projectnessie / nessie

Nessie: Transactional Catalog for Data Lakes with Git-like semantics
https://projectnessie.org
Apache License 2.0

[Bug]: Authorisation rule is throwing error for "Allows reading the entity value where the path starts with example" #8996

Closed. shraddhagrawal closed this 3 days ago

shraddhagrawal commented 3 days ago

What happened

I am using Nessie with the Iceberg REST catalog and I have three authorisation rules, as follows:

- nessie.server.authorization.rules.client1=role=='service-account-client1'
- nessie.server.authorization.rules.client2=role=='service-account-client2' && !path.startsWith('sales')
- nessie.server.authorization.rules.allow_reading_entity_value=op in ['VIEW_REFERENCE', 'READ_ENTITY_VALUE'] && role=='service-account-client3' && path.startsWith('foo.')

If I try to query select * from nessie.foo.foo (nessie is the catalog name), I get the following error: Server error: AccessCheckException: 'VIEW_REFERENCE' is not allowed for role 'service-account-client3' on reference 'main'

If I change the third rule to:

nessie.server.authorization.rules.allow_reading_entity_value=op in ['VIEW_REFERENCE', 'READ_ENTITY_VALUE'] && role=='service-account-client3' && path.startsWith('foo.') && ref=='main'

I still get the same error. See https://projectnessie.org/nessie-latest/authorization/#example-authorization-rules

How to reproduce it

  1. Enable authorisation and create the rules specified in the bug
  2. Query any table using user3

Nessie server type (docker/uber-jar/built from source) and version

docker

Client type (Ex: UI/Spark/pynessie ...) and version

Spark

Additional information

No response
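The following is an added illustration, not code from Nessie or from the reporter: a minimal Python stand-in for the rule set above, evaluated the way a batch of access checks is, one check at a time, with any matching rule allowing the check. It assumes, as the Nessie authorization docs describe, that a reference-level check such as VIEW_REFERENCE carries an empty path, which is why a rule that also requires path.startsWith('foo.') never matches that check; the split rule set shows one way to express the same intent per operation.

```python
# Added example (not Nessie's implementation): simulate the reported rule set.
# Assumption from the Nessie docs: reference-level checks (VIEW_REFERENCE)
# are evaluated with an empty `path`; entity checks carry the content key.
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Check:
    op: str
    role: str
    ref: str
    path: str  # "" for reference-level checks (assumption, see lead-in)


Rule = Callable[[Check], bool]

# Python equivalents of the three CEL rules quoted in the report.
REPORTED_RULES: Dict[str, Rule] = {
    "client1": lambda c: c.role == "service-account-client1",
    "client2": lambda c: c.role == "service-account-client2"
    and not c.path.startswith("sales"),
    "allow_reading_entity_value": lambda c: c.op in ("VIEW_REFERENCE", "READ_ENTITY_VALUE")
    and c.role == "service-account-client3"
    and c.path.startswith("foo."),
}

# Same intent, but the reference check no longer demands a path prefix.
SPLIT_RULES: Dict[str, Rule] = {
    "client1": REPORTED_RULES["client1"],
    "client2": REPORTED_RULES["client2"],
    "client3_view_ref": lambda c: c.op == "VIEW_REFERENCE"
    and c.role == "service-account-client3",
    "client3_read_foo": lambda c: c.op == "READ_ENTITY_VALUE"
    and c.role == "service-account-client3"
    and c.path.startswith("foo."),
}


def is_allowed(rules: Dict[str, Rule], check: Check) -> bool:
    """A check passes if any rule evaluates to true; otherwise it is denied."""
    return any(rule(check) for rule in rules.values())


def query_checks(role: str, ref: str = "main", table: str = "foo.foo") -> List[Check]:
    """Constructed sample of the checks a table read needs (not Nessie's exact sequence)."""
    return [Check("VIEW_REFERENCE", role, ref, ""), Check("READ_ENTITY_VALUE", role, ref, table)]


def denied_ops(rules: Dict[str, Rule], role: str, ref: str = "main", table: str = "foo.foo") -> List[str]:
    """Operations of a query that `rules` deny; the reported rules deny VIEW_REFERENCE."""
    return [c.op for c in query_checks(role, ref, table) if not is_allowed(rules, c)]
```

Adding && ref=='main' to the reported rule does not change the outcome here, because the failing conjunct is the path prefix, not the reference name.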

snazy commented 3 days ago

&& path.startsWith('foo.') is maybe the issue?

shraddhagrawal commented 3 days ago

@snazy Maybe, as !path.startsWith('foo.') works as expected, and the same example is mentioned in https://projectnessie.org/nessie-latest/authorization/#example-authorization-rules for path.startsWith

snazy commented 3 days ago

Discussion moved to Zulip