Re: [PR] Adding changes for supporting RLS [pinot]

Tue, 17 Jun 2025 22:03:59 -0700 


vrajat commented on code in PR #16043:
URL: https://github.com/apache/pinot/pull/16043#discussion_r2153640761


##########
pinot-broker/src/main/java/org/apache/pinot/broker/broker/ZkBasicAuthAccessControlFactory.java:
##########
@@ -123,6 +126,12 @@ public TableAuthorizationResult 
authorize(RequesterIdentity requesterIdentity, S
       return new TableAuthorizationResult(failedTables);
     }
 
+    @Override

Review Comment:
   Remove ? The interface has a default implementation



##########
pinot-broker/src/main/java/org/apache/pinot/broker/broker/BasicAuthAccessControlFactory.java:
##########
@@ -135,6 +138,32 @@ public TableAuthorizationResult 
authorize(RequesterIdentity requesterIdentity, S
       return new TableAuthorizationResult(failedTables);
     }
 
+    @Override
+    public TableRowColAuthResult getRowColFilters(RequesterIdentity 
requesterIdentity, String table) {
+      Optional<BasicAuthPrincipal> principalOpt = 
getPrincipalOpt(requesterIdentity);
+
+      if (principalOpt.isEmpty()) {
+        throw new NotAuthorizedException("Basic");
+      }
+
+      if (table == null) {
+        return TableRowColAuthResultImpl.unrestricted();
+      }
+
+      TableRowColAuthResult tableRowColAuthResult = new 
TableRowColAuthResultImpl();
+
+      BasicAuthPrincipal principal = principalOpt.get();

Review Comment:
   No. I dont remember why I added this comment any more. Maybe because there 
was some code w.r.t authz ? Anyway please resolve it. 



##########
pinot-broker/src/main/java/org/apache/pinot/broker/requesthandler/BaseSingleStageBrokerRequestHandler.java:
##########
@@ -434,6 +436,19 @@ protected BrokerResponse doHandleRequest(long requestId, 
String query, SqlNodeAn
         throwAccessDeniedError(requestId, query, requestContext, tableName, 
authorizationResult);
       }
 
+      TableRowColAuthResult rlsFilters = 
accessControl.getRowColFilters(requesterIdentity, tableName);
+
+      //rewrite query
+      Map<String, String> queryOptions =
+          pinotQuery.getQueryOptions() == null ? new HashMap<>() : 
pinotQuery.getQueryOptions();
+
+      rlsFilters.getRLSFilters().ifPresent(rowFilters -> {
+        String combinedFilters = String.join(" AND ", rowFilters);

Review Comment:
   Can you add parentheses and a test for complex expressions ? 



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscr...@pinot.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@pinot.apache.org
For additional commands, e-mail: commits-h...@pinot.apache.org

Reply via email to