flyrain commented on code in PR #808:
URL: https://github.com/apache/polaris/pull/808#discussion_r1945953882
##########
spec/generated/bundled-polaris-catalog-service.yaml:
##########
@@ -1359,6 +1359,257 @@ paths:
$ref: '#/components/responses/ServiceUnavailableResponse'
5XX:
$ref: '#/components/responses/ServerErrorResponse'
+ /v1/{prefix}/namespaces/{namespace}/policies:
+ parameters:
+ - $ref: '#/components/parameters/prefix'
+ - $ref: '#/components/parameters/namespace'
+ post:
+ tags:
+ - Catalog API
+ summary: Create a policy in the given namespace
+ operationId: createPolicy
+ description: |
+ Creates a policy within the specified namespace.
+
+ A policy defines a set of rules governing actions on specified
resources under predefined conditions.
+ In Apache Polaris, policies are created, stored, and later referenced
by external engines to enforce access controls on associated resources.
+
+ User provides the following inputs when creating a policy
+ - `name`(REQUIRED): The name of the policy.
+ - `type` (REQUIRED): The type of the policy. It can be either
predefined type or custom type.
+ - **Predefined Policies:** system.compaction,
system.snapshot_retention
+ - **Custom Policies:** custom.<org_name>.data_masking,
custom.<user_id>.audit_policy
+
+ - `description` (OPTIONAL): Provides details about the policy's
purpose and functionality
+ - `content` (OPTIONAL): Defines the rules that control actions and
access conditions on resources. The format can be JSON, SQL, or any other
format.
+
+ The policy content is validated by the server upon creation or update:
+ - Predefined policies are validated using built-in server-side
validators
+ - Custom policies rely on user-provided validators.
Review Comment:
Do we need to mention the validation here? Maybe not.
```suggestion
- Custom policies rely on pluggable customized validators.
```
##########
spec/polaris-catalog-apis/policy-apis.yaml:
##########
@@ -0,0 +1,520 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+---
+paths:
+
+ /v1/{prefix}/namespaces/{namespace}/policies:
+ parameters:
+ - $ref: '../rest-catalog-open-api.yaml#/components/parameters/prefix'
+ - $ref: '../rest-catalog-open-api.yaml#/components/parameters/namespace'
+
+ post:
+ tags:
+ - Catalog API
+ summary: 'Create a policy in the given namespace'
+ operationId: createPolicy
+ description: |
+ Creates a policy within the specified namespace.
+
+ A policy defines a set of rules governing actions on specified
resources under predefined conditions.
+ In Apache Polaris, policies are created, stored, and later referenced
by external engines to enforce access controls on associated resources.
+
+ User provides the following inputs when creating a policy
+ - `name`(REQUIRED): The name of the policy.
+ - `type` (REQUIRED): The type of the policy. It can be either
predefined type or custom type.
+ - **Predefined Policies:** system.compaction,
system.snapshot_retention
+ - **Custom Policies:** custom.<org_name>.data_masking,
custom.<user_id>.audit_policy
+
Review Comment:
Nit: remove the empty line?
##########
spec/polaris-catalog-apis/policy-apis.yaml:
##########
@@ -0,0 +1,520 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+---
+paths:
+
+ /v1/{prefix}/namespaces/{namespace}/policies:
+ parameters:
+ - $ref: '../rest-catalog-open-api.yaml#/components/parameters/prefix'
+ - $ref: '../rest-catalog-open-api.yaml#/components/parameters/namespace'
+
+ post:
+ tags:
+ - Catalog API
+ summary: 'Create a policy in the given namespace'
+ operationId: createPolicy
+ description: |
+ Creates a policy within the specified namespace.
+
+ A policy defines a set of rules governing actions on specified
resources under predefined conditions.
+ In Apache Polaris, policies are created, stored, and later referenced
by external engines to enforce access controls on associated resources.
+
+ User provides the following inputs when creating a policy
+ - `name`(REQUIRED): The name of the policy.
+ - `type` (REQUIRED): The type of the policy. It can be either
predefined type or custom type.
