Replace originalIdentity's groups with identity's groups

[andythsu]

Description

Use identity's groups instead of OriginalIdentity's groups in session. Issue is described here

This PR specifically resolves Option 2 in the issue

Release notes

( ) This is not user-visible or is docs only, and no release notes are required.
( ) Release notes are required. Please propose a release note for me.
(X) Release notes are required, with the following suggested text:

## Section
* Fix access control check when access is granted through groups in `SET SESSION AUTHORIZATION`  ({issue}`26344`)

[kokosing]

@homar can you please provide the review here?

[kokosing]

@andythsu can you please provide unit tests?

[homar]

@homar can you please provide the review here?

Yep that was clearly a mistake from my side. If you check SessionRepresentation it is clear that we need groups from identity here not originalIdentity.
However adding a test would be very beneficial

[kokosing]

I believe such test could be added to TestImpersonation.

[andythsu]

There's also https://github.com/trinodb/trino/blob/master/testing/trino-tests/src/test/java/io/trino/execution/TestUserImpersonationAccessControl.java that although the name suggests "test impersonation", there are no tests in this file that actually touches on the impersonation part. I believe we can merge it with https://github.com/trinodb/trino/blob/master/testing/trino-tests/src/test/java/io/trino/security/TestAccessControl.java. Thoughts? (I can do it in a separate PR)

[cla-bot]

Thank you for your pull request and welcome to our community. We could not parse the GitHub identity of the following contributors: asu80.
This is most likely caused by a git client misconfiguration; please make sure to:

1. check if your git client is configured with an email to sign commits git config --list | grep email
2. If not, set it up using git config --global user.email [email protected]
3. Make sure that the git commit email is configured in your GitHub account settings, see https://github.com/settings/emails

[andythsu]

@kokosing I added a unit test

[kokosing]

Thank you!

[kokosing]

please remove these comments.

[kokosing]

Please instead run the SQL to check the. See https://trino.io/docs/current/functions/session.html and current_groups().

Also please make sure that this test is failing when you revert the change to make sure this test actually provides a true coverage.

[andythsu]

The current_groups() actually shows the right groups. This bug only happens in

• show schemas from <catalog>
• show tables from <catalog>.<schema>

Other operations will work fine.

It looks like other operations don't call toSessionRepresentation but only these two operations will call this method, and hence this error.

[kokosing]

Ok, please use current_group() and also test:

show schemas from <catalog>
show tables from <catalog>.<schema>

[andythsu]

@kokosing I moved my tests to a new file because it requires quite different setup from https://github.com/trinodb/trino/blob/master/testing/trino-tests/src/test/java/io/trino/security/TestImpersonation.java

In addition, I ran these tests without my change and it returned

which is expected

[kokosing]

Please squash the commits. Apply comment. Ping me once it is green to be merged. Thank you!

[kokosing]

add copyright

[andythsu]

@kokosing everything passed!

[kokosing]

I improved release notes a bit. Thank you!