From ccc8311e5de547be98fcb4b5978009681d4cf593 Mon Sep 17 00:00:00 2001
From: Dave Bauman
Date: Mon, 11 Mar 2024 14:14:15 -0400
Subject: [PATCH] fix: Metastore ACL support for wildcard prefix match
---
 querybook/server/lib/metastore/utils.py | 2 ++
 .../components/AppAdmin/AdminMetastore.tsx | 17 ++++++++++++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/querybook/server/lib/metastore/utils.py b/querybook/server/lib/metastore/utils.py
index d4c3fd518..e20b291bb 100644
--- a/querybook/server/lib/metastore/utils.py
+++ b/querybook/server/lib/metastore/utils.py
@@ -29,6 +29,8 @@ def _is_table_in_list(
 for schema_table in self._tables_by_schema[schema]:
 if schema_table == table or schema_table == "*":
 return True
+ elif schema_table.endswith("*") and table.startswith(schema_table[:-1]):
+ return True
 return False
 
 def is_table_valid(
diff --git a/querybook/webapp/components/AppAdmin/AdminMetastore.tsx b/querybook/webapp/components/AppAdmin/AdminMetastore.tsx
index 85da9e17c..479634482 100644
--- a/querybook/webapp/components/AppAdmin/AdminMetastore.tsx
+++ b/querybook/webapp/components/AppAdmin/AdminMetastore.tsx
@@ -11,12 +11,14 @@ import history from 'lib/router-history';
 import { generateFormattedDate } from 'lib/utils/datetime';
 import { AdminMetastoreResource } from 'resource/admin/metastore';
 import { TextButton } from 'ui/Button/Button';
+import { InfoButton } from 'ui/Button/InfoButton';
 import { Card } from 'ui/Card/Card';
 import { SimpleField } from 'ui/FormikField/SimpleField';
 import { GenericCRUD } from 'ui/GenericCRUD/GenericCRUD';
 import { Icon } from 'ui/Icon/Icon';
 import { Level } from 'ui/Level/Level';
 import { Loading } from 'ui/Loading/Loading';
+import { Markdown } from 'ui/Markdown/Markdown';
 import {
 getDefaultFormValue,
 SmartForm,
@@ -302,10 +304,23 @@ export const AdminMetastore: React.FunctionComponent = ({ )}
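Review bot: The added `elif` in `_is_table_in_list` (querybook/server/lib/metastore/utils.py) treats only a trailing `*` as a wildcard, so an ACL entry with `*` in any other position falls through to the literal comparison and will not match real table names; when the list is used as a denylist, such an entry silently denies nothing. I would reject or warn on those entries where the ACL is loaded (that code is not visible in this hunk), and state the rule at the branch with a comment such as `# Only a trailing "*" is a wildcard; any other "*" is compared literally.` The diffstat lists no test file, so a unit test covering `schema.table*` on both the allowlist and the denylist path would pin the new rule. The function starts above the hunk, so how the `schema` part of an entry is matched cannot be checked from here.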
-
+
ACL Control
+ + {`Access Control Lists (ACL) +are used to limit access to tables in the metastore. If no ACL rules are specified, +all schemas/tables are allowed. Either an allowlist or a denylist can be configured. + +Each value in the list should be in one of the following formats: + +- \`schema.*\`: Allow or deny all tables in a schema +- \`schema.table*\`: Allow or deny all tables in a schema matching a prefix +- \`schema.table\`: Allow or deny a specific table + +This feature affects both the metastore sync and the query engine.`} +
{getMetastoreACLControlDOM(