Make column privileges matchable/callable

[MichaelTiemannOSC]

Rather than forcing users to enumerate every possible column name in the schema, column checks could be checked against a pattern (such as a prefix or regex) or even checked via a (lambda) function.

In this way, a USER1 could create and query all columns that their pattern matches (which might be the prefix '' or the pattern r'*').

USER2 could create and query all columns prefixed with 'quant_' and 'user_', but not '_dev'

USER3 could create and query only columns prefixed with 'user_'

This could extend beyond pattern matching to an arbitrary evaluation function, with all the performance and security problems contained therein.

Thoughts, @erikerlandson ?

[erikerlandson]

just to confirm, what you are asking is something like this:

    "columns": [
      { "name": "dev.*", "allow": false }
    ]

so asking trino to hide all columns whose name starts with "dev" ?

[MichaelTiemannOSC]

Yes, though technically I asked for "dev_*", which "dev.*" would indeed match (because . matches _). Michael

…

________________________________ From: Erik Erlandson ***@***.***> Sent: Saturday, January 15, 2022 1:24 PM To: os-climate/osc-trino-acl-dsl Cc: Michael Tiemann; Author Subject: Re: [os-climate/osc-trino-acl-dsl] Make column privileges matchable/callable (Issue #1) just to confirm, what you are asking is something like this: "columns": [ { "name": "dev.*", "allow": false } ] so asking trino to hide all columns whose name starts with "dev" ? — Reply to this email directly, view it on GitHub<https://url.emailprotection.link/?bJP4OghUr5qE1EUF7EUK3Psp31yXkKxC5FHNAeW0z00BGxYxZl0Up_GOcx_fpb0_TrHjHKm6cqRLmP1ErPD0GPydGsLVIXmwIFb6jZ-9nuOrr0H5mpVleCOnVpPs_v08t>, or unsubscribe<https://url.emailprotection.link/?bG7-fLIOHLF9ekBWh7VJOGAFMjcvvBGhzcwlgUbaswQlAQ3tpb8Ax6dt8yTlD0KTmr8YCRwrB3HNdsjpgSVJ5ozh4rEFxT63sDI-PhB3XSjutBMcEGUyGqPJqelvfxS5ECilW820PTZHqk5-S-ZccKmZdaUDa2zMIITBf7wKmRf8~>. Triage notifications on the go with GitHub Mobile for iOS<https://url.emailprotection.link/?b93vvrxxFMiIL3aaEZeT1FEDo4ff1nIm3S93M74HChe6oMsjvQxYfvy0INjYS7u2FMe9ddTMaKP63-6NfzGjH_fVMKWZ4WGY8V0YwPxZVTfVo1FS4ve04s9qZpZ4awAgjKFcwCo9eE9NJvenJ6TkrGN_4GTeA60Dx2SZ1BScd4_k~> or Android<https://url.emailprotection.link/?bwU-B7o1UGBPzHAoKA5hX-YU6nt6R47hh3_8HMPKW08nZ4tm-rkZdekFih8adSaIlolX1K6F60Z32RgmcvBYWzPaWnxjzogEdPUobJCj1y-4sZyT_B-NChG2 %20_1GZYBDzw8PDJcos3uXLAK_Haiwidbp-UKkyLlCXKM68K2qknmejC6ePwEZUXvno9Z8XOf5JcrvFAo5kMKScW99QAMxuSjg~~>. You are receiving this because you authored the thread.Message ID: ***@***.***>

[erikerlandson]

Have not yet received a response about whether hidden columns can be given as regex yet