Hi all,

Following up on the “Iceberg REST FGAC proposal” discussion [1], we are happy to share the more detailed proposal [2] to extend the Apache Iceberg REST specification to include a new API for retrieving fine-grained access control (FGAC) "protection instructions" (row-level filters and column transformations) from an Iceberg REST Catalog.
The aim is to standardize how query engines obtain these instructions based on user identity, simplifying data protection enforcement. The proposal focuses solely on the new Iceberg REST API endpoint to retrieve protection instructions, intentionally omitting catalog-specific policy management APIs.

Having a truly interoperable way to represent the protection instructions for both row filters and column transformations is a huge benefit. This is why the support for Iceberg expressions is marked as mandatory in the proposal. We think that it is a fair option to allow people to use SQL expressions, not required by the proposal, to satisfy their needs, assuming they are okay to accept that not all catalogs or engines support SQL expressions or not all SQL conformance/dialects.

Thanks to all of those who have helped review & contribute - JB Onofre, Prashant Singh, Russell Spitzer, Roy Hansson, & Kevin Liu. We are excited about the community support!

Cheers,
Robert, Laurent, Alex, Dmitri

[1] https://lists.apache.org/thread/nfw1t0glfdfj1hwmzzzzwwyrfnq44yr5
[2] https://docs.google.com/document/d/108Y0E8XsZi91x-UY0_aHLEbmXDNmxmS5BnDjunEKvTM