Ensure first table matched rule in access control

[guyco33]

although it doesn't have masked columns or table filters

Description

Is this change a fix, improvement, new feature, refactoring, or other?

Fix regression for PR #11654

Is this a change to the core query engine, a connector, client library, or the SPI interfaces? (be specific)

How would you describe this change to a non-technical end user or system administrator?

Related issues, pull requests, and links

Fixes #12203

Documentation

(x) No documentation is needed.
( ) Sufficient documentation is included in this PR.
( ) Documentation PR is available with #prnumber.
( ) Documentation issue #issuenumber is filed, and can be handled later.

Release notes

( ) No release notes entries required.
( ) Release notes entries required with the following suggested text:

# Section
* Fix some things. ({issue}`issuenumber`)

[Praveen2112]

I think we need it to be fixed for FileBasedAccessControl ? Can we have similar tests for them ?

[Praveen2112]

@ksobolew Can you please take a look at this fix ?

[ksobolew]

Sorry, my bad. Streams of Optionals are tricky, and I was not really sure what the expected semantics are (initially I wanted to return all matching rules). The fix looks good, but as @Praveen2112 says, this should also be applied to connector-level FileBasedAccessControl.

[martint]

This is interesting edge case. The user belongs to group1 and group3, but the table only has a filter for group3. I'm not quite sure what the correct semantics should be here.

For instance, the first entry may be about allowing users in group1 (e.g., employees in some department) to access a table, but the second entry might be about limiting what users in group3 can see (e.g., employees in some specific geography). In that case, it should use all filters that are present.

Let me think more about it.

[guyco33]

I think that in all cases we should pick the first matching rule. This way we can control the way we want to limit access.
For example, in cases that we want to implement a more restrictive approach, we will place the table rules with filters and masks before the rules without them.

[ksobolew]

I personally would lean towards returning all matching rules. But I'm not very familiar with file-based AC and its use cases so I'm not sure what's actually expected.

I think that in all cases we should pick the first matching rule. This way we can control the way we want to limit access.

But doesn't it mean that if there is a second matching rule, it will never actually be returned and is entirely redundant?

[guyco33]

Safe logic for returning all matching rules must take into account the rules without filters and maskings.
Rules order is important, so possible solution might be retrieving all matched filters / maskings rules until a rule without filter / masks is matched.
Anyway it's a subject for different PR

[ksobolew]

Approving because it restores the behavior to the state from before #11654, though actual semantics are a matter of discussion.

[Praveen2112]

Merged !! Thanks for fixing this.