Replace context

Author: singhpk234

polaris-core/src/main/java/org/apache/polaris/core/policy/content/AccessControlPolicyContent.java

@@ -19,7 +19,9 @@
 
 package org.apache.polaris.core.policy.content;
 
+import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import com.fasterxml.jackson.databind.annotation.JsonSerialize;
 import com.google.common.base.Strings;
 import java.util.List;
 import java.util.Set;
@@ -37,6 +39,7 @@ public class AccessControlPolicyContent implements PolicyContent {
   // Iceberg expressions without context functions for now.
   // Use a custom deserializer for the list of Iceberg Expressions
   @JsonDeserialize(using = IcebergExpressionListDeserializer.class)
+  @JsonSerialize(using = IcebergExpressionListSerializer.class)
   private List<Expression> rowFilters;
 
   private static final String DEFAULT_POLICY_SCHEMA_VERSION = "2025-02-03";
@@ -64,6 +67,21 @@ public static AccessControlPolicyContent fromString(String content) {
     return policy;
   }
 
+  public static String toString(AccessControlPolicyContent content) {
+    if (content == null) {
+      // Return null or an empty string, or throw an IllegalArgumentException
+      // based on how you want to handle null input.
+      return null;
+    }
+    try {
+      // PolicyContentUtil.MAPPER is assumed to be an ObjectMapper instance
+      // that is properly configured (e.g., with your custom serializers).
+      return PolicyContentUtil.MAPPER.writeValueAsString(content);
+    } catch (JsonProcessingException e) {
+      throw new InvalidPolicyException("Failed to convert policy content to JSON string", e);
+    }
+  }
+
   // Constructors, getters, and setters
   public AccessControlPolicyContent() {}
 

polaris-core/src/main/java/org/apache/polaris/core/policy/content/IcebergExpressionListSerializer.java

@@ -0,0 +1,50 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.polaris.core.policy.content;
+
+import com.fasterxml.jackson.core.JsonGenerator;
+import com.fasterxml.jackson.databind.JsonSerializer;
+import com.fasterxml.jackson.databind.SerializerProvider;
+import java.io.IOException;
+import java.util.List;
+import org.apache.iceberg.expressions.Expression;
+import org.apache.iceberg.expressions.ExpressionParser;
+
+/**
+ * Custom Jackson JsonSerializer for a List of Iceberg Expression objects. This serializer converts
+ * each Iceberg Expression into its string representation.
+ */
+public class IcebergExpressionListSerializer extends JsonSerializer<List<Expression>> {
+
+  @Override
+  public void serialize(
+      List<Expression> expressions,
+      JsonGenerator jsonGenerator,
+      SerializerProvider serializerProvider)
+      throws IOException {
+    jsonGenerator.writeStartArray();
+    if (expressions != null) {
+      for (Expression expression : expressions) {
+        jsonGenerator.writeString(ExpressionParser.toJson(expression));
+      }
+    }
+    jsonGenerator.writeEndArray();
+  }
+}

polaris-core/src/main/java/org/apache/polaris/core/policy/validator/PolicyValidators.java

@@ -102,6 +102,10 @@ public static boolean canAttach(PolicyEntity policy, PolarisEntity targetEntity)
       case ORPHAN_FILE_REMOVAL:
         return BaseMaintenancePolicyValidator.INSTANCE.canAttach(entityType, entitySubType);
 
+      case ACCESS_CONTROL:
+        // TODO: Add validator for attaching this only to table
+        return true;
+
       default:
         LOGGER.warn("Attachment not supported for policy type: {}", policyType.getName());
         return false;

polaris-core/src/test/java/org/apache/polaris/core/policy/AccessControlPolicyContentTest.java

@@ -25,9 +25,12 @@
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
 import java.util.Arrays;
+import java.util.List;
 import org.apache.iceberg.expressions.Expression;
+import org.apache.iceberg.expressions.Expressions;
 import org.apache.polaris.core.policy.content.AccessControlPolicyContent;
 import org.apache.polaris.core.policy.validator.InvalidPolicyException;
+import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.DisplayName;
 import org.junit.jupiter.api.Test;
 
@@ -69,6 +72,44 @@ void testFromString_fullPolicy() {
     assertEquals("ref(name=\"name\") == \"PK\"", filter2.toString());
   }
 
