You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
An event listener plugin is installed which implements queryCompleted(QueryCompletedEvent queryCompletedEvent)
A table (my_table) has a "mask" access control rule applied to a column (my_masked_column), where the rule expression references another column (my_rule_input_column) in the table
A SQL statement referencing a third column is executed: SELECT my_selected_column FROM my_table;
Expected behavior
In the event listener plugin, queryCompletedEvent.getMetadata().getTables()[0].getColumns() includes only my_selected_column.
Actual behavior
getColumns() includes two columns: my_selected_column and my_rule_input_column.
2) SELECTing a masked column
Given
An event listener plugin is installed which implements queryCompleted(QueryCompletedEvent queryCompletedEvent)
A table (my_table) has a "mask" access control rule applied to a column (my_selected_column), where the rule expression references another column (my_rule_input_column) in the table
A SQL statement referencing the masked column is executed: SELECT my_selected_column FROM my_table;
Expected behavior
In the event listener plugin, queryCompletedEvent.getMetadata().getTables()[0].getColumns() includes only my_selected_column.
Actual behavior
getColumns() includes two columns: my_selected_column and my_rule_input_column.
3) SELECTing from a filtered table
Given
An event listener plugin is installed which implements queryCompleted(QueryCompletedEvent queryCompletedEvent)
A table (my_table) has a "filter" access control rule applied to it, where the rule expression references a column (my_rule_input_column) in the table
A SQL statement referencing another column in the table is executed: SELECT my_selected_column FROM my_table;
Expected behavior
In the event listener plugin, queryCompletedEvent.getMetadata().getTables()[0].getColumns() includes only my_selected_column.
Actual behavior
getColumns() includes two columns: my_selected_column and my_rule_input_column.
Discussion
To me, scenario (1) definitely looks like a bug. I see no argument for how the current behavior makes sense or is otherwise desirable.
Scenario (2) and (3) are a bit murkier. On the one hand, it's not what I would expect, nor is it what I happen to need to meet the requirements for the plugin I'm building. On the other hand, for these cases, the result of the query is dependent on my_rule_input_column, so I can see an argument for how the current behavior makes sense.
If it is decided that the current behavior is the desired behavior for scenarios (2) and (3), my next question would be: What if an event listener plugin wants to know exactly which columns are referenced explicitly (or via views) by a SQL statement? Can we add another field for that?
Scenarios
1) SELECTing an unmasked column
Given
queryCompleted(QueryCompletedEvent queryCompletedEvent)
my_table
) has a "mask" access control rule applied to a column (my_masked_column
), where the rule expression references another column (my_rule_input_column
) in the tableSELECT my_selected_column FROM my_table;
Expected behavior
In the event listener plugin,
queryCompletedEvent.getMetadata().getTables()[0].getColumns()
includes onlymy_selected_column
.Actual behavior
getColumns()
includes two columns:my_selected_column
andmy_rule_input_column
.2) SELECTing a masked column
Given
queryCompleted(QueryCompletedEvent queryCompletedEvent)
my_table
) has a "mask" access control rule applied to a column (my_selected_column
), where the rule expression references another column (my_rule_input_column
) in the tableSELECT my_selected_column FROM my_table;
Expected behavior
In the event listener plugin,
queryCompletedEvent.getMetadata().getTables()[0].getColumns()
includes onlymy_selected_column
.Actual behavior
getColumns()
includes two columns:my_selected_column
andmy_rule_input_column
.3) SELECTing from a filtered table
Given
queryCompleted(QueryCompletedEvent queryCompletedEvent)
my_table
) has a "filter" access control rule applied to it, where the rule expression references a column (my_rule_input_column
) in the tableSELECT my_selected_column FROM my_table;
Expected behavior
In the event listener plugin,
queryCompletedEvent.getMetadata().getTables()[0].getColumns()
includes onlymy_selected_column
.Actual behavior
getColumns()
includes two columns:my_selected_column
andmy_rule_input_column
.Discussion
To me, scenario (1) definitely looks like a bug. I see no argument for how the current behavior makes sense or is otherwise desirable.
Scenario (2) and (3) are a bit murkier. On the one hand, it's not what I would expect, nor is it what I happen to need to meet the requirements for the plugin I'm building. On the other hand, for these cases, the result of the query is dependent on
my_rule_input_column
, so I can see an argument for how the current behavior makes sense.If it is decided that the current behavior is the desired behavior for scenarios (2) and (3), my next question would be: What if an event listener plugin wants to know exactly which columns are referenced explicitly (or via views) by a SQL statement? Can we add another field for that?
Full reproducible example
This example demonstrates scenarios (1) and (3).
With this
rules.json
:Then, for this query:
I see this in the web UI at
/ui/api/query/{queryId}?pretty
:Whereas I would expect to see only
name
in thecolumns
array.The text was updated successfully, but these errors were encountered: