Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[FEATURE REQUEST] Add Row Level and Column Level access control. #137

Open
silwalanish opened this issue Aug 10, 2024 · 2 comments
Open

[FEATURE REQUEST] Add Row Level and Column Level access control. #137

silwalanish opened this issue Aug 10, 2024 · 2 comments
Labels
enhancement New feature or request

Comments

@silwalanish
Copy link

Is your feature request related to a problem? Please describe.

Is there a way to define row/column level access control through the RBAC defined here?

Describe the solution you'd like

With row level access control, I would like to filter certain rows from result set for a given Role.
With column level access control, I would like to add data masking to certain columns for a given Role.

Describe alternatives you've considered

No response

Additional context

No response
@silwalanish silwalanish added the enhancement New feature or request label Aug 10, 2024
@shohamyamin
Copy link

I think that the catalog should return when a resource is requested the row filter expression and the column mask expression that way the Trino/spark will be able to force the row filter/column mask.

the catalog itself cannot make the filter/masking because he isn’t the one that access to the object storage and do the compute

@snazy
Copy link
Member

snazy commented Aug 23, 2024

RLAC/CLAC is IMO a very useful functionality/feature to restrict access to sensitive information to trusted client (e.g. query engines). Masking/hiding is technically probably the more straght-forward part, but getting "trust" right is tricky.

A table (or view referencing such a table directly or indirectly) that has CLAC/RLAC enabled, must not be accessible to untrusted clients, simply because once you give those access, they technically see everything. Or the catalog would have to intercept (and rewrite) manifest-lists, manifest-files and data/delete files according to the user's privileges and R/CLAC rules (masking) - that's quite expensive.

However, if you have an engine/client that you really trust to securely apply the CLAC/RLAC filters, the catalog can grant access to it and rely on the engine/client to do the right thing.

"Trust" itself has very different meanings for different people. Some say they're fine with running queries only on that engine X, Y or Z. Others say that the engine must run on extremely locked down hardware, ensuring that malicious users must not even be able to use side-channel attacks to get (some) knowledge of the protected data.

Don't get me wrong, definitely don't wanna shoot this down or so - it's the opposite. Just saying, that there's a lot of work to do.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@snazy @silwalanish @shohamyamin