Google Git
Sign in
apache / polaris / 07fdee4c479f696e9470163091be0214052ab4c0 / . / spec / polaris-catalog-apis / policy-apis.yaml
blob: 9aa15620cf2e69693b3aebcbd750001f9eefc6fe [file] [log] [blame]
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
---
paths:
/polaris/v1/{prefix}/namespaces/{namespace}/policies:
parameters:
- $ref: '../iceberg-rest-catalog-open-api.yaml#/components/parameters/prefix'
- $ref: '../iceberg-rest-catalog-open-api.yaml#/components/parameters/namespace'
post:
tags:
- Policy API
summary: Create a policy in the given namespace
operationId: createPolicy
description: |
Creates a policy within the specified namespace.
A policy defines a set of rules governing actions on specified resources under predefined conditions.
In Apache Polaris, policies are created, stored, and later referenced by external engines to enforce access controls on associated resources.
User provides the following inputs when creating a policy
- `name` (REQUIRED): The name of the policy.
- `type` (REQUIRED): The type of the policy.
- **Predefined Policies:** policies have a `system.*` prefix in their type, such as `system.data_compaction`
- `description` (OPTIONAL): Provides details about the policy's purpose and functionality
- `content` (OPTIONAL): Defines the rules that control actions and access conditions on resources. The format can be JSON, SQL, or any other format.
The content field in the request body is validated using the policy's corresponding validator. The policy is created only if the content passes validation.
Upon successful creation, the new policy's version will be 0.
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/CreatePolicyRequest'
responses:
200:
$ref: '#/components/responses/CreatePolicyResponse'
400:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/BadRequestErrorResponse'
401:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/UnauthorizedResponse'
403:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/ForbiddenResponse'
404:
description: Not Found - The namespace specified does not exist
content:
application/json:
schema:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/schemas/IcebergErrorResponse'
examples:
NamespaceNotFound:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/examples/NoSuchNamespaceError'
409:
description: Conflict - The policy already exists under the given namespace
content:
application/json:
schema:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/schemas/IcebergErrorResponse'
examples:
PolicyAlreadyExists:
$ref: '#/components/examples/PolicyAlreadyExistsError'
503:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/ServiceUnavailableResponse'
5XX:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/ServerErrorResponse'
get:
tags:
- Policy API
summary: List all policy identifiers underneath a given namespace
description: Return all policy identifiers under this namespace. Users can optionally filter the result by policy type
operationId: listPolicies
parameters:
- $ref: '../iceberg-rest-catalog-open-api.yaml#/components/parameters/page-token'
- $ref: '../iceberg-rest-catalog-open-api.yaml#/components/parameters/page-size'
- $ref: '#/components/parameters/policy-type'
responses:
200:
$ref: '#/components/responses/ListPoliciesResponse'
400:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/BadRequestErrorResponse'
401:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/UnauthorizedResponse'
403:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/ForbiddenResponse'
404:
description: Not Found - The namespace specified does not exist
content:
application/json:
schema:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/schemas/IcebergErrorResponse'
examples:
NamespaceNotFound:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/examples/NoSuchNamespaceError'
503:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/ServiceUnavailableResponse'
5XX:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/ServerErrorResponse'
/polaris/v1/{prefix}/namespaces/{namespace}/policies/{policy-name}:
parameters:
- $ref: '../iceberg-rest-catalog-open-api.yaml#/components/parameters/prefix'
- $ref: '../iceberg-rest-catalog-open-api.yaml#/components/parameters/namespace'
- $ref: '#/components/parameters/policy-name'
get:
tags:
- Policy API
summary: Load a policy
operationId: loadPolicy
description: |
Load a policy from the catalog
The response contains the policy's metadata and content. For more details, refer to the definition of the `Policy` model.
responses:
200:
$ref: '#/components/responses/LoadPolicyResponse'
400:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/BadRequestErrorResponse'
401:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/UnauthorizedResponse'
403:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/ForbiddenResponse'
404:
description:
Not Found - NoSuchPolicyException, policy to get does not exist
content:
application/json:
schema:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/schemas/IcebergErrorResponse'
examples:
PolicyToGetDoesNotExist:
$ref: '#/components/examples/NoSuchPolicyError'
503:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/ServiceUnavailableResponse'
5XX:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/ServerErrorResponse'
put:
tags:
- Policy API
summary: Update a policy
operationId: updatePolicy
description: |
Update a policy
A policy's description and content can be updated. The new content is validated against the policy's corresponding validator.
Upon a successful update, the policy's version is incremented by 1.
The update will only succeed if the current version matches the one in the catalog.
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/UpdatePolicyRequest'
responses:
200:
$ref: '#/components/responses/UpdatePolicyResponse'
400:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/BadRequestErrorResponse'
401:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/UnauthorizedResponse'
403:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/ForbiddenResponse'
404:
description:
Not Found - NoSuchPolicyException, policy to get does not exist
content:
application/json:
schema:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/schemas/IcebergErrorResponse'
examples:
PolicyToUpdateDoesNotExist:
$ref: '#/components/examples/NoSuchPolicyError'
409:
description: "The policy version doesn't match the current-policy-version; retry after fetching latest version"
content:
application/json:
schema:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/schemas/IcebergErrorResponse'
examples:
PolicyVersionMismatch:
$ref: '#/components/examples/PolicyVersionMismatchError'
503:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/ServiceUnavailableResponse'
5XX:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/ServerErrorResponse'
delete:
tags:
- Policy API
summary: Drop a policy from the catalog
operationId: dropPolicy
description: |
Remove a policy from the catalog.
A policy can only be dropped if it is not attached to any resource entity. To remove the policy along with all its attachments, set detach-all to true.
parameters:
- name: detach-all
in: query
required: false
description: |
When set to true, the dropPolicy operation will also delete all mappings between the policy and its attached target entities.
schema:
type: boolean
example: false
responses:
204:
description: Success, no content
400:
description: Bad Request - the policy to be dropped is attached to one or more targets and detach-all is not set to true
content:
application/json:
schema:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/schemas/IcebergErrorResponse'
examples:
PolicyInUse:
$ref: '#/components/examples/PolicyInUseError'
401:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/UnauthorizedResponse'
403:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/ForbiddenResponse'
404:
description:
Not Found - NoSuchPolicyException, policy to get does not exist
content:
application/json:
schema:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/schemas/IcebergErrorResponse'
examples:
PolicyToDeleteDoesNotExist:
$ref: '#/components/examples/NoSuchPolicyError'
503:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/ServiceUnavailableResponse'
5XX:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/ServerErrorResponse'
/polaris/v1/{prefix}/namespaces/{namespace}/policies/{policy-name}/mappings:
parameters:
- $ref: '../iceberg-rest-catalog-open-api.yaml#/components/parameters/prefix'
- $ref: '../iceberg-rest-catalog-open-api.yaml#/components/parameters/namespace'
- $ref: '#/components/parameters/policy-name'
put:
tags:
- Policy API
summary: Create a mapping between a policy and a resource entity
operationId: attachPolicy
description: |
Create a mapping between a policy and a resource entity
Policy can be attached to different levels:
1. **Table-like level:** Policies specific to individual tables or views.
2. **Namespace level:** Policies applies to a namespace.
3. **Catalog level:** Policies that applies to a catalog
The ability to attach a policy to a specific entity type is governed by the PolicyValidator. A policy can only be attached if the resource entity is a valid target for the specified policy type.
In addition to the validation rules enforced by the PolicyValidator, there are additional constraints on policy attachment:
1. For inheritable policies, only one policy of the same type can be attached to a given resource entity.
2. For non-inheritable policies, multiple policies of the same type can be attached to the same resource entity without restriction.
For inheritable policies, the inheritance override rule is:
1. Table-like level policies override namespace and catalog policies.
2. Namespace-level policies override upper level namespace or catalog policies.
Additional parameters can be provided in `parameters` when creating a mapping to define specific behavior or constraints.
