gianm commented on code in PR #17564:
URL: https://github.com/apache/druid/pull/17564#discussion_r1890985554
##########
processing/src/main/java/org/apache/druid/query/DataSource.java:
##########
@@ -118,6 +123,27 @@ public interface DataSource
*/
DataSource withUpdatedDataSource(DataSource newSource);
+ default DataSource mapWithRestriction(Map<String, Optional<DimFilter>>
rowFilters)
+ {
+ return mapWithRestriction(rowFilters, true);
+ }
+
+ /**
+ * Returns an updated datasource based on the policy restrictions on tables.
If this datasource contains no table, no
+ * changes should occur.
+ *
+ * @param rowFilters a mapping of table names to row filters, every table in
the datasource tree must have an entry
+ * @return the updated datasource, with restrictions applied in the
datasource tree
+ */
+ default DataSource mapWithRestriction(Map<String, Optional<DimFilter>>
rowFilters, boolean enableStrictPolicyCheck)
Review Comment:
Ah, I see. The strict check should be even stricter: there should be a mode
that requires all authorization results to have some non-empty set of policies.
The idea with that check is it's a defense against the authorizer being
mis-configured in such a way that policies aren't being reported properly.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