+ - **Predefined Policies:** system.compaction,
system.snapshot_retention
+ - **Custom Policies:** custom.<org_name>.data_masking,
custom.<user_id>.audit_policy
+
+ - `description` (OPTIONAL): Provides details about the policy's
purpose and functionality
+ - `content` (OPTIONAL): Defines the rules that control actions and
access conditions on resources. The format can be JSON, SQL, or any other
format.
+
+ The policy content is validated by the server upon creation or update:
+ - Predefined policies are validated using built-in server-side
validators
+ - Custom policies rely on user-provided validators.
+ requestBody:
+ required: true
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/CreatePolicyRequest'
+ responses:
+ 200:
+ $ref: '#/components/responses/CreatePolicyResponse'
+ 400:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/BadRequestErrorResponse'
+ 401:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/UnauthorizedResponse'
+ 403:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/ForbiddenResponse'
+ 419:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/AuthenticationTimeoutResponse'
+ 503:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/ServiceUnavailableResponse'
+ 5XX:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/ServerErrorResponse'
+
+ /v1/{prefix}/namespaces/{namespace}/policies/{policy}:
+ parameters:
+ - $ref: '../rest-catalog-open-api.yaml#/components/parameters/prefix'
+ - $ref: '../rest-catalog-open-api.yaml#/components/parameters/namespace'
+ - $ref: '#/components/parameters/policy'
+
+ get:
+ tags:
+ - Catalog API
+ summary: 'Get a policy'
+ operationId: getPolicy
+ description: |-
+ Get a policy from the catalog
+
+ The response contains the policy's metadata and content. For more
details, refer to the definition of the `Policy` model.
+ responses:
+ 200:
+ $ref: '#/components/responses/LoadPolicyResponse'
+ 400:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/BadRequestErrorResponse'
+ 401:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/UnauthorizedResponse'
+ 403:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/ForbiddenResponse'
+ 404:
+ description:
+ Not Found - NoSuchPolicyException, policy to get does not exist
+ content:
+ application/json:
+ schema:
+ $ref:
'../rest-catalog-open-api.yaml#/components/schemas/IcebergErrorResponse'
+ examples:
+ PolicyToGetDoesNotExist:
+ $ref: '#/components/examples/NoSuchPolicyError'
+ 419:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/AuthenticationTimeoutResponse'
+ 503:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/ServiceUnavailableResponse'
+ 5XX:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/ServerErrorResponse'
+
+ put:
+ tags:
+ - Catalog API
+ summary: Update a policy
+ operationId: updatePolicy
+ description: |-
+ Update a policy
+
+ A policy's description and content can be updated. The new content is
validated against the policy's corresponding validator,
+ which is determined by its type—predefined policies use built-in
server-side validators, while custom policies rely on user-provided validators.
+ Upon a successful update, the policy's version is incremented by 1.
+ requestBody:
+ required: true
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/UpdatePolicyRequest'
+
+ responses:
+ 200:
+ $ref: '#/components/responses/UpdatePolicyResponse'
+ 400:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/BadRequestErrorResponse'
+ 401:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/UnauthorizedResponse'
+ 403:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/ForbiddenResponse'
+ 404:
+ description:
+ Not Found - NoSuchPolicyException, policy to get does not exist
+ content:
+ application/json:
+ schema:
+ $ref:
'../rest-catalog-open-api.yaml#/components/schemas/IcebergErrorResponse'
+ examples:
+ PolicyToUpdateDoesNotExist:
+ $ref: '#/components/examples/NoSuchPolicyError'
+ 419:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/AuthenticationTimeoutResponse'
+ 503:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/ServiceUnavailableResponse'
+ 5XX:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/ServerErrorResponse'
+
+ delete:
+ tags:
+ - Catalog API
+ summary: Delete a policy from the catalog
+ operationId: deletePolicy
+ description: Remove a policy from the catalog
+ responses:
+ 204:
+ description: Success, no content
+ 400:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/BadRequestErrorResponse'
+ 401:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/UnauthorizedResponse'
+ 403:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/ForbiddenResponse'
+ 404:
+ description:
+ Not Found - NoSuchPolicyException, policy to get does not exist
+ content:
+ application/json:
+ schema:
+ $ref:
'../rest-catalog-open-api.yaml#/components/schemas/IcebergErrorResponse'
+ examples:
+ PolicyToDeleteDoesNotExist:
+ $ref: '#/components/examples/NoSuchPolicyError'
+ 419:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/AuthenticationTimeoutResponse'
+ 503:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/ServiceUnavailableResponse'
+ 5XX:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/ServerErrorResponse'
+
+ /v1/{prefix}/namespaces/{namespace}/policies/{policy}/mappings:
+ parameters:
+ - $ref: '../rest-catalog-open-api.yaml#/components/parameters/prefix'
+ - $ref: '../rest-catalog-open-api.yaml#/components/parameters/namespace'
+ - $ref: '#/components/parameters/policy'
+
+ put:
+ tags:
+ - Catalog API
+ summary: Create a mapping between a policy and a resource entity
+ operationId: setPolicy
+ description: |
+ Create a mapping between a policy and a resource entity
+
+ Policy can be set at different levels:
+ 1. **Table-like level:** Policies specific to individual tables,
views, or other table-like entities.
