Skip to content

feat(query):masking policy support rbac #18982

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Nov 19, 2025
Merged

feat(query):masking policy support rbac #18982

merged 3 commits into from
Nov 19, 2025

Conversation

@TCeason
Copy link
Collaborator

@TCeason TCeason commented Nov 18, 2025
edited
Loading

I hereby agree to the terms of the CLA available at: https://docs.databend.com/dev/policies/cla/

Summary

  • Added CREATE/APPLY MASKING POLICY privilege; GRANT/REVOKE/SHOW now accept masking policies and resolve them to policy IDs.
    • Enforce APPLY/OWNERSHIP when SET/UNSET column masking policies and when DROP/DESC masking policies.
    • Added ID↔name mapping for masking/row access policies; create/drop masking policy auto grants/revokes ownership to the current role.
    • Visibility/SHOW GRANTS now covers masking policies via APPLY/OWNERSHIP; added proto compatibility case and RBAC E2E for masking policy.

Tests

  • Unit Test
  • Logic Test
  • Benchmark Test
  • No Test - Explain why

Type of change

  • Bug Fix (non-breaking change which fixes an issue)
  • New Feature (non-breaking change which adds functionality)
  • Breaking Change (fix or feature that could cause existing functionality not to work as expected)
  • Documentation Update
  • Refactoring
  • Performance Improvement
  • Other (please describe):

This change is Reviewable

@TCeason TCeason requested a review from drmingdrmer as a code owner November 18, 2025 03:02
@TCeason TCeason marked this pull request as draft November 18, 2025 03:02
@github-actions github-actions bot added the pr-feature this PR introduces a new feature to the codebase label Nov 18, 2025
chatgpt-codex-connector[bot]
chatgpt-codex-connector bot reviewed Nov 18, 2025
View reviewed changes
Copy link

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

@TCeason TCeason marked this pull request as ready for review November 18, 2025 07:30
@TCeason TCeason force-pushed the policy-privilege branch 2 times, most recently from fd3a0fe to b4b21ad Compare November 18, 2025 08:15
drmingdrmer
drmingdrmer reviewed Nov 18, 2025
View reviewed changes
Copy link
Member

@drmingdrmer drmingdrmer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@drmingdrmer reviewed 8 of 43 files at r1, 2 of 3 files at r2, all commit messages.
Reviewable status: 10 of 43 files reviewed, 3 unresolved discussions

src/meta/app/src/data_mask/data_mask_id_to_name_ident.rs line 48 at r2 (raw file):

        const PREFIX: &'static str = "__fd_datamask_id_to_name";
        const TYPE: &'static str = "DataMaskIdToNameIdent";
        const HAS_TENANT: bool = false;

add tenant to the key for all keys if possible in future. For better export/import support

src/meta/api/src/data_mask_api.rs line 54 at r2 (raw file):

        &self,
        name_ident: &DataMaskNameIdent,
    ) -> Result<Option<u64>, MetaError>;

Using SeqV<_> would be better

src/meta/api/src/data_mask_api.rs line 60 at r2 (raw file):

        tenant: &Tenant,
        policy_id: u64,
    ) -> Result<Option<String>, MetaError>;

Use SeqV

@TCeason TCeason force-pushed the policy-privilege branch 2 times, most recently from 1c4f8b9 to 1813f42 Compare November 18, 2025 13:12
@TCeason TCeason requested a review from drmingdrmer November 19, 2025 00:37
drmingdrmer
drmingdrmer approved these changes Nov 19, 2025
View reviewed changes
Copy link
Member

@drmingdrmer drmingdrmer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@drmingdrmer reviewed 8 of 43 files at r1, 5 of 11 files at r3, 1 of 2 files at r4, 2 of 2 files at r5, all commit messages.
Reviewable status: 23 of 43 files reviewed, all discussions resolved

@TCeason TCeason merged commit a36804f into databendlabs:main Nov 19, 2025
87 of 88 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

@drmingdrmer drmingdrmer drmingdrmer approved these changes

Assignees

No one assigned

Labels

pr-feature this PR introduces a new feature to the codebase

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@TCeason @drmingdrmer