feat(meta): prevent dropping in-use security policies

- raise constraint errors when masking/row access policies remain bound to tables
- introduce dedicated masking/row-access policy error types and surface them via APIs
- extend SQL logic tests to cover drop failures for active policies

Author: TCeason

src/meta/api/src/data_mask_api.rs

@@ -21,6 +21,7 @@ use databend_common_meta_app::tenant::Tenant;
 use databend_common_meta_types::MetaError;
 use databend_common_meta_types::SeqV;
 
+use crate::errors::MaskingPolicyError;
 use crate::kv_app_error::KVAppError;
 
 #[async_trait::async_trait]
@@ -35,7 +36,7 @@ pub trait DatamaskApi: Send + Sync {
     async fn drop_data_mask(
         &self,
         name_ident: &DataMaskNameIdent,
-    ) -> Result<Option<(SeqV<DataMaskId>, SeqV<DatamaskMeta>)>, KVAppError>;
+    ) -> Result<Option<(SeqV<DataMaskId>, SeqV<DatamaskMeta>)>, MaskingPolicyError>;
 
     async fn get_data_mask(
         &self,

src/meta/api/src/data_mask_api_impl.rs

@@ -19,20 +19,28 @@ use databend_common_meta_app::data_mask::DataMaskId;
 use databend_common_meta_app::data_mask::DataMaskIdIdent;
 use databend_common_meta_app::data_mask::DataMaskNameIdent;
 use databend_common_meta_app::data_mask::DatamaskMeta;
+use databend_common_meta_app::data_mask::MaskPolicyIdTableId;
+use databend_common_meta_app::data_mask::MaskPolicyTableIdIdent;
 use databend_common_meta_app::data_mask::MaskPolicyTableIdListIdent;
 use databend_common_meta_app::data_mask::MaskpolicyTableIdList;
 use databend_common_meta_app::id_generator::IdGenerator;
 use databend_common_meta_app::schema::CreateOption;
+use databend_common_meta_app::schema::TableId;
+use databend_common_meta_app::schema::TableMeta;
 use databend_common_meta_app::tenant::Tenant;
 use databend_common_meta_app::KeyWithTenant;
 use databend_common_meta_kvapi::kvapi;
+use databend_common_meta_kvapi::kvapi::DirName;
 use databend_common_meta_types::MetaError;
 use databend_common_meta_types::SeqV;
 use databend_common_meta_types::TxnRequest;
 use fastrace::func_name;
 use log::debug;
 
 use crate::data_mask_api::DatamaskApi;
+use crate::errors::MaskingPolicyError;
+use crate::errors::SecurityPolicyError;
+use crate::errors::SecurityPolicyKind;
 use crate::fetch_id;
 use crate::kv_app_error::KVAppError;
 use crate::kv_pb_api::KVPbApi;
@@ -135,12 +143,16 @@ impl<KV: kvapi::KVApi<Error = MetaError>> DatamaskApi for KV {
     async fn drop_data_mask(
         &self,
         name_ident: &DataMaskNameIdent,
-    ) -> Result<Option<(SeqV<DataMaskId>, SeqV<DatamaskMeta>)>, KVAppError> {
+    ) -> Result<Option<(SeqV<DataMaskId>, SeqV<DatamaskMeta>)>, MaskingPolicyError> {
         debug!(name_ident :? =(name_ident); "DatamaskApi: {}", func_name!());
 
         let mut trials = txn_backoff(None, func_name!());
         loop {
-            trials.next().unwrap()?.await;
+            trials
+                .next()
+                .unwrap()
+                .map_err(MaskingPolicyError::from)?
+                .await;
             let mut txn = TxnRequest::default();
 
             let res = self.get_id_and_value(name_ident).await?;
@@ -150,10 +162,33 @@ impl<KV: kvapi::KVApi<Error = MetaError>> DatamaskApi for KV {
                 return Ok(None);
             };
 
+            let policy_id = *seq_id.data;
+            let usage = collect_mask_policy_usage(self, name_ident.tenant(), policy_id).await?;
+            if !usage.active_tables.is_empty() {
+                let tenant = name_ident.tenant().tenant_name().to_string();
+                let policy_name = name_ident.data_mask_name().to_string();
+                let err = SecurityPolicyError::policy_in_use(
+                    tenant,
+                    SecurityPolicyKind::Masking,
+                    policy_name,
+                );
+                return Err(err.into());
+            }
+
             let id_ident = seq_id.data.into_t_ident(name_ident.tenant());
 
