
Add Row-Level Security (RLS) Support for ZooKeeper-Based Authentication

Open NihalJain opened this issue 3 months ago • 1 comments

Summary

Currently, Row-Level Security (RLS) filters are not supported when using ZooKeeper-based authentication (ZkBasicAuthAccessControlFactory). While the RLS infrastructure exists and works with file-based authentication, the ZK authentication implementation passes empty RLS filters.

This PR adds full RLS support to ZK-based authentication by:

  1. Extending UserConfig to store RLS filters per table
  2. Updating BasicAuthUtils to extract and pass RLS filters to ZkBasicAuthPrincipal
  3. Updating the REST API documentation with RLS filter examples

Background

Related commits that introduced initial RLS work:

Problem

When creating users via the ZK-based authentication REST API, there was no way to specify RLS filters. The BasicAuthUtils.extractBasicAuthPrincipals(List<UserConfig>) method was hardcoded to pass Map.of() (empty map) for RLS filters, resulting in:

  • RLS filters being ignored for all ZK-authenticated users

Proposed Solution

The goal is to implement RLS support by:

  1. UserConfig Changes (pinot-spi/src/main/java/org/apache/pinot/spi/config/user/UserConfig.java)

    • Added rlsFilters field of type Map<String, List<String>>
    • Added JSON property key RLS_FILTERS_KEY
    • Added getter method and validation
  2. BasicAuthUtils Changes (pinot-core/src/main/java/org/apache/pinot/core/auth/BasicAuthUtils.java)

    • Modified extractBasicAuthPrincipals(List<UserConfig>) to extract RLS filters from UserConfig
    • Replaced empty Map.of() with actual RLS filter extraction
    • RLS filters now properly passed to ZkBasicAuthPrincipal constructor
  3. API Documentation (pinot-controller/src/main/java/org/apache/pinot/controller/api/resources/PinotAccessControlUserRestletResource.java)

    • Updated REST API documentation with RLS filter format examples

API Usage Example

POST /users
{
  "username": "userRLS",
  "password": "secret",
  "component": "BROKER",
  "role": "USER",
  "tables": ["table1", "table2"],
  "permissions": ["READ"],
  "rlsFilters": {
    "table1": ["column1='value1'"],
    "table2": ["column2='value2' AND column3='value3'"]
  }
}

Nov 18 '25 05:11 NihalJain
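
A pre-flight check for the request body shown in the API usage example, added here as an illustration; it is not code from Pinot or from the issue. The rules it applies (filter keys must appear in tables, filter lists must be non-empty, READ tables without a filter are flagged) are assumptions about what an operator would want to catch before creating the user, not Pinot's own validation, and `audit_rls` is a hypothetical helper name.

```python
import json

# Constructed sample: the issue's request body with two deliberate mistakes added
# ("tabel2" is misspelled, so table2 has no filter; table1 carries a blank filter).
SAMPLE = json.loads("""
{
  "username": "userRLS", "password": "secret", "component": "BROKER", "role": "USER",
  "tables": ["table1", "table2"],
  "permissions": ["READ"],
  "rlsFilters": {"table1": ["column1='value1'", " "], "tabel2": ["column2='value2'"]}
}
""")


def audit_rls(payload):
    """Return (severity, message) findings for the rlsFilters block of a user payload."""
    findings = []
    tables = payload.get("tables") or []
    filters = payload.get("rlsFilters")
    if filters is None:
        filters = {}
    if not isinstance(filters, dict):
        return [("error", "rlsFilters must map a table name to a list of filters")]
    for table, exprs in filters.items():
        # A key that matches no granted table is usually a typo that leaves
        # the intended table without any filter.
        if table not in tables:
            findings.append(("error", f"rlsFilters key {table!r} is not listed in tables"))
        if not isinstance(exprs, list) or not exprs:
            findings.append(("error", f"{table!r}: filter list is missing or empty"))
            continue
        for expr in exprs:
            if not isinstance(expr, str) or not expr.strip():
                findings.append(("error", f"{table!r}: blank or non-string filter"))
    # Tables readable by this user that carry no RLS filter at all.
    if "READ" in (payload.get("permissions") or []):
        for table in tables:
            if table not in filters:
                findings.append(("warn", f"{table!r}: READ granted with no RLS filter"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_rls(SAMPLE):
        print(f"{severity.upper():5} {message}")
```
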

I am working on fixing this!

Nov 18 '25 05:11 NihalJain