+ 2. **Namespace level:** Policies applies to a namespace.
+ 3. **Catalog level:** Policies that applies to a catalog
+
+ Additional parameters can be provided in `parameters` when creating a
mapping to define specific behavior or constraints.
+ requestBody:
+ required: true
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SetPolicyRequest'
+
+ responses:
+ 204:
+ description: Success, no content
+ 400:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/BadRequestErrorResponse'
+ 401:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/UnauthorizedResponse'
+ 403:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/ForbiddenResponse'
+ 404:
+ description:
+ Not Found - NoSuchPolicyException, NoSuchEntityException
+ content:
+ application/json:
+ schema:
+ $ref:
'../rest-catalog-open-api.yaml#/components/schemas/IcebergErrorResponse'
+ examples:
+ PolicyToSetDoesNotExist:
+ $ref: '#/components/examples/NoSuchPolicyError'
+ EntityToSetDoesNotExist:
+ $ref: '#/components/examples/NoSuchEntityError'
+ 419:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/AuthenticationTimeoutResponse'
+ 503:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/ServiceUnavailableResponse'
+ 5XX:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/ServerErrorResponse'
+
+ delete:
+ tags:
+ - Catalog API
+ summary: Remove a mapping between a policy and a resource entity
+ operationId: unsetPolicy
+ description: |-
+ Remove a mapping between a policy and a resource entity
+
+ A resource entity can be a catalog, namespace, or any table-like entity
+ requestBody:
+ required: true
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/UnsetPolicyRequest'
+
+ responses:
+ 204:
+ description: Success, no content
+ 400:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/BadRequestErrorResponse'
+ 401:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/UnauthorizedResponse'
+ 403:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/ForbiddenResponse'
+ 404:
+ description:
+ Not Found - NoSuchPolicyException, NoSuchEntityException,
NoSuchMappingException
+ content:
+ application/json:
+ schema:
+ $ref:
'../rest-catalog-open-api.yaml#/components/schemas/IcebergErrorResponse'
+ examples:
+ PolicyToUnsetDoesNotExist:
+ $ref: '#/components/examples/NoSuchPolicyError'
+ EntityToUnsetDoesNotExist:
+ $ref: '#/components/examples/NoSuchEntityError'
+ MappingToUnsetDoesNotExist:
+ $ref: '#/components/examples/NoSuchMappingError'
+ 419:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/AuthenticationTimeoutResponse'
+ 503:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/ServiceUnavailableResponse'
+ 5XX:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/ServerErrorResponse'
+
+
+components:
+ parameters:
+ policy:
+ name: policy
+ in: path
+ required: true
+ schema:
+ $ref: '#/components/schemas/PolicyName'
+
+ schemas:
+ PolicyName:
+ type: string
+ description:
+ A policy name. A valid policy name should only consist of uppercase
and lowercase letters (A-Z, a-z),
+ digits (0-9), hyphens (-), underscores (_).
+ pattern: '^[A-Za-z0-9\-_]+$'
+ example: 'compaction'
+
+ Policy:
+ type: object
+ description: |
+ A policy in Apache Polaris defines a set of rules for governing
access, data usage, and operational consistency across various catalog
resources.
+ Policies are stored within Polaris and can be applied to catalogs,
namespaces, tables, and views. tables, and views.
