NihalJain opened a new pull request, #17295:
URL: https://github.com/apache/pinot/pull/17295
This commit extends Row-Level Security (RLS) functionality to
ZooKeeper-based authentication (`ZkBasicAuthAccessControlFactory`), enabling
dynamic user management with table-level filter controls via REST API.
Previously, RLS filters were only supported with file-based `BasicAuth`
configuration. ZK-based authentication passed empty RLS filter maps, preventing
users from applying row-level restrictions when using ZooKeeper for user
management.
Changes:
- Extended UserConfig to store RLS filters per table (`Map<String,
List<String>>`)
- Updated `AccessControlUserConfigUtils` to serialize/deserialize RLS
filters to/from `ZNRecord`
- Modified `BasicAuthUtils` to extract RLS filters from `UserConfig` and
pass to `ZkBasicAuthPrincipal`
- Implemented `getRowColFilters()` in `ZkBasicAuthAccessControlFactory` to
return RLS filters
- Updated `UserConfigBuilder` to support RLS filter configuration
- Added comprehensive unit tests for `UserConfig`, `UserConfigBuilder`, and
`AccessControlUserConfigUtils`
- Added integration tests for ZkAuth RLS scenarios by extracting base class
from existing `BasicAuth` tests
API Example:
```
POST /users
{
"username": "user",
"password": "secret",
"component": "BROKER",
"role": "USER",
"tables": ["table1", "table2"],
"permissions": ["READ"],
"rlsFilters": {
"table1": ["country='US'"],
"table2": ["department='Engineering'", "level='Senior'"]
}
}
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
