feat(query): row access policy support rbac (#19064)

Author: TCeason

src/meta/app/src/principal/ownership_object.rs

@@ -74,6 +74,10 @@ pub enum OwnershipObject {
     MaskingPolicy {
         policy_id: u64,
     },
+
+    RowAccessPolicy {
+        policy_id: u64,
+    },
 }
 
 impl OwnershipObject {
@@ -109,6 +113,9 @@ impl fmt::Display for OwnershipObject {
             OwnershipObject::MaskingPolicy { policy_id } => {
                 write!(f, "MASKING POLICY {policy_id}")
             }
+            OwnershipObject::RowAccessPolicy { policy_id } => {
+                write!(f, "ROW ACCESS POLICY {policy_id}")
+            }
         }
     }
 }
@@ -157,6 +164,9 @@ impl KeyCodec for OwnershipObject {
             OwnershipObject::MaskingPolicy { policy_id } => {
                 b.push_raw("masking-policy-by-id").push_u64(*policy_id)
             }
+            OwnershipObject::RowAccessPolicy { policy_id } => {
+                b.push_raw("row-access-policy-by-id").push_u64(*policy_id)
+            }
         }
     }
 
@@ -223,9 +233,13 @@ impl KeyCodec for OwnershipObject {
                 let policy_id = p.next_u64()?;
                 Ok(OwnershipObject::MaskingPolicy { policy_id })
             }
+            "row-access-policy-by-id" => {
+                let policy_id = p.next_u64()?;
+                Ok(OwnershipObject::RowAccessPolicy { policy_id })
+            }
             _ => Err(kvapi::KeyError::InvalidSegment {
                 i: p.index(),
-                expect: "database-by-id|database-by-catalog-id|table-by-id|table-by-catalog-id|stage-by-name|udf-by-name|warehouse-by-id|connection-by-name|masking-policy-by-id"
+                expect: "database-by-id|database-by-catalog-id|table-by-id|table-by-catalog-id|stage-by-name|udf-by-name|warehouse-by-id|connection-by-name|masking-policy-by-id|row-access-policy-by-id"
                     .to_string(),
                 got: q.to_string(),
             }),

src/meta/app/src/principal/user_grant.rs

@@ -64,6 +64,7 @@ pub enum GrantObject {
     Sequence(String),
     Procedure(u64),
     MaskingPolicy(u64),
+    RowAccessPolicy(u64),
 }
 
 impl GrantObject {
@@ -101,6 +102,7 @@ impl GrantObject {
             (GrantObject::Sequence(s), GrantObject::Sequence(rs)) => s == rs,
             (GrantObject::Procedure(p), GrantObject::Procedure(rp)) => p == rp,
             (GrantObject::MaskingPolicy(lp), GrantObject::MaskingPolicy(rp)) => lp == rp,
+            (GrantObject::RowAccessPolicy(lp), GrantObject::RowAccessPolicy(rp)) => lp == rp,
             _ => false,
         }
     }
@@ -136,6 +138,9 @@ impl GrantObject {
             GrantObject::MaskingPolicy(_) => {
                 UserPrivilegeSet::available_privileges_on_masking_policy(available_ownership)
             }
+            GrantObject::RowAccessPolicy(_) => {
+                UserPrivilegeSet::available_privileges_on_row_access_policy(available_ownership)
+            }
         }
     }
 
@@ -148,6 +153,7 @@ impl GrantObject {
             | GrantObject::Sequence(_)
             | GrantObject::Procedure(_)
             | GrantObject::MaskingPolicy(_)
+            | GrantObject::RowAccessPolicy(_)
             | GrantObject::Connection(_) => None,
             GrantObject::Database(cat, _) | GrantObject::DatabaseById(cat, _) => Some(cat.clone()),
             GrantObject::Table(cat, _, _) | GrantObject::TableById(cat, _, _) => Some(cat.clone()),
@@ -174,6 +180,9 @@ impl fmt::Display for GrantObject {
             GrantObject::Sequence(s) => write!(f, "SEQUENCE {s}"),
             GrantObject::Procedure(p) => write!(f, "PROCEDURE {p}"),
             GrantObject::MaskingPolicy(policy_id) => write!(f, "MASKING POLICY {policy_id}"),
+            GrantObject::RowAccessPolicy(policy_id) => {
+                write!(f, "ROW ACCESS POLICY {policy_id}")
+            }
         }
     }
 }

