stevenzwu commented on code in PR #13879:
URL: https://github.com/apache/iceberg/pull/13879#discussion_r2628974515
##########
open-api/rest-catalog-open-api.yaml:
##########
@@ -3344,6 +3344,104 @@ components:
additionalProperties:
type: string
+ ReadRestrictions:
+ type: object
+ description: >
+ Read restrictions for a table, including column projections and row
filter expressions.
+
+ A client MUST enforce the restrictions defined in this object when
reading data
+ from the table.
+
+ These restrictions apply only to the authenticated principal, user,
or account
+ associated with the request. They MUST NOT be interpreted as global
policy and
+ MUST NOT be applied beyond the entity identified by the
Authentication header
+ (or other applicable authentication mechanism).
+ properties:
+ required-column-projections:
+ description: >
+ A list of projections that MUST be applied prior to any
query-specified
+ projections.
+ If this property is absent, no mandatory projection applies,
+ and a reader MAY project any subset of columns of the table,
including all columns.
+
+ 1. A reader MUST project only columns listed in the
required-column-projections.
+ - If a listed column has a transform, the reader MUST apply it
and replace
+ all references to the underlying column with the transformed
value
+ (for example, truncate[4](cc) MUST be projected as
truncate[4](cc) AS cc,
+ and all references to cc during query evaluation post applying
required-row-filter MUST resolve to this alias).
+ - Columns not listed in the required-column-projections MUST NOT
be read.
+
+ 2. A column MUST appear at most once in the
required-column-projections.
+
+ 3. If a projected column's corresponding entry includes an action
that the reader cannot evaluate,
+ the reader MUST fail rather than ignore the transform.
+
+ 4. An identity transform is equivalent to projecting the column
directly.
+
+ 5. The data type of the projected column MUST match the data type
defined for the transform result.
+
+ type: array
+ items:
+ $ref: '#/components/schemas/Projection'
+ required-row-filter:
+ description: >
+ An expression that filters rows in the table that the
authenticated principal does not have access to.
+
+ 1. A reader MUST discard any row for which the filter evaluates to
false or null, and
+ no information derived from discarded rows MAY be included in
the query result.
+
+ 2. Row filters MUST be evaluated against the original,
untransformed column values.
+ Required projections MUST be applied only after row filters are
applied.
+
+ 3. If a client cannot interpret or evaluate a provided filter
expression, it MUST fail.
+
+ 4. If this property is absent, null, or always true then no
mandatory filtering is required.
+ $ref: '#/components/schemas/Expression'
+
+ Projection:
+ type: object
+ description: Defines a projection for a column.
+ properties:
+ field-id:
+ type: integer
+ description: field id of the column being projected.
+ action:
+ $ref: '#/components/schemas/Action'
+ required:
+ - field-id
+ - action
+
+ Action:
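Review bot: In `required-column-projections`, the description defines the absent case but not the empty-array case. Under rule 1 ("Columns not listed in the required-column-projections MUST NOT be read") an empty list denies every column, while a reader that treats empty the same as absent allows every column, so the two readings differ by the whole table. Suggest stating the empty-array behaviour explicitly, or adding `minItems: 1` if an empty list is not meant to be valid. Rules 1 and 3 also use "transform" and "action" for what the schema calls `action`; one term throughout would remove the doubt about whether they are the same thing.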
Review Comment:
Action is too generic in this context. Maybe name it like `Masking`?
Also, action could be optional, right? If only projection is needed (without
any masking).
##########
open-api/rest-catalog-open-api.yaml:
##########
@@ -3344,6 +3344,104 @@ components:
additionalProperties:
type: string
+ ReadRestrictions:
+ type: object
+ description: >
+ Read restrictions for a table, including column projections and row
filter expressions.
+
+ A client MUST enforce the restrictions defined in this object when
reading data
+ from the table.
+
+ These restrictions apply only to the authenticated principal, user,
or account
+ associated with the request. They MUST NOT be interpreted as global
policy and
+ MUST NOT be applied beyond the entity identified by the
Authentication header
+ (or other applicable authentication mechanism).
+ properties:
+ required-column-projections:
+ description: >
+ A list of projections that MUST be applied prior to any
query-specified
+ projections.
+ If this property is absent, no mandatory projection applies,
+ and a reader MAY project any subset of columns of the table,
including all columns.
+
+ 1. A reader MUST project only columns listed in the
required-column-projections.
+ - If a listed column has a transform, the reader MUST apply it
and replace
+ all references to the underlying column with the transformed
value
+ (for example, truncate[4](cc) MUST be projected as
truncate[4](cc) AS cc,
+ and all references to cc during query evaluation post applying
required-row-filter MUST resolve to this alias).
+ - Columns not listed in the required-column-projections MUST NOT
be read.
+
+ 2. A column MUST appear at most once in the
required-column-projections.
+
+ 3. If a projected column's corresponding entry includes an action
that the reader cannot evaluate,
+ the reader MUST fail rather than ignore the transform.
+
+ 4. An identity transform is equivalent to projecting the column
directly.
+
+ 5. The data type of the projected column MUST match the data type
defined for the transform result.
+
+ type: array
+ items:
+ $ref: '#/components/schemas/Projection'
+ required-row-filter:
+ description: >
+ An expression that filters rows in the table that the
authenticated principal does not have access to.
+
+ 1. A reader MUST discard any row for which the filter evaluates to
false or null, and
+ no information derived from discarded rows MAY be included in
the query result.
+
+ 2. Row filters MUST be evaluated against the original,
untransformed column values.
+ Required projections MUST be applied only after row filters are
applied.
+
+ 3. If a client cannot interpret or evaluate a provided filter
expression, it MUST fail.
+
+ 4. If this property is absent, null, or always true then no
mandatory filtering is required.
+ $ref: '#/components/schemas/Expression'
+
+ Projection:
+ type: object
+ description: Defines a projection for a column.
+ properties:
+ field-id:
+ type: integer
+ description: field id of the column being projected.
+ action:
+ $ref: '#/components/schemas/Action'
+ required:
+ - field-id
+ - action
+
+ Action:
+ description: Defines the specific action to be executed for computing
the projection.
+ oneOf:
+ - $ref: '#/components/schemas/MaskHashSha256'
+ - $ref: '#/components/schemas/ReplaceWithNull'
+ - $ref: '#/components/schemas/MaskAlphanumeric'
+ - $ref: '#/components/schemas/ApplyTransform'
+
+ MaskHashSha256:
+ description: |
+ Mask the data of the column by applying SHA-256.
+ The input must be UTF-8 encoded bytes of the column value.
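Review bot: `MaskHashSha256` specifies the hash input but, in the lines shown, not the output: it does not say whether the masked value is the raw 32-byte digest or a hex string, nor which letter case a hex string would use. Rule 5 of `required-column-projections` requires the projected column's type to match "the data type defined for the transform result", so that result type has to be defined here; without it, two conforming readers can return different values for the same row. Suggest adding the output encoding and the resulting data type to this description.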
Review Comment:
Wondering if we need to say `UTF-8 encoded bytes`. Is it applicable to
binary or number types?