If the policy is already attached to the target entity, the existing mapping record will be updated with the new set of parameters, replacing the previous ones.
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/AttachPolicyRequest'
responses:
204:
description: Success, no content
400:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/BadRequestErrorResponse'
401:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/UnauthorizedResponse'
403:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/ForbiddenResponse'
404:
description:
Not Found - NoSuchPolicyException, NoSuchTargetException
content:
application/json:
schema:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/schemas/IcebergErrorResponse'
examples:
PolicyToSetDoesNotExist:
$ref: '#/components/examples/NoSuchPolicyError'
TargetToSetDoesNotExist:
$ref: '#/components/examples/NoSuchTargetError'
409:
description: Conflict - The policy type is inheritable and there is already a policy of the same type attached to the target entity
content:
application/json:
schema:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/schemas/IcebergErrorResponse'
examples:
AnotherPolicyOfSameInheritableAttached:
$ref: '#/components/examples/ConflictPolicyAttachmentError'
503:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/ServiceUnavailableResponse'
5XX:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/ServerErrorResponse'
post:
tags:
- Policy API
summary: Remove a mapping between a policy and a target entity
operationId: detachPolicy
description: |
Remove a mapping between a policy and a target entity
A target entity can be a catalog, namespace, table or view.
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/DetachPolicyRequest'
responses:
204:
description: Success, no content
400:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/BadRequestErrorResponse'
401:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/UnauthorizedResponse'
403:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/ForbiddenResponse'
404:
description:
Not Found - NoSuchPolicyException, NoSuchTargetException, NoSuchMappingException
content:
application/json:
schema:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/schemas/IcebergErrorResponse'
examples:
PolicyToUnsetDoesNotExist:
$ref: '#/components/examples/NoSuchPolicyError'
TargetToUnsetDoesNotExist:
$ref: '#/components/examples/NoSuchTargetError'
MappingToUnsetDoesNotExist:
$ref: '#/components/examples/NoSuchMappingError'
503:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/ServiceUnavailableResponse'
5XX:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/ServerErrorResponse'
/polaris/v1/{prefix}/applicable-policies:
parameters:
- $ref: '../iceberg-rest-catalog-open-api.yaml#/components/parameters/prefix'
get:
tags:
- Policy API
summary: Get Applicable policies for catalog, namespace, table, or views
operationId: getApplicablePolicies
description: |
Retrieves all applicable policies for a specified entity, including inherited policies from parent entities. An entity can be a table/view, namespace, or catalog. The required parameters depend on the entity type:
- Table/View:
- The `namespace` parameter is required to specify the entity's namespace.
- The `target-name` parameter is required to specify the entity name.
- Namespace:
- The `namespace` parameter is required to specify the identifier.
- The `target-name` parameter should not be set.
- Catalog:
- Neither `namespace` nor `target-name` should be set.
An optional policyType parameter filters results to return only policies of the specified type.
This API evaluates the entity's hierarchy and applies inheritable policies from parent entities. The inheritance follows the following override rule:
1. Table-like level policies override namespace and catalog policies.
2. Namespace-level policies override upper level namespace or catalog policies.
parameters:
- $ref: '../iceberg-rest-catalog-open-api.yaml#/components/parameters/page-token'
- $ref: '../iceberg-rest-catalog-open-api.yaml#/components/parameters/page-size'
- name: namespace
in: query
required: false
description:
A namespace identifier as a single string.
