Update StatementAnalyzer and extend AccessControl interface and to filter columns from table schema instead of throwing

[youngchen7]

Initial PR for AccessControl interface changes, initial implementations, and StatementAnalyzer integration.

Will update specific AccessControl implementations (possibly FileBased) to support this feature.

Fixes #7461

[cla-bot]

Thank you for your pull request and welcome to our community. We could not parse the GitHub identity of the following contributors: Young Chen.
This is most likely caused by a git client misconfiguration; please make sure to:

1. check if your git client is configured with an email to sign commits git config --list | grep email
2. If not, set it up using git config --global user.email email@example.com
3. Make sure that the git commit email is configured in your GitHub account settings, see https://github.com/settings/emails

[cla-bot]

Thank you for your pull request and welcome to our community. We could not parse the GitHub identity of the following contributors: Young Chen.
This is most likely caused by a git client misconfiguration; please make sure to:

1. check if your git client is configured with an email to sign commits git config --list | grep email
2. If not, set it up using git config --global user.email email@example.com
3. Make sure that the git commit email is configured in your GitHub account settings, see https://github.com/settings/emails

[kokosing]

Please add tests.

[cla-bot]

Thank you for your pull request and welcome to our community. We could not parse the GitHub identity of the following contributors: Young Chen.
This is most likely caused by a git client misconfiguration; please make sure to:

1. check if your git client is configured with an email to sign commits git config --list | grep email
2. If not, set it up using git config --global user.email email@example.com
3. Make sure that the git commit email is configured in your GitHub account settings, see https://github.com/settings/emails

[cla-bot]

Thank you for your pull request and welcome to our community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. In order for us to review and merge your code, please submit the signed CLA to cla@trino.io. For more information, see https://github.com/trinodb/cla.

[youngchen7]

Cleaned up the git commit history a bit to remove non github emails - just submitted the CLA as well.

[youngchen7]

Please add tests.

Added some unit tests similar to rowFilter and columnMask. However, one concern I have is the interaction with INSERT/UPDATE/DELETE.

We would typically expect the AccessControl implementation to restrict access to INSERT/UPDATE/DELETE if a user doesn't have full access to the schema. However, it's possible for this to not be implemented so we would probably want a defensive check in the StatementAnalyzer.

Perhaps this would be better implemented via getTableSchemaFilteredColumns or getFilteredColumns similar to how getRowFilter and getColumnMask are done. This would let us easily check access via .isEmpty() and add restrictions in the engine itself.

Or could there be a use case for inserting partial data into a table and having the inaccessible columns set to default? It seems like this would be unexpected/error prone behavior for the most part in my opinion.

What are your thoughts?

[cla-bot]

Thank you for your pull request and welcome to our community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. In order for us to review and merge your code, please submit the signed CLA to cla@trino.io. For more information, see https://github.com/trinodb/cla.

[cla-bot]

Thank you for your pull request and welcome to our community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. In order for us to review and merge your code, please submit the signed CLA to cla@trino.io. For more information, see https://github.com/trinodb/cla.

[cla-bot]

Thank you for your pull request and welcome to our community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. In order for us to review and merge your code, please submit the signed CLA to cla@trino.io. For more information, see https://github.com/trinodb/cla.

[martint]

@cla-bot check

[cla-bot]

The cla-bot has been summoned, and re-checked this pull request!

[martint]

This needs a better explanation. What's the difference between "when querying metadata" vs "when querying the table"?

[youngchen7]

filterColumns hides table metadata when running DESCRIBE or SHOW TABLE, as well as when querying the INFORMATION_SCHEMA tables. However, when actually selecting data from the table it doesn't hide the corresponding columns. I'm not really sure how else to describe this so any suggestions are welcome!

I also can't really think of a practical reason why we would want to control these separately. @kokosing mentioned that it would be beneficial to be able to hide column metadata & throw errors on access denied, vs hiding columns completely so that's why I'm leaving it here.

(Slack link: https://trinodb.slack.com/archives/CP1MUNEUX/p1620418412085600?thread_ts=1618261084.236200&cid=CP1MUNEUX)

[kokosing]

Please squash commits.

This looks good to me. I would like to hear from others if they like it. CC: @martint @findepi

[findepi]

This looks good to me. I would like to hear from others if they like it. CC: @martint @findepi

if you ask about my opinion, I can only repeat that for me this shouldn't be in AccessControl at all.
#7461 (comment)
https://trinodb.slack.com/archives/CP1MUNEUX/p1620422082086900?thread_ts=1618261084.236200&cid=CP1MUNEUX

[youngchen7]

Please squash commits.

This looks good to me. I would like to hear from others if they like it. CC: @martint @findepi

Ah does the merge process squash commits? I can rebase and squash all on my branch but I figured having history here would be useful.

[kokosing]

Ah does the merge process squash commits? I

We usually do Rebase and merge. Sometimes we do Squash and merge in case where external contributors are not well familiar with git, so we could save communication round trips.

I figured having history here would be useful.

That depends on history kind. We care a lot about the history, so this is why how change is structured between commits and what are the commit messages is also a part of code review. However we prefer not merge anything where change goes back and forth between commits in the same PR. This makes entire git history much cleaner. Notice that writing code is creative process and it is natural to got back and forth when writing the code, however when visiting history such small steps are not helpful.

@youngchen7 Would you like to add the above to https://github.com/trinodb/trino/blob/master/DEVELOPMENT.md (in separate PR)? I see it is not clear to the community members sometimes and it is not the first time I explain this. That way it will be easier for others to contribute.

[youngchen7]

Ah does the merge process squash commits? I

We usually do Rebase and merge. Sometimes we do Squash and merge in case where external contributors are not well familiar with git, so we could save communication round trips.

I figured having history here would be useful.

That depends on history kind. We care a lot about the history, so this is why how change is structured between commits and what are the commit messages is also a part of code review. However we prefer not merge anything where change goes back and forth between commits in the same PR. This makes entire git history much cleaner. Notice that writing code is creative process and it is natural to got back and forth when writing the code, however when visiting history such small steps are not helpful.

@youngchen7 Would you like to add the above to https://github.com/trinodb/trino/blob/master/DEVELOPMENT.md (in separate PR)? I see it is not clear to the community members sometimes and it is not the first time I explain this. That way it will be easier for others to contribute.

Sounds good - I'll open a new PR for the DEVELOPMENT.md change. I'll squash the commits in this PR.

[youngchen7]

@youngchen7 Would you like to add the above to https://github.com/trinodb/trino/blob/master/DEVELOPMENT.md (in separate PR)? I see it is not clear to the community members sometimes and it is not the first time I explain this. That way it will be easier for others to contribute.

#8411

[findepi]

how is this method different from filterColumns above?

• Why do we need two methods?
• What's the occasion where SELECT * would want to give you different set of columns than SHOW COLUMNS FROM ...

[kokosing]

I think we should continue with #9991, the simple feature toogle is easier to reason than changing the access control I think.

[findepi]

I think we should continue with #9991, the simple feature toogle is easier to reason than changing the access control I think.

@kokosing to me, it's not about simplicity, but what's the right thing to do.
per #7893 (comment) we shouldn't change AccessControl at all.

[bitsondatadev]

👋 @youngchen7 - this PR is inactive and doesn't seem to be under development, and it might already be implemented in #7461. If you'd like to continue work on this at any point in the future, feel free to re-open.