New Feature: Data Masking

[tooptoop4]

This feature would allow selected columns in some tables to be masked so that end users cannot see sensitive data that the column contains. This feature would help to bring presto in line with enterprise security requirements.

[findepi]

Do you mean column-level access control? Would you elaborate on your particular enterprise security requirements?

[tooptoop4]

Rather than throw an error if a user selects a columns that includes sensitive values. Would like that column to be returned as a random hash (just like Apache Ranger's Masking feature). This is so the same queries/data can be run in prod/dev envs without requiring SQL re-write and no sensitive values are shown in dev environment.

[RameshByndoor]

It would be better if it can handle Dynamic Column masking offered in ranger+hive.
In simple terms
Re-write column in such a way that it can be any UDF/function. for ex: BASED ON USER/ROLE to be possible to change select ssn, name from tab1 to select encrypt(ssn),name from tab1

[dain]

Is there a Hive standard documented for this kind of behavior somewhere? BTW, we accomplished this at FB using views.

[antonioromero-pm]

@dain could views do this based on user or role?

I will second this idea. Definitely very useful in enterprise use cases.

I see that Starburst Presto, at least, integrates with Ranger but having this native in Presto would certainly be convenient.

[dain]

@aromero-pm we support current_user syntax, so you can filter on user. All of the roll management stuff is still in progress (see #10904).

[tooptoop4]

trinodb/trino#1480