cecemei opened a new pull request, #17564:
URL: https://github.com/apache/druid/pull/17564
This PR adds the ability to attach row filters to a query, thus restrict
row-level data access for given users.
### Description
A query follows these steps: initialize -> authorize -> execute. In the
authorize step, the permissions are checked for all the required resources in
the query. Before this PR, the authorize step only returns allow or deny access
on a table. Granting access to a table means a user can see all data in this
table. After this PR, the authorize step can return allow access along with
restrictions (i.e. a row filter that must be applied to the table ), which
restrict users' data access at row level. For example, customers can only see
rows relevant to their company.
The `authorizeAllResourceActions` now returns a `AuthorizationResult`
instead of `Access`, this class also replaces `DruidPlanner.AuthResult` class.
The main difference between `AuthorizationResult` and `Access` is that the
former contains a map of table with `DimFilter`. It can also have
`ResourceAction` Iterables which DruidPlanner cares about.
In the authorize step of `QueryLifecycle`, it would enforce the filters on
tables in the datasource tree, transform `TableDataSource` to
`RestrictedDataSource`. In the execute step, filters are applied through
`RestrictedSegment` and `RestrictedCursorFactory`.
##### Key changed/added classes in this PR
* a new class `AuthorizationResult`, which contains:
* deny/ allow results for checking permissions on a list of resource
actions.
* failure message if authorization fails, this is null when auth is
allowed, and is the error message of the first resource action authorization
failure (there might be more failures, but we don't try further)
* a map of table name with row-level policy filters.
* a new class `RestrictedDataSource`, which wraps a `TableDataSource` with
a DimFilter. If the filter is null, meaning there's no applied.
* a new class `RestrictedSegment`, which represents a segment with a
filter.
* a new class `RestrictedCursorFactory`, can be created by
`RestrictedSegment.asCursorFactory`, enforces the DimFilter on `Cursor`.
<hr>
This PR has:
- [ ] been self-reviewed.
- [ ] using the [concurrency
checklist](https://github.com/apache/druid/blob/master/dev/code-review/concurrency.md)
(Remove this item if the PR doesn't have any relation to concurrency.)
- [ ] added documentation for new or modified features or behaviors.
- [ ] a release note entry in the PR description.
- [ ] added Javadocs for most classes and all non-trivial methods. Linked
related entities via Javadoc links.
- [ ] added or updated version, license, or notice information in
[licenses.yaml](https://github.com/apache/druid/blob/master/dev/license.md)
- [ ] added comments explaining the "why" and the intent of the code
wherever would not be obvious for an unfamiliar reader.
- [ ] added unit tests or modified existing tests to cover new code paths,
ensuring the threshold for [code
coverage](https://github.com/apache/druid/blob/master/dev/code-review/code-coverage.md)
is met.
- [ ] added integration tests.
- [ ] been tested in a test Druid cluster.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
