aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International

AWS::LakeFormation::PrincipalPermissions DataCellsFilterResource missing properties #1300

Closed Sevi7 closed 2 years ago

Sevi7 commented 2 years ago

Name of the resource

Other

Resource Name

AWS::LakeFormation::PrincipalPermissions

Issue Description

DataCellsFilterResource struct in CloudFormation has the following properties:

{
  "DatabaseName" : String,
  "Name" : String,
  "TableCatalogId" : String,
  "TableName" : String
}

The issue is that there is no property to specify a row filter expression. I think there should be a property that recognizes this format: PartiQL support in row filter expressions.

Also ColumnNames and ColumnWildcard properties from TableWithColumnsResource are missing because cell filtering is when you include or exclude specific columns and also provide a row filter expression. Source: Data filters

Expected Behavior

With these three properties we would be able to establish cell-level security (cell filtering).

Useful documentation about Data filters states the following:

The level of filtering that you get depends on how you populate the data filter.

  • When you specify the "all columns" wildcard and provide a row filter expression, you are establishing row-level security (row filtering) only.
  • When you include or exclude specific columns and specify "all rows" using the all-rows wildcard, you are establishing column-level security (column filtering) only.
  • When you include or exclude specific columns and also provide a row filter expression, you are establishing cell-level security (cell filtering).

According to the above we could also be missing a RowFilterResource in CloudFormation.

Observed Behavior

Missing properties in DataCellsFilterResource struct.

Test Cases

Test row filtering and cell filtering.

Other Details

No response

aws-kaushal-partani commented 2 years ago

Hi @Sevi7,

Depending on the behavior you're expecting, there are 2 paths here:

  1. If you want to create a cell filter, you probably want to use AWS::LakeFormation::DataCellsFilter instead. This will allow you to create a filter within your account and specify a row filter and/or column filter.

  2. If you want to grant permissions on a cell filter, you would use AWS::LakeFormation::PrincipalPermissions. You'd be granting permissions on a cell filter that already exists, so you would only need some identifying data to specify it in the CFN template. For that reason, we don't allow information beyond what's specified in the DataCellsFilterResource as you mentioned above.
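
As an added example (not part of this issue thread and not code from the CloudFormation project or its docs), the template below follows both paths described in the reply: a filter is created with AWS::LakeFormation::DataCellsFilter, then a principal is granted access to it with AWS::LakeFormation::PrincipalPermissions, whose Resource carries only the four identifying DataCellsFilterResource properties. Every name and value (account id parameter, sales_db, orders, the column list, the filter name, the role ARN) is a placeholder. The property names not quoted on this page (RowFilter, FilterExpression, Principal, DataLakePrincipalIdentifier, Permissions, PermissionsWithGrantOption) and the !Ref/DependsOn plumbing are taken from the resource schemas as the editor understands them, so treat them as assumptions to check against the current resource reference.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example, not from the issue thread: create a Lake Formation data cells
  filter, then grant one principal SELECT on it. All identifiers are placeholders.

Parameters:
  CatalogId:
    Type: String
    Description: Placeholder for the AWS account id that owns the Data Catalog.
  AnalystRoleArn:
    Type: String
    Description: Placeholder for the IAM role that should see only filtered rows/columns.

Resources:
  # Path 1 from the reply: the filter definition lives here.
  # Listing specific columns AND giving a row filter expression is cell-level
  # security (cell filtering) in the terms of the Data filters documentation.
  EuOrdersNoPiiFilter:
    Type: AWS::LakeFormation::DataCellsFilter
    Properties:
      TableCatalogId: !Ref CatalogId
      DatabaseName: sales_db          # placeholder database
      TableName: orders               # placeholder table
      Name: eu_orders_no_pii          # placeholder filter name
      # Column filter: only these columns are exposed; a ColumnWildcard with
      # ExcludedColumnNames would express the "all but these" form instead.
      ColumnNames:
        - order_id
        - order_date
        - amount
        - region
      # Row filter: PartiQL predicate; rows outside the EU region are hidden.
      RowFilter:
        FilterExpression: "region = 'EU'"

  # Path 2 from the reply: the grant only identifies an existing filter with
  # the four DataCellsFilterResource properties and names the permissions.
  AnalystFilterGrant:
    Type: AWS::LakeFormation::PrincipalPermissions
    DependsOn: EuOrdersNoPiiFilter    # the filter must exist before it can be granted
    Properties:
      Principal:
        DataLakePrincipalIdentifier: !Ref AnalystRoleArn
      Resource:
        DataCellsFilter:
          TableCatalogId: !Ref CatalogId
          DatabaseName: sales_db
          TableName: orders
          Name: eu_orders_no_pii
      Permissions:
        - SELECT
      PermissionsWithGrantOption: []  # no re-grant rights: keeps the grant least-privilege
```

The split matters for review: the filter resource is the single place where the visible rows and columns are defined, and every PrincipalPermissions grant that references it by name inherits that definition. A change to ColumnNames or FilterExpression therefore widens or narrows what all grantees can read, so that resource, not the grant, is the one to watch in template diffs.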

Sevi7 commented 2 years ago

Thank you so much for your detailed explanation @aws-kaushal-partani. I misunderstood the documentation; it really makes sense now.