Re: [PR] Adding changes for supporting RLS [pinot]

Thu, 12 Jun 2025 00:42:34 -0700 


9aman commented on code in PR #16043:
URL: https://github.com/apache/pinot/pull/16043#discussion_r2141951090


##########
pinot-broker/src/main/java/org/apache/pinot/broker/api/AccessControl.java:
##########
@@ -120,4 +128,39 @@ default TableAuthorizationResult 
authorize(RequesterIdentity requesterIdentity,
     return hasAccess(requesterIdentity, tables) ? 
TableAuthorizationResult.success()
         : new TableAuthorizationResult(tables);
   }
+
+
+  /**
+   * Returns RLS/CLS filters for a particular table. By default, there are no 
RLS/CLS filters on any table.
+   * @param requesterIdentity requested identity
+   * @param table Table used in the query. Table name can be with or without 
tableType.
+   * @return {@link TableRowColAuthResult} with the result of the access 
control check
+   */
+  default TableRowColAuthResult getRowColFilters(RequesterIdentity 
requesterIdentity, String table) {
+    if (table.equals("upsertMeetupRsvp")) {
+      return new TableRowColAuthResultImpl(Map.of("policyID1", 
List.of("event_id > 60", "event_id < 70")), Map.of(),
+          Map.of());
+    } else if (table.equals("upsertPartialMeetupRsvp")) {
+      return new TableRowColAuthResultImpl(Map.of("policyID1", 
List.of("event_id > 60", "event_id < 70")), Map.of(),
+          Map.of());
+    }
+    return TableRowColAuthResultImpl.unrestricted();
+  }
+
+  /**
+   * Convenience method to get RLS/CLS filters for a set of tables. By 
default, we iterate through each table and do
+   * the check using {@link AccessControl#getRowColFilters(RequesterIdentity, 
String)} and construct the final
+   * response by returning an instance of {@link MultiTableRowColAuthResult}
+   * @param requesterIdentity requester identity
+   * @param tables Set of pinot tables used in the query. Table name can be 
with or without tableType.
+   * @return {@link MultiTableRowColAuthResult} with the result of the access 
control check.
+   */
+  default MultiTableRowColAuthResult getRowColFilters(RequesterIdentity 
requesterIdentity, Set<String> tables) {

Review Comment:
   removed it and relied on TableRowColAuthResult in MSQE as well. 



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscr...@pinot.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@pinot.apache.org
For additional commands, e-mail: commits-h...@pinot.apache.org

Reply via email to