Hi all,

Following up on the “Iceberg REST FGAC proposal” discussion [1], we
are happy to share the more detailed proposal [2] to extend the Apache
Iceberg REST specification to include a new API for retrieving
fine-grained access control (FGAC) "protection instructions"
(row-level filters and column transformations) from an Iceberg REST
Catalog.

The aim is to standardize how query engines obtain these instructions
based on user identity, simplifying data protection enforcement.

The proposal focuses solely on the new Iceberg REST API endpoint to
retrieve protection instructions, intentionally omitting
catalog-specific policy management APIs.

Having a truly interoperable way to represent the protection
instructions for both row filters and column transformations is a huge
benefit. This is why the support for Iceberg expressions is marked as
mandatory in the proposal. We think that it is a fair option to allow
people to use SQL expressions, not required by the proposal, to
satisfy their needs, assuming they are okay to accept that not all
catalogs or engines support SQL expressions or not all SQL
conformance/dialects.

Thanks to all of those who have helped review & contribute - JB
Onofre, Prashant Singh, Russell Spitzer, Roy Hansson, & Kevin Liu. We
are excited about the community support!

Cheers,
Robert, Laurent, Alex, Dmitri

[1] https://lists.apache.org/thread/nfw1t0glfdfj1hwmzzzzwwyrfnq44yr5
[2] https://docs.google.com/document/d/108Y0E8XsZi91x-UY0_aHLEbmXDNmxmS5BnDjunEKvTM
