laurentgo commented on code in PR #13879:
URL: https://github.com/apache/iceberg/pull/13879#discussion_r2467831118
##########
open-api/rest-catalog-open-api.yaml:
##########
@@ -3260,6 +3260,71 @@ components:
additionalProperties:
type: string
+ ReadRestrictions:
+ type: object
+ description: >
+ Read restrictions for a table, including projection and row filter
expressions, according to the current schema.
+
+ A client MUST enforce the restrictions defined in this object when
reading data
+ from the table.
+
+ These restrictions apply only to the authenticated principal, user,
or account
Review Comment:
> Because there are many ways to establish trust such as mTLS / on-behalf
etc. Is the feedback to not go into specifics at all ?
Yes, that's basically the core of it :)
> I am not sure if we can do ETAG checks in-general on a protected resource
without authorization checks in place ?
I'm not sure the Polaris implementation is 100% correct. The issue is not
in the authorization part, but the fact that the etag would only include the
table metadata representation but none of the other data returned in the
response, so a client may have cached the temporary credentials (or possibly
also the read restrictions) and because it got a `304 Not modified` from the
server, assumes it can reuse the representation it stored.
Those extra information could also be included in the etag computation (it
may become to be too expensive though?), and assuming also that the client
keeps a cache per authorization header (+ whatever is returned by the `Vary`
header), it could possibly be cache-compatible
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