src/meta/app/src/principal/user_privilege.rs

@@ -92,6 +92,10 @@ pub enum UserPrivilegeType {
     ApplyMaskingPolicy = 1 << 28,
     // Privilege to Create Masking Policy.
     CreateMaskingPolicy = 1 << 29,
+    // Privilege to Apply Row Access Policy.
+    ApplyRowAccessPolicy = 1 << 30,
+    // Privilege to Create Row Access Policy.
+    CreateRowAccessPolicy = 1 << 31,
     // Discard Privilege Type
     Set = 1 << 4,
     CreateDataMask = 1 << 16,
@@ -119,6 +123,8 @@ impl Display for UserPrivilegeType {
             UserPrivilegeType::CreateDataMask => "CREATE DATAMASK",
             UserPrivilegeType::CreateMaskingPolicy => "CREATE MASKING POLICY",
             UserPrivilegeType::ApplyMaskingPolicy => "APPLY MASKING POLICY",
+            UserPrivilegeType::CreateRowAccessPolicy => "CREATE ROW ACCESS POLICY",
+            UserPrivilegeType::ApplyRowAccessPolicy => "APPLY ROW ACCESS POLICY",
             UserPrivilegeType::Ownership => "OWNERSHIP",
             UserPrivilegeType::Read => "Read",
             UserPrivilegeType::Write => "Write",
@@ -164,6 +170,12 @@ impl From<databend_common_ast::ast::UserPrivilegeType> for UserPrivilegeType {
             databend_common_ast::ast::UserPrivilegeType::ApplyMaskingPolicy => {
                 UserPrivilegeType::ApplyMaskingPolicy
             }
+            databend_common_ast::ast::UserPrivilegeType::CreateRowAccessPolicy => {
+                UserPrivilegeType::CreateRowAccessPolicy
+            }
+            databend_common_ast::ast::UserPrivilegeType::ApplyRowAccessPolicy => {
+                UserPrivilegeType::ApplyRowAccessPolicy
+            }
             databend_common_ast::ast::UserPrivilegeType::Ownership => UserPrivilegeType::Ownership,
             databend_common_ast::ast::UserPrivilegeType::Read => UserPrivilegeType::Read,
             databend_common_ast::ast::UserPrivilegeType::Write => UserPrivilegeType::Write,
@@ -228,15 +240,17 @@ impl UserPrivilegeSet {
         let connection_privs_without_ownership = Self::available_privileges_on_connection(false);
         let seq_privs_without_ownership = Self::available_privileges_on_sequence(false);
         let mask_privs = Self::available_privileges_on_masking_policy(false);
-        let privs = make_bitflags!(UserPrivilegeType::{ Usage | Super | CreateUser | DropUser | CreateRole | DropRole | CreateDatabase | Grant | CreateDataMask | CreateMaskingPolicy | CreateWarehouse | CreateConnection | CreateSequence | CreateProcedure });
+        let row_access_privs = Self::available_privileges_on_row_access_policy(false);
+        let privs = make_bitflags!(UserPrivilegeType::{ Usage | Super | CreateUser | DropUser | CreateRole | DropRole | CreateDatabase | Grant | CreateDataMask | CreateMaskingPolicy | CreateRowAccessPolicy | CreateWarehouse | CreateConnection | CreateSequence | CreateProcedure });
         (database_privs.privileges
             | privs
             | stage_privs_without_ownership.privileges
             | wh_privs_without_ownership.privileges
             | connection_privs_without_ownership.privileges
             | seq_privs_without_ownership.privileges
             | udf_privs_without_ownership.privileges
-            | mask_privs.privileges)
+            | mask_privs.privileges
+            | row_access_privs.privileges)
             .into()
     }
 
