HonahX commented on code in PR #808: URL: https://github.com/apache/polaris/pull/808#discussion_r1992459008
########## spec/polaris-catalog-apis/policy-apis.yaml: ########## @@ -0,0 +1,710 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +--- +paths: + + /polaris/v1/{prefix}/namespaces/{namespace}/policies: + parameters: + - $ref: '../iceberg-rest-catalog-open-api.yaml#/components/parameters/prefix' + - $ref: '../iceberg-rest-catalog-open-api.yaml#/components/parameters/namespace' + + post: + tags: + - Policy API + summary: Create a policy in the given namespace + operationId: createPolicy + description: | + Creates a policy within the specified namespace. + + A policy defines a set of rules governing actions on specified resources under predefined conditions. + In Apache Polaris, policies are created, stored, and later referenced by external engines to enforce access controls on associated resources. + + User provides the following inputs when creating a policy + - `name`(REQUIRED): The name of the policy. + - `type` (REQUIRED): The type of the policy. + - **Predefined Policies:** policies have a `system.*` prefix in their type, such as `system.data_compaction` + - `description` (OPTIONAL): Provides details about the policy's purpose and functionality + - `content` (OPTIONAL): Defines the rules that control actions and access conditions on resources. The format can be JSON, SQL, or any other format. + + The content field in the request body is validated using the policy's corresponding validator. The policy is created only if the content passes validation. + + Upon successful creation, the new policy's version will be 0. + requestBody: + required: true + content: + application/json: + schema: + $ref: '#/components/schemas/CreatePolicyRequest' + responses: + 200: + $ref: '#/components/responses/CreatePolicyResponse' + 400: + $ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/BadRequestErrorResponse' + 401: + $ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/UnauthorizedResponse' + 403: + $ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/ForbiddenResponse' + 503: + $ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/ServiceUnavailableResponse' + 5XX: + $ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/ServerErrorResponse' + get: + tags: + - Policy API + summary: List all policy identifiers underneath a given namespace + description: Return all policy identifiers under this namespace. Users can optionally filter the result by policy type + operationId: listPolicies + parameters: + - $ref: '../iceberg-rest-catalog-open-api.yaml#/components/parameters/page-token' + - $ref: '../iceberg-rest-catalog-open-api.yaml#/components/parameters/page-size' + - $ref: '#/components/parameters/policy-type' + + responses: + 200: + $ref: '#/components/responses/ListPoliciesResponse' + 400: + $ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/BadRequestErrorResponse' + 401: + $ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/UnauthorizedResponse' + 403: + $ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/ForbiddenResponse' + 404: + description: Not Found - The namespace specified does not exist + content: + application/json: + schema: + $ref: '../iceberg-rest-catalog-open-api.yaml#/components/schemas/IcebergErrorResponse' + examples: + NamespaceNotFound: + $ref: '../iceberg-rest-catalog-open-api.yaml#/components/examples/NoSuchNamespaceError' + 503: + $ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/ServiceUnavailableResponse' + 5XX: + $ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/ServerErrorResponse' + + /polaris/v1/{prefix}/namespaces/{namespace}/policies/{policyName}: + parameters: + - $ref: '../iceberg-rest-catalog-open-api.yaml#/components/parameters/prefix' + - $ref: '../iceberg-rest-catalog-open-api.yaml#/components/parameters/namespace' + - $ref: '#/components/parameters/policy-name' + + get: + tags: + - Policy API + summary: Load a policy + operationId: loadPolicy + description: | + Load a policy from the catalog + + The response contains the policy's metadata and content. For more details, refer to the definition of the `Policy` model. + responses: + 200: + $ref: '#/components/responses/LoadPolicyResponse' + 400: + $ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/BadRequestErrorResponse' + 401: + $ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/UnauthorizedResponse' + 403: + $ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/ForbiddenResponse' + 404: + description: + Not Found - NoSuchPolicyException, policy to get does not exist + content: + application/json: + schema: + $ref: '../iceberg-rest-catalog-open-api.yaml#/components/schemas/IcebergErrorResponse' + examples: + PolicyToGetDoesNotExist: + $ref: '#/components/examples/NoSuchPolicyError' + 503: + $ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/ServiceUnavailableResponse' + 5XX: + $ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/ServerErrorResponse' + + put: + tags: + - Policy API + summary: Update a policy + operationId: updatePolicy + description: | + Update a policy + + A policy's description and content can be updated. The new content is validated against the policy's corresponding validator. + Upon a successful update, the policy's version is incremented by 1. + + The update will only succeed if the current version matches the one in the catalog. + requestBody: + required: true + content: + application/json: + schema: + $ref: '#/components/schemas/UpdatePolicyRequest' + + responses: + 200: + $ref: '#/components/responses/UpdatePolicyResponse' + 400: + $ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/BadRequestErrorResponse' + 401: + $ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/UnauthorizedResponse' + 403: + $ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/ForbiddenResponse' + 404: + description: + Not Found - NoSuchPolicyException, policy to get does not exist + content: + application/json: + schema: + $ref: '../iceberg-rest-catalog-open-api.yaml#/components/schemas/IcebergErrorResponse' + examples: + PolicyToUpdateDoesNotExist: + $ref: '#/components/examples/NoSuchPolicyError' + 409: + description: "The policy version doesn't match the current-policy-version; retry after fetching latest version" + content: + application/json: + schema: + $ref: '../iceberg-rest-catalog-open-api.yaml#/components/schemas/IcebergErrorResponse' + examples: + PolicyVersionMismatch: + $ref: '#/components/examples/PolicyVersionMismatchError' + 503: + $ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/ServiceUnavailableResponse' + 5XX: + $ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/ServerErrorResponse' + + delete: + tags: + - Policy API + summary: Drop a policy from the catalog + operationId: dropPolicy + description: | + Remove a policy from the catalog. + + A policy can only be dropped if it is not attached to any resource entity. To remove the policy along with all its attachments, set detach-policy-from-all to true. + + parameters: + - name: detach-policy-from-all + in: query + required: false + description: | + When set to true, the dropPolicy operation will also delete all mappings between the policy and its attached target entities. + schema: + type: boolean + example: false + + responses: + 204: + description: Success, no content + 400: + $ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/BadRequestErrorResponse' + 401: + $ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/UnauthorizedResponse' + 403: + $ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/ForbiddenResponse' + 404: + description: + Not Found - NoSuchPolicyException, policy to get does not exist + content: + application/json: + schema: + $ref: '../iceberg-rest-catalog-open-api.yaml#/components/schemas/IcebergErrorResponse' + examples: + PolicyToDeleteDoesNotExist: + $ref: '#/components/examples/NoSuchPolicyError' + 503: + $ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/ServiceUnavailableResponse' + 5XX: + $ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/ServerErrorResponse' + + /polaris/v1/{prefix}/namespaces/{namespace}/policies/{policyName}/mappings: + parameters: + - $ref: '../iceberg-rest-catalog-open-api.yaml#/components/parameters/prefix' + - $ref: '../iceberg-rest-catalog-open-api.yaml#/components/parameters/namespace' + - $ref: '#/components/parameters/policy-name' + + put: + tags: + - Policy API + summary: Create a mapping between a policy and a resource entity + operationId: attachPolicy + description: | + Create a mapping between a policy and a resource entity + + Policy can be set at different levels: + 1. **Table-like level:** Policies specific to individual tables, views, or other table-like entities. + 2. **Namespace level:** Policies applies to a namespace. + 3. **Catalog level:** Policies that applies to a catalog + + The ability to attach a policy to a specific entity type is governed by the PolicyValidator. A policy can only be attached if the resource entity is a valid target for the specified policy type. + + In addition to the validation rules enforced by the PolicyValidator, there are additional constraints on policy attachment: + 1. For inheritable policies, only one policy of the same type can be attached to a given resource entity. Review Comment: When resolving which policy should be applied to a target (e.g. table), the policy attached to the table will override the policy of the same inheritable type attached to table's namespace. I think some updates in the design doc incorrectly remove the link to the high level design doc's Policy Inheritance section, I've added that back and also include the link here for reference: https://docs.google.com/document/d/1kIiVkFFg9tPa5SH70b9WwzbmclrzH3qWHKfCKXw5lbs/edit?tab=t.0#heading=h.5ucshn6t7ql7 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
