laurentgo commented on code in PR #13879:
URL: https://github.com/apache/iceberg/pull/13879#discussion_r2492228244
##########
open-api/rest-catalog-open-api.yaml:
##########
@@ -3260,6 +3260,71 @@ components:
additionalProperties:
type: string
+ ReadRestrictions:
+ type: object
+ description: >
+ Read restrictions for a table, including projection and row filter
expressions, according to the current schema.
+
+ A client MUST enforce the restrictions defined in this object when
reading data
+ from the table.
+
+ These restrictions apply only to the authenticated principal, user,
or account
+ associated with the client. They MUST NOT be interpreted as global
policy and
+ MUST NOT be applied beyond the entity identified by the
Authentication header
+ (or other applicable authentication mechanism).
+ properties:
+ required-projection:
+ description: >
+ A list of projections that MUST be applied prior to any
query-specified
+ projections.
+ If the required-projection property is absent or empty, no
mandatory projection applies,
+ and a reader MAY project any subset of columns of the table,
including all columns.
+
+ 1. A reader MUST project only columns listed in the
required-projection.
+ - If a listed column has a transform, the reader MUST apply it
and replace
+ all references to the underlying column with the transformed
value
+ (for example, truncate(4, cc) MUST be projected as truncate(4,
cc) AS cc,
+ and all references to cc during query evaluation MUST resolve
to this alias).
+ - If a listed column has no transform, the reader MUST read it
as-is.
+ - Columns not listed in the required-projection MUST NOT be read.
+
+ 2. A column MUST appear at most once in the required-projection.
+
+ 3. A projection entry MUST reference either the column itself or
exactly one
+ transformed version of the column, but not both.
+
+ 4. Multiple transformed versions of the same column (e.g.,
truncate(5, col)
+ and truncate(3, col)) MUST NOT appear in the required-projection.
+
+ 5. If a projection entry includes a transform that the reader
cannot evaluate,
+ the reader MUST fail rather than ignore the transform.
+
+ 6. An identity transform is equivalent to projecting the column
directly.
+ A reader MAY represent it in either form.
+
+ 7. The data type of the projected column MUST match the data type
defined for the transform result.
+
+ type: array
+ items:
+ $ref: '#/components/schemas/Term'
+ required-row-filter:
+ description: >
+ An expression that filters rows in the table.
+
+ 1. A reader MUST discard any row for which the filter evaluates to
false, and
+ no information derived from discarded rows MAY be included in
the query result.
+
+ 2. Row filters MUST be evaluated against the original,
untransformed column values.
+ Required projections MUST be applied only after row filters are
applied.
+
+ 3. If the catalog supports multiple row access filters for the
table, it is
Review Comment:
One could say the same about row masking as well, but that really seems a
design choice at the authorization level if they allow policies to only return
one or multiple results and how they should combine (I saw some system where
multiple policies may be returned based on the principal appartenance to
multiple roles, and the authorizer has some logic to actually return which is
basically the least restrictive of those policies, similar to how permissions
at table level could be combined). The responsability of the catalog is to
return the expression to apply which represent the full extent of the
authorization
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
