rdblue commented on code in PR #13810:
URL: https://github.com/apache/iceberg/pull/13810#discussion_r2748006111


##########
open-api/rest-catalog-open-api.yaml:
##########
@@ -980,6 +980,30 @@ paths:
           schema:
             type: string
             enum: [ all, refs ]
+        - in: query
+          name: referenced-by
+          description:
+            A comma-separated list of fully qualified view names (namespace 
and view name) representing the view
+            reference chain when a table is loaded via a view. The list should 
be ordered with the outermost view
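
Review bot: The `referenced-by` description defines the value as a comma-separated list of fully qualified view names (namespace and view name) but, in the lines shown, does not say how an entry is encoded: how the namespace levels are delimited from the view name, or how a name that itself contains a comma is escaped. If the catalog uses this chain to decide what access applies, client and server have to parse it identically, so the description should state the separator and escaping rules (for example, percent-encoding each name before joining) and say what the server does with a chain it cannot parse or that names a view the caller cannot load.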

Review Comment:
   > Feels like it would be a security hole?
   
   I'm not sure I follow the case where this could be a security hole. Any time 
you get the permissions of a DEFINER, you must have access to the DEFINER view. 
Wouldn't it be strange if the catalog's intent was to nest an INVOKER view 
inside a DEFINER view in order to protect data referenced by the INVOKER? And I 
don't think it's a hole if that's the case because the catalog is what gets to 
decide (at least with the referenced-by chain) what the behavior is.


