Use POJOs for OPA JSON schema construction and publish schema (#3031)

Co-authored-by: Robert Stupp <snazy@snazy.de>

Author: sungwy

extensions/auth/opa/impl/SCHEMA.md

@@ -0,0 +1,125 @@
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+ 
+   http://www.apache.org/licenses/LICENSE-2.0
+ 
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied.  See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+
+# OPA Input Schema Management
+
+This document describes how the OPA authorization input schema is managed in Apache Polaris.
+
+## Overview
+
+The OPA input schema follows a **schema-as-code** approach where:
+
+1. **Java model classes** (in `model/` package) are the single source of truth
+2. **JSON Schema** is automatically generated from these classes
+3. **CI validation** ensures the schema stays in sync with the code
+
+## Developer Workflow
+
+### Modifying the Schema
+
+When you need to add/modify fields in the OPA input:
+
+1. **Update the model classes** in `src/main/java/org/apache/polaris/extension/auth/opa/model/`
+   ```java
+   @PolarisImmutable
+   public interface Actor {
+     String principal();
+     List<String> roles();
+     // Add new field here
+   }
+   ```
+
+2. **Regenerate the JSON Schema**
+   ```bash
+   ./gradlew :polaris-extensions-auth-opa:generateOpaSchema
+   ```
+
+3. **Commit both changes**
+   - The updated Java files
+   - The updated `opa-input-schema.json`
+
+4. **CI will validate** that the schema matches the code
+
+### CI Validation
+
+The `validateOpaSchema` task automatically runs during `./gradlew check`:
+
+```bash
+./gradlew :polaris-extensions-auth-opa:check
+```
+
+This task:
+1. Generates schema from current code to a temp file
+2. Compares it with the committed `opa-input-schema.json`
+3. **Fails the build** if they don't match
+
+#### What happens if validation fails?
+
+You'll see an error like:
+
+```
+❌ OPA Schema validation failed!
+
+The committed opa-input-schema.json does not match the generated schema.
+This means the schema is out of sync with the model classes.
+
+To fix this, run:
+  ./gradlew :polaris-extensions-auth-opa:generateOpaSchema
+
+Then commit the updated opa-input-schema.json file.
+```
+
+Simply run the suggested command and commit the regenerated schema.
+
+## Gradle Tasks
+
+### `generateOpaSchema`
+Generates the JSON Schema from model classes.
+
+```bash
+./gradlew :polaris-extensions-auth-opa:generateOpaSchema
+```
+
+**Output**: `extensions/auth/opa/impl/opa-input-schema.json`
+
+### `validateOpaSchema`
+Validates that committed schema matches the code.
+
+```bash
+./gradlew :polaris-extensions-auth-opa:validateOpaSchema
+```
+
+**Runs automatically** as part of `:check` task.
+
+## For OPA Policy Developers
+
+The generated `opa-input-schema.json` documents the structure of authorization requests sent from Polaris to OPA.
+
+## Model Classes Reference
+
+| Class | Purpose | Key Fields |
+|-------|---------|------------|
+| `OpaRequest` | Top-level wrapper | `input` |
+| `OpaAuthorizationInput` | Complete auth context | `actor`, `action`, `resource`, `context` |
+| `Actor` | Principal information | `principal`, `roles` |
+| `Resource` | Resources being accessed | `targets`, `secondaries` |
+| `ResourceEntity` | Individual resource | `type`, `name`, `parents` |
+| `Context` | Request metadata | `request_id` |
+
+See the [model package README](src/main/java/org/apache/polaris/extension/auth/opa/model/README.md) for detailed usage examples.

extensions/auth/opa/impl/build.gradle.kts

@@ -17,11 +17,15 @@
  * under the License.
  */
 
+import java.io.OutputStream
+
 plugins {
   id("polaris-server")
   id("org.kordamp.gradle.jandex")
 }
 
+val jsonSchemaGenerator = sourceSets.create("jsonSchemaGenerator")
+
 dependencies {
   implementation(project(":polaris-core"))
   implementation(libs.apache.httpclient5)
@@ -33,6 +37,13 @@ dependencies {
   implementation(libs.auth0.jwt)
   implementation(project(":polaris-async-api"))
 
