Part 1 : Adds RLS and CLS control Policies

polaris-core/src/main/java/org/apache/polaris/core/config/FeatureConfiguration.java

@@ -349,4 +349,24 @@ public static void enforceFeatureEnabledOrThrow(
                   + "it is still possible to enforce the uniqueness of table locations within a catalog.")
           .defaultValue(false)
           .buildFeatureConfiguration();
+
+  public static final FeatureConfiguration<Boolean> FINE_GRAINED_ACCESS_CONTROL_POLICIES =
+      PolarisConfiguration.<Boolean>builder()
+          .key("FINE_GRAINED_ACCESS_CONTROL_POLICIES")
+          .catalogConfig("polaris.config.fine-grained-access-control-policies.enabled")
+          .description(
+              "If set to true, fine grained access control policies can be created, updated, deleted.")
+          .defaultValue(false)
+          .buildFeatureConfiguration();
+
+  public static final FeatureConfiguration<Boolean>
+      ALLOW_ATTACHING_FINE_GRAINED_POLICIES_TO_ENTITIES =
+          PolarisConfiguration.<Boolean>builder()
+              .key("ALLOW_ATTACHING_FINE_GRAINED_POLICIES_TO_ENTITIES_ENABLED")
+              .catalogConfig(
+                  "polaris.config.allow-attaching-fine-grained-policies-to-entities.enabled")
+              .description(
+                  "If set to true, fine grained access control policies can be attached to entities.")
+              .defaultValue(false)
+              .buildFeatureConfiguration();
 }

polaris-core/src/main/java/org/apache/polaris/core/policy/AccessControlPolicyUtil.java

