[feature] support row policy filter (apache#9206)

docs/.vuepress/sidebar/en.js

@@ -633,6 +633,7 @@ module.exports = [
                   "CREATE-FUNCTION",
                   "CREATE-INDEX",
                   "CREATE-MATERIALIZED-VIEW",
+                  "CREATE-POLICY",
                   "CREATE-RESOURCE",
                   "CREATE-SQL-BLOCK-RULE",
                   "CREATE-TABLE-LIKE",

docs/.vuepress/sidebar/zh-CN.js

@@ -633,6 +633,7 @@ module.exports = [
                   "CREATE-FUNCTION",
                   "CREATE-INDEX",
                   "CREATE-MATERIALIZED-VIEW",
+                  "CREATE-POLICY",
                   "CREATE-RESOURCE",
                   "CREATE-SQL-BLOCK-RULE",
                   "CREATE-TABLE-LIKE",

docs/en/sql-manual/sql-reference/Data-Definition-Statements/Create/CREATE-POLICY.md

@@ -0,0 +1,84 @@
+---
+{
+    "title": "CREATE-POLICY",
+    "language": "en"
+}
+---
+
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+## CREATE-POLICY
+
+### Name
+
+CREATE POLICY
+
+### Description
+
+Create security policies and explain to view the rewritten SQL.
+
+#### 行安全策略
+grammar：
+
+```sql
+CREATE ROW POLICY test_row_policy_1 ON test.table1 
+AS {RESTRICTIVE|PERMISSIVE} TO test USING (id in (1, 2));
+```
+
+illustrate：
+
+- filterType：It is usual to constrict a set of policies through AND. PERMISSIVE to constrict a set of policies through OR
+- Configure multiple policies. First, merge the RESTRICTIVE policy with the PERMISSIVE policy
+- It is connected with AND between RESTRICTIVE AND PERMISSIVE
+- It cannot be created for users root and admin
+
+### Example
+
+1. Create a set of row security policies
+
+   ```sql
+   CREATE ROW POLICY test_row_policy_1 ON test.table1 
+   AS RESTRICTIVE TO test USING (c1 = 'a');
+   ```
+   ```sql
+   CREATE ROW POLICY test_row_policy_2 ON test.table1 
+   AS RESTRICTIVE TO test USING (c2 = 'b');
+   ```
+   ```sql
+   CREATE ROW POLICY test_row_policy_3 ON test.table1 
+   AS PERMISSIVE TO test USING (c3 = 'c');
+   ```
+   ```sql
+   CREATE ROW POLICY test_row_policy_3 ON test.table1 
+   AS PERMISSIVE TO test USING (c4 = 'd');
+   ```
+
+   When we execute the query on Table1, the rewritten SQL is
+
+   ```sql
+   select * from (select * from table1 where c1 = 'a' and c2 = 'b' or c3 = 'c' or c4 = 'd')
+   ```
+
+### Keywords
+
+    CREATE, POLICY
+
+### Best Practice
+

docs/zh-CN/sql-manual/sql-reference/Data-Definition-Statements/Create/CREATE-POLICY.md

@@ -0,0 +1,84 @@
+---
+{
+    "title": "CREATE-POLICY",
+    "language": "zh-CN"
+}
+---
+
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+## CREATE-POLICY
+
+### Name
+
+CREATE POLICY
+
+### Description
+
+创建安全策略，explain 可以查看改写后的 SQL。
+
+#### 行安全策略
+语法：
+
+```sql
+CREATE ROW POLICY test_row_policy_1 ON test.table1 
+AS {RESTRICTIVE|PERMISSIVE} TO test USING (id in (1, 2));
+```
+
+参数说明：
+
+- filterType：RESTRICTIVE 将一组策略通过 AND 连接, PERMISSIVE 将一组策略通过 OR 连接
+- 配置多个策略首先合并 RESTRICTIVE 的策略，再添加 PERMISSIVE 的策略
+- RESTRICTIVE 和 PERMISSIVE 之间通过 AND 连接的
+- 不允许对 root 和 admin 用户创建
+
+### Example
+
+1. 创建一组行安全策略
+
+   ```sql
+   CREATE ROW POLICY test_row_policy_1 ON test.table1 
+   AS RESTRICTIVE TO test USING (c1 = 'a');
+   ```
+   ```sql
+   CREATE ROW POLICY test_row_policy_2 ON test.table1 
+   AS RESTRICTIVE TO test USING (c2 = 'b');
+   ```
+   ```sql
+   CREATE ROW POLICY test_row_policy_3 ON test.table1 
+   AS PERMISSIVE TO test USING (c3 = 'c');
+   ```
+   ```sql
+   CREATE ROW POLICY test_row_policy_3 ON test.table1 
+   AS PERMISSIVE TO test USING (c4 = 'd');
+   ```
+
+   当我们执行对 table1 的查询时被改写后的 sql 为
+
+   ```sql
+   select * from (select * from table1 where c1 = 'a' and c2 = 'b' or c3 = 'c' or c4 = 'd')
+   ```
+
+### Keywords
+
+    CREATE, POLICY
+
+### Best Practice
+

docs/zh-CN/sql-manual/sql-reference/Data-Definition-Statements/Drop/DROP-POLICY.md