Multipart namespace parts should be separated by the unit separator (`0x1F`) byte.
schema:
type: string
examples:
singlepart_namespace:
value: "accounting"
multipart_namespace:
value: "accounting%1Ftax"
- name: target-name
in: query
required: false
description: Name of the target table/view
schema:
type: string
example: "test_table"
- $ref: '#/components/parameters/policy-type'
responses:
200:
$ref: '#/components/responses/GetApplicablePoliciesResponse'
400:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/BadRequestErrorResponse'
401:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/UnauthorizedResponse'
403:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/ForbiddenResponse'
404:
description:
Not Found
- NoSuchTableException, target table does not exist
- NoSuchViewException, target view does not exist
- NoSuchNamespaceException, target namespace does not exist
content:
application/json:
schema:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/schemas/IcebergErrorResponse'
examples:
TargetTableDoesNotExist:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/examples/NoSuchTableError'
TargetViewDoesNotExist:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/examples/NoSuchViewError'
TargetNamespaceDoesNotExist:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/examples/NoSuchNamespaceError'
503:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/ServiceUnavailableResponse'
5XX:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/responses/ServerErrorResponse'
components:
parameters:
policy-name:
name: policy-name
in: path
required: true
schema:
$ref: '#/components/schemas/PolicyName'
policy-type:
name: policyType
in: query
required: false
allowEmptyValue: true
schema:
$ref: '#/components/schemas/PolicyType'
schemas:
PolicyType:
description: The type of a policy
type: string
nullable: true
example: system.data-compaction
PolicyName:
type: string
description:
A policy name. A valid policy name should only consist of uppercase and lowercase letters (A-Z, a-z),
digits (0-9), hyphens (-), underscores (_).
pattern: '^[A-Za-z0-9\-_]+$'
example: 'compaction'
Policy:
type: object
description: |
A policy in Apache Polaris defines a set of rules for governing access, data usage, and operational consistency across various catalog resources.
Policies are stored within Polaris and can be attached to catalogs, namespaces, tables, or views.
For example, they can be used for fine-grained control over who can perform specific actions on certain resources.
The policy object includes
- **policy-type:** The type of the policy, which determines the expected format and semantics of the policy content.
- **inheritable:** A boolean flag indicating whether the policy is inheritable.
- **name:** A human-readable name for the policy, which must be unique within a given namespace.
- **description:** Detailed description of the purpose and functionalities of the policy.
- **content:** Policy content, which can be validated against predefined schemas of a policy type.
- **version:** Indicates the current version of the policy. Versions increased monotonically, the default value is 0
Policies stored in Polaris serve as the persistent definition for access control and governance rules.
required:
- policy-type
- name
- version
- inheritable
properties:
policy-type:
type: string
inheritable:
type: boolean
name:
$ref: '#/components/schemas/PolicyName'
description:
type: string
content:
type: string
version:
type: integer
ApplicablePolicy:
allOf:
- type: object
description: |
For policies returned by GetApplicablePolicies, there are 2 additional fields
- **inherited:** A boolean flag indicating whether the policy is inherited from target's parents. For non-inheritable policy, it should always be `false`.
- **namespace:** A list representing the hierarchical parent path to the policy, ordered from higher level namespace to lower.
required:
- inherited
- namespace
properties:
inherited:
type: boolean
default: false
namespace:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/schemas/Namespace'
- $ref: '#/components/schemas/Policy'
CreatePolicyRequest:
type: object
required:
- name
- type
properties:
name:
$ref: '#/components/schemas/PolicyName'
type:
type: string
description:
type: string
content:
type: string
LoadPolicyResponse:
type: object
properties:
policy:
$ref: '#/components/schemas/Policy'
UpdatePolicyRequest:
type: object
properties:
description:
type: string
content:
type: string
current-policy-version:
type: integer
AttachPolicyRequest:
type: object
required:
- target
properties:
target:
$ref: '#/components/schemas/PolicyAttachmentTarget'
parameters:
type: object
additionalProperties:
type: string
DetachPolicyRequest:
type: object
required:
- target
properties:
target:
$ref: '#/components/schemas/PolicyAttachmentTarget'
PolicyAttachmentTarget:
type: object
required:
- type
properties:
type:
type: string
description: |
Policy can be attached to different levels:
1. table-like: Policies specific to individual tables or views.
2. namespace: Policies applies to a namespace.
