Description:
We are currently using the druid-opa-authorizer plugin to integrate Open Policy Agent (OPA) with Apache Druid for fine-grained access control.
At present, the plugin only supports boolean authorization decisions (i.e., true or false) returned from OPA policies.
This works well for basic allow/deny authorization but does not support more granular data security requirements such as row-level filtering and column-level masking.
In enterprise environments, it’s common to need:
- Row-Level Security (RLS): Restricting access to specific rows based on user identity, role, or group (e.g., a user in the APAC region should only see records where `region = 'APAC'`).
- Column Masking: Masking or hiding sensitive columns (e.g., salary, SSN) from certain users while allowing others full access.
Currently, since the OPA policy can only return a boolean value, Druid cannot apply dynamic filtering or masking logic at the query level.
We propose enhancing the plugin to handle structured JSON responses from OPA that include both access decisions and filter/masking metadata.
Proposed Enhancement:
Support for JSON-based OPA responses, for example:
```json
{
  "allow": true,
  "row_filter": "region = 'APAC'",
  "column_mask": {
    "ssn": "MASKED",
    "salary": "NULL"
  }
}
```
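A sketch of how a consumer of the proposed response could validate it and fail closed. This is an added example, not code from the plugin or from the issue author. The function name `parse_decision`, the rule that unknown keys mean deny, and the set of mask actions (taken from the sample above) are assumptions.

```python
import json

KNOWN_KEYS = {"allow", "row_filter", "column_mask"}
MASK_ACTIONS = {"MASKED", "NULL"}  # assumption: the two values in the proposal's sample

# Constructed sample: the response body shown in the proposal.
SAMPLE = """{"allow": true, "row_filter": "region = 'APAC'",
             "column_mask": {"ssn": "MASKED", "salary": "NULL"}}"""


def _deny():
    return {"allow": False, "row_filter": None, "column_mask": {}}


def parse_decision(raw, datasource_columns):
    """Turn an OPA response body into a decision, denying on anything unexpected."""
    try:
        doc = json.loads(raw)
    except (TypeError, ValueError):
        return _deny()

    # Boolean-only response: plain allow/deny, no filter or mask.
    if isinstance(doc, bool):
        return {"allow": doc, "row_filter": None, "column_mask": {}}

    # A misspelt key such as "row_filters" must not silently drop a restriction.
    if not isinstance(doc, dict) or set(doc) - KNOWN_KEYS:
        return _deny()
    if doc.get("allow") is not True:  # missing, false, "true", 1 -> deny
        return _deny()

    row_filter = doc.get("row_filter")
    if row_filter is not None and not (isinstance(row_filter, str) and row_filter.strip()):
        return _deny()

    masks = doc.get("column_mask", {})
    if not isinstance(masks, dict):
        return _deny()
    for column, action in masks.items():
        # A mask naming an unknown column or action would leave data exposed.
        if column not in datasource_columns:
            return _deny()
        if not isinstance(action, str) or action not in MASK_ACTIONS:
            return _deny()

    # row_filter is returned as an opaque string; the query layer must parse it,
    # not concatenate it into the user's SQL.
    return {"allow": True, "row_filter": row_filter, "column_mask": dict(masks)}
```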