+  @Test
+  @DisplayName(
+      "Should deserialize a full policy with all fields correctly - with context variables")
+  void testFromString_fullPolicy_withContextVariable() {
+    String jsonContent =
+        "{\n"
+            + "  \"principalRole\": \"ANALYST\",\n"
+            + "  \"columnProjections\": [\"name\", \"location\"],\n"
+            + "  \"rowFilters\": [\n"
+            + "    {\n"
+            + "      \"type\": \"eq\",\n"
+            + "      \"term\": \"country\",\n"
+            + "      \"value\": \"USA\"\n"
+            + "    },\n"
+            + "    {\n"
+            + "      \"type\": \"eq\",\n"
+            + "      \"term\": \"$current_principal_role\",\n"
+            + "      \"value\": \"PK\"\n"
+            + "    }\n"
+            + "  ]\n"
+            + "}";
+
+    AccessControlPolicyContent policy = AccessControlPolicyContent.fromString(jsonContent);
+
+    assertNotNull(policy);
+    assertEquals("ANALYST", policy.getPrincipalRole());
+    assertEquals(Arrays.asList("name", "location"), policy.getColumnProjections());
+
+    // Validate rowFilters
+    assertNotNull(policy.getRowFilters());
+    assertEquals(2, policy.getRowFilters().size());
+
+    Expression filter1 = policy.getRowFilters().get(0);
+    Expression filter2 = policy.getRowFilters().get(1);
+    assertEquals("ref(name=\"country\") == \"USA\"", filter1.toString());
+    assertEquals("ref(name=\"$current_principal_role\") == \"PK\"", filter2.toString());
+  }
+
   @Test
   @DisplayName(
       "Should fail deserialize policy with only required fields (principalRole empty, lists empty/null)")
@@ -189,6 +230,64 @@ void testFromString_emptyListsInJson() {
         });
   }
 
+  @Test
+  void testToString_basicPolicy() {
+    AccessControlPolicyContent policy = new AccessControlPolicyContent();
+    policy.setPrincipalRole("analyst");
+    policy.setAllowedColumns(Arrays.asList("col1", "col2"));
+    policy.setRowFilters(null);
+
+    String expectedJson =
+        "{\"principalRole\":\"analyst\",\"columnProjections\":[\"col1\",\"col2\"],\"rowFilters\":null}";
+    String actualJson = AccessControlPolicyContent.toString(policy);
+
+    assertEquals(expectedJson, actualJson);
+  }
+
+  @Test
+  void testToString_policyWithRowFilters() {
+    AccessControlPolicyContent policy = new AccessControlPolicyContent();
+    policy.setPrincipalRole("data_engineer");
+    policy.setAllowedColumns(List.of());
+
+    Expression filter1 = Expressions.equal("name", "Alice");
+    Expression filter2 = Expressions.greaterThan("age", 30);
+    policy.setRowFilters(Arrays.asList(filter1, filter2));
+
+    String expectedJson =
+        "{\"principalRole\":\"data_engineer\",\"columnProjections\":[],\"rowFilters\":[\"{\\\"type\\\":\\\"eq\\\",\\\"term\\\":\\\"name\\\",\\\"value\\\":\\\"Alice\\\"}\",\"{\\\"type\\\":\\\"gt\\\",\\\"term\\\":\\\"age\\\",\\\"value\\\":30}\"]}";
+
+    String actualJson = AccessControlPolicyContent.toString(policy);
+
+    assertEquals(expectedJson, actualJson);
+  }
+
+  @Test
+  void testToString_emptyPolicy() {
+    AccessControlPolicyContent policy = new AccessControlPolicyContent();
+    policy.setPrincipalRole(null);
+    policy.setAllowedColumns(List.of());
+    policy.setRowFilters(List.of());
+
+    String expectedJson = "{\"principalRole\":null,\"columnProjections\":[],\"rowFilters\":[]}";
+    String actualJson = AccessControlPolicyContent.toString(policy);
+
+    assertEquals(expectedJson, actualJson);
+  }
+
+  @Test
+  void testToString_nullInput() {
+    String actualJson = AccessControlPolicyContent.toString(null);
+    Assertions.assertNull(actualJson);
+  }
+
+  @Test
+  void testToString_exceptionHandling() {
+    AccessControlPolicyContent policy = new AccessControlPolicyContent();
+    policy.setAllowedColumns(Arrays.asList("id"));
+    Assertions.assertDoesNotThrow(() -> AccessControlPolicyContent.toString(policy));
+  }
+
   @Test
   @DisplayName(
       "Should handle unmapped properties if FAIL_ON_UNKNOWN_PROPERTIES is false (default for this setup)")

runtime/service/src/test/java/org/apache/polaris/service/quarkus/catalog/PolicyCatalogTest.java

