Allow multiple filters and masks from access control#11654
Merged
kokosing merged 3 commits into trinodb:master on Apr 3, 2022
Conversation
kokosing
reviewed
Mar 25, 2022
...plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedSystemAccessControl.java
...trino-plugin-toolkit/src/main/java/io/trino/plugin/base/security/FileBasedAccessControl.java
Member
A couple of comments:
Member
In regards to SPI, please see #11667
There are authorization systems that allow configuring row filters and column masking on a schema as well as on a table, so there is a case where it is set on both entities and multiple filters or masks are returned.
0320401 to 151164e
Contributor
Author
I modified the commits to add new methods and deprecated the old ones instead of replacing.
85742c4 to 3184de1
Can just collect to array directly.
The engine is perfectly capable of processing multiple row filter and column mask expressions, given that it supports running multiple system access controls and each of them can provide an expression. See: `io.trino.security.AccessControlManager#getColumnMasks` and `io.trino.security.AccessControlManager#getRowFilters`. So inability to provide more than one expression per access control looks like an artificial restriction. Case in point: the file-based access control, which is also already capable of providing multiple expressions for both row filters and column masks (it just picked the first one and discarded the rest).
Now that the `SystemAccessControl` can provide multiple filtering and masking expressions, there's no reason for the `ConnectorAccessControl` not to follow suit.
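As an added example (not Trino code), a small Python model of the point made in the commit message above: a file-based rule set in which two rules match the same table, with the old behaviour that keeps only the first filter next to the behaviour that hands every matching filter to the engine, which applies them conjunctively. The rule fields and the rules themselves are constructed assumptions loosely modelled on Trino's file-based access-control format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of a file-based table rule (not Trino's class):
# each field is a regex matched against the user/schema/table names.
@dataclass(frozen=True)
class TableRule:
    user: str = ".*"
    schema: str = ".*"
    table: str = ".*"
    row_filter: Optional[str] = None  # SQL row filter predicate, if any

    def matches(self, user: str, schema: str, table: str) -> bool:
        return all(
            re.fullmatch(pattern, value) is not None
            for pattern, value in ((self.user, user), (self.schema, schema), (self.table, table))
        )

# Constructed rules: analysts get a schema-wide filter on "sales" and a
# narrower filter on "sales.orders"; admins match a rule with no filter.
RULES = [
    TableRule(user="analyst", schema="sales", row_filter="region = 'EMEA'"),
    TableRule(user="analyst", schema="sales", table="orders", row_filter="status <> 'cancelled'"),
    TableRule(user="admin"),
]

def matching_filters(rules: List[TableRule], user: str, schema: str, table: str) -> List[str]:
    """Filters contributed by every rule that matches, in rule order."""
    return [r.row_filter for r in rules if r.matches(user, schema, table) and r.row_filter]

def first_filter_only(rules, user, schema, table) -> List[str]:
    """Pre-change behaviour: pick the first matching filter and discard the rest."""
    return matching_filters(rules, user, schema, table)[:1]

def all_filters(rules, user, schema, table) -> List[str]:
    """Post-change behaviour: return every matching filter to the engine."""
    return matching_filters(rules, user, schema, table)

def effective_predicate(filters: List[str]) -> str:
    """The engine applies several row filters conjunctively: a row must pass all of them."""
    return " AND ".join(f"({f})" for f in filters) if filters else "true"

if __name__ == "__main__":
    for impl in (first_filter_only, all_filters):
        filters = impl(RULES, "analyst", "sales", "orders")
        print(f"{impl.__name__}: {effective_predicate(filters)}")
```

With the old behaviour the table-specific `status <> 'cancelled'` restriction is silently lost for analysts; with the new one both predicates are enforced.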
3184de1 to a63e04b
kokosing
approved these changes
Apr 1, 2022
This was referenced May 1, 2022
findepi
reviewed
Jun 27, 2022
| */ | ||
| default List<ViewExpression> getRowFilters(ConnectorSecurityContext context, SchemaTableName tableName) | ||
| { | ||
| return emptyList(); |
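Review bot: the default body `return emptyList();` for the new `getRowFilters` drops any filter that an existing connector access control supplies only through the deprecated single-filter method, so the engine would stop enforcing that filter as soon as it calls the new method. Make the default delegate to the old method and wrap its result in a single-element list (empty when no filter is present) so plugins that have not migrated keep their row-level restrictions.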
Member
The new method should delegate to the old method.
Contributor
Author
True. As I was removing them I realized the same; not sure how it happened.
Description
It's an improvement to the SPI between the engine and the access control interfaces.
SPI interfaces
The engine is perfectly capable of processing multiple row filter and column mask expressions, given that it supports running multiple system access controls and each of them can provide an expression. See: `io.trino.security.AccessControlManager#getColumnMasks` and `io.trino.security.AccessControlManager#getRowFilters`. So inability to provide more than one expression per access control looks like an artificial restriction. Case in point: the file-based access control, which is also already capable of providing multiple expressions for both row filters and column masks (it just picked the first one and discarded the rest).
Documentation
(x) No documentation is needed.
( ) Sufficient documentation is included in this PR.
( ) Documentation PR is available with #prnumber.
( ) Documentation issue #issuenumber is filed, and can be handled later.
Release notes
(x) No release notes entries required. (I guess)
( ) Release notes entries required with the following suggested text: