Add support for row filtering and column masking access control #24277
Conversation
There are some followup commits that I did not include here; we can add these in or look into them as a followup:
- Apply filters and masks for view object
- Apply filters and masks for tables referenced by views
- Add test for join on masked column
- Record filter and mask information in query event

@tdcmeehan It's high time that we consider merging this stuff; as we discussed last time in the meeting, doing it in the connector optimizer is not feasible for all cases and offers no benefit.
I'm in favor of this approach. While it does increase our SPI footprint, I think it's nice to align with Trino's approach in this case because it makes porting plugins easier for folks. I think this is worth the small increase in footprint.
…rinodb/trino@827de57 Krzysztof Sobolewski [email protected]
Allow returning multiple filters and masks in SystemAccessControl trinodb/trino@ae66a8b Krzysztof Sobolewski [email protected]
…odb/trino@1dbbcb3 Add access control SPI function for table column masks. Cristian Osiac [email protected], trinodb/trino@5da64a9

Updated to include followup commits to retrieve a list of row filters and multiple column masks with a single call to the interface.
```java
{
    String column = columnMetadata.getName();
    if (analysis.hasColumnMask(tableName, column, currentIdentity)) {
        throw new PrestoException(INVALID_ROW_FILTER, format("Column mask for '%s.%s' is recursive", tableName, column), null);
```
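Review bot: the error code and the message in this throw disagree: the message reports a recursive column mask, but the code passed is INVALID_ROW_FILTER, so anything that dispatches on error codes will classify this as a row-filter problem. Use the column-mask error code here so that code and message agree, e.g. `throw new PrestoException(INVALID_COLUMN_MASK, format("Column mask for '%s.%s' is recursive", tableName, column), null);`.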
nit: Can you please use INVALID_COLUMN_MASK error code in this method?
```java
planBuilder = subqueryPlanner.handleSubqueries(planBuilder, mask, mask, context);

Map<VariableReferenceExpression, RowExpression> assignments = new LinkedHashMap<>();
```
Can you please move the creation of assignments and the new planBuilder outside the for loop? This will allow invoking planBuilder.withNewRoot only once per method invocation, rather than creating a new planBuilder for each mask. It will improve efficiency and make the logic cleaner.
```java
Map<String, Expression> columnMasks = analysis.getColumnMasks(table);

List<VariableReferenceExpression> mappings = plan.getFieldMappings();
TranslationMap translations = new TranslationMap(plan, analysis, lambdaDeclarationToVariableMap);
```
nit: We can simplify this section by reusing some code. Instead of directly using `translations.rewrite(mask)`, you could initialize the PlanBuilder with `PlanBuilder planBuilder = initializePlanBuilder(plan);`. Then, use `planBuilder.rewrite(mask)` to leverage the translations map already stored internally within planBuilder.
Description
This adds support for row filtering and column masking to access control as part of governance requirements. Filters/masks are supplied as part of an access control implementation and then applied to queries according to matching table and column names supplied by access control.
These changes are cherry-picked from the following commits:
Adding support for row filters
Cherry-pick of trinodb/trino@fae3147
Co-authored-by: Martin Traverso [email protected]
Adding support for column masks
Cherry-pick of trinodb/trino@7e0d88e
Co-authored-by: Martin Traverso [email protected]
Disallow multiple masks on a given column
Cherry-pick of trinodb/trino@bdd1cb5
Co-authored-by: Martin Traverso [email protected]
Add access control SPI function for table column masks.
Cherry-pick of trinodb/trino@5da64a9
Co-authored-by: Cristian Osiac [email protected]
Update core access control to fetch column masks in bulk
Cherry-pick of trinodb/trino@1dbbcb3
Co-authored-by: Cristian Osiac [email protected]
For original IBM Presto port
Co-authored-by: Reetika Agrawal [email protected]
From #24278
Motivation and Context
Governance requirements include the ability to restrict access to certain rows of tables or sensitive data in certain columns. This adds the ability to provide filters/masks as expressions to Presto where they will then be applied to relevant queries.
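The mechanism described in the Description and here, as an added example that is not code from this PR or from Presto: an access-control policy (a constructed schema, row filters and column masks) is applied to a table scan by ANDing the filters into the WHERE clause and substituting mask expressions for masked columns, with the two rejections the commit list mentions (multiple masks on one column, and a mask whose subquery reads the column it masks) modelled on the `hasColumnMask` check seen in the review snippets. `SCHEMA`, `ROW_FILTERS`, `COLUMN_MASKS`, `secure_scan` and `AccessControlError` are all assumptions of this example.

```python
import re

class AccessControlError(Exception):
    """Stands in for PrestoException(INVALID_ROW_FILTER / INVALID_COLUMN_MASK)."""

# Constructed policy, i.e. what an access-control implementation would return.
# Row filters are predicates over the table; masks map a column to expressions.
SCHEMA = {"orders": ["id", "region", "card"], "regions": ["name", "owner"]}
ROW_FILTERS = {"orders": ["region = current_user_region()", "id > 0"]}
COLUMN_MASKS = {("orders", "card"): ["regexp_replace(card, '\\d(?=\\d{4})', '*')"]}

def mask_for(table, column, masks):
    """Exactly one mask per column: the PR disallows multiple masks on a column."""
    exprs = masks.get((table, column), [])
    if len(exprs) > 1:
        raise AccessControlError(f"Multiple masks for '{table}.{column}'")
    return exprs[0] if exprs else None

def secure_scan(table, columns, row_filters, masks, active=frozenset()):
    """Rewrite a scan of `columns` from `table` into the policy-applying query:
    masked columns are replaced by their mask expression and every row filter
    is ANDed into the WHERE clause. `active` holds the (table, column) masks
    being expanded right now; meeting one of them again means a mask whose
    subquery reads the very column it masks, which the PR rejects as recursive."""
    select_items = []
    for column in columns:
        mask = mask_for(table, column, masks)
        if mask is None:
            select_items.append(column)
            continue
        if (table, column) in active:
            raise AccessControlError(f"Column mask for '{table}.{column}' is recursive")
        # A mask may embed a subquery over some table; that scan gets the same
        # policy applied, with this mask marked active so a cycle is detected.
        for ref in re.findall(r"\bFROM\s+(\w+)", mask):
            secure_scan(ref, SCHEMA[ref], row_filters, masks, active | {(table, column)})
        select_items.append(f"{mask} AS {column}")
    sql = f"SELECT {', '.join(select_items)} FROM {table}"
    filters = row_filters.get(table, [])
    if filters:
        sql += " WHERE " + " AND ".join(f"({f})" for f in filters)
    return sql

if __name__ == "__main__":
    print(secure_scan("orders", ["id", "card"], ROW_FILTERS, COLUMN_MASKS))
```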
Impact
Additions to SPI include access control interfaces to get row filters and column masks.
ConnectorAccessControl
Test Plan
Unit tests added.