feat(query): prevent masking/row access policy name conflicts

TCeason · TCeason · commit 0e212e117833 · 2025-11-07T10:13:24.000+08:00
diff --git a/src/meta/api/src/data_mask_api_impl.rs b/src/meta/api/src/data_mask_api_impl.rs
@@ -24,6 +24,7 @@ use databend_common_meta_app::data_mask::MaskPolicyTableIdIdent;
 use databend_common_meta_app::data_mask::MaskPolicyTableIdListIdent;
 use databend_common_meta_app::data_mask::MaskpolicyTableIdList;
 use databend_common_meta_app::id_generator::IdGenerator;
+use databend_common_meta_app::row_access_policy::RowAccessPolicyNameIdent;
 use databend_common_meta_app::schema::CreateOption;
 use databend_common_meta_app::tenant::Tenant;
 use databend_common_meta_app::KeyWithTenant;
@@ -92,6 +93,17 @@ impl<KV: kvapi::KVApi<Error = MetaError>> DatamaskApi for KV {
                 };
             }
 
+            let row_access_name_ident = RowAccessPolicyNameIdent::new(
+                name_ident.tenant().clone(),
+                name_ident.data_mask_name().to_string(),
+            );
+            if self.get_pb(&row_access_name_ident).await?.is_some() {
+                return Err(AppError::DatamaskAlreadyExists(
+                    name_ident.exist_error("name conflicts with an existing row access policy"),
+                )
+                .into());
+            }
+
             // Create data mask by inserting these record:
             // name -> id
             // id -> policy
@@ -113,6 +125,8 @@ impl<KV: kvapi::KVApi<Error = MetaError>> DatamaskApi for KV {
                 let meta: DatamaskMeta = req.data_mask_meta.clone();
                 let id_list = MaskpolicyTableIdList::default();
                 txn.condition.push(txn_cond_eq_seq(name_ident, curr_seq));
+                txn.condition
+                    .push(txn_cond_eq_seq(&row_access_name_ident, 0));
                 txn.if_then.extend(vec![
                     txn_op_put_pb(name_ident, &id, None)?,  // name -> db_id
                     txn_op_put_pb(&id_ident, &meta, None)?, // id -> meta
diff --git a/src/meta/api/src/row_access_policy_api_impl.rs b/src/meta/api/src/row_access_policy_api_impl.rs
@@ -12,6 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+use databend_common_meta_app::data_mask::DataMaskNameIdent;
 use databend_common_meta_app::id_generator::IdGenerator;
 use databend_common_meta_app::row_access_policy::row_access_policy_name_ident;
 use databend_common_meta_app::row_access_policy::row_access_policy_table_id_ident::RowAccessPolicyIdTableId;
@@ -86,6 +87,16 @@ impl<KV: kvapi::KVApi<Error = MetaError>> RowAccessPolicyApi for KV {
                 }
             }
 
+            let mask_name_ident = DataMaskNameIdent::new(
+                name_ident.tenant().clone(),
+                name_ident.row_access_name().to_string(),
+            );
+            if self.get_pb(&mask_name_ident).await?.is_some() {
+                return Ok(Err(
+                    name_ident.exist_error("name conflicts with an existing masking policy")
+                ));
+            }
+
             // Create row policy by inserting these record:
             // name -> id
             // id -> policy
@@ -102,6 +113,7 @@ impl<KV: kvapi::KVApi<Error = MetaError>> RowAccessPolicyApi for KV {
             {
                 let meta: RowAccessPolicyMeta = req.row_access_policy_meta.clone();
                 txn.condition.push(txn_cond_eq_seq(name_ident, curr_seq));
+                txn.condition.push(txn_cond_eq_seq(&mask_name_ident, 0));
                 txn.if_then.extend(vec![
                     txn_op_put_pb(name_ident, &id, None)?,  // name -> policy_id
                     txn_op_put_pb(&id_ident, &meta, None)?, // id -> meta
diff --git a/tests/sqllogictests/suites/ee/05_ee_ddl/05_0004_ddl_security_policy.test b/tests/sqllogictests/suites/ee/05_ee_ddl/05_0004_ddl_security_policy.test
@@ -1089,6 +1089,3 @@ DROP MASKING POLICY mask_ssn_conditional;
 
 statement ok
 unset global enable_planner_cache;
-
-statement ok
-unset global enable_experimental_row_access_policy;
diff --git a/tests/sqllogictests/suites/ee/05_ee_ddl/05_0005_ddl_conflicts_policy.test b/tests/sqllogictests/suites/ee/05_ee_ddl/05_0005_ddl_conflicts_policy.test
@@ -0,0 +1,47 @@
+## Copyright 2023 Databend Cloud
+##
+## Licensed under the Elastic License, Version 2.0 (the "License");
+## you may not use this file except in compliance with the License.
+## You may obtain a copy of the License at
+##
+##     https://www.elastic.co/licensing/elastic-license
+##
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+
+statement ok
+set global enable_experimental_row_access_policy = 1;
+
+## Cross-type policy name conflicts should be rejected
+statement ok
+drop row access policy if exists shared_policy_name;
+
+statement ok
+drop masking policy if exists shared_policy_name;
+
+statement ok
+CREATE ROW ACCESS POLICY shared_policy_name AS (user_id STRING) RETURNS boolean -> true;
+
+statement error 2321
+CREATE MASKING POLICY shared_policy_name AS (val STRING) RETURNS STRING -> '***';
+
+statement ok
+drop row access policy if exists shared_policy_name;
+
+statement ok
+drop masking policy if exists mask_only_name;
+
+statement ok
+drop row access policy if exists mask_only_name;
+
+statement ok
+CREATE MASKING POLICY mask_only_name AS (val STRING) RETURNS STRING -> '***';
+
+statement error 2324
+CREATE ROW ACCESS POLICY mask_only_name AS (user_id STRING) RETURNS boolean -> true;
+
+statement ok
+drop masking policy if exists mask_only_name;
