refine column masking.

Author: plusplusjiajia

docs/static/rest-catalog-open-api.yaml

@@ -2921,12 +2921,12 @@ components:
       properties:
         filter:
           type: array
-          description: Additional row-level filter as JSON strings. Each element should be a JSON object containing a 'filter' field.
+          description: Additional row-level filter as Predicate entry strings.
           items:
             type: string
         columnMasking:
           type: object
-          description: Column masking rules as a map from column name to predicate entry JSON string (TransformPredicate).
+          description: Column masking rules as a map from column name to Transform entry JSON string.
           additionalProperties:
             type: string
     AlterDatabaseRequest:

paimon-api/src/main/java/org/apache/paimon/rest/RESTApi.java

@@ -672,7 +672,7 @@ public void alterTable(Identifier identifier, List<SchemaChange> changes) {
      *
      * @param identifier database name and table name.
      * @param select select columns, null if select all
-     * @return auth result including additional row-level filter and optional column masking
+     * @return additional row-level filter and column masking
      * @throws NoSuchResourceException Exception thrown on HTTP 404 means the table not exists
      * @throws ForbiddenException Exception thrown on HTTP 403 means don't have the permission for
      *     this table

paimon-api/src/main/java/org/apache/paimon/rest/responses/AuthTableQueryResponse.java

@@ -40,6 +40,10 @@ public class AuthTableQueryResponse implements RESTResponse {
     @JsonProperty(FIELD_FILTER)
     private final List<String> filter;
 
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    @JsonProperty(FIELD_COLUMN_MASKING)
+    private final Map<String, String> columnMasking;
+
     @JsonCreator
     public AuthTableQueryResponse(
             @JsonProperty(FIELD_FILTER) List<String> filter,
@@ -53,10 +57,6 @@ public List<String> filter() {
         return filter;
     }
 
-    @JsonInclude(JsonInclude.Include.NON_NULL)
-    @JsonProperty(FIELD_COLUMN_MASKING)
-    private final Map<String, String> columnMasking;
-
     @JsonGetter(FIELD_COLUMN_MASKING)
     public Map<String, String> columnMasking() {
         return columnMasking;

paimon-core/src/main/java/org/apache/paimon/catalog/Catalog.java

@@ -1032,12 +1032,12 @@ void alterFunction(
     // ==================== Table Auth ==========================
 
     /**
-     * Auth table query select and get the row-level filter and column masking rules.
+     * Auth table query select and get the filter for row level access control and column masking
+     * rules.
      *
      * @param identifier path of the table to alter partitions
      * @param select selected fields, null if select all
-     * @return auth result including additional filter for row level access control and column
-     *     masking
+     * @return additional filter for row level access control and column masking
      * @throws TableNotExistException if the table does not exist
      */
     TableQueryAuthResult authTableQuery(Identifier identifier, @Nullable List<String> select)

paimon-core/src/main/java/org/apache/paimon/catalog/TableQueryAuthResult.java

@@ -19,7 +19,7 @@
 package org.apache.paimon.catalog;
 
 import org.apache.paimon.predicate.Predicate;
-import org.apache.paimon.predicate.TransformPredicate;
+import org.apache.paimon.predicate.Transform;
 
 import javax.annotation.Nullable;
 
@@ -30,10 +30,10 @@
 public class TableQueryAuthResult {
 
     @Nullable private final Predicate rowFilter;
-    private final Map<String, TransformPredicate> columnMasking;
+    private final Map<String, Transform> columnMasking;
 
     public TableQueryAuthResult(
-            @Nullable Predicate rowFilter, Map<String, TransformPredicate> columnMasking) {
+            @Nullable Predicate rowFilter, Map<String, Transform> columnMasking) {
         this.rowFilter = rowFilter;
         this.columnMasking = columnMasking == null ? Collections.emptyMap() : columnMasking;
     }
@@ -47,7 +47,7 @@ public Predicate rowFilter() {
         return rowFilter;
     }
 
-    public Map<String, TransformPredicate> columnMasking() {
+    public Map<String, Transform> columnMasking() {
         return columnMasking;
     }
 }

paimon-core/src/main/java/org/apache/paimon/rest/RESTCatalog.java

@@ -41,7 +41,7 @@
 import org.apache.paimon.predicate.And;
 import org.apache.paimon.predicate.CompoundPredicate;
 import org.apache.paimon.predicate.Predicate;
-import org.apache.paimon.predicate.TransformPredicate;
+import org.apache.paimon.predicate.Transform;
 import org.apache.paimon.rest.exceptions.AlreadyExistsException;
 import org.apache.paimon.rest.exceptions.BadRequestException;
 import org.apache.paimon.rest.exceptions.ForbiddenException;
@@ -66,6 +66,7 @@
 import org.apache.paimon.utils.Pair;
 import org.apache.paimon.utils.PredicateJsonSerde;
 import org.apache.paimon.utils.SnapshotNotExistException;
+import org.apache.paimon.utils.TransformJsonSerde;
 import org.apache.paimon.view.View;
 import org.apache.paimon.view.ViewChange;
 import org.apache.paimon.view.ViewImpl;
@@ -559,7 +560,7 @@ public TableQueryAuthResult authTableQuery(Identifier identifier, @Nullable List
                 }
             }
 
