Summary - User should be able to SELECT a view without visibility / access to the underlying tables. However the connection to any databases must still occur using the user's own details.
Detail - views can be created over multiple connectors using the memory connector. A user should be able to SELECT a view even when they do not have access to SELECT the raw table.
The existing DEFINER view type is not sufficient when the underlying connector uses impersonation.
In my use case, it won't work at all because a short-lived JWT is passed through as an extra credential. Additionally, I'd like the underlying database to correctly audit as the user running the query.
Using the INVOKER type means that the raw tables would also be visible in Trino.
Some possible solutions to this might include:
1) Change access control to provide more advanced support for visibility.
1) A global configuration option for how definer views are treated.
1) Add a new type of view security.
This new type would check the access control against the definer but run as the invoker.
huw0
commented
1 month ago
Summary - User should be able to SELECT a view without visibility / access to the underlying tables. However the connection to any databases must still occur using the user's own details.
Detail - views can be created over multiple connectors using the memory connector. A user should be able to SELECT a view even when they do not have access to SELECT the raw table.
The existing
DEFINERview type is not sufficient when the underlying connector uses impersonation.In my use case, it won't work at all because a short-lived JWT is passed through as an extra credential. Additionally, I'd like the underlying database to correctly audit as the user running the query.
Using the
INVOKERtype means that the raw tables would also be visible in Trino.Some possible solutions to this might include:
1) Change access control to provide more advanced support for visibility. 1) A global configuration option for how definer views are treated. 1) Add a new type of view security. This new type would check the access control against the definer but run as the invoker.