eric-maynard commented on code in PR #2048: URL: https://github.com/apache/polaris/pull/2048#discussion_r2261326597
########## polaris-core/src/main/java/org/apache/polaris/core/policy/content/AccessControlPolicyContent.java: ########## @@ -0,0 +1,120 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.polaris.core.policy.content; + +import com.fasterxml.jackson.core.JsonProcessingException; +import com.fasterxml.jackson.databind.annotation.JsonDeserialize; +import com.fasterxml.jackson.databind.annotation.JsonSerialize; +import com.google.common.base.Strings; +import java.util.List; +import java.util.Set; +import org.apache.iceberg.expressions.Expression; +import org.apache.polaris.core.policy.validator.InvalidPolicyException; + +public class AccessControlPolicyContent implements PolicyContent { + + // Optional, if there means policies is applicable to the role + private String principalRole; Review Comment: > If we have multiple policies, how do we find the set of applicable policies? (I'm not sure I saw details on the in the doc 😅 ) This is an existing feature of the policy store, you can retrieve all policies applicable to a given entity. Each policy can correspond to one role. ########## polaris-core/src/main/java/org/apache/polaris/core/config/FeatureConfiguration.java: ########## @@ -349,4 +349,15 @@ public static void enforceFeatureEnabledOrThrow( + "it is still possible to enforce the uniqueness of table locations within a catalog.") .defaultValue(false) .buildFeatureConfiguration(); + + public static final FeatureConfiguration<Boolean> + ALLOW_ATTACHING_FINE_GRAINED_POLICIES_TO_ENTITIES = Review Comment: I think it would make more sense to have a feature flag that also controls other interactions with these policies -- such as creating them or retrieving them. Currently, if you suddenly want to stop using the feature you'd have to go manually detach each policy before setting this flag. ########## polaris-core/src/main/java/org/apache/polaris/core/policy/AccessControlPolicyUtil.java: ########## @@ -0,0 +1,151 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.polaris.core.policy; + +import static org.apache.polaris.core.policy.PredefinedPolicyTypes.ACCESS_CONTROL; + +import com.google.common.collect.Lists; +import java.util.List; +import org.apache.iceberg.expressions.Expression; +import org.apache.iceberg.expressions.ExpressionVisitors; +import org.apache.iceberg.expressions.Expressions; +import org.apache.iceberg.expressions.UnboundPredicate; +import org.apache.polaris.core.auth.AuthenticatedPolarisPrincipal; +import org.apache.polaris.core.policy.content.AccessControlPolicyContent; + +public class AccessControlPolicyUtil { + private AccessControlPolicyUtil() {} + + public static String replaceContextVariable( + String content, PolicyType policyType, AuthenticatedPolarisPrincipal authenticatedPrincipal) { + if (policyType == ACCESS_CONTROL) { + try { + AccessControlPolicyContent policyContent = AccessControlPolicyContent.fromString(content); + List<Expression> evaluatedRowFilterExpressions = Lists.newArrayList(); + + for (Expression rowFilterExpression : policyContent.getRowFilters()) { + Expression evaluatedExpression = + ExpressionVisitors.visit( + rowFilterExpression, + new ContextVariableReplacementVisitor(authenticatedPrincipal)); + evaluatedRowFilterExpressions.add(evaluatedExpression); + } + + // also nullify the principal role. + policyContent.setPrincipalRole(null); + policyContent.setRowFilters(evaluatedRowFilterExpressions); + return AccessControlPolicyContent.toString(policyContent); + } catch (Exception e) { + return content; + } + } + return content; + } + + public static boolean filterApplicablePolicy( + PolicyEntity policyEntity, AuthenticatedPolarisPrincipal authenticatedPrincipal) { + if (policyEntity.getPolicyType().equals(ACCESS_CONTROL)) { + AccessControlPolicyContent content = + AccessControlPolicyContent.fromString(policyEntity.getContent()); + String applicablePrincipal = content.getPrincipalRole(); + return applicablePrincipal == null + || authenticatedPrincipal.getActivatedPrincipalRoleNames().isEmpty() + || authenticatedPrincipal + .getActivatedPrincipalRoleNames() + .contains(content.getPrincipalRole()); + } + + return true; + } + + /** Expression visitor that replaces context variables with evaluated expressions */ + private static class ContextVariableReplacementVisitor + extends ExpressionVisitors.ExpressionVisitor<Expression> { + private final AuthenticatedPolarisPrincipal authenticatedPrincipal; + + public ContextVariableReplacementVisitor(AuthenticatedPolarisPrincipal authenticatedPrincipal) { + this.authenticatedPrincipal = authenticatedPrincipal; + } + + @Override + public <T> Expression predicate(UnboundPredicate<T> pred) { + String refName = pred.ref().name(); + + if ("$current_principal_role".equals(refName)) { Review Comment: Let's make these constants ########## polaris-core/src/main/java/org/apache/polaris/core/policy/content/AccessControlPolicyContent.java: ########## @@ -0,0 +1,120 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.polaris.core.policy.content; + +import com.fasterxml.jackson.core.JsonProcessingException; +import com.fasterxml.jackson.databind.annotation.JsonDeserialize; +import com.fasterxml.jackson.databind.annotation.JsonSerialize; +import com.google.common.base.Strings; +import java.util.List; +import java.util.Set; +import org.apache.iceberg.expressions.Expression; +import org.apache.polaris.core.policy.validator.InvalidPolicyException; + +public class AccessControlPolicyContent implements PolicyContent { + + // Optional, if there means policies is applicable to the role + private String principalRole; + + // TODO: model them as iceberg transforms + private List<String> columnProjections; + + // Iceberg expressions without context functions for now. + // Use a custom deserializer for the list of Iceberg Expressions + @JsonDeserialize(using = IcebergExpressionListDeserializer.class) + @JsonSerialize(using = IcebergExpressionListSerializer.class) + private List<Expression> rowFilters; + + private static final String DEFAULT_POLICY_SCHEMA_VERSION = "2025-02-03"; Review Comment: Like for other policies, this is a sort of policy "version" ########## polaris-core/src/main/java/org/apache/polaris/core/policy/content/AccessControlPolicyContent.java: ########## @@ -0,0 +1,120 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.polaris.core.policy.content; + +import com.fasterxml.jackson.core.JsonProcessingException; +import com.fasterxml.jackson.databind.annotation.JsonDeserialize; +import com.fasterxml.jackson.databind.annotation.JsonSerialize; +import com.google.common.base.Strings; +import java.util.List; +import java.util.Set; +import org.apache.iceberg.expressions.Expression; +import org.apache.polaris.core.policy.validator.InvalidPolicyException; + +public class AccessControlPolicyContent implements PolicyContent { + + // Optional, if there means policies is applicable to the role + private String principalRole; + + // TODO: model them as iceberg transforms + private List<String> columnProjections; + + // Iceberg expressions without context functions for now. + // Use a custom deserializer for the list of Iceberg Expressions + @JsonDeserialize(using = IcebergExpressionListDeserializer.class) + @JsonSerialize(using = IcebergExpressionListSerializer.class) + private List<Expression> rowFilters; Review Comment: They're used to generate a view, right? ########## polaris-core/src/main/java/org/apache/polaris/core/policy/AccessControlPolicyUtil.java: ########## @@ -0,0 +1,151 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.polaris.core.policy; + +import static org.apache.polaris.core.policy.PredefinedPolicyTypes.ACCESS_CONTROL; + +import com.google.common.collect.Lists; +import java.util.List; +import org.apache.iceberg.expressions.Expression; +import org.apache.iceberg.expressions.ExpressionVisitors; +import org.apache.iceberg.expressions.Expressions; +import org.apache.iceberg.expressions.UnboundPredicate; +import org.apache.polaris.core.auth.AuthenticatedPolarisPrincipal; +import org.apache.polaris.core.policy.content.AccessControlPolicyContent; + +public class AccessControlPolicyUtil { + private AccessControlPolicyUtil() {} + + public static String replaceContextVariable( + String content, PolicyType policyType, AuthenticatedPolarisPrincipal authenticatedPrincipal) { + if (policyType == ACCESS_CONTROL) { + try { + AccessControlPolicyContent policyContent = AccessControlPolicyContent.fromString(content); + List<Expression> evaluatedRowFilterExpressions = Lists.newArrayList(); + + for (Expression rowFilterExpression : policyContent.getRowFilters()) { + Expression evaluatedExpression = + ExpressionVisitors.visit( + rowFilterExpression, + new ContextVariableReplacementVisitor(authenticatedPrincipal)); + evaluatedRowFilterExpressions.add(evaluatedExpression); + } + + // also nullify the principal role. + policyContent.setPrincipalRole(null); + policyContent.setRowFilters(evaluatedRowFilterExpressions); + return AccessControlPolicyContent.toString(policyContent); + } catch (Exception e) { Review Comment: This is quite broad a catch, and we may also want some logging here -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