+ For example, they can be used for fine-grained control over who can
perform specific actions on certain resources.
+
+ The policy object includes
+ - **owner-entity:** The entity that owns the policy
+ - **policy-type:** The type of the policy, which determines the
expected format and semantics of the policy content.
+ For example, predefined types include `system.compaction` or
`system.snapshot_retention`, while custom policy types
+ follow a namespaced format like `custom.<org_name>.data_masking`.
+
Review Comment:
Nit: remove the empty line?
##########
spec/polaris-catalog-apis/policy-apis.yaml:
##########
@@ -0,0 +1,520 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+---
+paths:
+
+ /v1/{prefix}/namespaces/{namespace}/policies:
+ parameters:
+ - $ref: '../rest-catalog-open-api.yaml#/components/parameters/prefix'
+ - $ref: '../rest-catalog-open-api.yaml#/components/parameters/namespace'
+
+ post:
+ tags:
+ - Catalog API
+ summary: 'Create a policy in the given namespace'
+ operationId: createPolicy
+ description: |
+ Creates a policy within the specified namespace.
+
+ A policy defines a set of rules governing actions on specified
resources under predefined conditions.
+ In Apache Polaris, policies are created, stored, and later referenced
by external engines to enforce access controls on associated resources.
+
+ User provides the following inputs when creating a policy
+ - `name`(REQUIRED): The name of the policy.
+ - `type` (REQUIRED): The type of the policy. It can be either
predefined type or custom type.
+ - **Predefined Policies:** system.compaction,
system.snapshot_retention
+ - **Custom Policies:** custom.<org_name>.data_masking,
custom.<user_id>.audit_policy
+
+ - `description` (OPTIONAL): Provides details about the policy's
purpose and functionality
+ - `content` (OPTIONAL): Defines the rules that control actions and
access conditions on resources. The format can be JSON, SQL, or any other
format.
+
+ The policy content is validated by the server upon creation or update:
+ - Predefined policies are validated using built-in server-side
validators
+ - Custom policies rely on user-provided validators.
+ requestBody:
+ required: true
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/CreatePolicyRequest'
+ responses:
+ 200:
+ $ref: '#/components/responses/CreatePolicyResponse'
+ 400:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/BadRequestErrorResponse'
+ 401:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/UnauthorizedResponse'
+ 403:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/ForbiddenResponse'
+ 419:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/AuthenticationTimeoutResponse'
+ 503:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/ServiceUnavailableResponse'
+ 5XX:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/ServerErrorResponse'
+
+ /v1/{prefix}/namespaces/{namespace}/policies/{policy}:
+ parameters:
+ - $ref: '../rest-catalog-open-api.yaml#/components/parameters/prefix'
+ - $ref: '../rest-catalog-open-api.yaml#/components/parameters/namespace'
+ - $ref: '#/components/parameters/policy'
+
+ get:
+ tags:
+ - Catalog API
+ summary: 'Get a policy'
+ operationId: getPolicy
+ description: |-
Review Comment:
Nit: Can we be consistent with `|-` or `|`? Or just remove them.
##########
spec/polaris-catalog-apis/policy-apis.yaml:
##########
@@ -0,0 +1,520 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+---
+paths:
+
+ /v1/{prefix}/namespaces/{namespace}/policies:
+ parameters:
+ - $ref: '../rest-catalog-open-api.yaml#/components/parameters/prefix'
+ - $ref: '../rest-catalog-open-api.yaml#/components/parameters/namespace'
+
+ post:
+ tags:
+ - Catalog API
+ summary: 'Create a policy in the given namespace'
+ operationId: createPolicy
+ description: |
+ Creates a policy within the specified namespace.
+
+ A policy defines a set of rules governing actions on specified
resources under predefined conditions.
+ In Apache Polaris, policies are created, stored, and later referenced
by external engines to enforce access controls on associated resources.
+
+ User provides the following inputs when creating a policy
+ - `name`(REQUIRED): The name of the policy.
+ - `type` (REQUIRED): The type of the policy. It can be either
predefined type or custom type.
