.trino.spi.security.AccessDeniedException.denyUpdateTableColumns;
-import static java.lang.String.format;
 
 public class FileBasedAccessControl
         implements ConnectorAccessControl
@@ -807,30 +805,6 @@ public List<ViewExpression> getRowFilters(ConnectorSecurityContext context, Sche
                 .collect(toImmutableList());
     }
 
-    @Override
-    public Optional<ViewExpression> getColumnMask(ConnectorSecurityContext context, SchemaTableName tableName, String columnName, Type type)
-    {
-        if (INFORMATION_SCHEMA_NAME.equals(tableName.getSchemaName())) {
-            return Optional.empty();
-        }
-
-        ConnectorIdentity identity = context.getIdentity();
-        List<ViewExpression> masks = tableRules.stream()
-                .filter(rule -> rule.matches(identity.getUser(), identity.getEnabledSystemRoles(), identity.getGroups(), tableName))
-                .map(rule -> rule.getColumnMask(catalogName, tableName.getSchemaName(), columnName))
-                // we return the first one we find
-                .findFirst()
-                .stream()
-                .flatMap(Optional::stream)
-                .toList();
-
-        if (masks.size() > 1) {
-            throw new TrinoException(INVALID_COLUMN_MASK, format("Multiple masks defined for %s.%s", tableName, columnName));
-        }
-
-        return masks.stream().findFirst();
-    }
-
     @Override
     public Map<ColumnSchema, ViewExpression> getColumnMasks(ConnectorSecurityContext context, SchemaTableName tableName, List<ColumnSchema> columns)
     {

lib/trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/ForwardingConnectorAccessControl.java

@@ -22,7 +22,6 @@
 import io.trino.spi.security.Privilege;
 import io.trino.spi.security.TrinoPrincipal;
 import io.trino.spi.security.ViewExpression;
-import io.trino.spi.type.Type;
 
 import java.util.List;
 import java.util.Map;
@@ -496,12 +495,6 @@ public List<ViewExpression> getRowFilters(ConnectorSecurityContext context, Sche
         return delegate().getRowFilters(context, tableName);
     }
 
-    @Override
-    public Optional<ViewExpression> getColumnMask(ConnectorSecurityContext context, SchemaTableName tableName, String columnName, Type type)
-    {
-        return delegate().getColumnMask(context, tableName, columnName, type);
-    }
-
     @Override
     public Map<ColumnSchema, ViewExpression> getColumnMasks(ConnectorSecurityContext context, SchemaTableName tableName, List<ColumnSchema> columns)
     {

lib/trino-plugin-toolkit/src/test/java/io/trino/plugin/base/security/BaseFileBasedConnectorAccessControlTest.java

@@ -20,6 +20,7 @@
 import io.airlift.bootstrap.Bootstrap;
 import io.trino.spi.QueryId;
 import io.trino.spi.catalog.CatalogName;
+import io.trino.spi.connector.ColumnSchema;
 import io.trino.spi.connector.ConnectorAccessControl;
 import io.trino.spi.connector.ConnectorSecurityContext;
 import io.trino.spi.connector.ConnectorTransactionHandle;
@@ -395,16 +396,17 @@ public void testTableRulesForMixedGroupUsers()
         accessControl.checkCanDeleteFromTable(userGroup1Group2, myTable);
         accessControl.checkCanDropTable(userGroup1Group2, myTable);
         accessControl.checkCanSelectFromColumns(userGroup1Group2, myTable, ImmutableSet.of());
-        assertThat(accessControl.getColumnMask(userGroup1Group2, myTable, "col_a", VARCHAR)).isEqualTo(Optional.empty());
+        assertThat(accessControl.getColumnMasks(userGroup1Group2, myTable, List.of(ColumnSchema.builder().setName("col_a").setType(VARCHAR).build()))).isEmpty();
         assertThat(accessControl.getRowFilters(userGroup1Group2, myTable)).isEqualTo(ImmutableList.of());
 
         assertDenied(() -> accessControl.checkCanCreateTable(userGroup2, myTable, Map.of()));
         assertDenied(() -> accessControl.checkCanInsertIntoTable(userGroup2, myTable));
         assertDenied(() -> accessControl.checkCanDeleteFromTable(userGroup2, myTable));
         assertDenied(() -> accessControl.checkCanDropTable(userGroup2, myTable));
         accessControl.checkCanSelectFromColumns(userGroup2, myTable, ImmutableSet.of());
+        ColumnSchema colA = ColumnSchema.builder().setName("col_a").setType(VARCHAR).build();
         assertViewExpressionEquals(
-                accessControl.getColumnMask(userGroup2, myTable, "col_a", VARCHAR).orElseThrow(),
+                accessControl.getColumnMasks(userGroup2, myTable, List.of(colA)).get(colA),
                 ViewExpression.builder()
                         .catalog("test_catalog")
                         .schema("my_schema")
@@ -420,15 +422,14 @@ public void testTableRulesForMixedGroupUsers()
         accessControl.checkCanDeleteFromTable(userGroup1Group3, myTable);
         accessControl.checkCanDropTable(userGroup1Group3, myTable);
         accessControl.checkCanSelectFromColumns(userGroup1Group3, myTable, ImmutableSet.of());
-        assertThat(accessControl.getColumnMask(userGroup1Group3, myTable, "col_a", VARCHAR)).isEqualTo(Optional.empty());
-
+        assertThat(accessControl.getColumnMasks(userGroup1Group3, myTable, List.of(ColumnSchema.builder().setName("col_a").setType(VARCHAR).build()))).isEmpty();
         assertDenied(() -> accessControl.checkCanCreateTable(userGroup3, myTable, Map.of()));
         assertDenied(() -> accessControl.checkCanInsertIntoTable(userGroup3, myTable));
         assertDenied(() -> accessControl.checkCanDeleteFromTable(userGroup3, myTable));
         assertDenied(() -> accessControl.checkCanDropTable(userGroup3, myTable));
         accessControl.checkCanSelectFromColumns(userGroup3, myTable, ImmutableSet.of());
         assertViewExpressionEquals(
-                accessControl.getColumnMask(userGroup3, myTable, "col_a", VARCHAR).orElseThrow(),
+                accessControl.getColumnMasks(userGroup3, myTable, List.of(colA)).get(colA),
                 ViewExpression.builder()
                         .catalog("test_catalog")
                         .schema("my_schema")

plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/SqlStandardAccessControl.java

@@ -36,7 +36,6 @@
 import io.trino.spi.security.RoleGrant;
 import io.trino.spi.security.TrinoPrincipal;
 import io.trino.spi.security.ViewExpression;
-import io.trino.spi.type.Type;
 
 import java.util.List;
 import java.util.Map;
@@ -709,12 +708,6 @@ public List<ViewExpression> getRowFilters(ConnectorSecurityContext context, Sche
         return ImmutableList.of();
     }
 
-    @Override
-    public Optional<ViewExpression> getColumnMask(ConnectorSecurityContext context, SchemaTableName tableName, String columnName, Type type)
-    {
-        return Optional.empty();
-    }
-
     @Override
     public Map<ColumnSchema, ViewExpression> getColumnMasks(ConnectorSecurityContext context, SchemaTableName tableName, List<ColumnSchema> columns)
     {