zddr commented on code in PR #38301:
URL: https://github.com/apache/doris/pull/38301#discussion_r1696388612


##########
fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/logical/LogicalCheckPolicy.java:
##########
@@ -230,4 +235,62 @@ public RelatedPolicy(Optional<Expression> rowPolicyFilter, 
Optional<List<NamedEx
             this.dataMaskProjects = dataMaskProjects;
         }
     }
+
+    private Expression getMaskTypeDef(NereidsParser parser, DataMaskPolicy 
dataMaskPolicy, Slot slot) {
+        if (dataMaskPolicy instanceof DorisDataMaskPolicy) {
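Review bot: The `dataMaskPolicy instanceof DorisDataMaskPolicy` test at the top of `getMaskTypeDef` branches on a concrete class even though the method takes the general `DataMaskPolicy` type, which ties `LogicalCheckPolicy` to one implementation. Consider letting each `DataMaskPolicy` implementation supply its own mask expression through a method on that type, so this class never inspects the concrete class. The lines shown do not include the path taken when the check is false; whatever it does, a policy of another type should not result in the column being returned unmasked, and the new method would benefit from a short comment stating what it returns in each case.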

Review Comment:
   I don't understand why it's necessary to determine if it's an internal Doris 
DataMaskPolicy? What is the purpose of this code? If necessary, it should also 
be placed inside the Doris data mask logic, and there should be no concern 
about what type of data mask it is.



##########
fe/fe-core/src/main/java/org/apache/doris/policy/PolicyMgr.java:
##########
@@ -379,6 +389,40 @@ public RowPolicy getMatchTablePolicy(String ctlName, 
String dbName, String table
         return mergeRowPolicies(res);
     }
 
+    public DorisDataMaskPolicy getDataMaskPolicy(String ctlName, String 
dbName, String tableName, String colName, UserIdentity user) {
+        if (!hasDataMaskPolicy(ctlName, dbName, tableName, colName)) {
+            return null;
+        }
+        readLock();
+        try {
+            if (!hasDataMaskPolicy(ctlName, dbName, tableName, colName)) {
+                return null;
+            }
+            List<DorisDataMaskPolicy> dorisDataMaskPolicies = 
dataMaskPolicies.get(ctlName).get(dbName).get(tableName)
+                    .get(colName);
+            Set<String> roles = 
Env.getCurrentEnv().getAccessManager().getAuth().getRolesByUserWithLdap(user).stream()
+                    .map(role -> 
ClusterNamespace.getNameFromFullName(role.getRoleName())).collect(Collectors.toSet());
+
+            for (DorisDataMaskPolicy dataMaskPolicy : dorisDataMaskPolicies) {
+                if ((dataMaskPolicy.getUser() != null && 
dataMaskPolicy.getUser().getQualifiedUser()
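Review bot: `getRolesByUserWithLdap(user)` is evaluated after `readLock()`, so role resolution (which, going by its name, may consult LDAP) runs while the policy read lock is held; compute `roles` before taking the lock and keep only the map lookup and the loop inside it. The first `hasDataMaskPolicy(...)` call runs before `readLock()` and is repeated under it, so a comment should say that the unlocked call is only a fast path and that the chained `dataMaskPolicies.get(ctlName).get(dbName).get(tableName).get(colName)` relies on the locked check for every level being non-null. The method also returns `null` to mean "no policy", which should be documented so callers handle it explicitly.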

Review Comment:
   Unlike row policy, datamask can only return one piece of data.
   So is it better to filter out users first and then find roles? This way, 
there can be a priority.
   


