Re: [PR] [SPEC] Add finer grained read restrictions as part of loadTable [iceberg]

Thu, 14 May 2026 16:12:46 -0700 


talatuyarer commented on code in PR #13879:
URL: https://github.com/apache/iceberg/pull/13879#discussion_r3244827427


##########
open-api/rest-catalog-open-api.py:
##########
@@ -1444,6 +1579,53 @@ class AddSchemaUpdate(BaseUpdate):
     )
 
 
+class ReadRestrictions(BaseModel):
+    """
+    Read restrictions for a table, including column projections and row filter 
expressions.
+    A client MUST enforce the restrictions defined in this object when reading 
data from the table.
+    These restrictions apply only to the authenticated principal, user, or 
account associated with the request. They MUST NOT be interpreted as global 
policy and MUST NOT be applied beyond the entity identified by the 
Authentication header (or other applicable authentication mechanism).
+    If both properties are absent or empty, the ReadRestrictions object 
imposes no restrictions and is equivalent to the field being absent from the 
response. A server MUST NOT return an action for a column whose type is not 
listed in that action's "Applicable to" set. For all actions, if the input 
column value is NULL, the output MUST be NULL.
+    If a column projection targets a struct-typed field, other column 
projections in the same ReadRestrictions MUST NOT target any of that struct's 
subfields (at any depth). This avoids ambiguity about which action governs a 
given leaf value.
+
+    """
+
+    required_column_projections: (
+        list[
+            MaskAlphanum
+            | MaskToFixedValue
+            | ReplaceWithNull
+            | ShowFirst4
+            | ShowLast4
+            | TruncateToYear
+            | TruncateToMonth
+            | Sha256Global
+            | Sha256QueryLocal
+            | ApplyExpression
+        ]
+        | None
+    ) = Field(
+        None,
+        alias='required-column-projections',

Review Comment:
   Are there any mechanisms within the schema to hide columns, implementing 
basic column-level security so that if a user attempts to access a restricted 
column, they receive a permission denied error?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to