Re: [PR] Catalog Spec: Policy Management Apis [polaris]

[via GitHub]

HonahX commented on code in PR #808:
URL: https://github.com/apache/polaris/pull/808#discussion_r1944307206


##########
spec/generated/bundled-polaris-catalog-service.yaml:
##########
@@ -1359,6 +1359,269 @@ paths:
           $ref: '#/components/responses/ServiceUnavailableResponse'
         5XX:
           $ref: '#/components/responses/ServerErrorResponse'
+  /v1/{prefix}/namespaces/{namespace}/policies:
+    parameters:
+      - $ref: '#/components/parameters/prefix'
+      - $ref: '#/components/parameters/namespace'
+    post:
+      tags:
+        - Catalog API
+      summary: Create a policy in the given namespace
+      operationId: createPolicy
+      description: |
+        Creates a policy within the specified namespace.
+
+        A policy defines a set of rules governing actions on specified 
resources under predefined conditions.
+        In Apache Polaris, policies are created, stored, and later referenced 
by external engines to enforce access controls on associated resources.
+
+        User provides the following inputs when creating a policy
+        - `name`(REQUIRED): The name of the policy. It Must include only 
unreserved URL characters: letters(A-Z, a-z), digits (0-9), hyphens (-), 
periods (.), underscores (_) and tildes (~)
+        - `type` (REQUIRED): The type of the policy. It can be either 
predefined type or custom type.
+          - **Predefined Policies:** system.compaction, 
system.snapshot_retention
+          - **Custom Policies:** custom.<org_name>.data_masking, 
custom.<user_id>.audit_policy
+
+        - `description` (OPTIONAL): Provides details about the policy's 
purpose and functionality
+        - `content` (OPTIONAL): Defines the rules that control actions and 
access conditions on resources. The format can be JSON, SQL, or any other 
format.
+
+        The policy content is validated by the server upon creation or update: 
+        - Predefined policies are validated using built-in server-side 
validators
+        - Custom policies rely on user-provided validators.
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/CreatePolicyRequest'
+      responses:
+        '200':
+          $ref: '#/components/responses/CreatePolicyResponse'
+        '400':
+          $ref: '#/components/responses/BadRequestErrorResponse'
+        '401':
+          $ref: '#/components/responses/UnauthorizedResponse'
+        '403':
+          $ref: '#/components/responses/ForbiddenResponse'
+        '419':
+          $ref: '#/components/responses/AuthenticationTimeoutResponse'
+        '503':
+          $ref: '#/components/responses/ServiceUnavailableResponse'
+        5XX:
+          $ref: '#/components/responses/ServerErrorResponse'
+  /v1/{prefix}/namespaces/{namespace}/policies/{policy}:
+    parameters:
+      - $ref: '#/components/parameters/prefix'
+      - $ref: '#/components/parameters/namespace'
+      - $ref: '#/components/parameters/policy'
+    get:
+      tags:
+        - Catalog API
+      summary: Get a policy
+      operationId: getPolicy
+      description: |-
+        Get a policy from the catalog
+
+        The response contains the policy's metadata and content. For more 
details, refer to the definition of the `Policy` model.
+      responses:
+        '200':
+          $ref: '#/components/responses/LoadPolicyResponse'
+        '400':
+          $ref: '#/components/responses/BadRequestErrorResponse'
+        '401':
+          $ref: '#/components/responses/UnauthorizedResponse'
+        '403':
+          $ref: '#/components/responses/ForbiddenResponse'
+        '404':
+          description: Not Found - NoSuchPolicyException, policy to get does 
not exist
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/IcebergErrorResponse'
+              examples:
+                PolicyToGetDoesNotExist:
+                  $ref: '#/components/examples/NoSuchPolicyError'
+        '419':
+          $ref: '#/components/responses/AuthenticationTimeoutResponse'
+        '503':
+          $ref: '#/components/responses/ServiceUnavailableResponse'
+        5XX:
+          $ref: '#/components/responses/ServerErrorResponse'
+    put:
+      tags:
+        - Catalog API
+      summary: Update a policy
+      operationId: updatePolicy
+      description: |-
+        Update a policy
+
+        A policy's description and content can be updated. The new content is 
validated against the policy's corresponding validator, which is determined by 
its type—predefined policies use built-in server-side validators, while custom 
policies rely on user-provided validators. Upon a successful update, the 
