Consolidate file-based authorization docs

docs/src/main/sphinx/admin/graceful-shutdown.rst

@@ -23,9 +23,9 @@ Keep the following aspects in mind:
 * If you have HTTPS/TLS enabled, you have to ensure the worker certificate is
   CA signed, or trusted by the server calling the shut down endpoint.
   Otherwise, you can make the call ``--insecure``, but that isn't recommended.
-* If :ref:`system information rules<system_information_rules>` are configured,
-  then the user in the HTTP request must have read and write permissions in
-  the system information rules.
+* If :ref:`system information rules <system-file-auth-system_information>` are
+  configured, then the user in the HTTP request must have read and write
+  permissions in the system information rules.
 
 Shutdown behavior
 -----------------

docs/src/main/sphinx/connector/hive-security.rst

@@ -23,9 +23,10 @@ Property Value                                     Description
                                                    metadata, such as ``CREATE``, ``INSERT`` or ``DELETE``, are
                                                    allowed.
 
-``file``                                           Authorization checks are enforced using a config file specified
-                                                   by the Hive configuration property ``security.config-file``.
-                                                   See :ref:`hive-file-based-authorization` for details.
+``file``                                           Authorization checks are enforced using a catalog-level access
+                                                   control configuration file whose path is specified
+                                                   in the ``security.config-file`` catalog configuration property.
+                                                   See :ref:`catalog-file-based-access-control` for details.
 
 ``sql-standard``                                   Users are permitted to perform the operations as long as
                                                    they have the required privileges as per the SQL standard.
@@ -470,151 +471,3 @@ node.
 You should ensure that the keytab files have the correct permissions on every
 node after distributing them.
 
-.. _hive-file-based-authorization:
-
-File based authorization
-========================
-
-The config file is specified using JSON and is composed of three sections,
-each of which is a list of rules that are matched in the order specified
-in the config file. The user is granted the privileges from the first
-matching rule. All regexes default to ``.*`` if not specified.
-
-.. note::
-
-    These rules do not apply to system defined table in the ``information_schema`` schema.
-
-Schema rules
-------------
-
-These rules govern who is considered an owner of a schema.
-
-* ``user`` (optional): regex to match against user name.
-
-* ``group`` (optional): regex to match against every user group the user belongs to.
-
-* ``schema`` (optional): regex to match against schema name.
-
-* ``owner`` (required): boolean indicating ownership.
-
-Table rules
------------
-
-These rules govern the privileges granted on specific tables.
-
-* ``user`` (optional): regex to match against user name.
-
-* ``group`` (optional): regex to match against every user group the user belongs to.
-
-* ``schema`` (optional): regex to match against schema name.
-
-* ``table`` (optional): regex to match against table name.
-
-* ``privileges`` (required): zero or more of ``SELECT``, ``INSERT``,
-  ``DELETE``, ``OWNERSHIP``, ``GRANT_SELECT``.
-
-* ``columns`` (optional): list of column constraints.
-
-* ``filter`` (optional): boolean filter expression for the table.
-
-* ``filter_environment`` (optional): environment use during filter evaluation.
-
-Column constraint
-^^^^^^^^^^^^^^^^^
-
-These constraints can be used to restrict access to column data.
-
-* ``name``: name of the column.
-* ``allow`` (optional): if false, column can not be accessed.
-* ``mask`` (optional): mask expression applied to column.
-* ``mask_environment`` (optional): environment use during mask evaluation.
-
-Filter and mask environment
-^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-* ``user`` (optional): username for checking permission of subqueries in mask.
-
-Session property rules
-----------------------
-
-These rules govern who may set session properties.
-
-* ``user`` (optional): regex to match against user name.
-
-* ``group`` (optional): regex to match against every user group the user belongs to.
-
-* ``property`` (optional): regex to match against session property name.
-
-* ``allow`` (required): boolean indicating whether this session property may be set.
-
-See below for an example.
-
-.. code-block:: json
-
-    {
-      "schemas": [
-        {
-          "user": "admin",
-          "schema": ".*",
-          "owner": true
-        },
-        {
-          "group": "finance|human_resources",
-          "schema": "employees",
-          "owner": true
-        },
-        {
-          "user": "guest",
-          "owner": false
-        },
-        {
-          "schema": "default",
-          "owner": true
-        }
-      ],
-      "tables": [
-        {
-          "user": "admin",
-          "privileges": ["SELECT", "INSERT", "DELETE", "OWNERSHIP"]
-        },
-        {
-          "user": "banned_user",
-          "privileges": []
-        },
-        {
-          "schema": "hr",
-          "table": "employee",
-          "privileges": ["SELECT"],
-          "filter": "user = current_user"
-        }
-        {
-          "schema": "default",
-          "table": ".*",
-          "privileges": ["SELECT"],
-          "columns" : [
-             {
-                "name": "address",
-                "allow": false
-             },
-             {
-                "name": "ssn",
-                "mask": "'XXX-XX-' + substring(credit_card, -4)",
-                "mask_environment": {
-                  "user": "admin"
-                }
-             }
-          ]
-        }
-      ],
-      "session_properties": [
-        {
-          "property": "force_local_scheduling",
-          "allow": true
-        },
-        {
-          "user": "admin",
-          "property": "max_split_size",
-          "allow": true
-        }
-      ]
-    }

