Implement PolicyCatalogHandler and Add Policy Privileges Stage 1: CRUD + ListPolicies (#1357)

* Add PolicyCatalogHandler and tests

* Fix style

* Address review comments

* Address review comments 2

* fix nit

Author: HonahX

polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizableOperation.java

@@ -40,6 +40,11 @@
 import static org.apache.polaris.core.entity.PolarisPrivilege.NAMESPACE_MANAGE_GRANTS_ON_SECURABLE;
 import static org.apache.polaris.core.entity.PolarisPrivilege.NAMESPACE_READ_PROPERTIES;
 import static org.apache.polaris.core.entity.PolarisPrivilege.NAMESPACE_WRITE_PROPERTIES;
+import static org.apache.polaris.core.entity.PolarisPrivilege.POLICY_CREATE;
+import static org.apache.polaris.core.entity.PolarisPrivilege.POLICY_DROP;
+import static org.apache.polaris.core.entity.PolarisPrivilege.POLICY_LIST;
+import static org.apache.polaris.core.entity.PolarisPrivilege.POLICY_READ;
+import static org.apache.polaris.core.entity.PolarisPrivilege.POLICY_WRITE;
 import static org.apache.polaris.core.entity.PolarisPrivilege.PRINCIPAL_CREATE;
 import static org.apache.polaris.core.entity.PolarisPrivilege.PRINCIPAL_DROP;
 import static org.apache.polaris.core.entity.PolarisPrivilege.PRINCIPAL_LIST;
@@ -182,6 +187,11 @@ public enum PolarisAuthorizableOperation {
   REVOKE_VIEW_GRANT_FROM_CATALOG_ROLE(
       VIEW_MANAGE_GRANTS_ON_SECURABLE, CATALOG_ROLE_MANAGE_GRANTS_FOR_GRANTEE),
   LIST_GRANTS_ON_VIEW(VIEW_LIST_GRANTS),
+  CREATE_POLICY(POLICY_CREATE),
+  LOAD_POLICY(POLICY_READ),
+  DROP_POLICY(POLICY_DROP),
+  UPDATE_POLICY(POLICY_WRITE),
+  LIST_POLICY(POLICY_LIST),
   ;
 
   private final EnumSet<PolarisPrivilege> privilegesOnTarget;

polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizerImpl.java

@@ -47,6 +47,12 @@
 import static org.apache.polaris.core.entity.PolarisPrivilege.NAMESPACE_MANAGE_GRANTS_ON_SECURABLE;
 import static org.apache.polaris.core.entity.PolarisPrivilege.NAMESPACE_READ_PROPERTIES;
 import static org.apache.polaris.core.entity.PolarisPrivilege.NAMESPACE_WRITE_PROPERTIES;
+import static org.apache.polaris.core.entity.PolarisPrivilege.POLICY_CREATE;
+import static org.apache.polaris.core.entity.PolarisPrivilege.POLICY_DROP;
+import static org.apache.polaris.core.entity.PolarisPrivilege.POLICY_FULL_METADATA;
+import static org.apache.polaris.core.entity.PolarisPrivilege.POLICY_LIST;
+import static org.apache.polaris.core.entity.PolarisPrivilege.POLICY_READ;
+import static org.apache.polaris.core.entity.PolarisPrivilege.POLICY_WRITE;
 import static org.apache.polaris.core.entity.PolarisPrivilege.PRINCIPAL_CREATE;
 import static org.apache.polaris.core.entity.PolarisPrivilege.PRINCIPAL_DROP;
 import static org.apache.polaris.core.entity.PolarisPrivilege.PRINCIPAL_FULL_METADATA;
@@ -457,6 +463,38 @@ public class PolarisAuthorizerImpl implements PolarisAuthorizer {
     SUPER_PRIVILEGES.putAll(
         CATALOG_ROLE_MANAGE_GRANTS_FOR_GRANTEE,
         List.of(CATALOG_ROLE_MANAGE_GRANTS_FOR_GRANTEE, CATALOG_MANAGE_ACCESS));
+
+    // Policy privileges
+    SUPER_PRIVILEGES.putAll(
+        POLICY_CREATE,
+        List.of(
+            POLICY_CREATE, POLICY_FULL_METADATA, CATALOG_MANAGE_METADATA, CATALOG_MANAGE_CONTENT));
+    SUPER_PRIVILEGES.putAll(
+        POLICY_WRITE,
+        List.of(
+            POLICY_WRITE, POLICY_FULL_METADATA, CATALOG_MANAGE_METADATA, CATALOG_MANAGE_CONTENT));
+    SUPER_PRIVILEGES.putAll(
+        POLICY_DROP,
+        List.of(
+            POLICY_DROP, POLICY_FULL_METADATA, CATALOG_MANAGE_METADATA, CATALOG_MANAGE_CONTENT));
+    SUPER_PRIVILEGES.putAll(
+        POLICY_READ,
+        List.of(
+            POLICY_READ,
+            POLICY_WRITE,
+            POLICY_FULL_METADATA,
+            CATALOG_MANAGE_METADATA,
+            CATALOG_MANAGE_CONTENT));
+    SUPER_PRIVILEGES.putAll(
+        POLICY_LIST,
+        List.of(
+            POLICY_LIST,
+            POLICY_CREATE,
+            POLICY_READ,
+            POLICY_WRITE,
+            POLICY_FULL_METADATA,
+            CATALOG_MANAGE_METADATA,
+            CATALOG_MANAGE_CONTENT));
   }
 
   private final PolarisConfigurationStore featureConfig;

polaris-core/src/main/java/org/apache/polaris/core/entity/PolarisPrivilege.java

@@ -136,6 +136,12 @@ public enum PolarisPrivilege {
   CATALOG_ROLE_FULL_METADATA(67, PolarisEntityType.CATALOG_ROLE),
   CATALOG_ROLE_MANAGE_GRANTS_ON_SECURABLE(68, PolarisEntityType.CATALOG_ROLE),
   CATALOG_ROLE_MANAGE_GRANTS_FOR_GRANTEE(69, PolarisEntityType.CATALOG_ROLE),
+  POLICY_CREATE(70, PolarisEntityType.NAMESPACE),
+  POLICY_READ(71, PolarisEntityType.POLICY),
+  POLICY_DROP(72, PolarisEntityType.POLICY),
+  POLICY_WRITE(73, PolarisEntityType.POLICY),
+  POLICY_LIST(74, PolarisEntityType.NAMESPACE),
+  POLICY_FULL_METADATA(75, PolarisEntityType.POLICY),
   ;
 
   /**

quarkus/service/src/test/java/org/apache/polaris/service/quarkus/admin/PolarisAuthzTestBase.java

@@ -75,19 +75,22 @@
 import org.apache.polaris.core.persistence.dao.entity.EntityResult;
 import org.apache.polaris.core.persistence.resolver.PolarisResolutionManifest;
 import org.apache.polaris.core.persistence.transactional.TransactionalPersistence;
+import org.apache.polaris.core.policy.PredefinedPolicyTypes;
 import org.apache.polaris.core.secrets.UserSecretsManager;
 import org.apache.polaris.core.secrets.UserSecretsManagerFactory;
 import org.apache.polaris.service.admin.PolarisAdminService;
 import org.apache.polaris.service.catalog.PolarisPassthroughResolutionView;
 import org.apache.polaris.service.catalog.generic.GenericTableCatalog;
 import org.apache.polaris.service.catalog.iceberg.IcebergCatalog;
 import org.apache.polaris.service.catalog.io.FileIOFactory;
+import org.apache.polaris.service.catalog.policy.PolicyCatalog;
 import org.apache.polaris.service.config.DefaultConfigurationStore;
 import org.apache.polaris.service.config.RealmEntityManagerFactory;
 import org.apache.polaris.service.context.CallContextCatalogFactory;
 import org.apache.polaris.service.context.PolarisCallContextCatalogFactory;
 import org.apache.polaris.service.storage.PolarisStorageIntegrationProviderImpl;
 import org.apache.polaris.service.task.TaskExecutor;
+import org.apache.polaris.service.types.PolicyIdentifier;
 import org.assertj.core.api.Assertions;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeAll;
@@ -139,6 +142,9 @@ public Map<String, String> getConfigOverrides() {
   protected static final TableIdentifier TABLE_NS1_1_GENERIC =
       TableIdentifier.of(NS1, "layer1_table_generic");
 
+  // A policy directly under ns1
+  protected static final PolicyIdentifier POLICY_NS1_1 = new PolicyIdentifier(NS1, "layer1_policy");
+
   // Two tables under ns1a
   protected static final TableIdentifier TABLE_NS1A_1 = TableIdentifier.of(NS1A, "table1");
   protected static final TableIdentifier TABLE_NS1A_2 = TableIdentifier.of(NS1A, "table2");
@@ -185,6 +191,7 @@ public Map<String, String> getConfigOverrides() {
 
   protected IcebergCatalog baseCatalog;
   protected GenericTableCatalog genericTableCatalog;
+  protected PolicyCatalog policyCatalog;
   protected PolarisAdminService adminService;
   protected PolarisEntityManager entityManager;
   protected PolarisMetaStoreManager metaStoreManager;
@@ -321,6 +328,12 @@ public void before(TestInfo testInfo) {
 
     genericTableCatalog.createGenericTable(TABLE_NS1_1_GENERIC, "format", "doc", Map.of());
 
+    policyCatalog.createPolicy(
+        POLICY_NS1_1,
+        PredefinedPolicyTypes.DATA_COMPACTION.getName(),
+        "test_policy",
+        "{\"enable\": false}");
+
     baseCatalog
         .buildView(VIEW_NS1_1)
         .withSchema(SCHEMA)
@@ -463,6 +476,7 @@ private void initBaseCatalog() {
             CatalogProperties.FILE_IO_IMPL, "org.apache.iceberg.inmemory.InMemoryFileIO"));
     this.genericTableCatalog =
         new GenericTableCatalog(metaStoreManager, callContext, passthroughView);
+    this.policyCatalog = new PolicyCatalog(metaStoreManager, callContext, passthroughView);
   }
 
   @Alternative