singhpk234 commented on code in PR #13879:
URL: https://github.com/apache/iceberg/pull/13879#discussion_r2492770752


##########
open-api/rest-catalog-open-api.yaml:
##########
@@ -3260,6 +3260,71 @@ components:
           additionalProperties:
             type: string
 
+    ReadRestrictions:
+      type: object
+      description: >
+          Read restrictions for a table, including projection and row filter 
expressions, according to the current schema.
+
+          A client MUST enforce the restrictions defined in this object when 
reading data
+          from the table.
+
+          These restrictions apply only to the authenticated principal, user, 
or account
+          associated with the client. They MUST NOT be interpreted as global 
policy and
+          MUST NOT be applied beyond the entity identified by the 
Authentication header
+          (or other applicable authentication mechanism).
+      properties:
+        required-projection:
+          description: >
+            A list of projections that MUST be applied prior to any 
query-specified
+            projections.
+            If the required-projection property is absent or empty, no 
mandatory projection applies,
+            and a reader MAY project any subset of columns of the table, 
including all columns.
+
+            1. A reader MUST project only columns listed in the 
required-projection.
+              - If a listed column has a transform, the reader MUST apply it 
and replace
+                all references to the underlying column with the transformed 
value
+                (for example, truncate(4, cc) MUST be projected as truncate(4, 
cc) AS cc,
+                and all references to cc during query evaluation MUST resolve 
to this alias).
+              - If a listed column has no transform, the reader MUST read it 
as-is.
+              - Columns not listed in the required-projection MUST NOT be read.
+
+            2. A column MUST appear at most once in the required-projection.
+      
+            3. A projection entry MUST reference either the column itself or 
exactly one
+              transformed version of the column, but not both.
+      
+            4. Multiple transformed versions of the same column (e.g., 
truncate(5, col)
+              and truncate(3, col)) MUST NOT appear in the required-projection.
+      
+            5. If a projection entry includes a transform that the reader 
cannot evaluate,
+              the reader MUST fail rather than ignore the transform.
+      
+            6. An identity transform is equivalent to projecting the column 
directly.
+              A reader MAY represent it in either form.
+            
+            7. The data type of the projected column MUST match the data type 
defined for the transform result.
+
+          type: array
+          items:
+            $ref: '#/components/schemas/Term'
+        required-row-filter:
+          description: >
+            An expression that filters rows in the table.
+      
+            1. A reader MUST discard any row for which the filter evaluates to 
false, and
+              no information derived from discarded rows MAY be included in 
the query result.
+            
+            2. Row filters MUST be evaluated against the original, 
untransformed column values.
+              Required projections MUST be applied only after row filters are 
applied.
+      
+            3. If the catalog supports multiple row access filters for the 
table, it is
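
Review bot: In the required-row-filter description, the lines shown state what a reader does when the filter "evaluates to false" (item 1) but not what it does when it cannot evaluate the filter expression at all. required-projection item 5 already takes the fail-closed position for transforms ("the reader MUST fail rather than ignore the transform"); suggest a parallel item for the row filter, such as "If the reader cannot evaluate the required-row-filter, it MUST fail rather than ignore the filter", so an older or partial client cannot silently return unfiltered rows. Separately, in required-projection, items 3 and 4 look implied by item 2 ("A column MUST appear at most once"); consider merging the three into one rule so they cannot drift apart in later edits.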

Review Comment:
   > The responsibility of the catalog is to return the expression to apply which represents the full extent of the authorization
   
   I agree in principle. The intention of the statement is that if a catalog supports more than one RAP attached to the table, it's the catalog's responsibility to return a single expression that represents the filter the client needs to perform; no partial policy should be sent. It is not mandating anything: a catalog can either figure out the least restrictive RAP on its own or just simply disjunct all the RAPs so that the least privilege RAP gets applied on its own during execution. I do agree it's not **_absolutely_** necessary to state this, but I do find value in the statement for vendors supporting attaching more than one RAP to the table.