             txn_delete_exact(&mut txn, name_ident, seq_id.seq);
             txn_delete_exact(&mut txn, &id_ident, seq_meta.seq);
+            for binding in &usage.stale_bindings {
+                txn_delete_exact(&mut txn, &binding.ident, binding.seq);
+            }
+            for update in &usage.table_updates {
+                txn.condition
+                    .push(txn_cond_eq_seq(&update.table_id, update.seq));
+                let op = txn_op_put_pb(&update.table_id, &update.meta, None)
+                    .map_err(|e| MaskingPolicyError::from(MetaError::from(e)))?;
+                txn.if_then.push(op);
+            }
             // TODO: Tentative retention for compatibility MaskPolicyTableIdListIdent related logic. It can be directly deleted later
             clear_table_column_mask_policy(self, name_ident, &mut txn).await?;
             let (succ, _responses) = send_txn(self, txn).await?;
@@ -195,7 +230,7 @@ async fn clear_table_column_mask_policy(
     kv_api: &(impl kvapi::KVApi<Error = MetaError> + ?Sized),
     name_ident: &DataMaskNameIdent,
     txn: &mut TxnRequest,
-) -> Result<(), MetaError> {
+) -> Result<(), MaskingPolicyError> {
     let id_list_key = MaskPolicyTableIdListIdent::new_from(name_ident.clone());
 
     let seq_id_list = kv_api.get_pb(&id_list_key).await?;
@@ -207,3 +242,95 @@ async fn clear_table_column_mask_policy(
     txn_delete_exact(txn, &id_list_key, seq_id_list.seq);
     Ok(())
 }
+
+#[derive(Default)]
+struct MaskPolicyUsage {
+    active_tables: Vec<u64>,
+    stale_bindings: Vec<BindingEntry>,
+    table_updates: Vec<TableMetaUpdate>,
+}
+
+struct BindingEntry {
+    ident: MaskPolicyTableIdIdent,
+    seq: u64,
+}
+
+struct TableMetaUpdate {
+    table_id: TableId,
+    seq: u64,
+    meta: TableMeta,
+}
+
+fn strip_mask_policy_from_table_meta(table_meta: &mut TableMeta, policy_id: u64) -> bool {
+    let mut removed = false;
+    table_meta
+        .column_mask_policy_columns_ids
+        .retain(|_, policy| {
+            let keep = policy.policy_id != policy_id;
+            if !keep {
+                removed = true;
+            }
+            keep
+        });
+
+    if removed {
+        table_meta.column_mask_policy = None;
+    }
+
+    removed
+}
+
+async fn collect_mask_policy_usage(
+    kv_api: &(impl kvapi::KVApi<Error = MetaError> + ?Sized),
+    tenant: &Tenant,
+    policy_id: u64,
+) -> Result<MaskPolicyUsage, MaskingPolicyError> {
+    let binding_prefix = DirName::new(MaskPolicyTableIdIdent::new_generic(
+        tenant.clone(),
+        MaskPolicyIdTableId {
+            policy_id,
+            table_id: 0,
+        },
+    ));
+    let bindings = kv_api
+        .list_pb_vec(&binding_prefix)
+        .await
+        .map_err(MaskingPolicyError::from)?;
+
+    let mut usage = MaskPolicyUsage::default();
+    for (binding_ident, seqv) in bindings {
+        let table_id = binding_ident.name().table_id;
+        let table_key = TableId::new(table_id);
+        match kv_api
+            .get_pb(&table_key)
+            .await
+            .map_err(MaskingPolicyError::from)?
+        {
+            Some(mut table_meta_seqv) => {
+                if table_meta_seqv.data.drop_on.is_none() {
+                    usage.active_tables.push(table_id);
+                } else {
+                    if strip_mask_policy_from_table_meta(&mut table_meta_seqv.data, policy_id) {
+                        usage.table_updates.push(TableMetaUpdate {
+                            table_id: table_key,
+                            seq: table_meta_seqv.seq,
+                            meta: table_meta_seqv.data.clone(),
+                        });
+                    }
+                    usage.stale_bindings.push(BindingEntry {
+                        ident: binding_ident,
+                        seq: seqv.seq,
+                    });
+                }
+            }
+            None => {
+                usage.stale_bindings.push(BindingEntry {
+                    ident: binding_ident,
+                    seq: seqv.seq,
+                });
+            }
+        }
+    }
+
+    Ok(usage)
+}

src/meta/api/src/errors.rs

@@ -13,7 +13,11 @@
 // limitations under the License.
 
 use databend_common_exception::ErrorCode;
+use databend_common_meta_app::app_error::AppErrorMessage;
+use databend_common_meta_app::app_error::TxnRetryMaxTimes;
 use databend_common_meta_app::principal::AutoIncrementKey;
+use databend_common_meta_types::InvalidArgument;
+use databend_common_meta_types::MetaError;
 
 /// Table logic error, unrelated to the backend service providing Table management, or dependent component.
 #[derive(Clone, Debug, thiserror::Error)]
@@ -39,6 +43,104 @@ impl From<TableError> for ErrorCode {
     }
 }
 