@@ -315,6 +329,14 @@ impl UserPrivilegeSet {
         }
     }
 
+    pub fn available_privileges_on_row_access_policy(available_ownership: bool) -> Self {
+        if available_ownership {
+            make_bitflags!(UserPrivilegeType::{ ApplyRowAccessPolicy | Ownership }).into()
+        } else {
+            make_bitflags!(UserPrivilegeType::{ ApplyRowAccessPolicy }).into()
+        }
+    }
+
     pub fn set_privilege(&mut self, privilege: UserPrivilegeType) {
         self.privileges |= privilege;
     }

src/meta/proto-conv/src/ownership_from_to_protobuf_impl.rs

@@ -103,6 +103,9 @@ impl FromToProto for mt::principal::OwnershipObject {
             pb::ownership_object::Object::MaskingPolicy(
                 pb::ownership_object::OwnershipMaskingPolicyObject { policy_id },
             ) => Ok(mt::principal::OwnershipObject::MaskingPolicy { policy_id }),
+            pb::ownership_object::Object::RowAccessPolicy(
+                pb::ownership_object::OwnershipRowAccessPolicyObject { policy_id },
+            ) => Ok(mt::principal::OwnershipObject::RowAccessPolicy { policy_id }),
         }
     }
 
@@ -171,6 +174,13 @@ impl FromToProto for mt::principal::OwnershipObject {
                     },
                 ))
             }
+            mt::principal::OwnershipObject::RowAccessPolicy { policy_id } => {
+                Some(pb::ownership_object::Object::RowAccessPolicy(
+                    pb::ownership_object::OwnershipRowAccessPolicyObject {
+                        policy_id: *policy_id,
+                    },
+                ))
+            }
         };
         Ok(pb::OwnershipObject {
             ver: VER,

src/meta/proto-conv/src/user_from_to_protobuf_impl.rs

@@ -206,6 +206,9 @@ impl FromToProto for mt::principal::GrantObject {
             pb::grant_object::Object::Maskingpolicy(
                 pb::grant_object::GrantMaskingPolicyObject { policy_id },
             ) => Ok(mt::principal::GrantObject::MaskingPolicy(policy_id)),
+            pb::grant_object::Object::RowAccessPolicy(
+                pb::grant_object::GrantRowAccessPolicyObject { policy_id },
+            ) => Ok(mt::principal::GrantObject::RowAccessPolicy(policy_id)),
         }
     }
 
@@ -273,6 +276,13 @@ impl FromToProto for mt::principal::GrantObject {
                     },
                 ))
             }
+            mt::principal::GrantObject::RowAccessPolicy(policy_id) => {
+                Some(pb::grant_object::Object::RowAccessPolicy(
+                    pb::grant_object::GrantRowAccessPolicyObject {
+                        policy_id: *policy_id,
+                    },
+                ))
+            }
         };
         Ok(pb::GrantObject {
             ver: VER,

src/meta/proto-conv/src/util.rs

@@ -190,6 +190,7 @@ const META_CHANGE_LOG: &[(u64, &str)] = &[
     (158, "2025-10-22: Add: Server UDTF"),
     (159, "2025-11-18: Add: Grant/OwnershipMaskingPolicyObject and masking policy privileges"),
     (160, "2025-11-27: Add: udf.proto/UserDefinedFunction add update_on field"),
+    (161, "2025-12-04: Add: Grant/OwnershipRowAccessPolicyObject and row access policy privileges"),
     // Dear developer:
     //      If you're gonna add a new metadata version, you'll have to add a test for it.
     //      You could just copy an existing test file(e.g., `../tests/it/v024_table_meta.rs`)

src/meta/proto-conv/tests/it/main.rs

@@ -152,3 +152,4 @@ mod v157_type_timestamp_tz;
 mod v158_udtf_server;
 mod v159_grant_object_masking_policy;
 mod v160_udf_update_on;
+mod v161_grant_object_row_access_policy;

