Skip to content

Enable access control row filters and masks for views #25052

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Enable access control row filters and masks for views #25052

wants to merge 2 commits into from

Conversation

BryanCutler
Copy link
Contributor

Description

This enables adding row filters and column masks from an access control implementation to view.

Closes #25025

Motivation and Context

The recent addition of access control row filters and column masks from #24278 worked for tables, but not for views. It is import for security that views and materialized views apply row filters and column masks from access control.

Impact

No change in SPI.

Test Plan

Unit tests added to verify filters and masks are correctly applied to views.

Contributor checklist

  • Please make sure your submission complies with our contributing guide, in particular code style and commit standards.
  • PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
  • Documented new properties (with its default value), SQL syntax, functions, or other functionality.
  • If release notes are required, they follow the release notes guidelines.
  • Adequate tests were added if applicable.
  • CI passed.

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

Security Changes
* Add support for access control row filters and column masks on views.

@BryanCutler @martint
Apply filters and masks for tables referenced by views
c904d9e 
Cherry-pick of trinodb/trino@84429d8

This implements getRowFilters and getColumnMasks in ViewAccessControl.
Another commit will enalbe filters and masks to be applied on views
during analysis.

Co-authored-by: Martin Traverso <[email protected]>
@BryanCutler BryanCutler requested a review from a team as a code owner May 5, 2025 23:55
@BryanCutler BryanCutler requested a review from jaystarshot May 5, 2025 23:55
@prestodb-ci prestodb-ci added the from:IBM PR from IBM label May 5, 2025
@prestodb-ci prestodb-ci requested review from a team, jp-sivaprasad and auden-woolfson and removed request for a team May 5, 2025 23:55
@BryanCutler @martint
Apply filters and masks for view object
c5337b9 
The planner for Table node was bailing out early if the table reference
corresponded to a view or named query without attaching any masks or
filters that may have been resolved.

Cherry-pick of trinodb/trino@6721cfa

Add filters and masks to processView in StatementAnalyzer,
and move duplicate code to analyze filters and masks into
common analyzeFiltersAndMasks method.

Co-authored-by: Martin Traverso <[email protected]>
@BryanCutler BryanCutler force-pushed the qaag-filter-mask-views-25025 branch from 7db6c6d to c5337b9 Compare May 5, 2025 23:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jaystarshot jaystarshot Awaiting requested review from jaystarshot jaystarshot is a code owner automatically assigned from prestodb/committers

@jp-sivaprasad jp-sivaprasad Awaiting requested review from jp-sivaprasad jp-sivaprasad was automatically assigned from prestodb/ibm-reviewers

@auden-woolfson auden-woolfson Awaiting requested review from auden-woolfson auden-woolfson was automatically assigned from prestodb/ibm-reviewers

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
from:IBM PR from IBM
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Apply access control row filters and column masks to view objects
2 participants
@BryanCutler @prestodb-ci