Use AccessControl functionality to filter columns from SELECT *…

[rodolfototaro]

I Implemented the feature without modify the access control and making it configurable (by default is off).
The implementation allow also to create a rowfilter on a column that is inaccessible. This could be useful when you need to partition data between user but you would not to show the discrimination column.

fixes #7461

[cla-bot]

Thank you for your pull request and welcome to our community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. In order for us to review and merge your code, please submit the signed CLA to cla@trino.io. For more information, see https://github.com/trinodb/cla.

[findepi]

@rtotarocuebiq how does this PR relate to @youngchen7's #7893?

[rodolfototaro]

@findepi It is an alternative implementation that does not need to change the access control signature, so there is not an alternative method to "filterColumns". Moreover it cover the usecase when you need to partition data between user but you would not to show the discrimination column.

[findepi]

Moreover it cover the usecase when you need to partition data between user but you would not to show the discrimination column.

can you elaborate on that use-case, or exemplify?

[rodolfototaro]

Moreover it cover the usecase when you need to partition data between user but you would not to show the discrimination column.

can you elaborate on that use-case, or exemplify?

The need is to have columns that contain technical information related

• to the owner of the data (tenant-id or user-id)
• to the goal for which data can be used (related to data license)

so you want give access to a user just to a subset of data but at the same time you would not to show those columns to users. Will exist also users that have right for accessing to the whole table.
So you need to apply the row filters depending by logged user on inaccessibile columns.

[findepi]

So you need to apply the row filters depending by logged user on inaccessibile columns.

That's a reasonable requirement, and should be possible today, regardless of SELECT * expansion with respect to inaccessible columns.

@rtotarocuebiq do we have existing tests for that?
cc @kokosing

[rodolfototaro]

@findepi yes in core/trino-main/src/test/java/io/trino/sql/query/TestFilterInaccessibleColumns.java method testRowFilterOnNotAccessibleColumn

[kokosing]

I don't think this should be exposed as a session property

[rodolfototaro]

any suggestions about?

[findepi]

@kokosing i understand you're concerned about the case where inaccessible columns are hidden with a config, but session property overrides and makes them visible (although still inaccessible) again. That would be a security problem

OTOH, i am thinking about the case where server uses default configuration, and user or group of users would want to leverage this new functionality. Providing session toggle would be nice.

I propose we do provide session toggle, but with validation preventing query_hide_inaccessible_columns be set to false, when config is true.

[kokosing]

I think it is about the query semantic. I don't think user should be allowed to change what given query means at will. I think it may cause other issues. For example auditors may no longer know what give query means.

[rodolfototaro]

@kokosing I got your point, you prefer to set it at server config level. Can you give me suggestion on where add the property? (i.e. ServerConfig or AccessControlConfig) and which is the better way for accessing to the value from StatementAnalyzer ?

[kokosing]

@ConfigDescription

[kokosing]

@Config("query.filter-restricted-columns")?

[findepi]

i like "hide" more.

also "restricted" could be understood as referring to inaccessible & masked columns, whereas we don't want to hide masked columns

[kokosing]

I think it is about the query semantic. I don't think user should be allowed to change what given query means at will. I think it may cause other issues. For example auditors may no longer know what give query means.

[kokosing]

what about column masking?

[rodolfototaro]

I'm saving columns accessed via row filter for excluding them from the access control if them are not accessed also directly in the statement. I didn't see a similar usecase for masking. Do you have a specific use case in mind so that I can add a test about?

[kokosing]

Yes. Consider a case where not accessible columns are used for column masking for example:

CASE not_accessible_column
    WHEN 'allowed' THEN actual_column
    WHEN 'masked' THEN mask(actual_column)
    ELSE null
END

Please add tests for cases like that.

[rodolfototaro]

Ok, to support it I moved the filtering logic on io.trino.sql.analyzer.StatementAnalyzer.Visitor#analyzeRowFilter and io.trino.sql.analyzer.StatementAnalyzer.Visitor#analyzeColumnMask. Added test cases

[kokosing]

invert condition and remove else block (keyword)

[rodolfototaro]

ok

[rodolfototaro]

I moved the property hide-inaccessible-columns on AccessControlConfig and aligned the pull request with master

[kokosing]

Yes. Consider a case where not accessible columns are used for column masking for example:

CASE not_accessible_column
    WHEN 'allowed' THEN actual_column
    WHEN 'masked' THEN mask(actual_column)
    ELSE null
END

Please add tests for cases like that.

