Found via ClickGap automated review. Please close or comment if this is incorrect or needs adjustment.
Retrospective finding from a historical scan of PR #92402 (merged 2025-12-17). Confirmed on current codebase — close with a note if already fixed.
Describe what's wrong
Running SHOW MASKING POLICIES on an OSS build returns a confusing error about system.masking_policies not existing (UNKNOWN_TABLE, code 60), instead of the intended Cloud-only guard error (SUPPORT_IS_DISABLED, code 344) that SHOW CREATE MASKING POLICY correctly returns.
Root cause: InterpreterShowAccessEntitiesQuery.cpp:117-136 — the MASKING_POLICY case in getRewrittenQuery() generates a query against system.masking_policies which does not exist in OSS builds, instead of throwing SUPPORT_IS_DISABLED like the SHOW CREATE path does.
Affected locations:
src/Interpreters/Access/InterpreterShowAccessEntitiesQuery.cpp:117 — MASKING_POLICY case in getRewrittenQuery() generates SQL against non-existent system.masking_policies
Impact: Users running SHOW MASKING POLICIES on OSS ClickHouse get a confusing 'Unknown table system.masking_policies' error instead of a clear 'Masking Policies are available only in ClickHouse Cloud' message. All variants (SHOW MASKING POLICIES, SHOW MASKING POLICIES ON db.table) are affected.
Does it reproduce on most recent release?
Yes — confirmed on current master (commit ac0ea6720cf7).
How to reproduce
-- Test: SHOW MASKING POLICIES should give SUPPORT_IS_DISABLED (344) not UNKNOWN_TABLE (60)
-- This correctly throws SUPPORT_IS_DISABLED (error code 344)
SHOW CREATE MASKING POLICY mask_email ON mydb.mytable; -- { serverError SUPPORT_IS_DISABLED }
-- This SHOULD throw SUPPORT_IS_DISABLED (344) but instead throws UNKNOWN_TABLE (60)
SHOW MASKING POLICIES; -- { serverError SUPPORT_IS_DISABLED }
Expected behavior
Both statements should return error code 344 (SUPPORT_IS_DISABLED) with message 'Masking Policies are available only in ClickHouse Cloud'
Error message and/or stacktrace
Expected server error code: 344 but got: 60. Code: 60. DB::Exception: Unknown table expression identifier 'system.masking_policies' in scope SELECT name FROM system.masking_policies ORDER BY name ASC. (UNKNOWN_TABLE)
Additional context
Open risks:
- Same missing guard may exist in other interpreters that handle MASKING_POLICY, e.g. InterpreterMoveAccessEntityQuery
Suggested fix: Add a guard at the top of the MASKING_POLICY case in InterpreterShowAccessEntitiesQuery::getRewrittenQuery() (or in execute()) that throws Exception(ErrorCodes::SUPPORT_IS_DISABLED, 'Masking Policies are available only in ClickHouse Cloud'), matching the pattern used in InterpreterShowCreateAccessEntityQuery::getEntities() at lines 343-346.
Analysis details: Confidence HIGH | Severity P3 | Testability: STATELESS_SQL
Found during automated review of PR #92402.
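For the open risk listed above (other interpreters that handle MASKING_POLICY without the guard), a source audit can narrow down where to look. The script below is an added example, not code from ClickGap or ClickHouse: it assumes the entity type is dispatched through `case ...MASKING_POLICY:` labels and flags any such case whose body never mentions SUPPORT_IS_DISABLED. It is a heuristic, so a case guarded elsewhere (for example in execute()) is still reported, and the two sample snippets are constructed.

```python
import re
from pathlib import Path

CASE_LABEL = re.compile(r"^\s*(case\b.*|default\s*):")
MASKING_CASE = re.compile(r"^\s*case\s+[\w:]*MASKING_POLICY\s*:")
GUARD = "SUPPORT_IS_DISABLED"

def unguarded_masking_cases(text):
    """1-based line numbers of MASKING_POLICY case labels whose body lacks the guard."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        if not MASKING_CASE.match(line):
            continue
        body = []
        for nxt in lines[i + 1:]:
            if CASE_LABEL.match(nxt):
                if any(l.strip() for l in body):
                    break          # next case reached after a real body
                continue           # stacked labels share the body that follows
            body.append(nxt)
        if not any(GUARD in l for l in body):
            findings.append(i + 1)
    return findings

def audit_tree(root):
    """Map each .cpp file under root to its unguarded case lines (clean files omitted)."""
    report = {}
    for path in sorted(Path(root).rglob("*.cpp")):
        hits = unguarded_masking_cases(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

# Constructed samples (not ClickHouse source): one unguarded case, one guarded.
SAMPLE_UNGUARDED = """\
case AccessEntityType::ROW_POLICY:
    return "SELECT name FROM system.row_policies";
case AccessEntityType::MASKING_POLICY:
    return "SELECT name FROM system.masking_policies ORDER BY name ASC";
"""
SAMPLE_GUARDED = """\
case AccessEntityType::MASKING_POLICY:
    throw Exception(ErrorCodes::SUPPORT_IS_DISABLED, "Masking Policies are available only in ClickHouse Cloud");
default:
    break;
"""
```

Calling `audit_tree("src/Interpreters/Access")` from a checkout lists candidate files and line numbers; each hit still needs a manual read to confirm the path is reachable on an OSS build.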