JingsongLi commented on code in PR #8136:
URL: https://github.com/apache/paimon/pull/8136#discussion_r3458088218


##########
paimon-python/pypaimon/read/table_read.py:
##########
@@ -687,6 +720,51 @@ def _widen_to_top_level_for_merge(self) -> List[DataField]:
             widened.append(field)
         return widened
 
+    def _create_reader_for_split(self, split):
+        from pypaimon.read.query_auth_split import QueryAuthSplit
+
+        auth_result = None
+        if isinstance(split, QueryAuthSplit):
+            auth_result = split.auth_result
+            split = split.split
+
+        if auth_result is not None:
+            return self._authed_reader(split, auth_result)
+        else:
+            return self._create_split_read(split).create_reader()
+
+    def _authed_reader(self, split, auth_result):
+        from pypaimon.read.reader.auth_masking_reader import (
+            AuthFilterReader, AuthMaskingReader, ColumnProjectReader)
+
+        table_fields = self.table.fields
+        read_fields = self.read_type
+
+        extra_fields = auth_result.get_extra_fields_for_filter(read_fields, 
table_fields)
+        effective_read_type = read_fields
+        if extra_fields:
+            effective_read_type = read_fields + extra_fields
+
+        reader = self._create_split_read(split, 
read_type=effective_read_type).create_reader()
+
+        if not isinstance(reader, RecordBatchReader):
+            from pypaimon.read.reader.auth_masking_reader import 
RecordReaderToBatchAdapter
+            schema = PyarrowFieldParser.from_paimon_schema(effective_read_type)
+            reader = RecordReaderToBatchAdapter(reader, schema, 
include_row_kind=self.include_row_kind)
+
+        filter_fn = auth_result.extract_row_filter()
+        if filter_fn:
+            reader = AuthFilterReader(reader, filter_fn)
+
+        if auth_result.column_masking:
+            reader = AuthMaskingReader(reader, auth_result.column_masking, 
effective_read_type)

Review Comment:
   `effective_read_type` includes hidden columns added only to evaluate row 
filters. Passing it as `read_fields` makes `AuthMaskingReader` treat those 
hidden columns as projected masking targets. For example, a user projection 
`id` plus an auth filter on `dept` adds `dept` to `effective_read_type`; if the 
server also returns a masking rule for `dept` that references `secret`, this 
constructor validates and fails because `secret` is absent even though `dept` 
will be dropped by `ColumnProjectReader`. Java filters masking rules against 
the final output row type, so this path should use the original projected 
`read_fields` to choose masking targets and validate references against the 
actual batch or effective type separately.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to