diff --git a/core/trino-main/src/test/java/io/trino/sql/query/TestColumnMask.java b/core/trino-main/src/test/java/io/trino/sql/query/TestColumnMask.java
index e42a7a647563..a24920f08c47 100644
--- a/core/trino-main/src/test/java/io/trino/sql/query/TestColumnMask.java
+++ b/core/trino-main/src/test/java/io/trino/sql/query/TestColumnMask.java
@@ -179,6 +179,19 @@ public void testSimpleMask()
 assertThat(assertions.query("SELECT custkey FROM orders WHERE orderkey = 1")).matches("VALUES CAST(NULL AS BIGINT)");
 }
+ @Test
+ public void testConditionalMask()
+ {
+ accessControl.reset();
+ accessControl.columnMask(
+ new QualifiedObjectName(CATALOG, "tiny", "orders"),
+ "custkey",
+ USER,
+ new ViewExpression(USER, Optional.empty(), Optional.empty(), "IF (orderkey < 2, null, -custkey)"));
+ assertThat(assertions.query("SELECT custkey FROM orders LIMIT 2"))
+ .matches("VALUES (NULL), CAST('-781' AS BIGINT)");
+ }
+
 @Test
 public void testMultipleMasksOnSameColumn()
 {
diff --git a/docs/src/main/sphinx/security/file-system-access-control.rst b/docs/src/main/sphinx/security/file-system-access-control.rst
index 71b5d6c0f27f..7db5eb21c375 100644
--- a/docs/src/main/sphinx/security/file-system-access-control.rst
+++ b/docs/src/main/sphinx/security/file-system-access-control.rst
@@ -275,6 +275,8 @@ Filter and mask environment
 These rules do not apply to ``information_schema``.
+ ``mask`` can contain conditional expressions such as ``IF`` or ``CASE``, which achieves conditional masking.
+
 The example below defines the following table access policy:
 * Role ``admin`` has all privileges across all tables and schemas
@@ -627,6 +629,10 @@ These rules apply to ``filter_environment`` and ``mask_environment``.
 * ``user`` (optional): username for checking permission of subqueries in a mask.
+.. note::
+
+ ``mask`` can contain conditional expressions such as ``IF`` or ``CASE``, which achieves conditional masking.
+
 Session property rules
 ^^^^^^^^^^^^^^^^^^^^^^
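Review bot: The query in `testConditionalMask` uses `LIMIT 2` with no predicate or ordering, so the assertion depends on which two rows the scan happens to return first; the expected `NULL` and `-781` presumably correspond to orderkey 1 and 2. Pinning the rows the way `testSimpleMask` does with `WHERE orderkey = 1`, for example `assertions.query("SELECT custkey FROM orders WHERE orderkey <= 2")` (confirm the expected values against the tiny schema), keeps the test from failing, or passing for the wrong reason, if split or row order changes. Because a column mask is an access-control boundary, it would also be worth asserting the `CASE` form that the documentation change in this commit advertises, since only `IF` is exercised here.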