Description
This came out during the review for https://gerrit.cloudera.org/#/c/10850/:
Supposing the folded fn reveals something interesting, e.g., getSSN("some user name") ... this approach evaluates it and outputs it to the log. While I don't think we output this rewritten query in an error (or possibly elsewhere downstream), have you looked at avoiding the evaluation of fn in the first place if access is not permitted? The approach here seems prone to currently leak and can get worse depending on future changes.
In general, it would be good to handle query analysis in the following sequence:
- Parse
- Check security/access
- Analyze
- Re-write
- Re-analyze
- etc.
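
The ordering concern above, as an added toy model (not Impala code and not part of the original report): the same query is run once with constant folding before the access check and once with the access check first. The function registry, the `pii_reader` privilege, the log format and the returned value are all constructed for illustration.

```python
import re

class AuthorizationError(Exception):
    pass

# Constructed registry: function name -> (implementation, privilege required).
# The implementation returns a fixed placeholder value, not real data.
FUNCTIONS = {"getSSN": (lambda name: "000-00-0000", "pii_reader")}

def parse(sql):
    """Parse the single query shape used here: SELECT fn('literal')."""
    m = re.fullmatch(r"SELECT (\w+)\('([^']*)'\)", sql.strip())
    if not m:
        raise ValueError("unsupported query")
    return {"fn": m.group(1), "arg": m.group(2)}

def check_access(ast, privileges):
    """Reject the query before any part of it has been evaluated."""
    _, needed = FUNCTIONS[ast["fn"]]
    if needed not in privileges:
        raise AuthorizationError(
            f"missing privilege '{needed}' to execute {ast['fn']}")

def fold_constants(ast, log):
    """Rewrite step: evaluates the constant call and logs the rewritten query."""
    impl, _ = FUNCTIONS[ast["fn"]]
    value = impl(ast["arg"])  # the function body runs here
    log.append(f"rewritten query: SELECT '{value}'")
    return {"literal": value}

def run(sql, privileges, authorize_first):
    """Return the log lines produced while planning the query."""
    log = []
    ast = parse(sql)
    try:
        if authorize_first:
            check_access(ast, privileges)  # Parse -> Check access -> Rewrite
            fold_constants(ast, log)
        else:
            fold_constants(ast, log)       # Parse -> Rewrite -> Check access
            check_access(ast, privileges)
    except AuthorizationError as e:
        log.append(f"error: {e}")
    return log

if __name__ == "__main__":
    query = "SELECT getSSN('some user name')"
    for first in (False, True):
        print(f"authorize_first={first}:", run(query, set(), first))
```

With folding first, the log already holds the folded value by the time the access check rejects the query; with the check first, the log holds only the authorization error.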