9aman commented on code in PR #16043:
URL: https://github.com/apache/pinot/pull/16043#discussion_r2149078853
##########
pinot-broker/src/main/java/org/apache/pinot/broker/api/AccessControl.java:
##########
@@ -120,4 +128,39 @@ default TableAuthorizationResult
authorize(RequesterIdentity requesterIdentity,
return hasAccess(requesterIdentity, tables) ?
TableAuthorizationResult.success()
: new TableAuthorizationResult(tables);
}
+
+
+ /**
+ * Returns RLS/CLS filters for a particular table. By default, there are no
RLS/CLS filters on any table.
+ * @param requesterIdentity requested identity
+ * @param table Table used in the query. Table name can be with or without
tableType.
+ * @return {@link TableRowColAuthResult} with the result of the access
control check
+ */
+ default TableRowColAuthResult getRowColFilters(RequesterIdentity
requesterIdentity, String table) {
+ if (table.equals("upsertMeetupRsvp")) {
+ return new TableRowColAuthResultImpl(Map.of("policyID1",
List.of("event_id > 60", "event_id < 70")), Map.of(),
Review Comment:
Marking this as resolved. Please reopen if needed.
##########
pinot-broker/src/main/java/org/apache/pinot/broker/broker/BasicAuthAccessControlFactory.java:
##########
@@ -129,12 +132,43 @@ public TableAuthorizationResult
authorize(RequesterIdentity requesterIdentity, S
failedTables.add(table);
}
}
- if (failedTables.isEmpty()) {
- return TableAuthorizationResult.success();
- }
+// if (failedTables.isEmpty()) {
+// return TableAuthorizationResult.success();
+// }
return new TableAuthorizationResult(failedTables);
}
+ @Override
+ public TableRowColAuthResult getRowColFilters(RequesterIdentity
requesterIdentity, String table) {
+ Optional<BasicAuthPrincipal> principalOpt =
getPrincipalOpt(requesterIdentity);
+
+ if (principalOpt.isEmpty()) {
+ throw new NotAuthorizedException("Basic");
+ }
+
+ if (table == null) {
+ return TableRowColAuthResultImpl.unrestricted();
+ }
+
+ TableRowColAuthResult tableRowColAuthResult = new
TableRowColAuthResultImpl();
+
+ BasicAuthPrincipal principal = principalOpt.get();
+
+ //precondition: The principal should have the table.
+ Preconditions.checkArgument(principal.hasTable(table),
+ "Principal: " + principal.getName() + " does not have access to
table: " + table);
+
+ Optional<Map<String, List<String>>> rlsFiltersMaybe =
principal.getRLSFilters(table);
+ Optional<Map<String, List<String>>> visibleColsMaybe =
principal.getVisibleCols(table);
Review Comment:
Marking this as resolved. Please reopen if needed.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscr...@pinot.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@pinot.apache.org
For additional commands, e-mail: commits-h...@pinot.apache.org
