Fix check_access_control_on_utilized_columns_only for CTE

rschlussel · rschlussel · commit ae19df1af928 · 2025-02-27T16:38:25.000-05:00
Previously we weren't associating the with query with the columns used
from it in the main part of the query, so we wouldn't consider any
columns as used.  When the usage within the cte or outside of it was
just an identifier, we would have the utilized column collected anyway
because the column collected in the main query kept the source table
information. However, if there was an expression in between, we would
lose that information, and we wouldn't check access control for the
column that was used in an expression in the cte.

Example:

For the following query
```
with cte as (select  x as c1, z + 1 as c2 from t13) select c1, c2 from (select * from cte)
```

Previously we would only check access permissions on t13.x, but not
t13.z.  With this change we will check column access on both 13.x and
t13.z.
diff --git a/presto-analyzer/src/main/java/com/facebook/presto/sql/analyzer/RelationId.java b/presto-analyzer/src/main/java/com/facebook/presto/sql/analyzer/RelationId.java
@@ -53,6 +53,10 @@ public boolean isAnonymous()
         return sourceNode == null;
     }
 
+    public Node getSourceNode()
+    {
+        return sourceNode;
+    }
     @Override
     public boolean equals(Object o)
     {
diff --git a/presto-main/src/main/java/com/facebook/presto/sql/analyzer/UtilizedColumnsAnalyzer.java b/presto-main/src/main/java/com/facebook/presto/sql/analyzer/UtilizedColumnsAnalyzer.java
@@ -37,6 +37,7 @@
 import com.facebook.presto.sql.tree.Lateral;
 import com.facebook.presto.sql.tree.Node;
 import com.facebook.presto.sql.tree.NodeRef;
+import com.facebook.presto.sql.tree.QualifiedName;
 import com.facebook.presto.sql.tree.Query;
 import com.facebook.presto.sql.tree.QuerySpecification;
 import com.facebook.presto.sql.tree.Relation;
@@ -48,6 +49,7 @@
 import com.facebook.presto.sql.tree.Union;
 import com.facebook.presto.sql.tree.Unnest;
 import com.facebook.presto.sql.tree.Values;
+import com.facebook.presto.sql.tree.WithQuery;
 import com.google.common.collect.HashMultimap;
 import com.google.common.collect.ImmutableSet;
 
@@ -57,6 +59,8 @@
 import java.util.Map.Entry;
 import java.util.Set;
 
+import static com.google.common.base.Preconditions.checkState;
+import static com.google.common.collect.ImmutableList.toImmutableList;
 import static com.google.common.collect.Sets.intersection;
 import static java.lang.String.format;
 
@@ -271,6 +275,15 @@ protected Void visitQuerySpecification(QuerySpecification querySpec, Context con
             return null;
         }
 
+        @Override
+        protected Void visitWithQuery(WithQuery withQuery, Context context)
+        {
+            context.copyFieldIdsToExploreForWithQuery(withQuery);
+            process(withQuery.getQuery(), context);
+
+            return null;
+        }
+
         @Override
         protected Void visitSampledRelation(SampledRelation sampledRelation, Context context)
         {
@@ -493,5 +506,19 @@ private void addFieldIdToExplore(FieldId fieldId)
         {
             fieldsToExplore.put(fieldId.getRelationId(), fieldId);
         }
+
+        // Associate the relation from the with clause with the fieldIdsToExplore that we collected for it
+        // when processing the main part of the query
+        public void copyFieldIdsToExploreForWithQuery(WithQuery withQuery)
+        {
+            QualifiedName name = QualifiedName.of(withQuery.getName().getValue());
+            List<RelationId> relationIds = fieldsToExplore.keySet().stream()
+                    .filter(key -> key.getSourceNode() instanceof Table && ((Table) key.getSourceNode()).getName().equals(name))
+                    .collect(toImmutableList());
+            checkState(relationIds.size() == 1, "expected only one matching relationId");
+            fieldsToExplore.putAll(
+                    RelationId.of(withQuery.getQuery().getQueryBody()),
+                    fieldsToExplore.get(relationIds.get(0)));
+        }
     }
 }
diff --git a/presto-main/src/test/java/com/facebook/presto/sql/analyzer/TestUtilizedColumnsAnalyzer.java b/presto-main/src/test/java/com/facebook/presto/sql/analyzer/TestUtilizedColumnsAnalyzer.java
@@ -519,6 +519,12 @@ public void testUDF()
                 ImmutableMap.of(QualifiedObjectName.valueOf("tpch.s1.t1"), ImmutableSet.of("a")));
     }
 
+    @Test
+    public void testCteWithExpressionInSelect()
+    {
+        assertUtilizedTableColumns("with cte as (select  x as c1, z + 1 as c2 from t13) select c1, c2 from (select * from cte)", ImmutableMap.of(QualifiedObjectName.valueOf("tpch.s1.t13"), ImmutableSet.of("x", "z")));
+    }
+
     private void assertUtilizedTableColumns(@Language("SQL") String query, Map<QualifiedObjectName, Set<String>> expected)
     {
         transaction(transactionManager, accessControl)

Original file line number	Diff line number	Diff line change
`@@ -53,6 +53,10 @@ public boolean isAnonymous()`
`53`	`53`	`return sourceNode == null;`
`54`	`54`	`}`
`55`	`55`
	`56`	`+ public Node getSourceNode()`
	`57`	`+ {`
	`58`	`+ return sourceNode;`
	`59`	`+ }`
`56`	`60`	`@Override`
`57`	`61`	`public boolean equals(Object o)`
`58`	`62`	`{`
Original file line number	Diff line number	Diff line change
`@@ -519,6 +519,12 @@ public void testUDF()`
`519`	`519`	`ImmutableMap.of(QualifiedObjectName.valueOf("tpch.s1.t1"), ImmutableSet.of("a")));`
`520`	`520`	`}`
`521`	`521`
	`522`	`+ @Test`
	`523`	`+ public void testCteWithExpressionInSelect()`
	`524`	`+ {`
	`525`	`+ assertUtilizedTableColumns("with cte as (select x as c1, z + 1 as c2 from t13) select c1, c2 from (select * from cte)", ImmutableMap.of(QualifiedObjectName.valueOf("tpch.s1.t13"), ImmutableSet.of("x", "z")));`
	`526`	`+ }`
	`527`	`+`
`522`	`528`	`private void assertUtilizedTableColumns(@Language("SQL") String query, Map<QualifiedObjectName, Set<String>> expected)`
`523`	`529`	`{`
`524`	`530`	`transaction(transactionManager, accessControl)`