[FEATURE REQUEST] Service Connection Per namespace in a catalog #194

Open
chetan-habu opened this issue Aug 23, 2024 · 7 comments
Labels
enhancement New feature or request

Comments

@chetan-habu

Is your feature request related to a problem? Please describe.

Restrict access to tables in a namespace to a service connection

Describe the solution you'd like

I want to create one catalog and multiple child namespaces under a parent namespace. Each namespace will have its own service connection, and an individual service connection can only talk to catalog data in the namespace.

Describe alternatives you've considered

I would have to create a catalog, namespace and service connection in order to provide limited access to a single service connection.

Additional context

No response

@chetan-habu chetan-habu added the enhancement New feature or request label Aug 23, 2024
@sfc-gh-ygu
Contributor

sfc-gh-ygu commented Aug 24, 2024

I'm not sure I understand completely, but you can create the catalog roles with specific privileges on a single namespace. The catalog role concept can be a group of privileges on namespace/table/view/catalog. Here is the RBAC example for reference: https://polaris.io/#tag/Access-Control/RBAC-example


For example, you can create catalog roles like ns1_admin, ns1_readonly, ns2_admin, etc.

@chetan-habu
Author

chetan-habu commented Aug 26, 2024

Thanks. Creating catalog roles per namespace should help take care of our use cases. Are there any limits to the number of principal roles, catalog roles and catalogs per Polaris instance or per catalog?

@flyrain
Contributor

flyrain commented Aug 26, 2024

I don't think there will be limitations on these numbers. cc @dennishuo @collado-mike @eric-maynard for more details.

@chetan-habu
Author

@flyrain I was able to use your suggestion and create a catalog role per namespace and then map it later to a principal role and service principal. I am using Snowflake-managed Polaris to create all the desired configurations. Do you have any idea how I could get the service admin credentials? I want to use APIs to create catalog, namespace and other Polaris-related configurations, but the only way I am able to do that is to get the token from the network tab and use that to invoke APIs.

@eric-maynard
Contributor

Hey @chetan-habu, if you have questions about a vendor-managed offering please reach out to that vendor. With Apache Polaris, you can view the root credentials during bootstrapping.

@collado-mike
Contributor

Snowflake's Polaris doesn't yet let you do this, but the functionality exists in the OSS project. Unsure when the feature will be released in the managed Polaris offering.

@chetan-habu
Author

Thanks, team. Can you help provide some more insights into the following questions, if any?

  • limits to the number of catalogs we can create in a Polaris instance
  • number of namespaces/sub-namespaces a catalog can have
  • catalog roles per namespace
  • service principals

We plan to create a catalog, and then namespaces are our logical grouping. Each namespace would be associated with a catalog role which allows access to the namespace tables only. The catalog role will have an associated service principal. We would leverage the APIs from the documentation to create the whole piece, and hence the ask on the limits.
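
The per-namespace layout discussed in this thread, as an added example (not code from the thread or from the Polaris project): it builds the management API calls that tie one service principal to a read-only catalog role on a single namespace, then audits the grants for anything that reaches outside that namespace. The catalog, namespace, principal and role names are constructed, and the paths and privilege names follow the Apache Polaris management API as assumed here, so check them against the spec of your deployed version.

```python
import json

BASE = "/api/management/v1"  # assumed management API prefix
# Read-only privilege set for one namespace (assumed Polaris privilege names).
READONLY = ["NAMESPACE_LIST", "NAMESPACE_READ_PROPERTIES", "TABLE_LIST",
            "TABLE_READ_PROPERTIES", "TABLE_READ_DATA"]


def plan_namespace_role(catalog, namespace, principal, privileges=READONLY):
    """Return ordered (method, path, body) calls scoping `principal` to one namespace."""
    ns = namespace.split(".")  # namespaces are sent as a list of levels
    suffix = "_".join(ns)
    cat_role, prin_role = f"{suffix}_readonly", f"{suffix}_reader"  # hypothetical naming
    calls = [("POST", f"{BASE}/catalogs/{catalog}/catalog-roles",
              {"catalogRole": {"name": cat_role}})]
    for priv in privileges:
        calls.append(("PUT", f"{BASE}/catalogs/{catalog}/catalog-roles/{cat_role}/grants",
                      {"grant": {"type": "namespace", "namespace": ns, "privilege": priv}}))
    calls += [
        ("POST", f"{BASE}/principal-roles", {"principalRole": {"name": prin_role}}),
        ("PUT", f"{BASE}/principal-roles/{prin_role}/catalog-roles/{catalog}",
         {"catalogRole": {"name": cat_role}}),
        ("PUT", f"{BASE}/principals/{principal}/principal-roles",
         {"principalRole": {"name": prin_role}}),
    ]
    return calls


def audit_isolation(calls, allowed_namespace):
    """Return (privilege, scope) for every grant that escapes `allowed_namespace`.

    Catalog-level grants always escape; namespace and table grants escape unless
    their namespace is the allowed one or a child of it.
    """
    allowed = allowed_namespace.split(".")
    findings = []
    for _method, _path, body in calls:
        grant = body.get("grant")
        if grant is None:
            continue
        if grant["type"] == "catalog":
            findings.append((grant["privilege"], "catalog"))
        elif grant.get("namespace", [])[:len(allowed)] != allowed:
            findings.append((grant["privilege"], ".".join(grant.get("namespace", []))))
    return findings


if __name__ == "__main__":
    plan = plan_namespace_role("analytics", "parent.ns1", "svc_ns1")  # constructed names
    print(json.dumps(plan, indent=2))
    print("escaping grants:", audit_isolation(plan, "parent.ns1"))
```

Running the audit over every role's planned grants before applying them catches a catalog-wide privilege slipped into a role that is meant to be namespace-scoped.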