+ - **Predefined Policies:** system.compaction,
system.snapshot_retention
+ - **Custom Policies:** custom.<org_name>.data_masking,
custom.<user_id>.audit_policy
+
+ - `description` (OPTIONAL): Provides details about the policy's
purpose and functionality
+ - `content` (OPTIONAL): Defines the rules that control actions and
access conditions on resources. The format can be JSON, SQL, or any other
format.
+
+ The policy content is validated by the server upon creation or update:
+ - Predefined policies are validated using built-in server-side
validators
+ - Custom policies rely on user-provided validators.
+ requestBody:
+ required: true
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/CreatePolicyRequest'
+ responses:
+ 200:
+ $ref: '#/components/responses/CreatePolicyResponse'
+ 400:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/BadRequestErrorResponse'
+ 401:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/UnauthorizedResponse'
+ 403:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/ForbiddenResponse'
+ 419:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/AuthenticationTimeoutResponse'
+ 503:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/ServiceUnavailableResponse'
+ 5XX:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/ServerErrorResponse'
+
+ /v1/{prefix}/namespaces/{namespace}/policies/{policy}:
+ parameters:
+ - $ref: '../rest-catalog-open-api.yaml#/components/parameters/prefix'
+ - $ref: '../rest-catalog-open-api.yaml#/components/parameters/namespace'
+ - $ref: '#/components/parameters/policy'
+
+ get:
+ tags:
+ - Catalog API
+ summary: 'Get a policy'
+ operationId: getPolicy
+ description: |-
+ Get a policy from the catalog
+
+ The response contains the policy's metadata and content. For more
details, refer to the definition of the `Policy` model.
+ responses:
+ 200:
+ $ref: '#/components/responses/LoadPolicyResponse'
+ 400:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/BadRequestErrorResponse'
+ 401:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/UnauthorizedResponse'
+ 403:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/ForbiddenResponse'
+ 404:
+ description:
+ Not Found - NoSuchPolicyException, policy to get does not exist
+ content:
+ application/json:
+ schema:
+ $ref:
'../rest-catalog-open-api.yaml#/components/schemas/IcebergErrorResponse'
+ examples:
+ PolicyToGetDoesNotExist:
+ $ref: '#/components/examples/NoSuchPolicyError'
+ 419:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/AuthenticationTimeoutResponse'
+ 503:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/ServiceUnavailableResponse'
+ 5XX:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/ServerErrorResponse'
+
+ put:
+ tags:
+ - Catalog API
+ summary: Update a policy
+ operationId: updatePolicy
+ description: |-
+ Update a policy
+
+ A policy's description and content can be updated. The new content is
validated against the policy's corresponding validator,
+ which is determined by its type—predefined policies use built-in
server-side validators, while custom policies rely on user-provided validators.
+ Upon a successful update, the policy's version is incremented by 1.
+ requestBody:
+ required: true
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/UpdatePolicyRequest'
+
+ responses:
+ 200:
+ $ref: '#/components/responses/UpdatePolicyResponse'
+ 400:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/BadRequestErrorResponse'
+ 401:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/UnauthorizedResponse'
+ 403:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/ForbiddenResponse'
+ 404:
+ description:
+ Not Found - NoSuchPolicyException, policy to get does not exist
+ content:
+ application/json:
+ schema:
+ $ref:
'../rest-catalog-open-api.yaml#/components/schemas/IcebergErrorResponse'
+ examples:
+ PolicyToUpdateDoesNotExist:
+ $ref: '#/components/examples/NoSuchPolicyError'
+ 419:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/AuthenticationTimeoutResponse'
+ 503:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/ServiceUnavailableResponse'
+ 5XX:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/ServerErrorResponse'
+
+ delete:
+ tags:
+ - Catalog API
+ summary: Delete a policy from the catalog
+ operationId: deletePolicy
+ description: Remove a policy from the catalog
+ responses:
+ 204:
+ description: Success, no content
+ 400:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/BadRequestErrorResponse'
+ 401:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/UnauthorizedResponse'
+ 403:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/ForbiddenResponse'
+ 404:
+ description:
+ Not Found - NoSuchPolicyException, policy to get does not exist
+ content:
+ application/json:
+ schema:
+ $ref:
'../rest-catalog-open-api.yaml#/components/schemas/IcebergErrorResponse'
+ examples:
+ PolicyToDeleteDoesNotExist:
+ $ref: '#/components/examples/NoSuchPolicyError'
+ 419:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/AuthenticationTimeoutResponse'
+ 503:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/ServiceUnavailableResponse'
+ 5XX:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/ServerErrorResponse'
+
+ /v1/{prefix}/namespaces/{namespace}/policies/{policy}/mappings:
+ parameters:
+ - $ref: '../rest-catalog-open-api.yaml#/components/parameters/prefix'
+ - $ref: '../rest-catalog-open-api.yaml#/components/parameters/namespace'
+ - $ref: '#/components/parameters/policy'
+
+ put:
+ tags:
+ - Catalog API
+ summary: Create a mapping between a policy and a resource entity
+ operationId: setPolicy
+ description: |
+ Create a mapping between a policy and a resource entity
+
+ Policy can be set at different levels:
+ 1. **Table-like level:** Policies specific to individual tables,
views, or other table-like entities.
