Skip to content

Clarify the support for conditional column masking #12214

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
kokosing merged 2 commits into from
May 13, 2022
Merged

Clarify the support for conditional column masking #12214

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
0f76c31
Clarify the support for conditional column masking
weiatwork May 2, 2022
37f4926
Empty commit to trigger CI rerun
weiatwork May 10, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 13 additions & 0 deletions core/trino-main/src/test/java/io/trino/sql/query/TestColumnMask.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -179,6 +179,19 @@ public void testSimpleMask()
assertThat(assertions.query("SELECT custkey FROM orders WHERE orderkey = 1")).matches("VALUES CAST(NULL AS BIGINT)");
}

@Test
public void testConditionalMask()
Comment thread
weiatwork marked this conversation as resolved.
{
accessControl.reset();
accessControl.columnMask(
new QualifiedObjectName(CATALOG, "tiny", "orders"),
"custkey",
USER,
new ViewExpression(USER, Optional.empty(), Optional.empty(), "IF (orderkey < 2, null, -custkey)"));
assertThat(assertions.query("SELECT custkey FROM orders LIMIT 2"))
.matches("VALUES (NULL), CAST('-781' AS BIGINT)");
}

@Test
public void testMultipleMasksOnSameColumn()
{
Expand Down
6 changes: 6 additions & 0 deletions docs/src/main/sphinx/security/file-system-access-control.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -275,6 +275,8 @@ Filter and mask environment

These rules do not apply to ``information_schema``.

``mask`` can contain conditional expressions such as ``IF`` or ``CASE``, which achieves conditional masking.
Comment thread
weiatwork marked this conversation as resolved.

The example below defines the following table access policy:

* Role ``admin`` has all privileges across all tables and schemas
Expand Down Expand Up @@ -627,6 +629,10 @@ These rules apply to ``filter_environment`` and ``mask_environment``.

* ``user`` (optional): username for checking permission of subqueries in a mask.

.. note::

``mask`` can contain conditional expressions such as ``IF`` or ``CASE``, which achieves conditional masking.

Session property rules
^^^^^^^^^^^^^^^^^^^^^^

Expand Down