Document function rules for File-based Access Control

[huberty89]

Description

Update documentation for #13713

[colebow]

I've made an initial pass. Defer to @m57lyra if she suggests anything in the same places, as she's better at this than I am.

[m57lyra]

Some things to take care of.

[m57lyra]

I'm not quote sure what is meant here @huberty89 - Do you mean that only admins should have this privilege? If so:

" The query PTF is recommended for use only by admin or users.

[huberty89]

Do you mean that only admins should have this privilege?

In short yes. query PTF bypass the whole access control and should be used carefully.
To make access more strict, admin should create a SECURITY DEFINER views which execute specific query using query PTF so user can use only those defined by admin.

[huberty89]

@colebow @m57lyra Please take a look, I applied fixed based on all comments

[m57lyra]

Just a couple of minor fixes needed.

[kokosing]

I think this should be part of the release notes. If we add warnings like that we may end up with messy docs.

[m57lyra]

Agreed, and it should be in a breaking change section, as this will break expected security behaviors.

[m57lyra]

I was told though that there are no special sections, and release notes are generated from issues?

[mosabua]

Release notes are not generated. We write them .. but we do not have a dedicated breaking changes section. But this can be added .. probably was already .. @colebow ?

Also the warning is still appropriate .. maybe without the version info and past behavior though

[huberty89]

I remove information about Trino versions

[kokosing]

I think we still need this too in release notes.

[kokosing]

Add "why"

Maybe it would be nice to have some best-practices somewhere. Where you would have config to grant access to PTF to admin, then create a (definer) view on top of it with admin as owner and granting access to view to regular users. Maybe we could explain that only somewhere.

[mosabua]

I would even say .. remove that.. there is no reason for this to be best practice in general. Instead explain what the consequence is of this setup .. and earlier what happens by default

[mosabua]

As in like .. if anyone is allowed to execute table functions.. then what?

[huberty89]

query table function which works as a query pass-though - it's bypass the whole access control so IMO it's quite important to at least mention about it

[mosabua]

Yeah .. mention.. but not recommend as best practice.. its just important to understand that it is kind of a security hole otherwise ;-) .. so we need to explain that and not just have a recommendation without detailing the reasoning

[mosabua]

Some changes like "regex" might have to wait and be done to the whole document later

[mosabua]

Release notes are not generated. We write them .. but we do not have a dedicated breaking changes section. But this can be added .. probably was already .. @colebow ?

Also the warning is still appropriate .. maybe without the version info and past behavior though

[mosabua]

I would even say .. remove that.. there is no reason for this to be best practice in general. Instead explain what the consequence is of this setup .. and earlier what happens by default

[mosabua]

As in like .. if anyone is allowed to execute table functions.. then what?

[huberty89]

@mosabua @kokosing updated, please take a look

[mosabua]

Let's update a bit more.

[mosabua]

Looks good now. @martint could you merge this before the release since the feature already merged with the 401 release.