Re: [PR] Adding changes for supporting RLS [pinot]

Fri, 20 Jun 2025 11:15:56 -0700 


navina commented on code in PR #16043:
URL: https://github.com/apache/pinot/pull/16043#discussion_r2159472482


##########
pinot-broker/src/main/java/org/apache/pinot/broker/api/AccessControl.java:
##########
@@ -120,4 +122,15 @@ default TableAuthorizationResult 
authorize(RequesterIdentity requesterIdentity,
     return hasAccess(requesterIdentity, tables) ? 
TableAuthorizationResult.success()
         : new TableAuthorizationResult(tables);
   }
+
+
+  /**
+   * Returns RLS/CLS filters for a particular table. By default, there are no 
RLS/CLS filters on any table.
+   * @param requesterIdentity requested identity
+   * @param table Table used in the query. Table name can be with or without 
tableType.
+   * @return {@link TableRowColAuthResult} with the result of the access 
control check
+   */
+  default TableRowColAuthResult getRowColFilters(RequesterIdentity 
requesterIdentity, String table) {

Review Comment:
   I don’t think we need a separate API to fetch row col filters as they are 
typically tied to a specific authZ policy. 
   You can extend the `AuthorizationResult` interface to include the filter 
conditions in the authZ response. For example: 
   ```java
   public interface AuthorizationResult {
   
     /**
      * Indicates whether the access is granted.
      *
      * @return true if access is granted, false otherwise.
      */
     boolean hasAccess();
   
     /**
      * Provides the failure message if access is denied.
      *
      * @return A string containing the failure message if access is denied, 
otherwise an empty string or null.
      */
     String getFailureMessage();
     
     default List<String> rowFilters()
         { return Collections.emptyList(); }
         
     default List<String> colFilters() 
         { return Collections.emptyList(); }
   }
   ```
   
   Do you see a problem with such a change?  The query handlers can check for 
these filters and take action if it is non-empty. 



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to