plusplusjiajia opened a new pull request, #8582:
URL: https://github.com/apache/paimon/pull/8582

     Stacked on #8570 — review the top commit only; will be rebased once #8570 
merges.
   
     Purpose
   
     A column mask changes the value domain of its target column. A predicate 
on a masked column therefore evaluates on the masked value (view semantics, as 
in Snowflake/Ranger): matching the raw value would reveal
     it. This makes every optimization that consumes the column's raw values or 
raw statistics unsafe on masked columns — file/split pruning by min-max or 
partition value, TopN selection, limit pushdown, and
     reader-level row filtering would drop or leak rows relative to what the 
query is entitled to see. This is a pre-existing issue of the merged masking 
feature (#8447/#8458), independent of #8570.
   
     The design follows the pattern ReadBuilderImpl already uses for read-level 
TopN on query-auth.enabled tables: never hand unsafe state to the reader, 
rather than pushing it and retracting it later.
   
     - Scan side: the query filter is deferred to plan()/listPartitionEntries 
and pushed once through the two-argument SnapshotReader.withFilter — the full 
filter marks read-time filtering, while only the conjuncts
     free of masked columns feed statistics and partition pruning. Masked 
conjuncts (even partition-only ones) keep limit/TopN split pruning off; TopN 
split pruning also skips masked ordering columns. A mask
     appearing on an already-pushed filter column fails closed, since raw 
statistics were already consumed.
     - Read side: on query-auth.enabled tables the filter is stored (for 
executeFilter) but not forwarded to reader internals; engines re-evaluate data 
filters on the masked output. The conjuncts on masked columns
     are evaluated inside the auth read, post-mask — engines do not re-evaluate 
the partition filters they consumed. A masked filter column the query does not 
project is widened into the read schema (same machinery
     as mask inputs in #8570) and projected back out.
   
     Scoped to query-auth.enabled tables: they conservatively lose reader-level 
filter pushdown even without mask rules, matching the existing read-level TopN 
behavior; scan-level pruning on safe conjuncts is
     retained. Tables without query auth are unaffected.
   
     Tests
   
     - MockRESTCatalogTest: filter on a masked partition column (projected and 
unprojected; engines consume partition filters, so the read must evaluate 
them), raw-value match returns nothing, limit with a masked
     partition-only filter, masked pk filter not applied on raw key ranges, 
mask growth on a pushed filter column fails the scan closed while a fresh scan 
+ existing reader return masked-correct results,
     TopN/limit/stats-pruning disablement.
     - Flink RESTCatalogITCase: partition-column mask + WHERE on it through SQL 
(the consumed-filter path).
     - Spark SparkCatalogWithRestTest: statistics-based aggregate pushdown 
degrades on authed reads (regression anchor).


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to