NihalJain opened a new issue, #17220: URL: https://github.com/apache/pinot/issues/17220
### Summary

Currently, Row-Level Security (RLS) filters are not supported when using ZooKeeper-based authentication (`ZkBasicAuthAccessControlFactory`). While the RLS infrastructure exists and works with file-based authentication, the ZK authentication implementation passes empty RLS filters.

This PR adds full RLS support to ZK-based authentication by:

1. Extending `UserConfig` to store RLS filters per table
2. Updating `BasicAuthUtils` to extract and pass RLS filters to `ZkBasicAuthPrincipal`
3. Updating the REST API documentation with RLS filter examples

### Background

Related commits that introduced initial RLS work:

- https://github.com/apache/pinot/commit/f1cbec74aad225460cd301a3aed4465ed87cc4f9
- https://github.com/apache/pinot/commit/3ecbb61dfb201aa51e099a0668550d66d2898de6

### Problem

When creating users via the ZK-based authentication REST API, there was no way to specify RLS filters. The `BasicAuthUtils.extractBasicAuthPrincipals(List<UserConfig>)` method was hardcoded to pass `Map.of()` (empty map) for RLS filters, resulting in:

- RLS filters being ignored for all ZK-authenticated users

### Proposed Solution

The goal is to implement RLS support by:

1. **UserConfig Changes** (`pinot-spi/src/main/java/org/apache/pinot/spi/config/user/UserConfig.java`)
   - Added `rlsFilters` field of type `Map<String, List<String>>`
   - Added JSON property key `RLS_FILTERS_KEY`
   - Added getter method and validation
2. **BasicAuthUtils Changes** (`pinot-core/src/main/java/org/apache/pinot/core/auth/BasicAuthUtils.java`)
   - Modified `extractBasicAuthPrincipals(List<UserConfig>)` to extract RLS filters from UserConfig
   - Replaced empty `Map.of()` with actual RLS filter extraction
   - RLS filters now properly passed to `ZkBasicAuthPrincipal` constructor
3. **API Documentation** (`pinot-controller/src/main/java/org/apache/pinot/controller/api/resources/PinotAccessControlUserRestletResource.java`)
   - Updated REST API documentation with RLS filter format examples

### API Usage Example

```json
POST /users
{
  "username": "userRLS",
  "password": "secret",
  "component": "BROKER",
  "role": "USER",
  "tables": ["table1", "table2"],
  "permissions": ["READ"],
  "rlsFilters": {
    "table1": ["column1='value1'"],
    "table2": ["column2='value2' AND column3='value3'"]
  }
}
```
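An added example, not part of the issue or of Pinot's code: a small audit over user configs in the JSON shape of the `POST /users` payload above, reporting tables a user can read with no RLS filter and filter keys that name tables outside the user's `tables` list. The function name, finding labels and sample users are constructed, and treating a missing or blank filter as unrestricted row access is an assumption.

```python
import json

# Constructed sample payloads in the shape of the issue's POST /users example.
SAMPLE_USERS = json.loads("""
[
  {"username": "userRLS", "component": "BROKER", "role": "USER",
   "tables": ["table1", "table2"], "permissions": ["READ"],
   "rlsFilters": {"table1": ["column1='value1'"],
                  "table2": ["column2='value2' AND column3='value3'"]}},
  {"username": "userPartial", "component": "BROKER", "role": "USER",
   "tables": ["table1", "table2"], "permissions": ["READ"],
   "rlsFilters": {"table1": ["column1='value1'"],
                  "table2": ["  "],
                  "table3": ["c='x'"]}},
  {"username": "userNoRls", "component": "BROKER", "role": "USER",
   "tables": ["table1"], "permissions": ["READ"]}
]
""")


def audit_rls(users):
    """Return sorted (username, table, finding) tuples for RLS coverage gaps."""
    findings = []
    for user in users:
        name = user.get("username", "<unnamed>")
        tables = user.get("tables") or []
        filters = user.get("rlsFilters") or {}
        if "READ" not in (user.get("permissions") or []):
            continue  # only read access exposes rows
        for table in tables:
            exprs = filters.get(table)
            if exprs is None:
                # Assumption: no entry means the user reads every row.
                findings.append((name, table, "NO_FILTER"))
            elif not exprs or any(not str(e).strip() for e in exprs):
                findings.append((name, table, "EMPTY_FILTER"))
        for table in filters:
            if table not in tables:
                # A filter keyed on a table the user was never granted.
                findings.append((name, table, "FILTER_ON_UNGRANTED_TABLE"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_rls(SAMPLE_USERS):
        print(*finding, sep="\t")
```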
