Status

Current state: Released

Discussion thread: https://lists.apache.org/thread/mypkp905nwbfnmb1b55j8wty7vr27xlm

JIRA or Github Issue:  https://github.com/apache/incubator-doris/pull/9271

Released: 1.1

Motivation

Sometimes we need permission control not only at the table level, but also at the row level and column level. At present, many users have to parse and rewrite SQL outside of Doris, or use third-party tools to do it, which increases the cost of use and causes performance loss.

Related Research

  1. ClickHouse grammar: https://clickhouse.com/docs/zh/sql-reference/statements/create/row-policy
  2. PostgreSQL grammar: http://www.postgres.cn/docs/9.5/ddl-rowsecurity.html
  3. Apache Ranger design: https://www.jianshu.com/p/10fb68958a7b

Detailed Design

1. Scheme

[Image: scheme diagram]

2. Policy

    KW_CREATE ident:type KW_POLICY opt_if_not_exists:ifNotExists ident:policyName KW_ON table_name:tbl KW_AS ident:filterType KW_TO user_identity:user
    KW_USING LPAREN expr:wherePredicate RPAREN
    {:
        RESULT = new CreatePolicyStmt(type, ifNotExists, policyName, tbl, filterType, user, wherePredicate);
    :}

1. When multiple policies are defined on one table, their wherePredicates are merged according to filterType (RESTRICTIVE | PERMISSIVE).

    CREATE ROW POLICY test_row_policy_1 ON test.table1 AS RESTRICTIVE TO root USING (id in (1, 2));
    CREATE ROW POLICY test_row_policy_2 ON test.table1 AS PERMISSIVE TO root USING (col1='col1_1');
    CREATE ROW POLICY test_row_policy_3 ON test.table1 AS RESTRICTIVE TO root USING (col2='col2_1');
    CREATE ROW POLICY test_row_policy_4 ON test.table1 AS RESTRICTIVE TO root USING (col3='col3_1');

→ POLICY.wherePredicate: (id in (1, 2) and col1='col1_1') or col2='col2_1' or col3='col3_1'. PERMISSIVE or RESTRICTIVE depends on the last policy.

2. PolicyMgr stores policies in dbIdToPolicyMap, which is used to match policies to SQL statements.

3. StmtWrite

1. Match SelectStmt/SetOperationStmt (union).

2. Replace each TableRef in the fromClause that matches a policy with an InlineViewRef whose QueryStmt uses the policy's wherePredicate.
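
The rewrite step above, as an added example (not Doris FE code): a toy AST whose class names are borrowed from the design text, rewritten and then executed on SQLite as a stand-in engine. The policy lookup keyed by unqualified table name and user, the `rewrite` and `run` helpers, and the sample rows are assumptions made for the illustration.

```python
import sqlite3
from dataclasses import dataclass

# Toy AST; class names follow the design text, bodies are illustrative only.
@dataclass
class TableRef:
    name: str
    alias: str = ""
    def sql(self): return f"{self.name} {self.alias}".strip()

@dataclass
class SelectStmt:
    cols: str
    from_: list
    where: str = ""
    def sql(self):
        s = f"SELECT {self.cols} FROM " + ", ".join(r.sql() for r in self.from_)
        return s + (f" WHERE {self.where}" if self.where else "")

@dataclass
class InlineViewRef:
    query: SelectStmt
    alias: str
    def sql(self): return f"({self.query.sql()}) {self.alias}"

@dataclass
class SetOperationStmt:
    operands: list
    def sql(self): return " UNION ALL ".join(o.sql() for o in self.operands)

# Constructed policy store: (table, user) -> merged wherePredicate.
POLICIES = {("table1", "root"): "id IN (1, 2)"}

def rewrite(stmt, user, policies=POLICIES):
    """Wrap every policed TableRef in an InlineViewRef filtered by its policy."""
    if isinstance(stmt, SetOperationStmt):  # rewrite each UNION operand
        return SetOperationStmt([rewrite(o, user, policies) for o in stmt.operands])
    refs = []
    for ref in stmt.from_:
        if isinstance(ref, InlineViewRef):  # descend into existing subqueries
            ref = InlineViewRef(rewrite(ref.query, user, policies), ref.alias)
        elif (ref.name, user) in policies:
            inner = SelectStmt("*", [TableRef(ref.name)], policies[(ref.name, user)])
            ref = InlineViewRef(inner, ref.alias or ref.name)  # keep visible name
        refs.append(ref)
    return SelectStmt(stmt.cols, refs, stmt.where)

def run(stmt):
    """Execute on a constructed SQLite table standing in for test.table1."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE table1 (id INT, col1 TEXT)")
    db.executemany("INSERT INTO table1 VALUES (?, ?)", [(1, "a"), (2, "b"), (3, "c")])
    return sorted(db.execute(stmt.sql()).fetchall())
```

Because the user's own WHERE clause stays outside the inline view, a predicate such as `1 = 1` cannot widen the result beyond the rows the policy admits.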

Scheduling

  1. support create/drop/show row policy
  2. match table and rewrite sql
  3. support column policy