os-climate / osc-trino-acl-dsl

A declarative format for configuring Trino access control
Apache License 2.0

Make column privileges matchable/callable #1

Open MichaelTiemannOSC opened 2 years ago

MichaelTiemannOSC commented 2 years ago

Rather than forcing users to enumerate every possible column name in the schema, column checks could be checked against a pattern (such as a prefix or regex) or even checked via a (lambda) function.

In this way, a USER1 could create and query all columns that their pattern matches (which might be the prefix '' or the pattern r'*').

USER2 could create and query all columns prefixed with 'quant' and 'user', but not '_dev'.

USER3 could create and query only columns prefixed with 'user_'.

This could extend beyond pattern matching to an arbitrary evaluation function, with all the performance and security problems contained therein.

Thoughts, @erikerlandson ?

erikerlandson commented 2 years ago

just to confirm, what you are asking is something like this:

    "columns": [
      { "name": "dev.*", "allow": false }
    ]

so asking trino to hide all columns whose name starts with "dev" ?
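As an added illustration of the proposal (example code, not part of osc-trino-acl-dsl or this thread), the following evaluates a constructed rule list in the shape sketched above, treating each "name" as a regular expression. Two details a practitioner would want pinned down are made explicit: patterns are matched against the whole column name, so "dev.*" does not also cover "mydev_flag", and a matching deny rule wins over any allow, with columns matching no rule denied by default.

```python
import re

# Constructed sample rules for the three users described in the issue.
# Each entry pairs a column-name regex with an allow/deny flag
# (this rule shape is an assumption, not the project's actual format).
USER_RULES = {
    "USER1": [{"name": ".*", "allow": True}],
    "USER2": [
        {"name": "_dev.*", "allow": False},
        {"name": "quant.*", "allow": True},
        {"name": "user.*", "allow": True},
    ],
    "USER3": [{"name": "user_.*", "allow": True}],
}


def compile_rules(rules):
    """Compile every pattern up front so a malformed regex fails at load
    time (as a re.error) rather than silently at query time."""
    return [(re.compile(rule["name"]), bool(rule["allow"])) for rule in rules]


def column_allowed(rules, column):
    """Decide whether one column is visible under the given rules.

    fullmatch() anchors the pattern to the entire column name, so "dev.*"
    matches "dev_flag" but not "mydev_flag". Any matching deny rule wins
    over matching allow rules, and a column that matches no rule at all is
    denied, so an incomplete rule list can never widen access.
    """
    matched_allow = False
    for pattern, allow in compile_rules(rules):
        if pattern.fullmatch(column):
            if not allow:
                return False
            matched_allow = True
    return matched_allow


def visible_columns(rules, columns):
    """Filter a schema's column names down to those the rules permit."""
    return [c for c in columns if column_allowed(rules, c)]


if __name__ == "__main__":
    # Constructed column names to exercise the three rule sets.
    schema = ["quant_a", "user_id", "userid", "_dev_x", "dev_x", "price"]
    for user, rules in USER_RULES.items():
        print(user, visible_columns(rules, schema))
```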

MichaelTiemannOSC commented 2 years ago

Yes, though technically I asked for "dev", which "dev.*" would indeed match (because .* matches ).

Michael

erikerlandson commented 2 years ago

Have not yet received a response about whether hidden columns can be given as regex.