rdblue commented on code in PR #13879:
URL: https://github.com/apache/iceberg/pull/13879#discussion_r2289491058
##########
open-api/rest-catalog-open-api.yaml:
##########
@@ -3260,6 +3260,28 @@ components:
additionalProperties:
type: string
+ FineGrainedDataProtectionRules:
+ type: object
+ description: >
+ Fine-grained data protection rules for a table as result of fine
grained policy evaluation at the catalog end based on the clients access rights.
+
+ The client SHOULD use these rules to enforce fine-grained data
protection like column and row level access when reading data from the table.
+ properties:
+ projections:
+ description: >
+ This field contains a list of columns or column transforms to be
projected.
Review Comment:
I think we should phrase this differently as well to state that the only
projections allowed from this table are the ones in this list. That's a bit
difficult to say, though, without being confusing because a mask transform
should actually be substituted for the original column. For instance, if I have
a `mask(str_col, n, m)` function that masks characters n through m of a string
then this would contain a term that is `mask(cc_number, 0, 12)` for a credit
card number column. But that should actually be `mask(cc_number, 0, 12) as
cc_number` in order to replace the column.
How about this?
> A list of projections that must be applied before query projections. If
the term is a transform, it must replace the column referenced by the term.
Readers are not allowed to projection columns that are not listed and must
apply transforms.
The part about replacing a column with the term that transforms it is a bit
weird, still. Maybe this would be better as an object from column name to term,
or as a list of projections that have aliases that match the names.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
