Fine grain Branch/Tag creation control

[jpartyka-gemius]

I am looking for a way to allow users creating, writing to branches/tags with a given prefix, but the same time restricting their access other branches like.
For example:

• userA can create/write to branches/tags starting with "userA_"
• userB can create/write to branch "main"
• both userAand userB can read from all branches

In 1.2.0 "Finer Grained Operations and Privileges For Update Table" was added that added some specific permissions (ADD_SNAPSHOT and SET_SNAPSHOT_REF). But these permissions are at the table level, so it is not possible to limit
branch/tag tha are affected.

From what I can tell branch/tag name is not passed when checking permissions, so this is also not possible in External systems like OPA.

Is there a way to achieve this with current polaris implementations? If not, what do you thing about such feature?

[dimas-b]

Hi @jpartyka-gemius ,

The request looks reasonable to me. However, some more investigation is probably needed about the feasibility of implementing it in Polaris.

I'd guess OPA and Apache Ranger should be able to process requests at this level of details, but the internal Polaris RBAC system may need substantial adjustments to support this feature (if that is a requirement).

[jpartyka-gemius]

Thanks for quick answer.
I will create issue/PR with detailed description adding branch/tag when checking permissions, with support in exteranal policies engines (Ranger and OPA), but internal Polaris authorization will just ignore branch/tag name.

[flyrain]

As you may have noticed, access control today is defined at the entity level. Supporting this use case would require us to think through attribute level access control more broadly, rather than treating branch/tag names as a special case.

We would also need to consider how such a model applies consistently across all authorization mechanisms, including the native RBAC system as well as external policy engines like OPA and Ranger. The challenge is likely less about branch/tag permissions specifically, and more about introducing a general framework for attribute based authorization throughout Polaris.