@@ -19,6 +19,7 @@
 package org.apache.polaris.service.quarkus.catalog;
 
 import static org.apache.iceberg.types.Types.NestedField.required;
+import static org.apache.polaris.core.policy.PredefinedPolicyTypes.ACCESS_CONTROL;
 import static org.apache.polaris.core.policy.PredefinedPolicyTypes.DATA_COMPACTION;
 import static org.apache.polaris.core.policy.PredefinedPolicyTypes.METADATA_COMPACTION;
 import static org.apache.polaris.core.policy.PredefinedPolicyTypes.ORPHAN_FILE_REMOVAL;
@@ -137,6 +138,24 @@ public Map<String, String> getConfigOverrides() {
           required(3, "id", Types.IntegerType.get(), "unique ID"),
           required(4, "data", Types.StringType.get()));
 
+  private static final String EXAMPLE_ACCESS_CONTROL_POLICY_CONTENT =
+      "{\n"
+          + "  \"principalRole\": \"ANALYST\",\n"
+          + "  \"columnProjections\": [\"name\", \"location\"],\n"
+          + "  \"rowFilters\": [\n"
+          + "    {\n"
+          + "      \"type\": \"eq\",\n"
+          + "      \"term\": \"country\",\n"
+          + "      \"value\": \"USA\"\n"
+          + "    },\n"
+          + "    {\n"
+          + "      \"type\": \"eq\",\n"
+          + "      \"term\": \"$current_principal\",\n"
+          + "      \"value\": \"PK\"\n"
+          + "    }\n"
+          + "  ]\n"
+          + "}";
+
   private static final PolicyIdentifier POLICY1 = new PolicyIdentifier(NS, "p1");
   private static final PolicyIdentifier POLICY2 = new PolicyIdentifier(NS, "p2");
   private static final PolicyIdentifier POLICY3 = new PolicyIdentifier(NS, "p3");
@@ -630,16 +649,47 @@ public void testGetApplicablePoliciesFilterOnType() {
     assertThat(applicablePolicies.contains(policyToApplicablePolicy(p2, false, NS))).isTrue();
   }
 
+  @Test
+  public void testAttachAccessControlPolicyToTableAndCheckApplicablePolicy() {
+    icebergCatalog.createNamespace(NS);
+    icebergCatalog.createTable(TABLE, SCHEMA);
+    policyCatalog.createPolicy(
+        POLICY1, METADATA_COMPACTION.getName(), "test", "{\"enable\": false}");
+    var p2 =
+        policyCatalog.createPolicy(
+            POLICY2, ACCESS_CONTROL.getName(), "FGAC", EXAMPLE_ACCESS_CONTROL_POLICY_CONTENT);
+
+    // attach a policy to table
+    var target =
+        new PolicyAttachmentTarget(
+            PolicyAttachmentTarget.TypeEnum.TABLE_LIKE, List.of(NS.toString(), TABLE.name()));
+    policyCatalog.attachPolicy(POLICY2, target, null);
+
+    // attach a different type of policy to namespace
+    policyCatalog.attachPolicy(POLICY1, POLICY_ATTACH_TARGET_NS, null);
+    var applicablePolicies = policyCatalog.getApplicablePolicies(NS, TABLE.name(), ACCESS_CONTROL);
+    System.out.println(applicablePolicies);
+    // only p2 is with the type fetched
+    assertThat(applicablePolicies.contains(policyToApplicablePolicy(p2, false, NS))).isTrue();
+  }
+
   private static ApplicablePolicy policyToApplicablePolicy(
       Policy policy, boolean inherited, Namespace parent) {
     return new ApplicablePolicy(
         policy.getPolicyType(),
         policy.getInheritable(),
         policy.getName(),
         policy.getDescription(),
-        policy.getContent(),
+        replaceContextVariable(policy.getContent(), policy.getPolicyType()),
         policy.getVersion(),
         inherited,
         Arrays.asList(parent.levels()));
   }
+
+  private static String replaceContextVariable(String content, String policyType) {
+    if (policyType.equals(ACCESS_CONTROL.getName())) {
+      return "{\"principalRole\":\"ANALYST\",\"columnProjections\":[\"name\",\"location\"],\"rowFilters\":[\"{\\\"type\\\":\\\"eq\\\",\\\"term\\\":\\\"country\\\",\\\"value\\\":\\\"USA\\\"}\",\"false\"]}";
+    }
+    return content;
+  }
 }