
Policy Store: Add PolicyEntity and PolicyTypes #1133


Merged
merged 7 commits into from
Mar 18, 2025
Expand Up @@ -34,7 +34,8 @@ public enum PolarisEntityType {
// generic table is either a view or a real table
TABLE_LIKE(7, NAMESPACE, false, false),
TASK(8, ROOT, false, false),
FILE(9, TABLE_LIKE, false, false);
FILE(9, TABLE_LIKE, false, false),
POLICY(10, NAMESPACE, false, false);

// to efficiently map a code to its corresponding entity type, use a reverse array which
// is initialized below
@@ -0,0 +1,129 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.polaris.core.policy;

import com.fasterxml.jackson.annotation.JsonIgnore;
import com.google.common.base.Preconditions;
import org.apache.iceberg.catalog.Namespace;
import org.apache.iceberg.rest.RESTUtil;
import org.apache.polaris.core.entity.NamespaceEntity;
import org.apache.polaris.core.entity.PolarisBaseEntity;
import org.apache.polaris.core.entity.PolarisEntity;
import org.apache.polaris.core.entity.PolarisEntityType;

public class PolicyEntity extends PolarisEntity {

public static final String POLICY_TYPE_CODE_KEY = "policy-type-code";
public static final String POLICY_DESCRIPTION_KEY = "policy-description";
public static final String POLICY_VERSION_KEY = "policy-version";
public static final String POLICY_CONTENT_KEY = "policy-content";

PolicyEntity(PolarisBaseEntity sourceEntity) {
super(sourceEntity);
}

public static PolicyEntity of(PolarisBaseEntity sourceEntity) {
if (sourceEntity != null) {
return new PolicyEntity(sourceEntity);
}

return null;
}

@JsonIgnore
public PolicyType getPolicyType() {
return PolicyType.fromCode(getPolicyTypeCode());
}

@JsonIgnore
public int getPolicyTypeCode() {
Preconditions.checkArgument(
getPropertiesAsMap().containsKey(POLICY_TYPE_CODE_KEY),
"Invalid policy entity: policy type must exist");
String policyTypeCode = getPropertiesAsMap().get(POLICY_TYPE_CODE_KEY);
Contributor


We will need policy type to be a top-level field instead of hidden in property map in the future, but it's fine now.

return Integer.parseInt(policyTypeCode);
}

@JsonIgnore
public String getDescription() {
return getPropertiesAsMap().get(POLICY_DESCRIPTION_KEY);
}

@JsonIgnore
public String getContent() {
return getPropertiesAsMap().get(POLICY_CONTENT_KEY);
}

@JsonIgnore
public int getPolicyVersion() {
return Integer.parseInt(getPropertiesAsMap().get(POLICY_VERSION_KEY));
}

public static class Builder extends PolarisEntity.BaseBuilder<PolicyEntity, Builder> {
public Builder(Namespace namespace, String policyName, PolicyType policyType) {
super();
setType(PolarisEntityType.POLICY);
setParentNamespace(namespace);
setName(policyName);
setPolicyType(policyType);
setPolicyVersion(0);
}

public Builder(PolicyEntity original) {
super(original);
}

@Override
public PolicyEntity build() {
Preconditions.checkArgument(
properties.containsKey(POLICY_TYPE_CODE_KEY), "Policy type must be specified");

return new PolicyEntity(buildBase());
}

public Builder setParentNamespace(Namespace namespace) {
if (namespace != null && !namespace.isEmpty()) {
internalProperties.put(
NamespaceEntity.PARENT_NAMESPACE_KEY, RESTUtil.encodeNamespace(namespace));
}
return this;
}

public Builder setPolicyType(PolicyType policyType) {
Preconditions.checkArgument(policyType != null, "Policy type must be specified");
properties.put(POLICY_TYPE_CODE_KEY, Integer.toString(policyType.getCode()));
return this;
}

public Builder setDescription(String description) {
properties.put(POLICY_DESCRIPTION_KEY, description);
return this;
}

public Builder setPolicyVersion(int version) {
properties.put(POLICY_VERSION_KEY, Integer.toString(version));
return this;
}

public Builder setContent(String content) {
properties.put(POLICY_CONTENT_KEY, content);
return this;
}
}
}
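Review bot: `PolicyEntity.of` and the package-private constructor wrap any `PolarisBaseEntity` without checking that it is actually a policy, so a wrongly resolved entity is only noticed later, when one of the getters fails. A constructor check such as `Preconditions.checkState(getType() == PolarisEntityType.POLICY, "Invalid entity type: %s", getType());` would reject it at the boundary (this assumes the base class exposes `getType()`, which this page does not show). Related: `getPolicyVersion()` has no presence check like the one in `getPolicyTypeCode()`, so a missing `policy-version` property reaches `Integer.parseInt` as null and surfaces as a `NumberFormatException`. `getPolicyType()` also returns null for an unrecognised code because `PolicyType.fromCode` is nullable, so the getter should carry `@Nullable` and say so in a one-line Javadoc.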
@@ -0,0 +1,84 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.polaris.core.policy;

import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonValue;
import jakarta.annotation.Nullable;

/**
* Represents a policy type in Polaris. A policy type defines a category of policies that may be
* either predefined or custom (user-defined).
*
* <p>A policy type can be either inheritable or non-inheritable. Inheritable policies are passed
* down to lower-level entities (e.g., from a namespace to a table).
Contributor


[doubt] This may be a naive question: what stops these policies from being inherited from namespace -> view?
As we don't wanna run stuff for views.

Contributor Author


As we don't wanna run stuff for views >

Good question, I think that's a valid concern. Currently, our engine determines how policies are enforced, and the TMS service is focused solely on tables. That said, if we later find it necessary to restrict inheritance, we can extend the PolicyType to provide the functionality to limit the valid target types.

cc @flyrain

Contributor


Currently, our engine determines how policies are enforced, and the TMS service is focused solely on tables

That's true for the enforcing part, but Polaris here is acting as a policy store, which should make sure that such inheritance, if unintentional, is blocked. So a call to get a TMS policy on a view should return nothing.

That being said, it's fine if we want to address this later, considering that presently the caller just wants TMS on tables and never on a view.

*/
public interface PolicyType {

/**
* Retrieves the unique type code associated with this policy type.
*
* @return the type code of the policy type
*/
@JsonValue
int getCode();

/**
* Retrieves the human-readable name of this policy type.
*
* @return the name of the policy type
*/
String getName();

/**
* Determines whether this policy type is inheritable.
*
* @return {@code true} if the policy type is inheritable, otherwise {@code false}
*/
boolean isInheritable();

/**
* Retrieves a {@link PolicyType} instance corresponding to the given type code.
*
* <p>This method searches for the policy type in predefined policy types. If a custom policy type
* storage mechanism is implemented in the future, it may also check registered custom policy
* types.
*
* @param code the type code of the policy type
* @return the corresponding {@link PolicyType}, or {@code null} if no matching type is found
*/
@JsonCreator
static @Nullable PolicyType fromCode(int code) {
return PredefinedPolicyTypes.fromCode(code);
}

/**
* Retrieves a {@link PolicyType} instance corresponding to the given policy name.
*
* <p>This method searches for the policy type in predefined policy types. If a custom policy type
* storage mechanism is implemented in the future, it may also check registered custom policy
* types.
*
* @param name the name of the policy type
* @return the corresponding {@link PolicyType}, or {@code null} if no matching type is found
*/
static @Nullable PolicyType fromName(String name) {
return PredefinedPolicyTypes.fromName(name);
}
}
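Review bot: `fromCode` is annotated `@JsonCreator` yet returns null on a miss, so a payload carrying an unrecognised policy type code would presumably deserialize to a null `PolicyType` rather than be rejected; `PredefinedPolicyTypes.fromCode` in the next file has the same annotation and the same contract. For a policy store it is safer to fail at the parsing boundary: keep `fromCode` as the nullable lookup for internal callers and give Jackson a separate creator that throws on an unknown code. If null is the intended JSON behaviour, the Javadoc should state that explicitly.

```java
// … unchanged: fromCode(int) stays the nullable lookup, without @JsonCreator …

@JsonCreator
static PolicyType fromJson(int code) {
  PolicyType type = fromCode(code);
  if (type == null) {
    throw new IllegalArgumentException("Unknown policy type code: " + code);
  }
  return type;
}
```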
@@ -0,0 +1,108 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.polaris.core.policy;

import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonValue;
import com.google.common.collect.ImmutableMap;
import jakarta.annotation.Nullable;

/* Represents all predefined policy types in Polaris */
public enum PredefinedPolicyTypes implements PolicyType {
DATA_COMPACTION(0, "system.data-compaction", true),
Contributor


[doubt] I might be late to this, but why system prefix ?

Contributor Author

@HonahX HonahX Mar 13, 2025


The prefix is to make it consistent with the path of the content schema of these policies, introduced in #969.

METADATA_COMPACTION(1, "system.metadata-compaction", true),
ORPHAN_FILE_REMOVAL(2, "system.orphan-file-removal", true),
SNAPSHOT_RETENTION(3, "system.snapshot-retention", true);

private final int code;
private final String name;
private final boolean isInheritable;
private static final PredefinedPolicyTypes[] REVERSE_CODE_MAPPING_ARRAY;
private static final ImmutableMap<String, PredefinedPolicyTypes> REVERSE_NAME_MAPPING_ARRAY;

static {
int maxId = 0;
for (PredefinedPolicyTypes policyType : PredefinedPolicyTypes.values()) {
if (maxId < policyType.code) {
maxId = policyType.code;
}
}

REVERSE_CODE_MAPPING_ARRAY = new PredefinedPolicyTypes[maxId + 1];
ImmutableMap.Builder<String, PredefinedPolicyTypes> builder = ImmutableMap.builder();
// populate both
for (PredefinedPolicyTypes policyType : PredefinedPolicyTypes.values()) {
REVERSE_CODE_MAPPING_ARRAY[policyType.code] = policyType;
builder.put(policyType.name, policyType);
}
REVERSE_NAME_MAPPING_ARRAY = builder.build();
}

PredefinedPolicyTypes(int code, String name, boolean isInheritable) {
this.code = code;
this.name = name;
this.isInheritable = isInheritable;
}

/** {@inheritDoc} */
@Override
@JsonValue
public int getCode() {
return code;
}

/** {@inheritDoc} */
@Override
public String getName() {
return name;
}

/** {@inheritDoc} */
@Override
public boolean isInheritable() {
return isInheritable;
}

/**
* Retrieves a {@link PredefinedPolicyTypes} instance corresponding to the given type code.
*
* @param code the type code of the predefined policy type
* @return the corresponding {@link PredefinedPolicyTypes}, or {@code null} if no matching type is
* found
*/
@JsonCreator
public static @Nullable PredefinedPolicyTypes fromCode(int code) {
if (code >= REVERSE_CODE_MAPPING_ARRAY.length) {
return null;
}

return REVERSE_CODE_MAPPING_ARRAY[code];
}

/**
* Retrieves a {@link PredefinedPolicyTypes} instance corresponding to the given policy name.
*
* @param name the name of the predefined policy type
* @return the corresponding {@link PredefinedPolicyTypes}, or {@code null} if no matching type is
* found
*/
public static @Nullable PredefinedPolicyTypes fromName(String name) {
return REVERSE_NAME_MAPPING_ARRAY.get(name);
}
}
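Review bot: `fromCode` checks only the upper bound, so a negative code indexes `REVERSE_CODE_MAPPING_ARRAY` directly and throws `ArrayIndexOutOfBoundsException` instead of returning null as its Javadoc promises. The code arrives from a stored property (via `PolicyEntity.getPolicyTypeCode`) and from JSON through `@JsonCreator`, so it should be treated as untrusted input: `if (code < 0 || code >= REVERSE_CODE_MAPPING_ARRAY.length) {`. As a smaller point, `REVERSE_NAME_MAPPING_ARRAY` is an `ImmutableMap`, not an array, so a name like `REVERSE_NAME_MAPPING` would be less misleading.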
Expand Up @@ -105,6 +105,9 @@ public class ResolverTest {
* - (N1/N4)
* - N5/N6/T5
* - N5/N6/T6
* - N7/N8/POL1
* - N7/N8/POL2
* - N7/POL3
* - R1(TABLE_READ on N1/N2, VIEW_CREATE on C, TABLE_LIST on N2, TABLE_DROP on N5/N6/T5)
* - R2(TABLE_WRITE_DATA on N5, VIEW_LIST on C)
* - PR1(R1, R2)
Expand Down Expand Up @@ -230,6 +233,19 @@ void testResolvePath(boolean useCache) {
new ResolverPath(List.of("N5", "N6", "T5"), PolarisEntityType.TABLE_LIKE);
this.resolveDriver(this.cache, "test", N5_N6_T5, null, null);

// N7/N8 which exists
ResolverPath N7_N8 = new ResolverPath(List.of("N7", "N8"), PolarisEntityType.NAMESPACE);
this.resolveDriver(this.cache, "test", N7_N8, null, null);

// N7/N8/POL1 which exists
ResolverPath N7_N8_POL1 =
new ResolverPath(List.of("N7", "N8", "POL1"), PolarisEntityType.POLICY);
this.resolveDriver(this.cache, "test", N7_N8_POL1, null, null);

// N7/POL3 which exists
ResolverPath N7_POL3 = new ResolverPath(List.of("N7", "POL3"), PolarisEntityType.POLICY);
this.resolveDriver(this.cache, "test", N7_POL3, null, null);

// Error scenarios: N5/N6/T8 which does not exists
ResolverPath N5_N6_T8 =
new ResolverPath(List.of("N5", "N6", "T8"), PolarisEntityType.TABLE_LIKE);
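Review bot: The added cases in `testResolvePath` only resolve policies that exist, so nothing pins down what happens when a `POLICY` path is missing or when a policy name is requested under another entity type such as `TABLE_LIKE`. A negative case next to the existing "Error scenarios" block (the N5/N6/T8 one that follows) would cover this, for example a path under N7/N8 with a policy name the fixture does not create, and N7/N8/POL1 requested as `PolarisEntityType.TABLE_LIKE`. N7/N8/POL2 is listed in the class comment but never resolved here; either exercise it or add a comment saying which test uses it. The body of `testResolvePath` starts and ends outside this hunk, so the expected-failure arguments to `resolveDriver` are not visible on this page.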