@@ -0,0 +1,64 @@
+---
+{
+    "title": "DROP-POLICY",
+    "language": "zh-CN"
+}
+---
+
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+## DROP-POLICY
+
+### Name
+
+DROP POLICY
+
+### Description
+
+删除安全策略
+
+#### 行安全策略
+
+语法：
+
+```sql
+DROP ROW POLICY test_row_policy_1 on table1 [FOR user];
+```
+
+### Example
+
+1. 删除 table1 的 test_row_policy_1
+
+   ```sql
+   DROP ROW POLICY test_row_policy_1 on table1
+   ```
+
+2. 删除 table1 作用于 test 的 test_row_policy_1 行安全策略
+
+   ```sql
+   DROP ROW POLICY test_row_policy_1 on table1 for test
+   ```
+
+### Keywords
+
+    DROP, POLICY
+
+### Best Practice
+

docs/zh-CN/sql-manual/sql-reference/Show-Statements/SHOW-POLICY.md

@@ -0,0 +1,79 @@
+---
+{
+    "title": "SHOW-ROW-POLICY",
+    "language": "zh-CN"
+}
+---
+
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+## SHOW-POLICY
+
+### Name
+
+SHOW ROW POLICY
+
+### Description
+
+查看当前 DB 下的行安全策略
+
+语法：
+
+```sql
+SHOW ROW POLICY [FOR user]
+```
+
+### Example
+
+1. 查看所有安全策略。
+
+    ```sql
+    mysql> SHOW ROW POLICY;
+    +-------------------+----------------------+-----------+------+-------------+-------------------+------+-------------------------------------------------------------------------------------------------------------------------------------------+
+    | PolicyName        | DbName               | TableName | Type | FilterType  | WherePredicate    | User | OriginStmt                                                                                                                                |
+    +-------------------+----------------------+-----------+------+-------------+-------------------+------+-------------------------------------------------------------------------------------------------------------------------------------------+
+    | test_row_policy_1 | default_cluster:test | table1    | ROW  | RESTRICTIVE | `id` IN (1, 2)    | root | /* ApplicationName=DataGrip 2021.3.4 */ CREATE ROW POLICY test_row_policy_1 ON test.table1 AS RESTRICTIVE TO root USING (id in (1, 2));
+    |
+    | test_row_policy_2 | default_cluster:test | table1    | ROW  | RESTRICTIVE | `col1` = 'col1_1' | root | /* ApplicationName=DataGrip 2021.3.4 */ CREATE ROW POLICY test_row_policy_2 ON test.table1 AS RESTRICTIVE TO root USING (col1='col1_1');
+    |
+    +-------------------+----------------------+-----------+------+-------------+-------------------+------+-------------------------------------------------------------------------------------------------------------------------------------------+
+    2 rows in set (0.00 sec)
+    ```
+
+2. 指定用户名查询
+
+    ```sql
+    mysql> SHOW ROW POLICY FOR test;
+    +-------------------+----------------------+-----------+------+------------+-------------------+----------------------+------------------------------------------------------------------------------------------------------------------------------------------+
+    | PolicyName        | DbName               | TableName | Type | FilterType | WherePredicate    | User                 | OriginStmt                                                                                                                               |
+    +-------------------+----------------------+-----------+------+------------+-------------------+----------------------+------------------------------------------------------------------------------------------------------------------------------------------+
+    | test_row_policy_3 | default_cluster:test | table1    | ROW  | PERMISSIVE | `col1` = 'col1_2' | default_cluster:test | /* ApplicationName=DataGrip 2021.3.4 */ CREATE ROW POLICY test_row_policy_3 ON test.table1 AS PERMISSIVE TO test USING (col1='col1_2');
+    |
+    +-------------------+----------------------+-----------+------+------------+-------------------+----------------------+------------------------------------------------------------------------------------------------------------------------------------------+
+    1 row in set (0.01 sec)
+    ```
+
+
+### Keywords
+
+    SHOW, POLICY
+
+### Best Practice
+

docs/zh-CN/sql-manual/sql-reference/Show-Statements/SHOW-SQL-BLOCK-RULE.md

@@ -55,7 +55,7 @@ SHOW SQL_BLOCK_RULE [FOR RULE_NAME];
     2 rows in set (0.01 sec)
     ```
 
-2. 制定规则名查询
+2. 指定规则名查询
 
     ```sql
     mysql> SHOW SQL_BLOCK_RULE FOR test_rule2;

fe/fe-common/src/main/java/org/apache/doris/common/FeMetaVersion.java

@@ -36,8 +36,10 @@ public final class FeMetaVersion {
     public static final int VERSION_107 = 107;
     // add storage_cold_medium and remote_storage_resource_name in DataProperty
     public static final int VERSION_108 = 108;
+    // add row policy
+    public static final int VERSION_109 = 109;
     // note: when increment meta version, should assign the latest version to VERSION_CURRENT
-    public static final int VERSION_CURRENT = VERSION_108;
+    public static final int VERSION_CURRENT = VERSION_109;
 
     // all logs meta version should >= the minimum version, so that we could remove many if clause, for example
     // if (FE_METAVERSION < VERSION_94) ...