-            Map<String, TransformPredicate> columnMasking = new TreeMap<>();
+            Map<String, Transform> columnMasking = new TreeMap<>();
             Map<String, String> maskingJsons = response == null ? null : response.columnMasking();
             if (maskingJsons != null && !maskingJsons.isEmpty()) {
                 for (Map.Entry<String, String> e : maskingJsons.entrySet()) {
@@ -571,18 +572,10 @@ public TableQueryAuthResult authTableQuery(Identifier identifier, @Nullable List
                             || json.trim().isEmpty()) {
                         continue;
                     }
-                    Predicate predicate = PredicateJsonSerde.parse(json);
-                    if (predicate == null) {
-                        continue;
-                    }
-                    if (!(predicate instanceof TransformPredicate)) {
-                        throw new IllegalArgumentException(
-                                "Column masking must be a TransformPredicate, but got "
-                                        + predicate.getClass().getName()
-                                        + " for column "
-                                        + column);
+                    Transform transform = TransformJsonSerde.parse(json);
+                    if (transform != null) {
+                        columnMasking.put(column, transform);
                     }
-                    columnMasking.put(column, (TransformPredicate) predicate);
                 }
             }
 

paimon-core/src/main/java/org/apache/paimon/table/source/MaskingTableRead.java

@@ -23,7 +23,7 @@
 import org.apache.paimon.disk.IOManager;
 import org.apache.paimon.metrics.MetricRegistry;
 import org.apache.paimon.predicate.FieldRef;
-import org.apache.paimon.predicate.TransformPredicate;
+import org.apache.paimon.predicate.Transform;
 import org.apache.paimon.reader.RecordReader;
 import org.apache.paimon.types.DataType;
 import org.apache.paimon.types.RowType;
@@ -45,11 +45,11 @@ public class MaskingTableRead implements TableRead {
 
     private final TableRead wrapped;
     private final RowType outputRowType;
-    private final Map<String, TransformPredicate> masking;
+    private final Map<String, Transform> masking;
     private final MaskingApplier applier;
 
     public MaskingTableRead(
-            TableRead wrapped, RowType outputRowType, Map<String, TransformPredicate> masking) {
+            TableRead wrapped, RowType outputRowType, Map<String, Transform> masking) {
         this.wrapped = wrapped;
         this.outputRowType = outputRowType;
         this.masking = masking;
@@ -105,9 +105,9 @@ public void close() throws IOException {
     private static class MaskingApplier {
 
         private final RowType outputRowType;
-        private final Map<Integer, TransformPredicate> remapped;
+        private final Map<Integer, Transform> remapped;
 
-        private MaskingApplier(RowType outputRowType, Map<String, TransformPredicate> masking) {
+        private MaskingApplier(RowType outputRowType, Map<String, Transform> masking) {
             this.outputRowType = outputRowType;
             this.remapped = remapToOutputRow(outputRowType, masking);
         }
@@ -122,26 +122,26 @@ private InternalRow apply(InternalRow row) {
                 DataType type = outputRowType.getTypeAt(i);
                 out.setField(i, get(row, i, type));
             }
-            for (Map.Entry<Integer, TransformPredicate> e : remapped.entrySet()) {
+            for (Map.Entry<Integer, Transform> e : remapped.entrySet()) {
                 int targetIndex = e.getKey();
-                TransformPredicate predicate = e.getValue();
-                Object masked = predicate.transform().transform(row);
+                Transform transform = e.getValue();
+                Object masked = transform.transform(row);
                 out.setField(targetIndex, masked);
             }
             return out;
         }
 
-        private static Map<Integer, TransformPredicate> remapToOutputRow(
-                RowType outputRowType, Map<String, TransformPredicate> masking) {
-            Map<Integer, TransformPredicate> out = new HashMap<>();
+        private static Map<Integer, Transform> remapToOutputRow(
+                RowType outputRowType, Map<String, Transform> masking) {
+            Map<Integer, Transform> out = new HashMap<>();
             if (masking == null || masking.isEmpty()) {
                 return out;
             }
 
-            for (Map.Entry<String, TransformPredicate> e : masking.entrySet()) {
+            for (Map.Entry<String, Transform> e : masking.entrySet()) {
                 String targetColumn = e.getKey();
-                TransformPredicate predicate = e.getValue();
-                if (targetColumn == null || predicate == null) {
+                Transform transform = e.getValue();
+                if (targetColumn == null || transform == null) {
                     continue;
                 }
 
@@ -151,7 +151,7 @@ private static Map<Integer, TransformPredicate> remapToOutputRow(
                 }
 
                 List<Object> newInputs = new ArrayList<>();
-                for (Object input : predicate.transform().inputs()) {
+                for (Object input : transform.inputs()) {
                     if (input instanceof FieldRef) {
                         FieldRef ref = (FieldRef) input;
                         int newIndex = outputRowType.getFieldIndex(ref.name());
@@ -168,7 +168,7 @@ private static Map<Integer, TransformPredicate> remapToOutputRow(
                         newInputs.add(input);
                     }
                 }
-                out.put(targetIndex, predicate.copyWithNewInputs(newInputs));
+                out.put(targetIndex, transform.copyWithNewInputs(newInputs));
             }
             return out;
         }