Skip to content

[table] Fail closed when reading a query-auth.enabled table#447

Merged
JingsongLi merged 3 commits into
apache:mainfrom
plusplusjiajia:query-auth-fail-closed
Jul 4, 2026
Merged

[table] Fail closed when reading a query-auth.enabled table#447
JingsongLi merged 3 commits into
apache:mainfrom
plusplusjiajia:query-auth-fail-closed

Conversation

@plusplusjiajia

Copy link
Copy Markdown
Member

Purpose

A query-auth.enabled table needs a per-user row filter / column masking that
the Rust client can't yet enforce. Reading it would return unfiltered data, so
this makes reads fail closed.

Brief change log

  • Add CoreOptions::query_auth_enabled().
  • Guard TableRead::to_arrow (the single row-data exit) to return
    Error::Unsupported when enabled — non-bypassable for any construction path.

Tests

  • Builder path and direct TableRead::new(..) path both fail closed
    (read_builder + table_read unit tests).

API and Format

Adds CoreOptions::query_auth_enabled().

@plusplusjiajia plusplusjiajia force-pushed the query-auth-fail-closed branch from afb3f6e to 553fe2c Compare July 3, 2026 17:41
Comment thread crates/paimon/src/table/table_read.rs Outdated
// Fail closed: this client can't yet enforce query-auth row filtering / column masking,
// so refuse to read rather than return unfiltered data. Guarding this single data exit
// (not the `ReadBuilder`) makes the check non-bypassable.
if core_options.query_auth_enabled() {

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This guards row materialization, but scan planning still succeeds for a query-auth.enabled table. TableScan::plan() / plan_with_trace() can still expose splits, file metadata, row counts, and stats before to_arrow() is reached, and DataFusion also plans eagerly. To make this truly fail closed, please add the same Unsupported guard at the scan planning boundary as well.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@QuakeWang Good catch. Added the same Unsupported guard at scan planning (plan() / plan_with_trace()), gated on !scan_all_files so only reads are blocked (writes/compaction stay allowed).

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Update: dropped the !scan_all_files exemption — it wasn't a clean read/write split (the files system table also uses it to surface metadata). plan() now fails closed unconditionally, so writes/compaction are blocked too until the client can enforce the auth filter.

@plusplusjiajia plusplusjiajia force-pushed the query-auth-fail-closed branch from a9cb2f9 to 3ca48c6 Compare July 4, 2026 02:56

@QuakeWang QuakeWang left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@plusplusjiajia plusplusjiajia force-pushed the query-auth-fail-closed branch from 3ca48c6 to 8bd5ec6 Compare July 4, 2026 03:47
@JingsongLi JingsongLi merged commit aba5b5b into apache:main Jul 4, 2026
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants