MgjLLL opened a new issue, #8135: URL: https://github.com/apache/paimon/issues/8135
### Search before asking

- [x] I searched in the [issues](https://github.com/apache/paimon/issues) and found nothing similar.

### Motivation

Apache Paimon's Java REST catalog already supports server-side query authorization, where the catalog can return per-query row-level filters and column masking rules so that fine-grained access control is enforced at read time.

The Python client (pypaimon) currently has no equivalent: when reading via REST catalog, any filter / columnMasking returned by the server is ignored, so RBAC / column-level security policies are not honored from Python.

This issue tracks adding query-auth support to pypaimon so that Python readers behave consistently with the JVM client when the catalog enables query auth.

### Solution

Introduce an opt-in `query-auth.enabled` option (default `false`). When enabled, before building a plan the client calls a new REST endpoint:

- `POST /v1/{prefix}/databases/{db}/tables/{tb}/auth`
- request: `{ "select": [<projected field names>] }`
- response: `{ "filter": [<predicate JSON>...], "columnMasking": { "<col>": <transform JSON>, ... } }`

Then, on the read path:

1. The returned predicate JSON list is parsed into a PyArrow compute filter and applied via an AuthFilterReader wrapped around the inner record-batch reader.
2. The returned columnMasking map (column → transform JSON) is applied via an AuthMaskingReader, supporting transforms NULL / FIELD_REF / CAST / UPPER / LOWER / CONCAT / CONCAT_WS.
3. A ColumnProjectReader projects the result back to the columns the user originally requested (extra fields pulled in only to satisfy the auth filter are dropped).

The contract matches the Java side, so no server-side change is required for catalogs that already implement query auth.

### Anything else?

- Wire-format compatibility is the main risk surface. Tests cover the predicate / transform JSON shapes against representative cases.
- Backwards compatible by default: with `query-auth.enabled=false` (the default), behavior is unchanged.

### Are you willing to submit a PR?

- [x] I'm willing to submit a PR!
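
The three read-path stages described in the issue, as an added example that is not part of the issue and is not pypaimon code: it models filter, mask and project over plain Python rows instead of PyArrow record batches, and raises instead of returning unmasked data when it meets a predicate or transform it cannot enforce. Assumptions: the predicate and transform JSON shapes (`op`, `type`, `field`, `input`, `value`) are simplified placeholders rather than Paimon's wire format, the predicates in `filter` are ANDed, only NULL / FIELD_REF / UPPER / LOWER are implemented, and all function names are hypothetical.

```python
# Added example: plain-Python model of the filter -> mask -> project read path.
# JSON shapes and sample data are constructed placeholders, NOT Paimon's wire format.
class AuthError(Exception):
    """The auth response cannot be enforced, so the read fails closed."""

def eval_transform(t, row):
    kind = t.get("type")
    if kind == "NULL":
        return None
    if kind == "FIELD_REF":
        return row[t["field"]]
    if kind in ("UPPER", "LOWER"):
        v = eval_transform(t["input"], row)
        return v if v is None else getattr(v, kind.lower())()
    raise AuthError(f"unsupported transform {kind!r}")  # never pass raw data through

def eval_predicate(p, row):
    if p.get("op") == "EQUAL":
        return row[p["field"]] == p["value"]
    raise AuthError(f"unsupported predicate {p.get('op')!r}")

def referenced_fields(node):  # every column a predicate/transform tree refers to
    if isinstance(node, dict):
        found = {node["field"]} if isinstance(node.get("field"), str) else set()
        return found.union(*(referenced_fields(v) for v in node.values()))
    if isinstance(node, list):
        return set().union(*(referenced_fields(v) for v in node))
    return set()

def columns_to_read(select, auth):  # projection widened with policy-only columns
    needed = referenced_fields([auth.get("filter", []), auth.get("columnMasking", {})])
    return list(select) + sorted(needed - set(select))

def authorized_read(rows, select, auth):
    out = []
    for row in rows:  # rows carry the columns from columns_to_read()
        if not all(eval_predicate(p, row) for p in auth.get("filter", [])):
            continue  # 1. row filter, evaluated on unmasked values
        masked = dict(row)
        for col, t in auth.get("columnMasking", {}).items():
            masked[col] = eval_transform(t, row)  # 2. masks read the original row
        out.append({c: masked[c] for c in select})  # 3. drop auth-only columns
    return out

ROWS = [{"name": "ana", "email": "ana@example.com", "region": "EU"},
        {"name": "bob", "email": "bob@example.com", "region": "US"}]
AUTH = {"filter": [{"op": "EQUAL", "field": "region", "value": "EU"}],
        "columnMasking": {"email": {"type": "NULL"}, "name": {
            "type": "UPPER", "input": {"type": "FIELD_REF", "field": "name"}}}}
```

With the sample policy, a request for `name` and `email` has to read `region` as well, and `region` never appears in the returned rows.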
