Skip to content

[table] Support query-auth row filters and column masking at read time#513

Draft
plusplusjiajia wants to merge 1 commit into
apache:mainfrom
plusplusjiajia:query-auth-enforce-v2
Draft

[table] Support query-auth row filters and column masking at read time#513
plusplusjiajia wants to merge 1 commit into
apache:mainfrom
plusplusjiajia:query-auth-enforce-v2

Conversation

@plusplusjiajia

Copy link
Copy Markdown
Member

Stacked on #498 and #500 — the first two commits are those PRs; please review only the last commit ([table] Support query-auth row filters and column masking at read time). Will rebase once they merge.

Purpose

Apply the per-user query-auth grant on the read path. Since #447 the client fails closed on every query-auth.enabled table; with this change a granted read goes through: the row filter and column masking
returned by the REST catalog's authTableQuery are enforced exactly, and reads the grant cannot cover keep failing closed.

Brief change log

  • Plan-time transparent authorization: TableScan::plan / FormatTableScan::plan / search execute_scored fetch and verify the grant (where Java applies CatalogEnvironment.tableQueryAuth()), scoped to the
    planned projection ∪ filter columns; wider reads fail closed until re-plan.
  • Exact enforcement in TableRead::to_arrow: the physical read is widened with the grant's filter columns and mask inputs, each batch is filtered on raw values, masked columns are overwritten, then
    re-projected to the caller's columns (mirrors [core] Add row filter & column masking support for table read paimon#7034; cross-column masks per [WIP][core] Fix column masking correctness in query-auth reads paimon#8570).
  • Statistics stay safe: a row filter makes Plan::row_counts_exact() false — count-based limit pushdown is skipped and DataFusion cannot answer COUNT(*) from unfiltered statistics.
  • Fail-closed guards kept: unparseable grant, caller predicate on a masked column (value oracle), unauthorized columns, dynamic-option override.

@plusplusjiajia plusplusjiajia force-pushed the query-auth-enforce-v2 branch from 42dee01 to c061a12 Compare July 12, 2026 05:06
@plusplusjiajia plusplusjiajia force-pushed the query-auth-enforce-v2 branch from c061a12 to 71c6710 Compare July 12, 2026 08:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant