Site: Add a page for policy management #1600
Conversation
flyrain
requested review from
adutra,
ashvina,
dennishuo,
dimas-b,
eric-maynard,
jackye1995,
jbonofre,
vvcephei,
collado-mike,
snazy,
RussellSpitzer,
takidau,
MonkeyCanCode,
ebyhr,
HonahX,
singhpk234 and
pingtimeout
as code owners
|
|
||
| - **Custom policy types**: Can be defined for specific organizational needs (WIP) | ||
|
|
||
| - **FGAC (Fine-Grained Access Control) policies**: Row filtering and column masking (WIP) |
There was a problem hiding this comment.
| - **FGAC (Fine-Grained Access Control) policies**: Row filtering and column masking (WIP) | |
| - **FGAC (Fine-Grained Access Control) policies**: Row filtering, column masking, column hiding (WIP) |
|
|
||
| ### Retrieving Applicable Policies | ||
|
|
||
| Here is an example to find all policies that apply to a specific resource (including inherited policies): |
There was a problem hiding this comment.
should we also mention the RBAC comes into picture ? as not every one can see all the policies applicable to a resource, for ex i think in current implementation we need to require permission on a resource to see the policy applicable ?
|
|
||
| Policies can be inheritable or non-inheritable: | ||
|
|
||
| - **Inheritable policies**: Apply to the target resource and all its child resources |
There was a problem hiding this comment.
[doubt] is it possible to define the child resources type it needs to be applicable to ? for ex what would remove-orphans means for a view or generic tables ?
There was a problem hiding this comment.
That's a good point. Let me clarify a bit.
|
|
||
| ## What is a Policy? | ||
|
|
||
| A policy in Apache Polaris is a structured object that defines rules governing actions on specified resources under |
There was a problem hiding this comment.
[optional]
| A policy in Apache Polaris is a structured object that defines rules governing actions on specified resources under | |
| A policy in Apache Polaris is a structured entity that defines rules governing actions on specified resources under |
| - **Custom policy types**: Can be defined for specific organizational needs (WIP) | ||
|
|
||
| - **FGAC (Fine-Grained Access Control) policies**: Row filtering, column masking, column hiding (WIP) |
There was a problem hiding this comment.
IMHO, the site contains only the features/concepts that has been finalized and implemented, but I also that mentioning these features here can help form a better understanding of the general scope of policy. Should we phrase this more generally, such as: 'Support for additional predefined system policy types and custom policy type definitions is in progress. For more details, please refer to the roadmap.' This way, we avoid over-sharing implementation details while still giving users a clear sense of the feature scope.
There was a problem hiding this comment.
I think calling FGAC out explicitly will provide a clear picture of what we are trying to do, as the questions about FGAC policy will come up naturally from anyone who understand policies. However, I'm OK with either way. Let me know if you strongly feel which way is better. I can make the changes correspondently.
There was a problem hiding this comment.
That makes total sense—thanks for the clear explanation! My main concern was that listing those three specific FGAC policy types might give the impression that the community has already made concrete decisions on the direction. Maybe we could just mark them as tentative examples to make it clearer they're still under discussion (i.e. extends the WIP a little bit)?
| - **`system.data-compaction`**: Defines rules for data compaction operations | ||
| - Schema Definition: @https://polaris.apache.org/schemas/policies/system/data-compaction/2025-02-03.json | ||
| - Controls file compaction to optimize storage and query performance | ||
|
|
There was a problem hiding this comment.
| Applicable resources: Iceberg table, namespace, catalog |
| read permission on that resource. The permission model may be enhanced in the future when Fine-Grained Access Control | ||
| policy is introduced, which will provide more granular control over policy visibility and management. |
There was a problem hiding this comment.
should we skip this part for now ? as its bit too much info.
| read permission on that resource. The permission model may be enhanced in the future when Fine-Grained Access Control | |
| policy is introduced, which will provide more granular control over policy visibility and management. | |
| read permission on that resource. |
| } | ||
| ``` | ||
|
|
||
| The policy content is validated against a schema specific to its type. Here are a few policy content examples |
There was a problem hiding this comment.
| The policy content is validated against a schema specific to its type. Here are a few policy content examples | |
| The policy content is validated against a schema specific to its type. Here are a few policy content examples: |
| } | ||
| ``` | ||
|
|
||
| For inheritable policies, only one policy of a given type can be attached to a resource. For non-inheritable policies, multiple policies of the same type can be attached. |
There was a problem hiding this comment.
[not requesting change]: is there a document about why this is the case?
| Polaris supports several predefined system policy types (prefixed with `system.`): | ||
|
|
||
| - **`system.data-compaction`**: Defines rules for data compaction operations | ||
| - Schema Definition: @https://polaris.apache.org/schemas/policies/system/data-compaction/2025-02-03.json |
There was a problem hiding this comment.
question: what does the "@" do for links in this framework?
No description provided.