@@ -0,0 +1,157 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.polaris.core.policy;
+
+import static org.apache.polaris.core.policy.PredefinedPolicyTypes.ACCESS_CONTROL;
+
+import com.google.common.collect.Lists;
+import java.util.List;
+import org.apache.iceberg.expressions.Expression;
+import org.apache.iceberg.expressions.ExpressionVisitors;
+import org.apache.iceberg.expressions.Expressions;
+import org.apache.iceberg.expressions.UnboundPredicate;
+import org.apache.polaris.core.auth.AuthenticatedPolarisPrincipal;
+import org.apache.polaris.core.policy.content.AccessControlPolicyContent;
+import org.apache.polaris.core.policy.validator.InvalidPolicyException;
+
+public class AccessControlPolicyUtil {
+  private AccessControlPolicyUtil() {}
+
+  // context variables used in access control policies
+  public static final String CURRENT_PRINCIPAL_ROLE = "$current_principal_role";
+  public static final String CURRENT_PRINCIPAL = "$current_principal";
+
+  public static String replaceContextVariable(
+      String content, PolicyType policyType, AuthenticatedPolarisPrincipal authenticatedPrincipal) {
+    if (policyType == ACCESS_CONTROL) {
+      try {
+        AccessControlPolicyContent policyContent = AccessControlPolicyContent.fromString(content);
+        List<Expression> evaluatedRowFilterExpressions = Lists.newArrayList();
+
+        for (Expression rowFilterExpression : policyContent.getRowFilters()) {
+          Expression evaluatedExpression =
+              ExpressionVisitors.visit(
+                  rowFilterExpression,
+                  new ContextVariableReplacementVisitor(authenticatedPrincipal));
+          evaluatedRowFilterExpressions.add(evaluatedExpression);
+        }
+
+        // also nullify the principal role.
+        policyContent.setPrincipalRole(null);
+        policyContent.setRowFilters(evaluatedRowFilterExpressions);
+        return AccessControlPolicyContent.toString(policyContent);
+      } catch (Exception e) {
+        throw new InvalidPolicyException(
+            "Invalid access control policy content: " + e.getMessage(), e);
+      }
+    }
+    return content;
+  }
+
+  public static boolean filterApplicablePolicy(
+      PolicyEntity policyEntity, AuthenticatedPolarisPrincipal authenticatedPrincipal) {
+    if (policyEntity.getPolicyType().equals(ACCESS_CONTROL)) {
+      AccessControlPolicyContent content =
+          AccessControlPolicyContent.fromString(policyEntity.getContent());
+      String applicablePrincipal = content.getPrincipalRole();
+      return applicablePrincipal == null
+          || authenticatedPrincipal.getActivatedPrincipalRoleNames().isEmpty()
+          || authenticatedPrincipal
+              .getActivatedPrincipalRoleNames()
+              .contains(content.getPrincipalRole());
+    }
+
+    return true;
+  }
+
+  /** Expression visitor that replaces context variables with evaluated expressions */
+  private static class ContextVariableReplacementVisitor
+      extends ExpressionVisitors.ExpressionVisitor<Expression> {
+    private final AuthenticatedPolarisPrincipal authenticatedPrincipal;
+
+    public ContextVariableReplacementVisitor(AuthenticatedPolarisPrincipal authenticatedPrincipal) {
+      this.authenticatedPrincipal = authenticatedPrincipal;
+    }
+
+    @Override
+    public <T> Expression predicate(UnboundPredicate<T> pred) {
+      String refName = pred.ref().name();
+
+      if (CURRENT_PRINCIPAL_ROLE.equals(refName)) {
+        return evaluateCurrentPrincipalRole(pred);
+      } else if (CURRENT_PRINCIPAL.equals(refName)) {
+        return evaluateCurrentPrincipal(pred);
+      }
+
+      // Return the original predicate if it doesn't reference context variables
+      return pred;
+    }
+
+    @Override
+    public Expression alwaysTrue() {
+      return Expressions.alwaysTrue();
+    }
+
+    @Override
+    public Expression alwaysFalse() {
+      return Expressions.alwaysFalse();
+    }
+
+    @Override
+    public Expression not(Expression result) {
+      return Expressions.not(result);
+    }
+
+    @Override
+    public Expression and(Expression leftResult, Expression rightResult) {
+      return Expressions.and(leftResult, rightResult);
+    }
+
+    @Override
+    public Expression or(Expression leftResult, Expression rightResult) {
+      return Expressions.or(leftResult, rightResult);
+    }
+
+    private Expression evaluateCurrentPrincipalRole(UnboundPredicate<?> pred) {
+      String val = (String) pred.literal().value();
+      boolean containsRole = authenticatedPrincipal.getActivatedPrincipalRoleNames().contains(val);
+
+      return getExpression(pred, containsRole);
+    }
+
+    private Expression evaluateCurrentPrincipal(UnboundPredicate<?> pred) {
+      String val = (String) pred.literal().value();
+      boolean principalMatches = authenticatedPrincipal.getName().equals(val);
+
+      return getExpression(pred, principalMatches);
+    }
+
+    private Expression getExpression(UnboundPredicate<?> pred, boolean principalMatches) {
+      if (pred.op().equals(Expression.Operation.EQ)) {
+        return principalMatches ? Expressions.alwaysTrue() : Expressions.alwaysFalse();
+      } else if (pred.op().equals(Expression.Operation.NOT_EQ)) {
+        return principalMatches ? Expressions.alwaysFalse() : Expressions.alwaysTrue();
+      } else {
+        // For other operations, return the original predicate
+        return pred;
+      }
+    }
+  }
+}

polaris-core/src/main/java/org/apache/polaris/core/policy/PredefinedPolicyTypes.java

@@ -28,7 +28,8 @@ public enum PredefinedPolicyTypes implements PolicyType {
   DATA_COMPACTION(0, "system.data-compaction", true),
   METADATA_COMPACTION(1, "system.metadata-compaction", true),
   ORPHAN_FILE_REMOVAL(2, "system.orphan-file-removal", true),
-  SNAPSHOT_EXPIRY(3, "system.snapshot-expiry", true);
+  SNAPSHOT_EXPIRY(3, "system.snapshot-expiry", true),
+  ACCESS_CONTROL(4, "system.access-control", false);
 
   private final int code;
   private final String name;

polaris-core/src/main/java/org/apache/polaris/core/policy/content/AccessControlPolicyContent.java

