plusplusjiajia opened a new pull request, #513:
URL: https://github.com/apache/paimon-rust/pull/513

     > **Stacked on #498 and #500** — the first two commits are those PRs; 
please review only the last commit (`[table] Support query-auth row filters and 
column masking at read time`). Will rebase once they merge.
   
     ### Purpose
   
     Apply the per-user query-auth grant on the read path. Since #447 the 
client fails closed on every `query-auth.enabled` table; with this change a 
granted read goes through: the row filter and column masking
     returned by the REST catalog's `authTableQuery` are enforced exactly, and 
reads the grant cannot cover keep failing closed.
   
     ### Brief change log
   
     - Plan-time transparent authorization: `TableScan::plan` / 
`FormatTableScan::plan` / search `execute_scored` fetch and verify the grant 
(where Java applies `CatalogEnvironment.tableQueryAuth()`), scoped to the
     planned projection ∪ filter columns; wider reads fail closed until re-plan.
     - Exact enforcement in `TableRead::to_arrow`: the physical read is widened 
with the grant's filter columns and mask inputs, each batch is filtered on raw 
values, masked columns are overwritten, then
     re-projected to the caller's columns (mirrors apache/paimon#7034; 
cross-column masks per apache/paimon#8570).
     - Statistics stay safe: a row filter makes `Plan::row_counts_exact()` 
false — count-based limit pushdown is skipped and DataFusion cannot answer 
`COUNT(*)` from unfiltered statistics.
     - Fail-closed guards kept: unparseable grant, caller predicate on a masked 
column (value oracle), unauthorized columns, dynamic-option override.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to