3. catalog: Policies that applies to a catalog
enum:
- catalog
- namespace
- table-like
example: table-like
path:
type: array
items:
type: string
description: |
A list representing the hierarchical path to the target, ordered from the namespace level down to the entity.
If the target is catalog, the path should be either empty or not set.
example: ["NS1", "NS2", "test_table_1"]
PolicyIdentifier:
type: object
required:
- namespace
- name
properties:
namespace:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/schemas/Namespace'
name:
type: string
nullable: false
ListPoliciesResponse:
type: object
properties:
next-page-token:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/schemas/PageToken'
identifiers:
type: array
uniqueItems: true
items:
$ref: '#/components/schemas/PolicyIdentifier'
GetApplicablePoliciesResponse:
type: object
required:
- applicable-policies
properties:
next-page-token:
$ref: '../iceberg-rest-catalog-open-api.yaml#/components/schemas/PageToken'
applicable-policies:
type: array
uniqueItems: true
items:
$ref: '#/components/schemas/ApplicablePolicy'
responses:
CreatePolicyResponse:
description: Policy object result after creating a policy
content:
application/json:
schema:
$ref: '#/components/schemas/LoadPolicyResponse'
LoadPolicyResponse:
description: Policy object result when getting a policy
content:
application/json:
schema:
$ref: '#/components/schemas/LoadPolicyResponse'
UpdatePolicyResponse:
description:
Response used when a policy is successfully updated
The updated policy JSON is returned in the policy field
content:
application/json:
schema:
$ref: '#/components/schemas/LoadPolicyResponse'
ListPoliciesResponse:
description: a list of policy identifiers
content:
application/json:
schema:
$ref: '#/components/schemas/ListPoliciesResponse'
examples:
ListPoliciesResponseNonEmpty:
$ref: '#/components/examples/ListPoliciesNonEmptyExample'
ListPoliciesResponseEmpty:
$ref: '#/components/examples/ListPoliciesEmptyExample'
GetApplicablePoliciesResponse:
description: A list of policies applicable to the table
content:
application/json:
schema:
$ref: '#/components/schemas/GetApplicablePoliciesResponse'
examples:
NoSuchPolicyError:
summary: The requested policy does not exist
value: {
"error": {
"message": "The given policy does not exist",
"type": "NoSuchPolicyException",
"code": 404
}
}
PolicyAlreadyExistsError:
summary: The requested policy identifier already exists
value: {
"error": {
"message": "The given policy already exists",
"type": "AlreadyExistsException",
"code": 409
}
}
PolicyVersionMismatchError:
summary: The policy version doesn't match the current-policy-version
value: {
"error": {
"message": "The policy version doesn't match the current-policy-version",
"type": "PolicyVersionMismatchException",
"code": 409
}
}
NoSuchTargetError:
summary: The requested target does not exist
value: {
"error": {
"message": "The given target does not exist",
"type": "NoSuchTargetException",
"code": 404
}
}
NoSuchMappingError:
summary: The requested mapping between policy and target does not exist
value: {
"error": {
"message": "The given mapping between policy and target does not exist",
"type": "NoSuchMappingException",
"code": 404
}
}
PolicyInUseError:
summary: The policy is attached to one or more targets
value: {
"error": {
"message": "The policy is attached to one or more targets",
"type": "PolicyInUseException",
"code": 400
}
}
ConflictPolicyAttachmentError:
summary: The policy type is inheritable and there is already a policy of the same type attached to the target entity
value: {
"error": {
"message": "The policy type is inheritable and there is already a policy of the same type attached to the target entity",
"type": "ConflictPolicyAttachmentException",
"code": 409
}
}
ListPoliciesNonEmptyExample:
summary: A non-empty list of policy identifiers
value:
identifiers:
- namespace:
- accounting
- tax
name: policy1
- namespace:
- accounting
- tax
name: policy2
ListPoliciesEmptyExample:
summary: An empty list for a namespace with no policies
value:
identifiers: [ ]