singhpk234 commented on code in PR #13879:
URL: https://github.com/apache/iceberg/pull/13879#discussion_r2467088766
##########
open-api/rest-catalog-open-api.yaml:
##########
@@ -3260,6 +3260,71 @@ components:
additionalProperties:
type: string
+ ReadRestrictions:
+ type: object
+ description: >
+ Read restrictions for a table, including projection and row filter
expressions, according to the current schema.
+
+ A client MUST enforce the restrictions defined in this object when
reading data
+ from the table.
+
+ These restrictions apply only to the authenticated principal, user,
or account
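Review bot: The "A client MUST enforce the restrictions" sentence in the ReadRestrictions description places enforcement on the client but, in the lines shown, does not say what a client that cannot evaluate the projection or row filter must do; unless the rest of the description covers it, suggest stating that such a client MUST fail the read rather than return unrestricted data. The next sentence lists "principal, user, or account" as three alternatives without defining them; pick one term and use it consistently so the scope of the restrictions is unambiguous.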
Review Comment:
> User/principals are the obvious ones, but the environment (for example the
> engine trustworthiness, or if the client is from within vs outside) could be
> part of it.

My understanding is that trusted engine is more about authenticating both the
user and the engine (that the catalog trusts), but still authorizing on the user
grants. Do we wanna be explicit about trust, or is being implicit fine?
Because there are many ways to establish trust, such as mTLS / on-behalf etc.
Is the feedback to not go into specifics at all?

> But ETag is a HTTP concept (not an iceberg one) and the semantic is about
> the whole response, not a part of it

I understand, I meant Iceberg ETAG handling. My understanding is we should
validate nothing changed post doing authorization checks? The authorization
check defines what kind of creds one gets, and so will be the same for these
read restrictions. In fact, we do similar handling in Polaris for this:
1. do AuthZ checks
[here](https://github.com/apache/polaris/blob/main/runtime/service/src/main/java/org/apache/polaris/service/catalog/iceberg/IcebergCatalogHandler.java#L742)
2. then from the table's recent metadata pointer create an etag and match the
etag from the request; if they match, nothing changed?
[here](https://github.com/apache/polaris/blob/main/runtime/service/src/main/java/org/apache/polaris/service/catalog/iceberg/IcebergCatalogHandler.java#L758)

I am not sure if we can do ETAG checks in general on a protected resource
without authorization checks in place?
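
The ordering described in the comment above (authorization first, then an ETag derived from the table's current metadata pointer), as an added Python sketch. It is not code from Polaris or Iceberg; the names `authorize`, `etag_for` and `load_table`, the sample table and grants, and the choice to hash the pointer are assumptions.

```python
import hashlib


class Forbidden(Exception):
    """Raised when the principal has no read grant on the table."""


# Constructed sample state: table -> current metadata pointer, and read grants.
METADATA_POINTER = {"db.orders": "s3://bucket/db/orders/metadata/00003.metadata.json"}
READ_GRANTS = {"db.orders": {"alice"}}


def authorize(principal, table):
    # Step 1: authorize on the user's grants before touching the ETag.
    if principal not in READ_GRANTS.get(table, set()):
        raise Forbidden(f"{principal} may not read {table}")


def etag_for(table):
    # Step 2: derive the ETag from the table's current metadata pointer.
    # Hashing the pointer is an assumption of this sketch.
    digest = hashlib.sha256(METADATA_POINTER[table].encode()).hexdigest()
    return f'"{digest[:16]}"'


def load_table(principal, table, if_none_match=None):
    """Return (status, etag, body) for a conditional loadTable-style request."""
    try:
        authorize(principal, table)
    except Forbidden:
        # Same answer whether or not If-None-Match matches, so an
        # unauthorized caller cannot learn if the table has changed.
        return 403, None, None
    etag = etag_for(table)
    if if_none_match == etag:
        return 304, etag, None
    return 200, etag, {"metadata-location": METADATA_POINTER[table]}
```

If the ETag comparison ran before `authorize`, the 304 versus 200 distinction would be visible to callers with no grant on the table.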