+ 2. **Namespace level:** Policies applies to a namespace.
+ 3. **Catalog level:** Policies that applies to a catalog
+
+ Additional parameters can be provided in `parameters` when creating a
mapping to define specific behavior or constraints.
+ requestBody:
+ required: true
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SetPolicyRequest'
+
+ responses:
+ 204:
+ description: Success, no content
+ 400:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/BadRequestErrorResponse'
+ 401:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/UnauthorizedResponse'
+ 403:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/ForbiddenResponse'
+ 404:
+ description:
+ Not Found - NoSuchPolicyException, NoSuchEntityException
+ content:
+ application/json:
+ schema:
+ $ref:
'../rest-catalog-open-api.yaml#/components/schemas/IcebergErrorResponse'
+ examples:
+ PolicyToSetDoesNotExist:
+ $ref: '#/components/examples/NoSuchPolicyError'
+ EntityToSetDoesNotExist:
+ $ref: '#/components/examples/NoSuchEntityError'
+ 419:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/AuthenticationTimeoutResponse'
+ 503:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/ServiceUnavailableResponse'
+ 5XX:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/ServerErrorResponse'
+
+ delete:
+ tags:
+ - Catalog API
+ summary: Remove a mapping between a policy and a resource entity
+ operationId: unsetPolicy
+ description: |-
+ Remove a mapping between a policy and a resource entity
+
+ A resource entity can be a catalog, namespace, or any table-like entity
+ requestBody:
+ required: true
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/UnsetPolicyRequest'
+
+ responses:
+ 204:
+ description: Success, no content
+ 400:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/BadRequestErrorResponse'
+ 401:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/UnauthorizedResponse'
+ 403:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/ForbiddenResponse'
+ 404:
+ description:
+ Not Found - NoSuchPolicyException, NoSuchEntityException,
NoSuchMappingException
+ content:
+ application/json:
+ schema:
+ $ref:
'../rest-catalog-open-api.yaml#/components/schemas/IcebergErrorResponse'
+ examples:
+ PolicyToUnsetDoesNotExist:
+ $ref: '#/components/examples/NoSuchPolicyError'
+ EntityToUnsetDoesNotExist:
+ $ref: '#/components/examples/NoSuchEntityError'
+ MappingToUnsetDoesNotExist:
+ $ref: '#/components/examples/NoSuchMappingError'
+ 419:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/AuthenticationTimeoutResponse'
+ 503:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/ServiceUnavailableResponse'
+ 5XX:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/ServerErrorResponse'
+
+
+components:
+ parameters:
+ policy:
+ name: policy
+ in: path
+ required: true
+ schema:
+ $ref: '#/components/schemas/PolicyName'
+
+ schemas:
+ PolicyName:
+ type: string
+ description:
+ A policy name. A valid policy name should only consist of uppercase
and lowercase letters (A-Z, a-z),
+ digits (0-9), hyphens (-), underscores (_).
+ pattern: '^[A-Za-z0-9\-_]+$'
+ example: 'compaction'
+
+ Policy:
+ type: object
+ description: |
+ A policy in Apache Polaris defines a set of rules for governing
access, data usage, and operational consistency across various catalog
resources.
+ Policies are stored within Polaris and can be applied to catalogs,
namespaces, tables, and views. tables, and views.
