Skip to content

[rest] Add view penetration endpoint for table access via view#8112

Open
JingsongLi wants to merge 9 commits into
masterfrom
rest-add-table-via-view-endpoint
Open

[rest] Add view penetration endpoint for table access via view#8112
JingsongLi wants to merge 9 commits into
masterfrom
rest-add-table-via-view-endpoint

Conversation

@JingsongLi
Copy link
Copy Markdown
Contributor

@JingsongLi JingsongLi commented Jun 4, 2026
edited
Loading

Summary

  • Add POST /v1/{prefix}/databases/{db}/tables/{table}/via/{via_db}/{via_object} REST endpoint for view penetration
  • If the caller has permission on a view, they can access the underlying table referenced by that view
  • Add getTableVia(Identifier table, Identifier via) default method to Catalog interface (defaults to getTable(table))
  • Override in RESTCatalog to call the new REST endpoint, and delegate in DelegateCatalog
  • Mirror the same implementation in Python (Catalog, RESTCatalog, RESTApi, ResourcePaths)
  • This API can only be called by trusted engines; the server must authenticate whether the caller is a trusted engine

Test plan

  • Java: testGetTableVia, testGetTableViaWhenTableNotExist, testGetTableViaWhenTableNoPermission
  • Python: test_get_table_via, test_get_table_via_with_string_identifier, test_get_table_via_not_exist
  • CI tests pass

🤖 Generated with Claude Code

JingsongLi and others added 8 commits June 4, 2026 11:57
@JingsongLi @claude
[rest] Add view penetration endpoint for table access via view
db862cc 
Add POST /v1/{prefix}/databases/{db}/tables/{table}/via/{via_db}/{via_object}
endpoint that enables view penetration: if the caller has permission on a view,
they can access the underlying table referenced by that view.

This API can only be called by trusted engines. The server must authenticate
whether the caller is a trusted engine.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@JingsongLi @claude
[rest] Rename Catalog interface method to getTableVia
2427cbb 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@JingsongLi @claude
[python] Add getTableVia endpoint for view penetration
bbafa7e 
Mirror the Java implementation in Python:
- ResourcePaths: add table_via() path method
- RESTApi: add get_table_via() client method
- Catalog: add get_table_via() with default fallback to get_table()
- RESTCatalog: override to call the new REST endpoint

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@JingsongLi @claude
[rest] Add Java tests for getTableVia endpoint
d35a91c 
Test cases:
- testGetTableVia: verifies table can be retrieved via view
- testGetTableViaWhenTableNotExist: verifies TableNotExistException
- testGetTableViaWhenTableNoPermission: verifies TableNoPermissionException

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@JingsongLi @claude
[python] Add tests for get_table_via endpoint
1564be8 
Test cases:
- test_get_table_via: verifies table can be retrieved via view
- test_get_table_via_with_string_identifier: verifies string identifiers work
- test_get_table_via_not_exist: verifies TableNotExistException

Also adds _table_via_handle to test REST server mock.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@JingsongLi @claude
[rest] Fix tableVia dispatch: resources.length should be 6
50e603e 
The via path /databases/{db}/tables/{table}/via/{via_db}/{via_object}
splits into 6 segments, not 5.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@JingsongLi @claude
[python] Fix tableVia dispatch length and flake8 lint
5f6b755 
- path_parts length should be 6, not 5
- Remove extra blank line (E303)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@JingsongLi @claude
[python] Fix test assertions and import path
b94950b 
- Remove table.name() calls (FileStoreTable has no name method)
- Fix TableNotExistException import from catalog_exception module

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@leaves12138
Copy link
Copy Markdown
Contributor

leaves12138 commented Jun 4, 2026

Thanks for adding this endpoint. Two things should be addressed before merge:

  1. DelegateCatalog#getTableVia delegates directly to wrapped.getTableVia(...). For wrappers like PrivilegedCatalog, this may bypass the getTable wrapping that returns PrivilegedFileStoreTable. Please override getTableVia there, or make the default path preserve the same privilege wrapping.
  2. Please update docs/static/rest-catalog-open-api.yaml for the new /via/{viaDatabase}/{viaView} endpoint.

@JingsongLi @claude
[rest] Address review: PrivilegedCatalog override and OpenAPI spec
d42e893 
- Override getTableVia in PrivilegedCatalog to wrap FileStoreTable
  in PrivilegedFileStoreTable, matching the getTable pattern
- Add /via/{viaDatabase}/{viaObject} endpoint to OpenAPI spec

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@JingsongLi @leaves12138