+#[derive(Clone, Debug, PartialEq, Eq)]
+pub enum SecurityPolicyKind {
+    Masking,
+    RowAccess,
+}
+
+impl std::fmt::Display for SecurityPolicyKind {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        match self {
+            SecurityPolicyKind::Masking => write!(f, "MASKING POLICY"),
+            SecurityPolicyKind::RowAccess => write!(f, "ROW ACCESS POLICY"),
+        }
+    }
+}
+
+/// Security policy related business error.
+#[derive(Clone, Debug, thiserror::Error)]
+pub enum SecurityPolicyError {
+    #[error(
+        "{policy_kind} `{policy_name}` is still in use. Unset it from all tables before dropping."
+    )]
+    PolicyInUse {
+        tenant: String,
+        policy_kind: SecurityPolicyKind,
+        policy_name: String,
+    },
+}
+
+impl SecurityPolicyError {
+    pub fn policy_in_use(
+        tenant: impl Into<String>,
+        policy_kind: SecurityPolicyKind,
+        policy_name: impl Into<String>,
+    ) -> Self {
+        Self::PolicyInUse {
+            tenant: tenant.into(),
+            policy_kind,
+            policy_name: policy_name.into(),
+        }
+    }
+}
+
+impl From<SecurityPolicyError> for ErrorCode {
+    fn from(value: SecurityPolicyError) -> Self {
+        let s = value.to_string();
+        match value {
+            SecurityPolicyError::PolicyInUse { .. } => ErrorCode::ConstraintError(s),
+        }
+    }
+}
+
+impl From<SecurityPolicyError> for InvalidArgument {
+    fn from(value: SecurityPolicyError) -> Self {
+        let msg = value.to_string();
+        InvalidArgument::new(value, msg)
+    }
+}
+
+#[derive(Clone, Debug, thiserror::Error)]
+pub enum MaskingPolicyError {
+    #[error(transparent)]
+    TxnRetry(#[from] TxnRetryMaxTimes),
+    #[error(transparent)]
+    Meta(#[from] MetaError),
+    #[error(transparent)]
+    PolicyInUse(#[from] SecurityPolicyError),
+}
+
+impl From<MaskingPolicyError> for ErrorCode {
+    fn from(value: MaskingPolicyError) -> Self {
+        match value {
+            MaskingPolicyError::TxnRetry(err) => ErrorCode::TxnRetryMaxTimes(err.message()),
+            MaskingPolicyError::Meta(err) => ErrorCode::from(err),
+            MaskingPolicyError::PolicyInUse(err) => err.into(),
+        }
+    }
+}
+
+#[derive(Clone, Debug, thiserror::Error)]
+pub enum RowAccessPolicyError {
+    #[error(transparent)]
+    TxnRetry(#[from] TxnRetryMaxTimes),
+    #[error(transparent)]
+    Meta(#[from] MetaError),
+    #[error(transparent)]
+    PolicyInUse(#[from] SecurityPolicyError),
+}
+
+impl From<RowAccessPolicyError> for ErrorCode {
+    fn from(value: RowAccessPolicyError) -> Self {
+        match value {
+            RowAccessPolicyError::TxnRetry(err) => ErrorCode::TxnRetryMaxTimes(err.message()),
+            RowAccessPolicyError::Meta(err) => ErrorCode::from(err),
+            RowAccessPolicyError::PolicyInUse(err) => err.into(),
+        }
+    }
+}
+
 #[derive(thiserror::Error, Debug, Clone, PartialEq, Eq)]
 pub enum AutoIncrementError {
     #[error("OutOfAutoIncrementRange: `{key}` while `{context}`")]

src/meta/api/src/lib.rs

@@ -78,6 +78,10 @@ pub use error_util::db_has_to_not_exist;
 pub use error_util::db_id_has_to_exist;
 pub use error_util::table_has_to_not_exist;
 pub use error_util::unknown_database_error;
+pub use errors::MaskingPolicyError;
+pub use errors::RowAccessPolicyError;
+pub use errors::SecurityPolicyError;
+pub use errors::SecurityPolicyKind;
 pub use garbage_collection_api::GarbageCollectionApi;
 pub use index_api::IndexApi;
 // Re-export from new kv_fetch_util module for backward compatibility

src/meta/api/src/row_access_policy_api.rs

@@ -23,6 +23,7 @@ use databend_common_meta_app::tenant_key::errors::ExistError;
 use databend_common_meta_types::MetaError;
 use databend_common_meta_types::SeqV;
 
+use crate::errors::RowAccessPolicyError;
 use crate::meta_txn_error::MetaTxnError;
 
 #[async_trait::async_trait]
@@ -40,7 +41,7 @@ pub trait RowAccessPolicyApi: Send + Sync {
     async fn drop_row_access(
         &self,
         name_ident: &RowAccessPolicyNameIdent,
-    ) -> Result<Option<(SeqV<RowAccessPolicyId>, SeqV<RowAccessPolicyMeta>)>, MetaTxnError>;
+    ) -> Result<Option<(SeqV<RowAccessPolicyId>, SeqV<RowAccessPolicyMeta>)>, RowAccessPolicyError>;
 
     async fn get_row_access(
         &self,