@@ -0,0 +1,120 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.polaris.core.policy.content;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import com.fasterxml.jackson.databind.annotation.JsonSerialize;
+import com.google.common.base.Strings;
+import java.util.List;
+import java.util.Set;
+import org.apache.iceberg.expressions.Expression;
+import org.apache.polaris.core.policy.validator.InvalidPolicyException;
+
+public class AccessControlPolicyContent implements PolicyContent {
+
+  // Optional, if there means policies is applicable to the role
+  private String principalRole;
+
+  // TODO: model them as iceberg transforms
+  private List<String> columnProjections;
+
+  // Iceberg expressions without context functions for now.
+  // Use a custom deserializer for the list of Iceberg Expressions
+  @JsonDeserialize(using = IcebergExpressionListDeserializer.class)
+  @JsonSerialize(using = IcebergExpressionListSerializer.class)
+  private List<Expression> rowFilters;
+
+  private static final String DEFAULT_POLICY_SCHEMA_VERSION = "2025-02-03";
+  private static final Set<String> POLICY_SCHEMA_VERSIONS = Set.of(DEFAULT_POLICY_SCHEMA_VERSION);
+
+  public static AccessControlPolicyContent fromString(String content) {
+    if (Strings.isNullOrEmpty(content)) {
+      throw new InvalidPolicyException("Policy is empty");
+    }
+
+    AccessControlPolicyContent policy;
+    try {
+      policy = PolicyContentUtil.MAPPER.readValue(content, AccessControlPolicyContent.class);
+    } catch (Exception e) {
+      throw new InvalidPolicyException(e);
+    }
+
+    boolean isProjectionsEmpty =
+        policy.getColumnProjections() == null || policy.getColumnProjections().isEmpty();
+    boolean isRowFilterEmpty = policy.getRowFilters() == null || policy.getRowFilters().isEmpty();
+    if (isProjectionsEmpty && isRowFilterEmpty) {
+      throw new InvalidPolicyException("Policy must contain 'columnProjections' or 'rowFilters'.");
+    }
+
+    return policy;
+  }
+
+  public static String toString(AccessControlPolicyContent content) {
+    if (content == null) {
+      return null;
+    }
+    try {
+      return PolicyContentUtil.MAPPER.writeValueAsString(content);
+    } catch (JsonProcessingException e) {
+      throw new InvalidPolicyException("Failed to convert policy content to JSON string", e);
+    }
+  }
+
+  // Constructors, getters, and setters
+  public AccessControlPolicyContent() {}
+
+  public String getPrincipalRole() {
+    return principalRole;
+  }
+
+  public void setPrincipalRole(String principalRole) {
+    this.principalRole = principalRole;
+  }
+
+  public List<String> getColumnProjections() {
+    return columnProjections;
+  }
+
+  public void setAllowedColumns(List<String> columnProjections) {
+    this.columnProjections = columnProjections;
+  }
+
+  public List<Expression> getRowFilters() {
+    return rowFilters;
+  }
+
+  public void setRowFilters(List<Expression> rowFilters) {
+    this.rowFilters = rowFilters;
+  }
+
+  @Override
+  public String toString() {
+    return "AccessControlPolicyContent{"
+        + "principalRole='"
+        + principalRole
+        + '\''
+        + ", columnProjections="
+        + columnProjections
+        + ", rowFilters="
+        + rowFilters
+        + '}';
+  }
+}

polaris-core/src/main/java/org/apache/polaris/core/policy/content/IcebergExpressionListDeserializer.java

@@ -0,0 +1,49 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.polaris.core.policy.content;
+
+import com.fasterxml.jackson.core.JsonParser;
+import com.fasterxml.jackson.databind.DeserializationContext;
+import com.fasterxml.jackson.databind.JsonDeserializer;
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+import org.apache.iceberg.expressions.Expression;
+import org.apache.iceberg.expressions.ExpressionParser;
+
+public class IcebergExpressionListDeserializer extends JsonDeserializer<List<Expression>> {
+  @Override
+  public List<Expression> deserialize(JsonParser p, DeserializationContext ctxt)
+      throws IOException {
+    ObjectMapper mapper = (ObjectMapper) p.getCodec();
+    JsonNode node = mapper.readTree(p);
+
+    List<Expression> expressions = new ArrayList<>();
+    if (node.isArray()) {
+      for (JsonNode element : node) {
+        // Convert each JSON element back to a string and pass it to ExpressionParser.fromJson
+        expressions.add(ExpressionParser.fromJson(mapper.writeValueAsString(element)));
+      }
+    }
+    return expressions;
+  }
+}