singhpk234 opened a new pull request, #1620:
URL: https://github.com/apache/polaris/pull/1620

   ### About the change 
   
   I’d like to propose adding context-aware functions to Apache Polaris so that 
view definitions can resolve security context on the Polaris side (aka catalog 
end) without depending on engines.
   
   Proposed functions
   
   ```
   is_principal('<principal_name>') – returns TRUE if the authenticated 
principal matches <principal_name>, otherwise FALSE.
   
   is_principal_role('<principal_role_name>') – returns TRUE when 
<principal_role_name> appears in the principal’s role set.
   
   is_catalog_role('<catalog_role_name>') – analogous check at the catalog-role 
level.
   ```
   
   Why it matters
   
   These predicates make views dynamic. Example:
   
   ```sql
   CREATE VIEW dynamic_vw AS
   SELECT *
   FROM ns1.layer1_table
   WHERE is_principal_role('ANALYST');
   ```
   
   When a user whose principal roles include ANALYST calls LOAD VIEW, 
Polaris rewrites the view to
   ```sql
   SELECT * FROM ns1.layer1_table WHERE TRUE;
   ```
   For everyone else the view becomes
   ```sql
   SELECT * FROM ns1.layer1_table WHERE FALSE;
   ```
   The result is better and more consistent control of identity resolution 
without relying on engine-side changes, giving Polaris more authority in 
enforcing things like FGAC (WIP by me).
   Note that the same can be extrapolated to any Polaris stored entity.
   
   Proof of concept
   
   I’ve put together a quick POC branch:
   here ^^^
   
   Prior art
   
   Snowflake context functions:
   https://docs.snowflake.com/en/sql-reference/functions-context
   Databricks Unity Catalog offers a similar mechanism called dynamic views:
   https://docs.databricks.com/aws/en/views/dynamic
   
   Next steps
   
   If the community is interested, we can discuss API surface, engine 
implications, and a roadmap for merging.
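
A sketch of the load-time rewrite described in the post above, added here as an illustration; it is not the POC branch or Polaris code. `SecurityContext`, `resolve_view_sql`, exact case-sensitive name matching, and failing closed on a non-literal argument are assumptions of this example.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class SecurityContext:
    """Caller identity as resolved by the catalog (hypothetical shape)."""
    principal: str
    principal_roles: frozenset = frozenset()
    catalog_roles: frozenset = frozenset()

# Comments and quoted text are matched first so predicates inside them are
# copied through untouched instead of being rewritten.
_TOKEN = re.compile(r"""
      (?P<skip> --[^\n]* | /\*.*?\*/ | '(?:[^']|'')*' | "(?:[^"]|"")*" )
    | \b(?P<fn> is_principal_role | is_catalog_role | is_principal )\s*\(\s*
      (?: '(?P<arg>(?:[^']|'')*)' \s*\) )?
""", re.IGNORECASE | re.VERBOSE | re.DOTALL)

def resolve_view_sql(sql: str, ctx: SecurityContext) -> str:
    """Replace each context predicate with TRUE/FALSE for this caller."""
    held = {
        "is_principal": frozenset({ctx.principal}),
        "is_principal_role": ctx.principal_roles,
        "is_catalog_role": ctx.catalog_roles,
    }

    def repl(m: re.Match) -> str:
        if m.group("skip") is not None:
            return m.group(0)  # comment, string literal or quoted identifier
        if m.group("arg") is None:
            # Assumption: fail closed instead of handing an unresolved
            # predicate to an engine that does not know the function.
            raise ValueError(f"unresolvable context call at offset {m.start()}")
        name = m.group("arg").replace("''", "'")  # undo SQL quote doubling
        return "TRUE" if name in held[m.group("fn").lower()] else "FALSE"

    return _TOKEN.sub(repl, sql)

# Constructed sample input, based on the view in the description above.
VIEW = "SELECT * FROM ns1.layer1_table WHERE is_principal_role('ANALYST');"

if __name__ == "__main__":
    print(resolve_view_sql(VIEW, SecurityContext("alice", frozenset({"ANALYST"}))))
    print(resolve_view_sql(VIEW, SecurityContext("bob", frozenset({"ENGINEER"}))))
```

The rewrite has to run on every load with the caller's own context; a resolved view text cached and served to a different principal would carry the wrong TRUE/FALSE.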
   

