Tabulator open query docs #4259

Closed
wants to merge 8 commits into from

@drernie drernie commented Dec 17, 2024

Rewriting to use the term 'open query' instead of 'unrestricted access'.
Also rewrote the docs to see if my understanding is correct.

In particular, my naive understanding was that the reason we originally locked down Tabulator is that any user with full Athena + Lambda permissions would otherwise be able to perform any Tabulator query (i.e., they don't need explicit access to the TabulatorDataCatalog and TabulatorBucket). Is that not true?

@drernie drernie changed the base branch from master to tabulator-feature-flag December 17, 2024 00:43

codecov bot commented Dec 17, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 38.27%. Comparing base (365d4f3) to head (c3c6820).
Report is 7 commits behind head on tabulator-feature-flag.

Additional details and impacted files
@@                   Coverage Diff                    @@
##           tabulator-feature-flag    #4259    +/-   ##
========================================================
  Coverage                   38.27%   38.27%            
========================================================
  Files                         776      776            
  Lines                       34323    34323            
  Branches                     5424     5219   -205     
========================================================
  Hits                        13137    13137            
- Misses                      20007    20643   +636     
+ Partials                     1179      543   -636     
Flag Coverage Δ
api-python 91.29% <ø> (ø)
catalog 16.87% <ø> (ø)
lambda 91.48% <ø> (ø)

@drernie drernie requested review from Copilot and nl0 December 17, 2024 00:50

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

Comments suppressed due to low confidence (1)

docs/advanced-features/tabulator.md:198

  • The section header should be capitalized as '## Open Query' to maintain consistency with other section headers.
## open query

nl0 commented Dec 17, 2024

> In particular, my naive understanding was that the reason we originally locked down Tabulator is that any user with full Athena + Lambda permissions would otherwise be able to perform any Tabulator query (i.e., they don't need explicit access to the TabulatorDataCatalog and TabulatorBucket). Is that not true?

no, it's not

anyone with athena and/or lambda permissions can call tabulator -- sure, but the tabulator itself uses two roles for functioning:

  1. its "own" (lambda) execution role with access to cache and stuff (with no access to the actual data)

  2. the role it gets from the registry and assumes to actually access the data (in unrestricted mode it's the special "unrestricted" role, otherwise it's a catalog user's role)

so even if someone is calling tabulator without the proper setup it will just crash -- return an error, not the data

drernie commented Dec 17, 2024

So... stupid question: why do we even need "restricted" mode?

nl0 commented Dec 17, 2024

> So... stupid question: why do we even need "restricted" mode?

to enforce this:

> if someone is calling tabulator without the proper setup it will just crash -- return an error, not the data

in unrestricted mode anyone with access to tabulator data catalog, lambda, a compatible workgroup and special s3 buckets can access data from any stack bucket (with configured tables)

@drernie drernie requested review from Copilot and nl0 December 17, 2024 17:07

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

nl0 commented Dec 18, 2024

partially merged into #4255

@nl0 nl0 closed this Dec 18, 2024
@nl0 nl0 deleted the tabulator-open-query-docs branch December 18, 2024 14:11