From 60ae1265eac4f546d93b9dd10d3527d07d04f6ce Mon Sep 17 00:00:00 2001 From: Joe Lodin Date: Tue, 18 Jan 2022 16:41:17 -0500 Subject: [PATCH] Add authorization check options to iceberg doc --- docs/src/main/sphinx/connector/iceberg.rst | 30 ++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/docs/src/main/sphinx/connector/iceberg.rst b/docs/src/main/sphinx/connector/iceberg.rst index c78a0fd7940a..4a259828a88d 100644 --- a/docs/src/main/sphinx/connector/iceberg.rst +++ b/docs/src/main/sphinx/connector/iceberg.rst @@ -80,6 +80,36 @@ At a minimum, ``hive.metastore.uri`` must be configured: - Maximum number of partitions handled per writer. - 100 +.. _iceberg-authorization: + +Authorization checks +^^^^^^^^^^^^^^^^^^^^ + +You can enable authorization checks for the connector by setting +the ``iceberg.security`` property in the catalog properties file. This +property must be one of the following values: + +.. list-table:: Iceberg security values + :widths: 30, 60 + :header-rows: 1 + + * - Property value + - Description + * - ``ALLOW_ALL`` + - No authorization checks are enforced. + * - ``SYSTEM`` + - The connector relies on system-level access control. + * - ``READ_ONLY`` + - Operations that read data or metadata, such as :doc:`/sql/select` are + permitted. No operations that write data or metadata, such as + :doc:`/sql/create-table`, :doc:`/sql/insert`, or :doc:`/sql/delete` are + allowed. + * - ``FILE`` + - Authorization checks are enforced using a configuration file whose path + is specified in the ``security.config-file`` catalog configuration + property. See :ref:`hive-file-based-authorization` for information on + the authorzation configuration file. + .. _iceberg-sql-support: SQL support
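Review bot: In the ``FILE`` row of the new list-table, "authorzation configuration file" is misspelled and should read "authorization configuration file". In the ``READ_ONLY`` row, the aside "such as :doc:`/sql/select`" needs a closing comma before "are permitted", and likewise after :doc:`/sql/delete` before "are allowed". The section also lists the four accepted values without saying which one applies when ``iceberg.security`` is not set. Since ``ALLOW_ALL`` is described as enforcing no authorization checks, please state the default explicitly so that readers can tell whether a catalog configured without this property performs any checks.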