Hide policy attachment behind a config

Author: singhpk234

polaris-core/src/main/java/org/apache/polaris/core/config/FeatureConfiguration.java

@@ -349,4 +349,15 @@ public static void enforceFeatureEnabledOrThrow(
                   + "it is still possible to enforce the uniqueness of table locations within a catalog.")
           .defaultValue(false)
           .buildFeatureConfiguration();
+
+  public static final FeatureConfiguration<Boolean>
+      ALLOW_ATTACHING_FINE_GRAINED_POLICIES_TO_ENTITIES =
+          PolarisConfiguration.<Boolean>builder()
+              .key("ALLOW_ATTACHING_FINE_GRAINED_POLICIES_TO_ENTITIES_ENABLED")
+              .catalogConfig(
+                  "polaris.config.allow-attaching-fine-grained-policies-to-entities.enabled")
+              .description(
+                  "If set to true, fine grained access control policies can be attached to entities.")
+              .defaultValue(false)
+              .buildFeatureConfiguration();
 }

polaris-core/src/main/java/org/apache/polaris/core/policy/validator/PolicyValidators.java

@@ -19,6 +19,8 @@
 package org.apache.polaris.core.policy.validator;
 
 import com.google.common.base.Preconditions;
+import org.apache.polaris.core.config.FeatureConfiguration;
+import org.apache.polaris.core.context.CallContext;
 import org.apache.polaris.core.entity.PolarisEntity;
 import org.apache.polaris.core.policy.PolicyEntity;
 import org.apache.polaris.core.policy.PredefinedPolicyTypes;
@@ -84,7 +86,8 @@ public static void validate(PolicyEntity policy) {
    * @param targetEntity the target Polaris entity to attach the policy to
    * @return {@code true} if the policy is attachable to the target entity; {@code false} otherwise
    */
-  public static boolean canAttach(PolicyEntity policy, PolarisEntity targetEntity) {
+  public static boolean canAttach(
+      CallContext callContext, PolicyEntity policy, PolarisEntity targetEntity) {
     Preconditions.checkNotNull(policy, "Policy must not be null");
     Preconditions.checkNotNull(targetEntity, "Target entity must not be null");
 
@@ -103,17 +106,19 @@ public static boolean canAttach(PolicyEntity policy, PolarisEntity targetEntity)
         return BaseMaintenancePolicyValidator.INSTANCE.canAttach(entityType, entitySubType);
 
       case ACCESS_CONTROL:
-        // TODO: Add validator for attaching this only to table
-        return true;
+        return callContext
+            .getRealmConfig()
+            .getConfig(FeatureConfiguration.ALLOW_ATTACHING_FINE_GRAINED_POLICIES_TO_ENTITIES);
 
       default:
         LOGGER.warn("Attachment not supported for policy type: {}", policyType.getName());
         return false;
     }
   }
 
-  public static void validateAttach(PolicyEntity policy, PolarisEntity targetEntity) {
-    if (!canAttach(policy, targetEntity)) {
+  public static void validateAttach(
+      CallContext callContext, PolicyEntity policy, PolarisEntity targetEntity) {
+    if (!canAttach(callContext, policy, targetEntity)) {
       throw new PolicyAttachException(
           "Cannot attach policy '%s' to target entity '%s'",
           policy.getName(), targetEntity.getName());

polaris-core/src/test/java/org/apache/polaris/core/policy/PolicyValidatorsTest.java

@@ -23,9 +23,14 @@
 import static org.apache.polaris.core.policy.PredefinedPolicyTypes.DATA_COMPACTION;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
 
 import org.apache.iceberg.catalog.Namespace;
 import org.apache.iceberg.catalog.TableIdentifier;
+import org.apache.polaris.core.config.FeatureConfiguration;
+import org.apache.polaris.core.config.RealmConfig;
+import org.apache.polaris.core.context.CallContext;
 import org.apache.polaris.core.entity.CatalogEntity;
 import org.apache.polaris.core.entity.NamespaceEntity;
 import org.apache.polaris.core.entity.PrincipalEntity;
@@ -38,6 +43,7 @@ public class PolicyValidatorsTest {
   Namespace ns = Namespace.of("NS1");
   TableIdentifier tableIdentifier = TableIdentifier.of(ns, "table1");
   PolicyEntity policyEntity = new PolicyEntity.Builder(ns, "pn", DATA_COMPACTION).build();
+  CallContext callContext = mock(CallContext.class);
 
   @Test
   public void testInvalidPolicy() {
@@ -92,22 +98,22 @@ public void testValidPolicy() {
   @Test
   public void testCanAttachReturnsTrueForCatalogType() {
     var targetEntity = new CatalogEntity.Builder().build();
-    var result = PolicyValidators.canAttach(policyEntity, targetEntity);
+    var result = PolicyValidators.canAttach(callContext, policyEntity, targetEntity);
     assertThat(result).isTrue().as("Expected canAttach() to return true for CATALOG type");
   }
 
