pace icon indicating copy to clipboard operation
pace copied to clipboard

Published 20 hours ago verified publisher icon getstrm

[documentation] provide generated view definitions in examples/tutorials

Open w0ut0 opened this issue 1 year ago • 3 comments

Problem description While the provided tutorials show the configuration of policies quite well, it's not super clear to see how the resulting view is implemented (for each processing platform). Eg., does Pace make use of the Databricks UC built-in masking feature, or is it implemented in pure SQL?

Proposed solution For all tutorials, include the generated view definitions (next to the result table, shown per principal - which IS cool).

Additional context Pace looks really promising, looking forward to see it evolve!

w0ut0 avatar Jan 28 '24 11:01 w0ut0

Hey @w0ut0 ! Thanks for your issue. Only logical! We'll get to it. The quick answer is: we leverage as much native functionality as possible (but platforms differ to a great degree). Meanwhile, pending any questions you might have, join us on Slack to discuss directly. Thanks again!

astronomous avatar Jan 29 '24 07:01 astronomous

Great idea! I've taken the opportunity to take this one step further: a dedicated API in PACE that will return the SQL DDL for the respective Data Policy, as the end result is not only dependent on the Data Policy, but also on the configuration of your PACE instance (e.g. for BigQuery there's a toggle in the PACE configuration to either use native IAM checks or use a principals reference table). I'll make sure to include the SQL DDL in the documentation as well :)

trietsch avatar Jan 29 '24 09:01 trietsch

@w0ut0 To give you a preview of the functionality, here's the corresponding CLI command for a Data Policy from our standalone example:

pace transpile data-policy --data-policy-file data-policy.yaml -o plain

create or replace view "public"."demo_view"
as
with
  "user_groups" as (
    select "rolname"
    from "pg_roles"
    where (
      "rolcanlogin" = false
      and pg_has_role(session_user, oid, 'member')
    )
  )
select
  "transactionid",
  case
    when (
      ('fraud_and_risk' IN ( SELECT rolname FROM user_groups ))
      or ('administrator' IN ( SELECT rolname FROM user_groups ))
    ) then "userid"
    else 0
  end as userid,
  case
    when ('administrator' IN ( SELECT rolname FROM user_groups )) then "email"
    when ('marketing' IN ( SELECT rolname FROM user_groups )) then regexp_replace(email, '^.*(@.*)$', '****\1', 'g')
    when ('fraud_and_risk' IN ( SELECT rolname FROM user_groups )) then "email"
    else '****'
  end as email,
  "age",
  case
    when ('administrator' IN ( SELECT rolname FROM user_groups )) then "brand"
    else CASE WHEN brand = 'MacBook' THEN 'Apple' ELSE 'Other' END
  end as brand,
  "transactionamount"
from "public"."demo"
where case
  when (
    ('administrator' IN ( SELECT rolname FROM user_groups ))
    or ('fraud_and_risk' IN ( SELECT rolname FROM user_groups ))
  ) then true
  else age > 8
end;
grant SELECT on public.demo_view to "fraud_and_risk";
grant SELECT on public.demo_view to "administrator";
grant SELECT on public.demo_view to "marketing";

trietsch avatar Jan 29 '24 15:01 trietsch