Review Comment:
```suggestion
Policies are stored within Polaris and can be applied to catalogs,
namespaces, tables, views and other table-like entities.
```
##########
spec/polaris-catalog-apis/policy-apis.yaml:
##########
@@ -0,0 +1,520 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+---
+paths:
+
+ /v1/{prefix}/namespaces/{namespace}/policies:
+ parameters:
+ - $ref: '../rest-catalog-open-api.yaml#/components/parameters/prefix'
+ - $ref: '../rest-catalog-open-api.yaml#/components/parameters/namespace'
+
+ post:
+ tags:
+ - Catalog API
+ summary: 'Create a policy in the given namespace'
+ operationId: createPolicy
+ description: |
+ Creates a policy within the specified namespace.
+
+ A policy defines a set of rules governing actions on specified
resources under predefined conditions.
+ In Apache Polaris, policies are created, stored, and later referenced
by external engines to enforce access controls on associated resources.
+
+ User provides the following inputs when creating a policy
+ - `name`(REQUIRED): The name of the policy.
+ - `type` (REQUIRED): The type of the policy. It can be either
predefined type or custom type.
+ - **Predefined Policies:** system.compaction,
system.snapshot_retention
+ - **Custom Policies:** custom.<org_name>.data_masking,
custom.<user_id>.audit_policy
+
+ - `description` (OPTIONAL): Provides details about the policy's
purpose and functionality
+ - `content` (OPTIONAL): Defines the rules that control actions and
access conditions on resources. The format can be JSON, SQL, or any other
format.
+
+ The policy content is validated by the server upon creation or update:
+ - Predefined policies are validated using built-in server-side
validators
+ - Custom policies rely on user-provided validators.
+ requestBody:
+ required: true
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/CreatePolicyRequest'
+ responses:
+ 200:
+ $ref: '#/components/responses/CreatePolicyResponse'
+ 400:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/BadRequestErrorResponse'
+ 401:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/UnauthorizedResponse'
+ 403:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/ForbiddenResponse'
+ 419:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/AuthenticationTimeoutResponse'
+ 503:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/ServiceUnavailableResponse'
+ 5XX:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/ServerErrorResponse'
+
+ /v1/{prefix}/namespaces/{namespace}/policies/{policy}:
+ parameters:
+ - $ref: '../rest-catalog-open-api.yaml#/components/parameters/prefix'
+ - $ref: '../rest-catalog-open-api.yaml#/components/parameters/namespace'
+ - $ref: '#/components/parameters/policy'
+
+ get:
+ tags:
+ - Catalog API
+ summary: 'Get a policy'
+ operationId: getPolicy
+ description: |-
+ Get a policy from the catalog
+
+ The response contains the policy's metadata and content. For more
details, refer to the definition of the `Policy` model.
+ responses:
+ 200:
+ $ref: '#/components/responses/LoadPolicyResponse'
+ 400:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/BadRequestErrorResponse'
+ 401:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/UnauthorizedResponse'
+ 403:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/ForbiddenResponse'
+ 404:
+ description:
+ Not Found - NoSuchPolicyException, policy to get does not exist
+ content:
+ application/json:
+ schema:
+ $ref:
'../rest-catalog-open-api.yaml#/components/schemas/IcebergErrorResponse'
+ examples:
+ PolicyToGetDoesNotExist:
+ $ref: '#/components/examples/NoSuchPolicyError'
+ 419:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/AuthenticationTimeoutResponse'
+ 503:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/ServiceUnavailableResponse'
+ 5XX:
+ $ref:
'../rest-catalog-open-api.yaml#/components/responses/ServerErrorResponse'
+
+ put:
+ tags:
+ - Catalog API
+ summary: Update a policy
+ operationId: updatePolicy
+ description: |-
+ Update a policy
+
+ A policy's description and content can be updated. The new content is
validated against the policy's corresponding validator,
+ which is determined by its type—predefined policies use built-in
server-side validators, while custom policies rely on user-provided validators.
Review Comment:
I'm not sure we need to dive into details about validator here. It doesn't
seem necessary. WDYT?
```suggestion
A policy's description and content can be updated. The new content
is validated against the policy's corresponding validator,
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
