Hi all,
We, the authors of the proposal [1], have been thinking about support
for fine grained access control for quite some time and would like to
propose both row-level access control and column-level transformation
(“masking”) to the Iceberg REST catalog in an interoperable way.
The three main drivers for the proposed approach are
* interoperability between catalogs and query engines
* securely applying the FGAC policies
* ability to integrate any query engines
The proposal describes the general, high-level approach and does
intentionally not go into specific internal & technical details to focus
on the concept as a whole. If there is consensus on the concept
described in the proposal, we can start a follow-up proposal considering
all the feedback - that would include details about the REST
specification and the technical interaction and between catalogs and
query engines, as well as portable representation of the policies and
“protection instructions” (details what the latter is are in the proposal).
We would love to get your feedback and are happy to answer any questions!
Robert
[1] Proposal document
https://docs.google.com/document/d/1A5EHXZoluvW7GtEth3GzQz6n5N-fErYLtUbf6B93Pmw