+  add(jsonSchemaGenerator.implementationConfigurationName, project(":polaris-extensions-auth-opa"))
+  add(jsonSchemaGenerator.implementationConfigurationName, platform(libs.jackson.bom))
+  add(
+    jsonSchemaGenerator.implementationConfigurationName,
+    "com.fasterxml.jackson.module:jackson-module-jsonSchema",
+  )
+
   // Iceberg dependency for ForbiddenException
   implementation(platform(libs.iceberg.bom))
   implementation("org.apache.iceberg:iceberg-api")
@@ -58,3 +69,95 @@ dependencies {
   testImplementation(project(":polaris-async-java"))
   testImplementation(project(":polaris-idgen-mocks"))
 }
+
+// Task to generate JSON Schema from model classes
+tasks.register<JavaExec>("generateOpaSchema") {
+  group = "documentation"
+  description = "Generates JSON Schema for OPA authorization input"
+
+  dependsOn(tasks.compileJava, tasks.named("jandex"))
+
+  // Only execute generation if anything changed
+  outputs.cacheIf { true }
+  outputs.file("${projectDir}/opa-input-schema.json")
+  inputs.files(jsonSchemaGenerator.runtimeClasspath)
+
+  classpath = jsonSchemaGenerator.runtimeClasspath
+  mainClass.set("org.apache.polaris.extension.auth.opa.model.OpaSchemaGenerator")
+  args("${projectDir}/opa-input-schema.json")
+}
+
+// Task to validate that the committed schema matches the generated schema
+tasks.register<JavaExec>("validateOpaSchema") {
+  group = "verification"
+  description = "Validates that the committed OPA schema matches the generated schema"
+
+  dependsOn(tasks.compileJava, tasks.named("jandex"))
+
+  val tempSchemaFile = layout.buildDirectory.file("opa-schema/opa-input-schema-generated.json")
+  val committedSchemaFile = file("${projectDir}/opa-input-schema.json")
+  val logFile = layout.buildDirectory.file("opa-schema/generator.log")
+
+  // Only execute validation if anything changed
+  outputs.cacheIf { true }
+  outputs.file(tempSchemaFile)
+  inputs.file(committedSchemaFile)
+  inputs.files(jsonSchemaGenerator.runtimeClasspath)
+
+  classpath = jsonSchemaGenerator.runtimeClasspath
+  mainClass.set("org.apache.polaris.extension.auth.opa.model.OpaSchemaGenerator")
+  args(tempSchemaFile.get().asFile.absolutePath)
+  isIgnoreExitValue = true
+
+  var outStream: OutputStream? = null
+  doFirst {
+    // Ensure temp directory exists
+    tempSchemaFile.get().asFile.parentFile.mkdirs()
+    outStream = logFile.get().asFile.outputStream()
+    standardOutput = outStream
+    errorOutput = outStream
+  }
+
+  doLast {
+    outStream?.close()
+
+    if (executionResult.get().exitValue != 0) {
+      throw GradleException(
+        """
+        |OPA Schema validation failed!
+        |
+        |${logFile.get().asFile.readText()}
+      """
+          .trimMargin()
+      )
+    }
+
+    val generatedContent = tempSchemaFile.get().asFile.readText().trim()
+    val committedContent = committedSchemaFile.readText().trim()
+
+    if (generatedContent != committedContent) {
+      throw GradleException(
+        """
+        |OPA Schema validation failed!
+        |
+        |The committed opa-input-schema.json does not match the generated schema.
+        |This means the schema is out of sync with the model classes.
+        |
+        |To fix this, run:
+        |  ./gradlew :polaris-extensions-auth-opa:generateOpaSchema
+        |
+        |Then commit the updated opa-input-schema.json file.
+        |
+        |Committed file: ${committedSchemaFile.absolutePath}
+        |Generated file: ${tempSchemaFile.get().asFile.absolutePath}
+      """
+          .trimMargin()
+      )
+    }
+
+    logger.info("OPA schema validation passed - schema is up to date")
+  }
+}
+
+// Add schema validation to the check task
+tasks.named("check") { dependsOn("validateOpaSchema") }

extensions/auth/opa/impl/opa-input-schema.json

@@ -0,0 +1,76 @@
+{
+  "type" : "object",
+  "id" : "urn:jsonschema:org:apache:polaris:extension:auth:opa:model:OpaAuthorizationInput",
+  "properties" : {
+    "actor" : {
+      "type" : "object",
+      "id" : "urn:jsonschema:org:apache:polaris:extension:auth:opa:model:Actor",
+      "required" : true,
+      "properties" : {
+        "principal" : {
+          "type" : "string",
+          "required" : true
+        },
+        "roles" : {
+          "type" : "array",
+          "items" : {
+            "type" : "string"
+          }
+        }
+      }
+    },
+    "action" : {
+      "type" : "string",
+      "required" : true
+    },
+    "resource" : {
+      "type" : "object",
+      "id" : "urn:jsonschema:org:apache:polaris:extension:auth:opa:model:Resource",
+      "required" : true,
+      "properties" : {
+        "targets" : {
+          "type" : "array",
+          "items" : {
+            "type" : "object",
+            "id" : "urn:jsonschema:org:apache:polaris:extension:auth:opa:model:ResourceEntity",
+            "properties" : {
+              "type" : {
+                "type" : "string",
+                "required" : true
+              },
+              "name" : {
+                "type" : "string",
+                "required" : true
+              },
+              "parents" : {
+                "type" : "array",
+                "items" : {
+                  "type" : "object",
+                  "$ref" : "urn:jsonschema:org:apache:polaris:extension:auth:opa:model:ResourceEntity"
+                }
+              }
+            }
+          }
+        },
+        "secondaries" : {
+          "type" : "array",
+          "items" : {
+            "type" : "object",
+            "$ref" : "urn:jsonschema:org:apache:polaris:extension:auth:opa:model:ResourceEntity"
+          }
+        }
+      }
+    },
+    "context" : {
+      "type" : "object",
+      "id" : "urn:jsonschema:org:apache:polaris:extension:auth:opa:model:Context",
+      "required" : true,
+      "properties" : {
+        "request_id" : {
+          "type" : "string",
+          "required" : true
+        }
+      }
+    }
+  }
+}