src/meta/proto-conv/tests/it/v161_grant_object_row_access_policy.rs

@@ -0,0 +1,82 @@
+// Copyright 2023 Datafuse Labs.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+use std::collections::HashSet;
+
+use chrono::DateTime;
+use chrono::Utc;
+use databend_common_meta_app as mt;
+use databend_common_meta_app::principal::OwnershipInfo;
+use databend_common_meta_app::principal::OwnershipObject;
+use databend_common_meta_app::principal::UserGrantSet;
+use databend_common_meta_app::principal::UserPrivilegeType;
+use enumflags2::make_bitflags;
+use fastrace::func_name;
+
+use crate::common;
+
+#[test]
+fn test_decode_v161_grant_object() -> anyhow::Result<()> {
+    let role_info_v161 = vec![
+        10, 8, 114, 97, 112, 95, 114, 111, 108, 101, 18, 61, 10, 24, 10, 9, 10, 0, 160, 6, 161, 1,
+        168, 6, 24, 16, 128, 128, 128, 128, 8, 160, 6, 161, 1, 168, 6, 24, 10, 26, 10, 11, 106, 2,
+        8, 7, 160, 6, 161, 1, 168, 6, 24, 16, 128, 128, 128, 128, 4, 160, 6, 161, 1, 168, 6, 24,
+        160, 6, 161, 1, 168, 6, 24, 26, 23, 49, 57, 55, 48, 45, 48, 49, 45, 48, 49, 32, 48, 48, 58,
+        48, 48, 58, 48, 48, 32, 85, 84, 67, 34, 23, 49, 57, 55, 48, 45, 48, 49, 45, 48, 49, 32, 48,
+        48, 58, 48, 48, 58, 48, 48, 32, 85, 84, 67, 160, 6, 161, 1, 168, 6, 24,
+    ];
+
+    let want = || mt::principal::RoleInfo {
+        name: "rap_role".to_string(),
+        comment: None,
+        grants: UserGrantSet::new(
+            vec![
+                mt::principal::GrantEntry::new(
+                    mt::principal::GrantObject::Global,
+                    make_bitflags!(UserPrivilegeType::{CreateRowAccessPolicy}),
+                ),
+                mt::principal::GrantEntry::new(
+                    mt::principal::GrantObject::RowAccessPolicy(7),
+                    make_bitflags!(UserPrivilegeType::{ApplyRowAccessPolicy}),
+                ),
+            ],
+            HashSet::new(),
+        ),
+        created_on: DateTime::<Utc>::default(),
+        update_on: DateTime::<Utc>::default(),
+    };
+
+    common::test_pb_from_to(func_name!(), want())?;
+    common::test_load_old(func_name!(), role_info_v161.as_slice(), 161, want())?;
+
+    Ok(())
+}
+
+#[test]
+fn test_decode_v161_row_access_policy_ownership() -> anyhow::Result<()> {
+    let ownership_info_v161 = vec![
+        10, 10, 111, 119, 110, 101, 114, 95, 114, 111, 108, 101, 18, 11, 82, 2, 8, 42, 160, 6, 161,
+        1, 168, 6, 24, 160, 6, 161, 1, 168, 6, 24,
+    ];
+
+    let want = || OwnershipInfo {
+        role: "owner_role".to_string(),
+        object: OwnershipObject::RowAccessPolicy { policy_id: 42 },
+    };
+
+    common::test_pb_from_to(func_name!(), want())?;
+    common::test_load_old(func_name!(), ownership_info_v161.as_slice(), 161, want())?;
+
+    Ok(())
+}

src/meta/protos/proto/ownership.proto

@@ -66,6 +66,10 @@ message OwnershipObject {
     uint64 policy_id = 1;
   }
 
+  message OwnershipRowAccessPolicyObject {
+    uint64 policy_id = 1;
+  }
+
   oneof object {
     OwnershipDatabaseObject database = 1;
     OwnershipTableObject table = 2;
@@ -76,5 +80,6 @@ message OwnershipObject {
     OwnershipSequenceObject sequence = 7;
     OwnershipProcedureObject procedure = 8;
     OwnershipMaskingPolicyObject masking_policy = 9;
+    OwnershipRowAccessPolicyObject row_access_policy = 10;
   }
 }

src/meta/protos/proto/user.proto

@@ -97,6 +97,10 @@ message GrantObject {
     uint64 policy_id = 1;
   }
 
+  message GrantRowAccessPolicyObject {
+    uint64 policy_id = 1;
+  }
+
   oneof object {
     GrantGlobalObject global = 1;
     GrantDatabaseObject database = 2;
@@ -110,6 +114,7 @@ message GrantObject {
     GrantSequenceObject sequence = 10;
     GrantProcedureObject procedure = 11;
     GrantMaskingPolicyObject maskingpolicy = 12;
+    GrantRowAccessPolicyObject row_access_policy = 13;
   }
 }