[kokosing]

Let's define filterInaccessibleColumns in StatementAnalyzer. It seem that it is more semantic related thing than access.

[rodolfototaro]

ok

[kokosing]

Why do you need above conditions? getVisibleFields already checks if field is hidden. Also I would prefer to avoid other conditions to as they may change semantic of how things work today.

[rodolfototaro]

ok, I removed the condition

[kokosing]

nit. inline authorizedFields

[rodolfototaro]

ok

[kokosing]

Let's move it to FeaturesConfig and add @ConfigDescription

[rodolfototaro]

Ok, I moved it in FeaturesConfig and make accessibile in Metadata

[kokosing]

This query should not fail. If you are able to query table then surely you should be able to to DESCRIBE it. Columns that got hidden should be simply filtered here. Same comment for SHOW COLUMNS FROM nation

[rodolfototaro]

I added specific test for Describe and SHOW COLUMNS, this test check that are not accessible if I deny privilege on Information_schema

[kokosing]

I don't get this test. You are revoking access to a metadata table which should be always accessible. I think it does not make sense. Please have tests where you only manipulate access on test tables like nation.

[kokosing]

I haven't put enough attention to analysis or statement analyzer yet. I would like first to reach a state where tests are expressing the thing we would like to have.

Notice that row filter and column masking is like a view, where the user given with it is like owner. We should still do access control checks for them. Please take a look how view access control works.

[kokosing]

Why do you have experimental. here? I think this features is not going to affect a lot of users as it will be disabled by default so there should be no change for them.

[kokosing]

I think this simply belongs to StatementAnalyzer. It is about the syntax not metadata. Metadata is not changed when the toggle is enabled or not. We just handle it differently.

[rodolfototaro]

ok

[kokosing]

I don't get this test. You are revoking access to a metadata table which should be always accessible. I think it does not make sense. Please have tests where you only manipulate access on test tables like nation.

[rodolfototaro]

I haven't put enough attention to analysis or statement analyzer yet. I would like first to reach a state where tests are expressing the thing we would like to have.

Notice that row filter and column masking is like a view, where the user given with it is like owner. We should still do access control checks for them. Please take a look how view access control works.

Thx for the suggestion I was misunderstanding the Identity meaning in the View Expression so now I simplified my PR a lot.

[kokosing]

It looks much better now. Actually no changes in analyzer.

[kokosing]

Why is this that complex?

As I understand these fields always come from the same relation (maybe you do checkArgument to assert that), so do we need to use multimap here?

[rodolfototaro]

In case of join query like:
SELECT * FROM nation,customer WHERE customer.nationkey = nation.nationkey AND nation.name = 'FRANCE' AND customer.name='Customer#000001477'
I receive here fields from multiple tables

and in case of queries like:
SELECT * FROM (select 'test')
SELECT * FROM (SELECT concat(name,'-test') FROM nation WHERE name = 'FRANCE')

I receive fields without OriginaleTable/OriginaleColumn
so I must manage also those cases.

I'll add tests for that.

[kokosing]

Looks good, few minor comments. Thank you! Please rebase and squash commits. Make sure that commit message is well formatted and explains that change you are posting. Also please add this new property to the docs.

[kokosing]

It is not much user friendly error message, it is very technical. Maybe:

hide_inaccessible_columns cannot be disabled with session property when it was enabled with configuration

Also use HIDE_INACCESSIBLE_COLUMNS constant

Please make sure you have tests for this.

[kokosing]

static import?

[kokosing]

please extract variable for column names, also please use toImmutableSet()

[kokosing]

remove the comment

[kokosing]

Please rebase and squash commits (FYI https://github.com/trinodb/trino/blob/master/.github/DEVELOPMENT.md#git-merge-strategy)

[kokosing]

nit:

tableFields.stream()
     .map(field -> field.getOriginColumnName().get())
     .collect(toImmutableSet()));

[kokosing]

ListMultimap<QualifiedObjectName, Field> tableFieldsMap = ArrayListMultimap.create();

[kokosing]

@mosabua Can you please double check wording in the docs here?

[mosabua]

Only reviewed for docs and suggested changes. Also need confirmation if this is a global property or a catalog property.

[kokosing]

Merged, thank you!