   @Test
   public void testCanAttachReturnsTrueForNamespaceType() {
     var targetEntity = new NamespaceEntity.Builder(ns).build();
-    var result = PolicyValidators.canAttach(policyEntity, targetEntity);
+    var result = PolicyValidators.canAttach(callContext, policyEntity, targetEntity);
     assertThat(result).isTrue().as("Expected canAttach() to return true for CATALOG type");
   }
 
   @Test
   public void testCanAttachReturnsTrueForIcebergTableLikeWithTableSubtype() {
     var targetEntity =
         new IcebergTableLikeEntity.Builder(tableIdentifier, "").setSubType(ICEBERG_TABLE).build();
-    var result = PolicyValidators.canAttach(policyEntity, targetEntity);
+    var result = PolicyValidators.canAttach(callContext, policyEntity, targetEntity);
     assertThat(result)
         .isTrue()
         .as("Expected canAttach() to return true for ICEBERG_TABLE_LIKE with TABLE subtype");
@@ -117,7 +123,7 @@ public void testCanAttachReturnsTrueForIcebergTableLikeWithTableSubtype() {
   public void testCanAttachReturnsFalseForIcebergTableLikeWithNonTableSubtype() {
     var targetEntity =
         new IcebergTableLikeEntity.Builder(tableIdentifier, "").setSubType(ICEBERG_VIEW).build();
-    var result = PolicyValidators.canAttach(policyEntity, targetEntity);
+    var result = PolicyValidators.canAttach(callContext, policyEntity, targetEntity);
     assertThat(result)
         .isFalse()
         .as("Expected canAttach() to return false for ICEBERG_TABLE_LIKE with non-TABLE subtype");
@@ -126,7 +132,36 @@ public void testCanAttachReturnsFalseForIcebergTableLikeWithNonTableSubtype() {
   @Test
   public void testCanAttachReturnsFalseForUnattachableType() {
     var targetEntity = new PrincipalEntity.Builder().build();
-    var result = PolicyValidators.canAttach(policyEntity, targetEntity);
+    var result = PolicyValidators.canAttach(callContext, policyEntity, targetEntity);
     assertThat(result).isFalse().as("Expected canAttach() to return false for null");
   }
+
+  @Test
+  public void testCanAttachAccessControlPolicy() {
+    // Arrange
+    Namespace ns = Namespace.of("NS1");
+    TableIdentifier tableId = TableIdentifier.of(ns, "table1");
+    PolicyEntity policy =
+        new PolicyEntity.Builder(ns, "acp", PredefinedPolicyTypes.ACCESS_CONTROL)
+            .setContent("{\"columnProjections\":[\"col1\"],\"rowFilters\":[]}")
+            .build();
+
+    // Mock CallContext and RealmConfiguration
+    var realmConfig = mock(RealmConfig.class);
+    when(callContext.getRealmConfig()).thenReturn(realmConfig);
+    when(realmConfig.getConfig(
+            FeatureConfiguration.ALLOW_ATTACHING_FINE_GRAINED_POLICIES_TO_ENTITIES))
+        .thenReturn(true);
+
+    // Use a valid table entity
+    var tableEntity =
+        new IcebergTableLikeEntity.Builder(tableId, "")
+            .setSubType(org.apache.polaris.core.entity.PolarisEntitySubType.ICEBERG_TABLE)
+            .build();
+    boolean canAttach =
+        org.apache.polaris.core.policy.validator.PolicyValidators.canAttach(
+            callContext, policy, tableEntity);
+
+    assertThat(canAttach).isTrue();
+  }
 }

runtime/service/src/main/java/org/apache/polaris/service/catalog/policy/PolicyCatalog.java

@@ -304,7 +304,7 @@ public boolean attachPolicy(
     var targetCatalogPath = PolarisEntity.toCoreList(resolvedTargetPath.getRawParentPath());
     var targetEntity = resolvedTargetPath.getRawLeafEntity();
 
-    PolicyValidators.validateAttach(policyEntity, targetEntity);
+    PolicyValidators.validateAttach(callContext, policyEntity, targetEntity);
 
     var result =
         metaStoreManager.attachPolicyToEntity(

runtime/service/src/test/java/org/apache/polaris/service/catalog/Profiles.java

@@ -38,6 +38,8 @@ public Map<String, String> getConfigOverrides() {
           "polaris.event-listener.type",
           "test",
           "polaris.readiness.ignore-severe-issues",
+          "true",
+          "polaris.features.\"ALLOW_ATTACHING_FINE_GRAINED_POLICIES_TO_ENTITIES_ENABLED\"",
           "true");
     }
   }