Trino with Ranger access control does not work with MS SQL Server connector table functions


I have a Trino instance where access control is done via Apache Ranger. In Trino I have configured a SQL Server connector representing the catalog example, which is working fine.

So this works:

SELECT * from example.dbo.orders

However, when I try to do the same thing using a table function, I get an access denied error:

select * from TABLE(
  example.system.query(
  query => 'select * from dbo.orders o'
  )
)
----
SQL Error [4]: Query failed (#20240223_155821_00318_jutpb): Access Denied: Cannot execute function example.system.query

When I check the logs, I see this:

2024-02-23T15:58:14.796Z    INFO    org.apache.ranger.audit.queue.AuditBatchQueue0  stdout  INFO  - {"repoType":203,"repo":"uat","reqUser":"[email protected]","evtTime":"2024-02-23 15:58:11.853","resource":"example/dbo/orders/startdate","resType":"column","action":"select","result":1,"agent":"trino","policy":107,"enforcer":"ranger-acl","agentHost":"coord","logType":"RangerAudit","id":"47f90e34-040a-4c05-b665-7a8137195c08-3944","seq_num":7889,"event_count":1,"event_dur_ms":0,"tags":[],"cluster_name":"","policy_version":1}
2024-02-23T15:58:14.796Z    INFO    org.apache.ranger.audit.queue.AuditBatchQueue0  stdout  INFO  - {"repoType":203,"repo":"uat","reqUser":"[email protected]","evtTime":"2024-02-23 15:58:11.853","resource":"example/dbo/orders/productionscheduler","resType":"column","action":"select","result":1,"agent":"trino","policy":107,"enforcer":"ranger-acl","agentHost":"coord","logType":"RangerAudit","id":"47f90e34-040a-4c05-b665-7a8137195c08-3945","seq_num":7891,"event_count":1,"event_dur_ms":0,"tags":[],"cluster_name":"","policy_version":1}
2024-02-23T15:58:14.796Z    INFO    org.apache.ranger.audit.queue.AuditBatchQueue0  stdout  INFO  - {"repoType":203,"repo":"uat","reqUser":"[email protected]","evtTime":"2024-02-23 15:58:11.853","resource":"example/dbo/orders/partno","resType":"column","action":"select","result":1,"agent":"trino","policy":107,"enforcer":"ranger-acl","agentHost":"coord","logType":"RangerAudit","id":"47f90e34-040a-4c05-b665-7a8137195c08-3946","seq_num":7893,"event_count":1,"event_dur_ms":0,"tags":[],"cluster_name":"","policy_version":1}
2024-02-23T15:58:14.796Z    INFO    org.apache.ranger.audit.queue.AuditBatchQueue0  stdout  INFO  - {"repoType":203,"repo":"uat","reqUser":"[email protected]","evtTime":"2024-02-23 15:58:11.853","resource":"example/dbo/orders/partnameshort","resType":"column","action":"select","result":1,"agent":"trino","policy":107,"enforcer":"ranger-acl","agentHost":"coord","logType":"RangerAudit","id":"47f90e34-040a-4c05-b665-7a8137195c08-3947","seq_num":7895,"event_count":1,"event_dur_ms":0,"tags":[],"cluster_name":"","policy_version":1}
2024-02-23T15:58:21.838Z    INFO    dispatcher-query-404    io.trino.event.QueryMonitor TIMELINE: Query 20240223_155821_00318_jutpb :: FAILED (PERMISSION_DENIED) :: elapsed 0ms :: planning 0ms :: waiting 0ms :: scheduling 0ms :: running 0ms :: finishing 0ms :: begin 2024-02-23T15:58:21.837Z :: end 2024-02-23T15:58:21.837Z
2024-02-23T15:58:23.797Z    INFO    org.apache.ranger.audit.queue.AuditBatchQueue0  stdout  INFO  - {"repoType":203,"repo":"uat","reqUser":"[email protected]","evtTime":"2024-02-23 15:58:21.837","resource":"example","resType":"catalog","action":"use","result":1,"agent":"trino","policy":107,"enforcer":"ranger-acl","agentHost":"coord","logType":"RangerAudit","id":"47f90e34-040a-4c05-b665-7a8137195c08-3948","seq_num":7897,"event_count":1,"event_dur_ms":0,"tags":[],"cluster_name":"","policy_version":1}

As you can see, all the result keys are 1. When I get a violation of a Ranger policy, I should get a "result":0. So I do not know which Ranger rule I might have to change or set in this case.

To check that it is a problem with the Ranger integration, I created the same connector in an environment without Ranger. There the table function works as described in the docs.

There are 0 answers
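
A log-triage sketch for the situation in the question, added here as an example and not part of the original post: it pairs each `PERMISSION_DENIED` query reported by `QueryMonitor` with the Ranger audit events around its start time and reports whether any of them carried `"result":0`. The sample lines are constructed from the log format shown above (the user is a placeholder), and `triage`, `window_s` and the report keys are names chosen for this example.

```python
import json
import re
from datetime import datetime, timedelta

AUDIT_RE = re.compile(r"INFO\s+-\s+(\{.*\})\s*$")
FAILED_RE = re.compile(r"TIMELINE: Query (\S+) :: FAILED \((\w+)\).*?:: begin (\S+) ::")

# Constructed sample modelled on the log format in the question (user is a placeholder).
SAMPLE_LOG = """\
2024-02-23T15:58:14.796Z    INFO    org.apache.ranger.audit.queue.AuditBatchQueue0  stdout  INFO  - {"reqUser":"user@example.invalid","evtTime":"2024-02-23 15:58:11.853","resource":"example/dbo/orders/partno","resType":"column","action":"select","result":1,"policy":107,"logType":"RangerAudit"}
2024-02-23T15:58:21.838Z    INFO    dispatcher-query-404    io.trino.event.QueryMonitor TIMELINE: Query 20240223_155821_00318_jutpb :: FAILED (PERMISSION_DENIED) :: elapsed 0ms :: begin 2024-02-23T15:58:21.837Z :: end 2024-02-23T15:58:21.837Z
2024-02-23T15:58:23.797Z    INFO    org.apache.ranger.audit.queue.AuditBatchQueue0  stdout  INFO  - {"reqUser":"user@example.invalid","evtTime":"2024-02-23 15:58:21.837","resource":"example","resType":"catalog","action":"use","result":1,"policy":107,"logType":"RangerAudit"}
""".splitlines()


def triage(lines, window_s=2.0):
    """For each PERMISSION_DENIED query, list Ranger audit events near its start time."""
    audits, failed = [], []
    for line in lines:
        m = AUDIT_RE.search(line)
        if m:
            ev = json.loads(m.group(1))
            if ev.get("logType") == "RangerAudit":
                # Assumption: evtTime is in the same time zone as the Trino timestamps.
                ev["_t"] = datetime.strptime(ev["evtTime"], "%Y-%m-%d %H:%M:%S.%f")
                audits.append(ev)
            continue
        m = FAILED_RE.search(line)
        if m and m.group(2) == "PERMISSION_DENIED":
            failed.append((m.group(1), datetime.strptime(m.group(3), "%Y-%m-%dT%H:%M:%S.%fZ")))
    window = timedelta(seconds=window_s)
    report = []
    for qid, begin in failed:
        near = [e for e in audits if abs(e["_t"] - begin) <= window]
        report.append({
            "query": qid,
            "checked": sorted({(e["resType"], e["action"], e["result"]) for e in near}),
            "ranger_denies": [e["resource"] for e in near if e["result"] == 0],
            # True when Trino denied the query but no audited policy evaluation said deny.
            "denied_without_audit": not any(e["result"] == 0 for e in near),
        })
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

A `denied_without_audit` value of `True` means the denial has no matching audited policy decision inside the window, which is the pattern the question describes.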