Richer access checks

This change introduces the ability to distinguish individual checks by the (external) API being used (Nessie, Iceberg) and for Nessie Catalog (Iceberg REST) to information about the kind(s) of changes being applied.

The individual changes that can be distinguished are:
* Catalog API operation
* Metadata update actions, with special actions wrt to the `location` property
* Snapshot operation
* Snapshot summary extracts (for example whether a snapshot added or removed data/delete files)

All new attributes can be retrieved from the existing `Check` type via new attributes exposed via `AccessCheckMeta` holding the source API, "for write flag" and per-content-key flags. The flags represent the mentioned "individual changes".

Fixes #9559 (and more)

CHANGELOG.md

@@ -14,6 +14,9 @@ as necessary. Empty sections will not end in the release notes.
 
 ### New Features
 
+- Access check SPI has been enhanced to provide richer information in the `Check` type about the receiving
+  API (Nessie REST or Iceberg REST) and about the individual changes, especially during a commit operation.
+
 ### Changes
 
 ### Deprecations

catalog/format/iceberg/src/main/java/org/projectnessie/catalog/formats/iceberg/nessie/CatalogOps.java

@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) 2024 Dremio
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.projectnessie.catalog.formats.iceberg.nessie;
+
+/**
+ * Enum serving as a "constants pool" for the string values passed to Nessie access control checks.
+ */
+public enum CatalogOps {
+  // Iceberg metadata updates
+  META_ADD_VIEW_VERSION,
+  META_SET_CURRENT_VIEW_VERSION,
+  META_SET_STATISTICS,
+  META_REMOVE_STATISTICS,
+  META_SET_PARTITION_STATISTICS,
+  META_REMOVE_PARTITION_STATISTICS,
+  META_ASSIGN_UUID,
+  META_ADD_SCHEMA,
+  META_SET_CURRENT_SCHEMA,
+  META_ADD_PARTITION_SPEC,
+  META_SET_DEFAULT_PARTITION_SPEC,
+  META_ADD_SNAPSHOT,
+  META_ADD_SORT_ORDER,
+  META_SET_DEFAULT_SORT_ORDER,
+  META_SET_LOCATION,
+  META_SET_PROPERTIES,
+  META_REMOVE_PROPERTIES,
+  META_REMOVE_LOCATION_PROPERTY,
+  META_SET_SNAPSHOT_REF,
+  META_REMOVE_SNAPSHOT_REF,
+  META_UPGRADE_FORMAT_VERSION,
+
+  // Catalog operations
+  CATALOG_CREATE_ENTITY,
+  CATALOG_UPDATE_ENTITY,
+  CATALOG_DROP_ENTITY,
+  CATALOG_RENAME_ENTITY_FROM,
+  CATALOG_RENAME_ENTITY_TO,
+  CATALOG_REGISTER_ENTITY,
+  CATALOG_UPDATE_MULTIPLE,
+  CATALOG_S3_SIGN,
+
+  // From Iceberg's snapshot summary
+  SNAP_ADD_DATA_FILES,
+  SNAP_DELETE_DATA_FILES,
+  SNAP_ADD_DELETE_FILES,
+  SNAP_ADD_EQUALITY_DELETE_FILES,
+  SNAP_ADD_POSITION_DELETE_FILES,
+  SNAP_REMOVE_DELETE_FILES,
+  SNAP_REMOVE_EQUALITY_DELETE_FILES,
+  SNAP_REMOVE_POSITION_DELETE_FILES,
+  SNAP_ADDED_RECORDS,
+  SNAP_DELETED_RECORDS,
+  SNAP_ADDED_POSITION_DELETES,
+  SNAP_DELETED_POSITION_DELETES,
+  SNAP_ADDED_EQUALITY_DELETES,
+  SNAP_DELETED_EQUALITY_DELETES,
+  SNAP_REPLACE_PARTITIONS,
+  SNAP_OP_APPEND,
+  SNAP_OP_REPLACE,
+  SNAP_OP_OVERWRITE,
+  SNAP_OP_DELETE,
+}

catalog/format/iceberg/src/main/java/org/projectnessie/catalog/formats/iceberg/nessie/IcebergTableMetadataUpdateState.java

@@ -20,6 +20,7 @@
 
 import java.time.Instant;
 import java.util.ArrayList;
+import java.util.EnumSet;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
@@ -59,6 +60,7 @@ public class IcebergTableMetadataUpdateState {
   private final Set<Integer> addedSchemaIds = new HashSet<>();
   private final Set<Integer> addedSpecIds = new HashSet<>();
   private final Set<Integer> addedOrderIds = new HashSet<>();
+  private final Set<CatalogOps> catalogOps = EnumSet.noneOf(CatalogOps.class);
 
   public IcebergTableMetadataUpdateState(
       NessieTableSnapshot snapshot, ContentKey key, boolean tableExists) {
@@ -72,6 +74,14 @@ public NessieTableSnapshot.Builder builder() {
     return builder;
   }
 
+  public void addCatalogOp(CatalogOps op) {
+    catalogOps.add(op);
+  }
+
+  public Set<CatalogOps> catalogOps() {
+    return catalogOps;
+  }
+
   public NessieTableSnapshot snapshot() {
     return snapshot;
   }

catalog/format/iceberg/src/main/java/org/projectnessie/catalog/formats/iceberg/nessie/IcebergViewMetadataUpdateState.java

@@ -19,6 +19,7 @@
 
 import java.time.Instant;
 import java.util.ArrayList;
+import java.util.EnumSet;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
@@ -50,6 +51,7 @@ public class IcebergViewMetadataUpdateState {
   private final List<IcebergSnapshot> addedSnapshots = new ArrayList<>();
   private final Set<Integer> addedSchemaIds = new HashSet<>();
   private final Set<Long> addedVersionIds = new HashSet<>();
+  private final Set<CatalogOps> catalogOps = EnumSet.noneOf(CatalogOps.class);
 
   public IcebergViewMetadataUpdateState(
       NessieViewSnapshot snapshot, ContentKey key, boolean viewExists) {
@@ -63,6 +65,14 @@ public NessieViewSnapshot.Builder builder() {
     return builder;
   }
 
+  public void addCatalogOp(CatalogOps op) {
+    catalogOps.add(op);
+  }
+
+  public Set<CatalogOps> catalogOps() {
+    return catalogOps;
+  }
+
   public NessieViewSnapshot snapshot() {
     return snapshot;
   }