Re: [PR] Adding changes for supporting RLS [pinot]

Mon, 09 Jun 2025 04:41:52 -0700 


vrajat commented on code in PR #16043:
URL: https://github.com/apache/pinot/pull/16043#discussion_r2135513783


##########
pinot-broker/src/main/java/org/apache/pinot/broker/broker/BasicAuthAccessControlFactory.java:
##########
@@ -129,12 +132,43 @@ public TableAuthorizationResult 
authorize(RequesterIdentity requesterIdentity, S
           failedTables.add(table);
         }
       }
-      if (failedTables.isEmpty()) {
-        return TableAuthorizationResult.success();
-      }
+//      if (failedTables.isEmpty()) {
+//        return TableAuthorizationResult.success();
+//      }
       return new TableAuthorizationResult(failedTables);
     }
 
+    @Override
+    public TableRowColAuthResult getRowColFilters(RequesterIdentity 
requesterIdentity, String table) {
+      Optional<BasicAuthPrincipal> principalOpt = 
getPrincipalOpt(requesterIdentity);
+
+      if (principalOpt.isEmpty()) {
+        throw new NotAuthorizedException("Basic");
+      }
+
+      if (table == null) {
+        return TableRowColAuthResultImpl.unrestricted();
+      }
+
+      TableRowColAuthResult tableRowColAuthResult = new 
TableRowColAuthResultImpl();
+
+      BasicAuthPrincipal principal = principalOpt.get();
+
+      //precondition: The principal should have the table.
+      Preconditions.checkArgument(principal.hasTable(table),
+          "Principal: " + principal.getName() + " does not have access to 
table: " + table);
+
+      Optional<Map<String, List<String>>> rlsFiltersMaybe = 
principal.getRLSFilters(table);
+      Optional<Map<String, List<String>>> visibleColsMaybe = 
principal.getVisibleCols(table);

Review Comment:
   These are out of scope ?



##########
pinot-broker/src/main/java/org/apache/pinot/broker/broker/BasicAuthAccessControlFactory.java:
##########
@@ -129,12 +132,43 @@ public TableAuthorizationResult 
authorize(RequesterIdentity requesterIdentity, S
           failedTables.add(table);
         }
       }
-      if (failedTables.isEmpty()) {
-        return TableAuthorizationResult.success();
-      }
+//      if (failedTables.isEmpty()) {
+//        return TableAuthorizationResult.success();
+//      }
       return new TableAuthorizationResult(failedTables);
     }
 
+    @Override
+    public TableRowColAuthResult getRowColFilters(RequesterIdentity 
requesterIdentity, String table) {
+      Optional<BasicAuthPrincipal> principalOpt = 
getPrincipalOpt(requesterIdentity);
+
+      if (principalOpt.isEmpty()) {

Review Comment:
   This should return an empty list ?



##########
pinot-broker/src/main/java/org/apache/pinot/broker/api/AccessControl.java:
##########
@@ -120,4 +128,39 @@ default TableAuthorizationResult 
authorize(RequesterIdentity requesterIdentity,
     return hasAccess(requesterIdentity, tables) ? 
TableAuthorizationResult.success()
         : new TableAuthorizationResult(tables);
   }
+
+
+  /**
+   * Returns RLS/CLS filters for a particular table. By default, there are no 
RLS/CLS filters on any table.
+   * @param requesterIdentity requested identity
+   * @param table Table used in the query. Table name can be with or without 
tableType.
+   * @return {@link TableRowColAuthResult} with the result of the access 
control check
+   */
+  default TableRowColAuthResult getRowColFilters(RequesterIdentity 
requesterIdentity, String table) {
+    if (table.equals("upsertMeetupRsvp")) {
+      return new TableRowColAuthResultImpl(Map.of("policyID1", 
List.of("event_id > 60", "event_id < 70")), Map.of(),
+          Map.of());
+    } else if (table.equals("upsertPartialMeetupRsvp")) {
+      return new TableRowColAuthResultImpl(Map.of("policyID1", 
List.of("event_id > 60", "event_id < 70")), Map.of(),
+          Map.of());
+    }
+    return TableRowColAuthResultImpl.unrestricted();
+  }
+
+  /**
+   * Convenience method to get RLS/CLS filters for a set of tables. By 
default, we iterate through each table and do
+   * the check using {@link AccessControl#getRowColFilters(RequesterIdentity, 
String)} and construct the final
+   * response by returning an instance of {@link MultiTableRowColAuthResult}
+   * @param requesterIdentity requester identity
+   * @param tables Set of pinot tables used in the query. Table name can be 
with or without tableType.
+   * @return {@link MultiTableRowColAuthResult} with the result of the access 
control check.
+   */
+  default MultiTableRowColAuthResult getRowColFilters(RequesterIdentity 
requesterIdentity, Set<String> tables) {

Review Comment:
   This was an ongoing discussion. Its not clear to me why 
`MultiTableRowColAuthResult` is required. I suggest you remove it and see if it 
is still usable by MSE.



##########
pinot-broker/src/main/java/org/apache/pinot/broker/api/AccessControl.java:
##########
@@ -120,4 +128,39 @@ default TableAuthorizationResult 
authorize(RequesterIdentity requesterIdentity,
     return hasAccess(requesterIdentity, tables) ? 
TableAuthorizationResult.success()
         : new TableAuthorizationResult(tables);
   }
+
+
+  /**
+   * Returns RLS/CLS filters for a particular table. By default, there are no 
RLS/CLS filters on any table.
+   * @param requesterIdentity requested identity
+   * @param table Table used in the query. Table name can be with or without 
tableType.
+   * @return {@link TableRowColAuthResult} with the result of the access 
control check
+   */
+  default TableRowColAuthResult getRowColFilters(RequesterIdentity 
requesterIdentity, String table) {
+    if (table.equals("upsertMeetupRsvp")) {
+      return new TableRowColAuthResultImpl(Map.of("policyID1", 
List.of("event_id > 60", "event_id < 70")), Map.of(),

Review Comment:
   IMO, the results should be a list. I dont think the concept of policy is 
required.



##########
pinot-broker/src/main/java/org/apache/pinot/broker/broker/BasicAuthAccessControlFactory.java:
##########
@@ -105,9 +108,9 @@ public AuthorizationResult authorize(RequesterIdentity 
requesterIdentity, Broker
       if (!principal.hasTable(brokerRequest.getQuerySource().getTableName())) {
         failedTables.add(brokerRequest.getQuerySource().getTableName());
       }
-      if (failedTables.isEmpty()) {
-        return TableAuthorizationResult.success();
-      }
+//      if (failedTables.isEmpty()) {

Review Comment:
   Is this change based on some other yet to be merged PR ? 



##########
pinot-broker/src/main/java/org/apache/pinot/broker/requesthandler/MultiStageBrokerRequestHandler.java:
##########
@@ -304,6 +306,27 @@ private void checkAuthorization(RequesterIdentity 
requesterIdentity, RequestCont
       if (!tableAuthorizationResult.hasAccess()) {
         throwTableAccessError(tableAuthorizationResult);
       }
+      AccessControl accessControl = _accessControlFactory.create();
+      MultiTableRowColAuthResult rowColFilters = 
accessControl.getRowColFilters(requesterIdentity, tables);

Review Comment:
   Can you check if TableRowColAuthResult can be used instead ? 



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscr...@pinot.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@pinot.apache.org
For additional commands, e-mail: commits-h...@pinot.apache.org

Reply via email to