policy's version is incremented by 1.
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/UpdatePolicyRequest'
+      responses:
+        '200':
+          $ref: '#/components/responses/UpdatePolicyResponse'
+        '400':
+          $ref: '#/components/responses/BadRequestErrorResponse'
+        '401':
+          $ref: '#/components/responses/UnauthorizedResponse'
+        '403':
+          $ref: '#/components/responses/ForbiddenResponse'
+        '404':
+          description: Not Found - NoSuchPolicyException, policy to get does 
not exist
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/IcebergErrorResponse'
+              examples:
+                PolicyToUpdateDoesNotExist:
+                  $ref: '#/components/examples/NoSuchPolicyError'
+        '419':
+          $ref: '#/components/responses/AuthenticationTimeoutResponse'
+        '503':
+          $ref: '#/components/responses/ServiceUnavailableResponse'
+        5XX:
+          $ref: '#/components/responses/ServerErrorResponse'
+    delete:
+      tags:
+        - Catalog API
+      summary: Delete a policy from the catalog
+      operationId: deletePolicy
+      description: Remove a policy from the catalog
+      responses:
+        '204':
+          description: Success, no content
+        '400':
+          $ref: '#/components/responses/BadRequestErrorResponse'
+        '401':
+          $ref: '#/components/responses/UnauthorizedResponse'
+        '403':
+          $ref: '#/components/responses/ForbiddenResponse'
+        '404':
+          description: Not Found - NoSuchPolicyException, policy to get does 
not exist
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/IcebergErrorResponse'
+              examples:
+                PolicyToDeleteDoesNotExist:
+                  $ref: '#/components/examples/NoSuchPolicyError'
+        '419':
+          $ref: '#/components/responses/AuthenticationTimeoutResponse'
+        '503':
+          $ref: '#/components/responses/ServiceUnavailableResponse'
+        5XX:
+          $ref: '#/components/responses/ServerErrorResponse'
+  /v1/{prefix}/namespaces/{namespace}/policies/{policy}/mappings:
+    parameters:
+      - $ref: '#/components/parameters/prefix'
+      - $ref: '#/components/parameters/namespace'
+      - $ref: '#/components/parameters/policy'
+    post:
+      tags:
+        - Catalog API
+      summary: Create a mapping between a policy and a resource entity
+      operationId: setPolicy
+      description: |
+        Create a mapping between a policy and a resource entity
+
+        Policy can be set at different levels, table, namespace, and catalog, 
and they will be inherited by lower level entities. Different levels are:
+        1. **Table-like level:** Policies specific to individual tables/views.
+        2. **Namespace level:** Policies that apply to all tables within a 
namespace.
+        3. **Catalog level:** Catalog-wide policies that ally across all 
tables within a namespace
+
+        Policy Inheritance Override rules
+        - Table-like-level policies override namespace and catalog policies
+        - Namespace-level policies override upper level namespace or catalog 
policies
+        - Overrides apply only to policies of the same type
+
+        Additional parameters can be provided in `parameters` when creating a 
mapping to define specific behavior or constraints.
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/SetPolicyRequest'
+      responses:
+        '204':
+          description: Success, no content
+        '400':
+          $ref: '#/components/responses/BadRequestErrorResponse'
+        '401':
+          $ref: '#/components/responses/UnauthorizedResponse'
+        '403':
+          $ref: '#/components/responses/ForbiddenResponse'
+        '404':
+          description: Not Found - NoSuchPolicyException, NoSuchEntityException
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/IcebergErrorResponse'
+              examples:
+                PolicyToSetDoesNotExist:
+                  $ref: '#/components/examples/NoSuchPolicyError'
+                EntityToSetDoesNotExist:
+                  $ref: '#/components/examples/NoSuchEntityError'
+        '409':
+          description: Conflict - The mapping already exists

Review Comment:
   Good catch! On second thought, we shouldn't throw an error if the mapping 
already exists. Conceptually, policy assignment should be idempotent, meaning 
subsequent calls should simply succeed. Option 1 makes sense, and we should 
change the method to PUT since it aligns better with this approach. WDYT?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@polaris.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org