Hi all,

We, the authors of the proposal [1], have been thinking about support for fine-grained access control for quite some time and would like to propose both row-level access control and column-level transformation (“masking”) to the Iceberg REST catalog in an interoperable way.

The three main drivers for the proposed approach are
* interoperability between catalogs and query engines
* securely applying the FGAC policies
* ability to integrate any query engine

The proposal describes the general, high-level approach and intentionally does not go into specific internal & technical details to focus on the concept as a whole. If there is consensus on the concept described in the proposal, we can start a follow-up proposal considering all the feedback - that would include details about the REST specification and the technical interaction between catalogs and query engines, as well as portable representation of the policies and “protection instructions” (details on what the latter is are in the proposal).

We would love to get your feedback and are happy to answer any questions!

Robert

[1] Proposal document https://docs.google.com/document/d/1A5EHXZoluvW7GtEth3GzQz6n5N-fErYLtUbf6B93Pmw

