plusplusjiajia opened a new pull request, #513:
URL: https://github.com/apache/paimon-rust/pull/513
> **Stacked on #498 and #500** — the first two commits are those PRs;
please review only the last commit (`[table] Support query-auth row filters and
column masking at read time`). Will rebase once they merge.
### Purpose
Apply the per-user query-auth grant on the read path. Since #447 the
client fails closed on every `query-auth.enabled` table; with this change a
granted read goes through: the row filter and column masking
returned by the REST catalog's `authTableQuery` are enforced exactly, and
reads the grant cannot cover keep failing closed.
### Brief change log
- Plan-time transparent authorization: `TableScan::plan` /
`FormatTableScan::plan` / search `execute_scored` fetch and verify the grant
(where Java applies `CatalogEnvironment.tableQueryAuth()`), scoped to the
planned projection ∪ filter columns; wider reads fail closed until re-plan.
- Exact enforcement in `TableRead::to_arrow`: the physical read is widened
with the grant's filter columns and mask inputs, each batch is filtered on raw
values, masked columns are overwritten, then
re-projected to the caller's columns (mirrors apache/paimon#7034;
cross-column masks per apache/paimon#8570).
- Statistics stay safe: a row filter makes `Plan::row_counts_exact()`
false — count-based limit pushdown is skipped and DataFusion cannot answer
`COUNT(*)` from unfiltered statistics.
- Fail-closed guards kept: unparseable grant, caller predicate on a masked
column (value oracle), unauthorized columns, dynamic-option override.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]