[table] Fail closed when reading a query-auth.enabled table#447
Conversation
afb3f6e to
553fe2c
Compare
| // Fail closed: this client can't yet enforce query-auth row filtering / column masking, | ||
| // so refuse to read rather than return unfiltered data. Guarding this single data exit | ||
| // (not the `ReadBuilder`) makes the check non-bypassable. | ||
| if core_options.query_auth_enabled() { |
There was a problem hiding this comment.
This guards row materialization, but scan planning still succeeds for a query-auth.enabled table. TableScan::plan() / plan_with_trace() can still expose splits, file metadata, row counts, and stats before to_arrow() is reached, and DataFusion also plans eagerly. To make this truly fail closed, please add the same Unsupported guard at the scan planning boundary as well.
There was a problem hiding this comment.
@QuakeWang Good catch. Added the same Unsupported guard at scan planning (plan() / plan_with_trace()), gated on !scan_all_files so only reads are blocked (writes/compaction stay allowed).
There was a problem hiding this comment.
Update: dropped the !scan_all_files exemption — it wasn't a clean read/write split (the files system table also uses it to surface metadata). plan() now fails closed unconditionally, so writes/compaction are blocked too until the client can enforce the auth filter.
a9cb2f9 to
3ca48c6
Compare
…earch, system tables)
3ca48c6 to
8bd5ec6
Compare
Purpose
A
query-auth.enabledtable needs a per-user row filter / column masking thatthe Rust client can't yet enforce. Reading it would return unfiltered data, so
this makes reads fail closed.
Brief change log
CoreOptions::query_auth_enabled().TableRead::to_arrow(the single row-data exit) to returnError::Unsupportedwhen enabled — non-bypassable for any construction path.Tests
TableRead::new(..)path both fail closed(
read_builder+table_readunit tests).API and Format
Adds
CoreOptions::query_auth_enabled().