docs/src/main/sphinx/connector/hive.rst

@@ -322,7 +322,7 @@ Property Name                                      Description
 ``hive.security``                                  See :doc:`hive-security`.
 
 ``security.config-file``                           Path of config file to use when ``hive.security=file``.
-                                                   See :ref:`hive-file-based-authorization` for details.
+                                                   See :ref:`catalog-file-based-access-control` for details.
 
 ``hive.non-managed-table-writes-enabled``          Enable writes to non-managed (external) Hive tables.         ``false``
 

docs/src/main/sphinx/connector/iceberg.rst

@@ -105,10 +105,11 @@ property must be one of the following values:
       :doc:`/sql/create-table`, :doc:`/sql/insert`, or :doc:`/sql/delete` are
       allowed.
   * - ``FILE``
-    - Authorization checks are enforced using a configuration file whose path
-      is specified in the ``security.config-file`` catalog configuration
-      property. See :ref:`hive-file-based-authorization` for information on
-      the authorzation configuration file.
+    - Authorization checks are enforced using a catalog-level access control
+      configuration file whose path is specified in the ``security.config-file``
+      catalog configuration property. See
+      :ref:`catalog-file-based-access-control` for information on the
+      authorzation configuration file.
 
 .. _iceberg-sql-support:
 

docs/src/main/sphinx/release/release-330.rst

@@ -39,11 +39,11 @@ Server
 Security
 --------
 
-* :ref:`principal_rules` are deprecated and will be removed in a future release.
+* :ref:`system-file-auth-principal-rules` are deprecated and will be removed in a future release.
   These rules have been replaced with :doc:`/security/user-mapping`, which
   specifies how a complex authentication user name is mapped to a simple
-  user name for Presto, and :ref:`impersonation_rules` which control the ability
-  of a user to impersonate another user. (:issue:`2215`)
+  user name for Presto, and :ref:`system-file-auth-impersonation-rules` which
+  control the ability of a user to impersonate another user. (:issue:`2215`)
 * A shared secret is now required when using :doc:`/security/internal-communication`. (:issue:`2202`)
 * Kerberos for :doc:`/security/internal-communication` has been replaced with the new shared secret mechanism.
   The ``internal-communication.kerberos.enabled`` and ``internal-communication.kerberos.use-canonical-hostname``

docs/src/main/sphinx/release/release-337.rst

@@ -29,7 +29,9 @@ Security
 * Disable insecure authentication over HTTP by default when HTTPS with authentication is enabled. This
   can be overridden via the ``http-server.authentication.allow-insecure-over-http`` configuration property. (:issue:`4199`)
 * Add support for insecure authentication over HTTPS to the Web UI. (:issue:`4199`)
-* Add :ref:`system_information_rules` which control the ability of a user to access to read and write system management information. (:issue:`4199`)
+* Add :ref:`system-file-auth-system_information` which control the ability of a
+  user to access to read and write system management information.
+  (:issue:`4199`)
 * Disable user impersonation in default system security. (:issue:`4082`)
 
 Elasticsearch connector