Details
- Bug
- Status: Resolved
- Critical
- Resolution: Fixed
Description
If a table has column masking policies, we replace its unanalyzed TableRef with an analyzed InlineViewRef (table masking view) in FromClause.analyze(). However, we can't detect which columns are actually used in the original query at this point, because analyze() for SelectList, WhereClause, GroupByClause and other clauses containing SlotRefs happens after FromClause.analyze(). Only after the whole query block is analyzed can we get the exact set of required columns. We should do table masking there to avoid introducing unused columns.
To be specific, if table tbl(id int, name string, address string) has column masking policies for columns name and address to mask them, the following query
select name from tbl where id > 10;
will be rewritten to
select name from ( select id, mask(name) as name, mask(address) as address from tbl ) tbl where id > 10;
The rewritten query introduces a requirement for the SELECT privilege on the address column, which the original query doesn't require. We should either fix this or IMPALA-9223.
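The difference between the two rewrite points, as an added example: a simplified Python model, not Impala's frontend code. The function names are hypothetical, and the pruned query is an assumption about what masking after query-block analysis would produce for the example above.

```python
# Simplified model of the table masking view rewrite (not Impala's frontend code).
# Table, column and policy names follow the example in the description;
# the function names are hypothetical.

TBL_COLUMNS = ["id", "name", "address"]  # tbl(id int, name string, address string)
MASK_POLICIES = {"name": "mask(name)", "address": "mask(address)"}


def build_mask_view(table, columns, policies, required=None):
    """Return (view_sql, columns_needing_select).

    required=None models masking in FromClause.analyze(): the referenced
    columns are not known yet, so every column is projected.
    required=set(...) models masking after the query block is analyzed.
    """
    # Keep the table's own column order while dropping unreferenced columns.
    kept = [c for c in columns if required is None or c in required]
    items = [f"{policies[c]} as {c}" if c in policies else c for c in kept]
    view = f"( select {', '.join(items)} from {table} ) {table}"
    # Every column projected by the view needs SELECT privilege on the base table.
    return view, set(kept)


def rewrite(select_cols, where, where_cols, prune):
    """Rewrite `select <cols> from tbl where <pred>` against the masking view."""
    required = set(select_cols) | set(where_cols) if prune else None
    view, privs = build_mask_view("tbl", TBL_COLUMNS, MASK_POLICIES, required)
    sql = f"select {', '.join(select_cols)} from {view} where {where};"
    return sql, privs


if __name__ == "__main__":
    for prune in (False, True):
        sql, privs = rewrite(["name"], "id > 10", ["id"], prune)
        print(sql)
        print("  SELECT privilege needed on:", sorted(privs))
```
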
Issue Links
- causes IMPALA-11744 Table mask view should preserve the original column order in Hive (Resolved)