Status

Current state: Released

Discussion thread: https://lists.apache.org/thread/mypkp905nwbfnmb1b55j8wty7vr27xlm

JIRA or Github Issue: https://github.com/apache/incubator-doris/pull/9271

Released: 1.1

Google Doc: <If the design in question is unclear or needs to be discussed and reviewed, a Google Doc can be used first to facilitate comments from others.>

Motivation

Sometimes we need permission control not only at the table level but also at the row and column level. At present, many users have to parse and rewrite SQL outside of Doris, or use third-party tools to do it, which increases the cost of use and causes performance loss.

Related Research

  1. ClickHouse grammar: https://clickhouse.com/docs/zh/sql-reference/statements/create/row-policy
  2. PostgreSQL grammar: http://www.postgres.cn/docs/9.5/ddl-rowsecurity.html
  3. Apache Ranger design: https://www.jianshu.com/p/10fb68958a7b

Detailed Design

1. Scheme

2. Policy

    KW_CREATE ident:type KW_POLICY opt_if_not_exists:ifNotExists ident:policyName KW_ON table_name:tbl KW_AS ident:filterType KW_TO user_identity:user
    KW_USING LPAREN expr:wherePredicate RPAREN
    {:
        RESULT = new CreatePolicyStmt(type, ifNotExists, policyName, tbl, filterType, user, wherePredicate);
    :}

1. When several policies exist on one table (for the same user), their wherePredicates are merged according to filterType (RESTRICTIVE | PERMISSIVE)

CREATE ROW POLICY test_row_policy_1 ON test.table1 AS RESTRICTIVE TO root USING (id in (1, 2));

CREATE ROW POLICY test_row_policy_2 ON test.table1 AS PERMISSIVE TO root USING (col1='col1_1');

CREATE ROW POLICY test_row_policy_3 ON test.table1 AS RESTRICTIVE TO root USING (col2='col2_1');

CREATE ROW POLICY test_row_policy_4 ON test.table1 AS RESTRICTIVE TO root USING (col3='col3_1');

→ merged POLICY.wherePredicate: (id in (1, 2) and col1='col1_1') or col2='col2_1' or col3='col3_1'; the merged policy's filterType (PERMISSIVE or RESTRICTIVE) is that of the last policy

Note that this grouping differs from the PostgreSQL semantics cited above, where all RESTRICTIVE predicates are ANDed together, all PERMISSIVE predicates are ORed together, and the two results are ANDed. With the grouping shown here, a RESTRICTIVE policy created after a PERMISSIVE one widens the set of visible rows instead of narrowing it, so the intended precedence should be pinned down by tests before release: a policy that silently widens exposes rows.

2. PolicyMgr stores policies in dbIdToPolicyMap and uses it to find the policies matching the tables referenced by a SQL statement

3. StmtRewrite

1. Match SelectStmt / SetOperationStmt (union)

2. Replace each TableRef in the fromClause that matches a policy with an InlineViewRef whose QueryStmt applies the policy's wherePredicate
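The merge and rewrite steps above, as an added Python example that is not Doris code: it takes the four policies from the design example, merges them with the PostgreSQL rule named in the related research (an assumption here, since the grouping shown in the design example differs), and rewrites every FROM/JOIN table reference of a statement into an inline view at the string level. RowPolicy, matching_policies, merge_policies, rewrite_with_row_policies, the current_db parameter and the sample statements are all constructed for this example; Doris itself rewrites the AST (TableRef to InlineViewRef) rather than the SQL text, so the regex here is only an illustration and would misfire on table names inside string literals.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class RowPolicy:
    """One CREATE ROW POLICY statement, as the grammar above parses it."""
    name: str
    table: str            # fully qualified "db.table"
    filter_type: str      # "RESTRICTIVE" or "PERMISSIVE"
    user: str             # the user the policy applies TO
    where_predicate: str  # text of the USING (...) predicate


def matching_policies(policies: List[RowPolicy], table: str, user: str) -> List[RowPolicy]:
    """Policies that apply to this table for this user, in creation order."""
    return [p for p in policies if p.table == table and p.user == user]


def _group(preds: List[str], op: str) -> str:
    # Wrap every predicate so a user-written "a=1 OR b=2" cannot change precedence.
    wrapped = [f"({p})" for p in preds]
    return wrapped[0] if len(wrapped) == 1 else "(" + f" {op} ".join(wrapped) + ")"


def merge_policies(policies: List[RowPolicy]) -> Optional[str]:
    """Merge with the PostgreSQL rule (an assumption of this example, not the
    grouping in the design example): RESTRICTIVE predicates are ANDed,
    PERMISSIVE predicates are ORed, and the two groups are ANDed, so adding a
    RESTRICTIVE policy can only ever remove rows, never add them."""
    restrictive = [p.where_predicate for p in policies if p.filter_type == "RESTRICTIVE"]
    permissive = [p.where_predicate for p in policies if p.filter_type == "PERMISSIVE"]
    groups = []
    if restrictive:
        groups.append(_group(restrictive, "AND"))
    if permissive:
        groups.append(_group(permissive, "OR"))
    return " AND ".join(groups) if groups else None


# Matches "FROM db.table [[AS] alias]" and "JOIN db.table [[AS] alias]"; the alias
# is only taken when the following word is not a clause keyword.
_TABLE_REF = re.compile(
    r"\b(FROM|JOIN)\s+(\w+(?:\.\w+)?)"
    r"(?:\s+(?:AS\s+)?(?!(?:WHERE|JOIN|ON|GROUP|ORDER|LIMIT|UNION|HAVING|LEFT|RIGHT|INNER|CROSS|FULL)\b)(\w+))?",
    re.IGNORECASE,
)


def rewrite_with_row_policies(sql: str, policies: List[RowPolicy], user: str,
                              current_db: str = "test") -> str:
    """Replace each table reference that has a policy for this user with an
    inline view (SELECT * FROM tbl WHERE <merged predicate>). The outer query
    keeps its alias, WHERE, LIMIT and so on, so nothing written by the user can
    reach rows the predicate filters out. Union branches are rewritten too,
    because every FROM in the text is visited."""
    def repl(m):
        keyword, ref, alias = m.group(1), m.group(2), m.group(3)
        qualified = ref if "." in ref else f"{current_db}.{ref}"
        pred = merge_policies(matching_policies(policies, qualified, user))
        if pred is None:
            return m.group(0)  # no policy for this table/user: leave it untouched
        view_alias = alias or ref.split(".")[-1]  # keep column references resolving
        return f"{keyword} (SELECT * FROM {qualified} WHERE {pred}) AS {view_alias}"
    return _TABLE_REF.sub(repl, sql)


# Constructed sample: the four policies from the design example, all granted TO root.
POLICIES = [
    RowPolicy("test_row_policy_1", "test.table1", "RESTRICTIVE", "root", "id in (1, 2)"),
    RowPolicy("test_row_policy_2", "test.table1", "PERMISSIVE", "root", "col1='col1_1'"),
    RowPolicy("test_row_policy_3", "test.table1", "RESTRICTIVE", "root", "col2='col2_1'"),
    RowPolicy("test_row_policy_4", "test.table1", "RESTRICTIVE", "root", "col3='col3_1'"),
]


def demo() -> str:
    """Rewrite a constructed statement for root."""
    return rewrite_with_row_policies(
        "SELECT id, col1 FROM test.table1 WHERE col1 = 'x' LIMIT 10", POLICIES, "root")


if __name__ == "__main__":
    print(merge_policies(matching_policies(POLICIES, "test.table1", "root")))
    print(demo())
```

Under this merge rule the four example policies become ((id in (1, 2)) AND (col2='col2_1') AND (col3='col3_1')) AND (col1='col1_1'), which is strictly narrower than any single policy; a user with no matching policy, or a table without policies, gets the statement back unchanged.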

Scheduling

  1. support create/drop/show row policy
  2. match tables and rewrite SQL
  3. support column policy

1 Comment

  1. There are currently issues with serializing and deserializing wherePredicate