Add security lake
Signed-off-by: Tomoyuki Morita <[email protected]>
ykmr1224 committed Sep 18, 2024
1 parent 563e027 commit 15ae225
Showing 4 changed files with 426 additions and 112 deletions.
Expand Up @@ -33,6 +33,7 @@ enum GrammarElement {
HAVING("HAVING"),
HINTS("HINTS"),
INLINE_TABLE("Inline Table(VALUES)"),
FILE("File"),
INNER_JOIN("INNER JOIN"),
CROSS_JOIN("CROSS JOIN"),
LEFT_OUTER_JOIN("LEFT OUTER JOIN"),
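Review bot: `FILE("File")` is added to the enum, but neither deny list visible in GrammarElementValidatorFactory in this commit (`S3GLUE_DENY_LIST`, `SL_DENY_LIST`) includes it, and none of the visitor overrides in the SQLQueryValidationVisitor hunks shown calls `validateAllowed(GrammarElement.FILE)`; the fourth changed file is not visible here, so it may be handled there. Because the validators are deny lists, an element that is never checked or never listed is allowed by default, so if path-based file reads are meant to be blocked for Security Lake, `FILE` needs both a visitor hook and an entry in `SL_DENY_LIST`. If it is deliberately allowed everywhere, a short comment on the constant stating that would keep the next reader from re-raising this. The enum body continues outside the hunk.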
Expand Up @@ -17,6 +17,7 @@ public class GrammarElementValidatorFactory {
private static final Set<GrammarElement> DEFAULT_DENY_LIST =
ImmutableSet.of(CREATE_FUNCTION, DROP_FUNCTION, INSERT, LOAD, HINTS, TABLESAMPLE);

// Deny List for CloudWatch Logs datasource
private static final Set<GrammarElement> CWL_DENY_LIST =
copyBuilder(DEFAULT_DENY_LIST)
.add(
Expand Down Expand Up @@ -71,18 +72,53 @@ public class GrammarElementValidatorFactory {
UDF)
.build();

// Deny list for S3 Glue datasource
private static final Set<GrammarElement> S3GLUE_DENY_LIST =
copyBuilder(DEFAULT_DENY_LIST)
.add(
ALTER_VIEW,
CREATE_VIEW,
DROP_VIEW,
REPAIR_TABLE,
DISTRIBUTE_BY,
INLINE_TABLE,
CLUSTER_BY,
DISTRIBUTE_BY,
CROSS_JOIN,
LEFT_SEMI_JOIN,
RIGHT_OUTER_JOIN,
FULL_OUTER_JOIN,
LEFT_ANTI_JOIN,
TABLESAMPLE,
TABLE_VALUED_FUNCTION,
TRANSFORM,
MANAGE_RESOURCE,
DESCRIBE_FUNCTION,
REFRESH_RESOURCE,
REFRESH_FUNCTION,
RESET,
SET,
SHOW_FUNCTIONS,
SHOW_VIEWS,
MISC_FUNCTIONS,
UDF)
.build();

// Deny list for Security Lake datasource
private static final Set<GrammarElement> SL_DENY_LIST =
copyBuilder(DEFAULT_DENY_LIST)
.add(
ALTER_NAMESPACE,
ALTER_VIEW,
CREATE_NAMESPACE,
CREATE_VIEW,
DROP_NAMESPACE,
DROP_VIEW,
REPAIR_TABLE,
TRUNCATE_TABLE,
CLUSTER_BY,
DISTRIBUTE_BY,
HINTS,
INLINE_TABLE,
CROSS_JOIN,
LEFT_SEMI_JOIN,
RIGHT_OUTER_JOIN,
Expand All @@ -92,19 +128,39 @@ public class GrammarElementValidatorFactory {
TABLE_VALUED_FUNCTION,
TRANSFORM,
MANAGE_RESOURCE,
ANALYZE_TABLE,
CACHE_TABLE,
CLEAR_CACHE,
DESCRIBE_NAMESPACE,
DESCRIBE_FUNCTION,
DESCRIBE_QUERY,
DESCRIBE_TABLE,
REFRESH_RESOURCE,
REFRESH_TABLE,
REFRESH_FUNCTION,
RESET,
SET,
SHOW_COLUMNS,
SHOW_CREATE_TABLE,
SHOW_NAMESPACES,
SHOW_FUNCTIONS,
SHOW_PARTITIONS,
SHOW_TABLE_EXTENDED,
SHOW_TABLES,
SHOW_TBLPROPERTIES,
SHOW_VIEWS,
UNCACHE_TABLE,
CSV_FUNCTIONS,
MISC_FUNCTIONS,
UDF)
.build();


private static Map<DataSourceType, GrammarElementValidator> validatorMap =
ImmutableMap.of(DataSourceType.S3GLUE, new DenyListGrammarElementValidator(S3GLUE_DENY_LIST));
ImmutableMap.of(
DataSourceType.S3GLUE, new DenyListGrammarElementValidator(S3GLUE_DENY_LIST),
DataSourceType.SECURITY_LAKE, new DenyListGrammarElementValidator(SL_DENY_LIST)
);

public GrammarElementValidator getValidatorForDatasource(DataSourceType dataSourceType) {
return validatorMap.get(dataSourceType);
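Review bot: Several entries in the new lists repeat what `DEFAULT_DENY_LIST` already contributes through `copyBuilder`: `HINTS` in `SL_DENY_LIST` and `TABLESAMPLE` in `S3GLUE_DENY_LIST` are already in the default set, and `DISTRIBUTE_BY` appears twice in `S3GLUE_DENY_LIST` if both of those lines are on the new side. `ImmutableSet.Builder` de-duplicates, so nothing breaks, but the repeats obscure which elements each datasource actually adds on top of the default; dropping them keeps the per-datasource delta readable. `validatorMap` is also a non-final static that is assigned exactly once, and `private static final Map<DataSourceType, GrammarElementValidator> validatorMap =` would make that explicit. With two entries now registered, it is worth noting that `getValidatorForDatasource` returns `validatorMap.get(dataSourceType)`, which is `null` for any `DataSourceType` without an entry, so callers must null-check or the lookup should fall back to an explicit default validator; that method's body continues outside the hunk.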
Expand Up @@ -8,6 +8,10 @@
import lombok.AllArgsConstructor;
import org.antlr.v4.runtime.tree.TerminalNode;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.AddTableColumnsContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.AddTablePartitionContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.AlterClusterByContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.AlterTableAlterColumnContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.AlterViewQueryContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.AlterViewSchemaBindingContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.AnalyzeContext;
Expand All @@ -16,6 +20,8 @@
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.ClearCacheContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.ClusterBySpecContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.CreateNamespaceContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.CreateTableContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.CreateTableLikeContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.CreateViewContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.CtesContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.DescribeFunctionContext;
Expand All @@ -24,11 +30,15 @@
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.DescribeRelationContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.DropFunctionContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.DropNamespaceContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.DropTableColumnsContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.DropTableContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.DropTablePartitionsContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.DropViewContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.ExplainContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.FunctionIdentifierContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.FunctionNameContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.HintContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.HiveReplaceColumnsContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.InlineTableContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.InsertIntoReplaceWhereContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.InsertIntoTableContext;
Expand All @@ -41,18 +51,25 @@
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.LoadDataContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.ManageResourceContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.QueryOrganizationContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.RecoverPartitionsContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.RefreshFunctionContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.RefreshResourceContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.RefreshTableContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.RelationContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.RenameTableColumnContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.RenameTableContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.RenameTablePartitionContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.RepairTableContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.ReplaceTableContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.ResetConfigurationContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.ResetQuotedConfigurationContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.SampleContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.SetConfigurationContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.SetNamespaceLocationContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.SetNamespacePropertiesContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.SetQuantifierContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.SetTableLocationContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.SetTableSerDeContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.ShowColumnsContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.ShowCreateTableContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.ShowFunctionsContext;
Expand All @@ -64,6 +81,7 @@
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.ShowViewsContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.TableValuedFunctionContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.TransformClauseContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.TruncateTableContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.UncacheTableContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParser.UnsetNamespacePropertiesContext;
import org.opensearch.sql.spark.antlr.parser.SqlBaseParserBaseVisitor;
Expand Down Expand Up @@ -94,6 +112,80 @@ public Void visitUnsetNamespaceProperties(UnsetNamespacePropertiesContext ctx) {
return super.visitUnsetNamespaceProperties(ctx);
}

@Override
public Void visitAddTableColumns(AddTableColumnsContext ctx) {
validateAllowed(GrammarElement.ALTER_NAMESPACE);
return super.visitAddTableColumns(ctx);
}

@Override
public Void visitAddTablePartition(AddTablePartitionContext ctx) {
validateAllowed(GrammarElement.ALTER_NAMESPACE);
return super.visitAddTablePartition(ctx);
}

@Override
public Void visitRenameTableColumn(RenameTableColumnContext ctx) {
validateAllowed(GrammarElement.ALTER_NAMESPACE);
return super.visitRenameTableColumn(ctx);
}

@Override
public Void visitDropTableColumns(DropTableColumnsContext ctx) {
validateAllowed(GrammarElement.ALTER_NAMESPACE);
return super.visitDropTableColumns(ctx);
}

@Override
public Void visitAlterTableAlterColumn(AlterTableAlterColumnContext ctx) {
validateAllowed(GrammarElement.ALTER_NAMESPACE);
return super.visitAlterTableAlterColumn(ctx);
}

@Override
public Void visitHiveReplaceColumns(HiveReplaceColumnsContext ctx) {
validateAllowed(GrammarElement.ALTER_NAMESPACE);
return super.visitHiveReplaceColumns(ctx);
}

@Override
public Void visitSetTableSerDe(SetTableSerDeContext ctx) {
validateAllowed(GrammarElement.ALTER_NAMESPACE);
return super.visitSetTableSerDe(ctx);
}

@Override
public Void visitRenameTablePartition(RenameTablePartitionContext ctx) {
validateAllowed(GrammarElement.ALTER_NAMESPACE);
return super.visitRenameTablePartition(ctx);
}

@Override
public Void visitDropTablePartitions(DropTablePartitionsContext ctx) {
validateAllowed(GrammarElement.ALTER_NAMESPACE);
return super.visitDropTablePartitions(ctx);
}

@Override
public Void visitSetTableLocation(SetTableLocationContext ctx) {
validateAllowed(GrammarElement.ALTER_NAMESPACE);
return super.visitSetTableLocation(ctx);
}

@Override
public Void visitRecoverPartitions(RecoverPartitionsContext ctx) {
validateAllowed(GrammarElement.ALTER_NAMESPACE);
return super.visitRecoverPartitions(ctx);
}

@Override
public Void visitAlterClusterBy(AlterClusterByContext ctx) {
validateAllowed(GrammarElement.ALTER_NAMESPACE);
return super.visitAlterClusterBy(ctx);
}



@Override
public Void visitSetNamespaceLocation(SetNamespaceLocationContext ctx) {
validateAllowed(GrammarElement.ALTER_NAMESPACE);
Expand Down Expand Up @@ -131,12 +223,36 @@ public Void visitCreateNamespace(CreateNamespaceContext ctx) {
return super.visitCreateNamespace(ctx);
}

@Override
public Void visitCreateTable(CreateTableContext ctx) {
validateAllowed(GrammarElement.CREATE_NAMESPACE);
return super.visitCreateTable(ctx);
}

@Override
public Void visitCreateTableLike(CreateTableLikeContext ctx) {
validateAllowed(GrammarElement.CREATE_NAMESPACE);
return super.visitCreateTableLike(ctx);
}

@Override
public Void visitReplaceTable(ReplaceTableContext ctx) {
validateAllowed(GrammarElement.CREATE_NAMESPACE);
return super.visitReplaceTable(ctx);
}

@Override
public Void visitDropNamespace(DropNamespaceContext ctx) {
validateAllowed(GrammarElement.DROP_NAMESPACE);
return super.visitDropNamespace(ctx);
}

@Override
public Void visitDropTable(DropTableContext ctx) {
validateAllowed(GrammarElement.DROP_NAMESPACE);
return super.visitDropTable(ctx);
}

@Override
public Void visitCreateView(CreateViewContext ctx) {
validateAllowed(GrammarElement.CREATE_VIEW);
Expand All @@ -155,6 +271,18 @@ public Void visitDropFunction(DropFunctionContext ctx) {
return super.visitDropFunction(ctx);
}

@Override
public Void visitRepairTable(RepairTableContext ctx) {
validateAllowed(GrammarElement.REPAIR_TABLE);
return super.visitRepairTable(ctx);
}

@Override
public Void visitTruncateTable(TruncateTableContext ctx) {
validateAllowed(GrammarElement.TRUNCATE_TABLE);
return super.visitTruncateTable(ctx);
}

@Override
public Void visitInsertOverwriteTable(InsertOverwriteTableContext ctx) {
validateAllowed(GrammarElement.INSERT);
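Review bot: The new table-level overrides from `visitAddTableColumns` through `visitAlterClusterBy` all report `GrammarElement.ALTER_NAMESPACE`, and the later hunk maps `visitCreateTable`, `visitCreateTableLike` and `visitReplaceTable` to `CREATE_NAMESPACE` and `visitDropTable` to `DROP_NAMESPACE`, so table DDL and namespace DDL become indistinguishable both to the deny lists and to whatever `validateAllowed` reports on rejection. A datasource that wants to deny `ALTER TABLE` while keeping `ALTER DATABASE` (or the reverse) cannot express that; dedicated `ALTER_TABLE`, `CREATE_TABLE` and `DROP_TABLE` elements, added to the same deny lists, would keep the granularity honest. If the collapse is intentional, a comment on the first override such as `// Table-level DDL is deliberately reported as the namespace element; the deny lists treat both alike` would say so. Separately, three blank lines precede `visitSetNamespaceLocation` at the end of the first method hunk where the file otherwise uses one. `visitSetNamespaceLocation` continues outside the hunk.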