Add Lakeformation doc

Author: svdimchenko

.gitignore

@@ -28,3 +28,7 @@ yarn-error.log*
 /static/feeds/atom.xml
 /static/feeds/rss.json
 /static/feeds/rss.xml
+
+# IDE
+.idea
+.vscode

dbt-athena-versions.js

@@ -23,9 +23,15 @@ exports.versionedPages = [
     firstVersion: "1.4.1",
     lastVersion: "1.4",
   },
-    {
-    page: "docs/configuration/contract",
-    firstVersion: "1.5.0",
+  {
+    page: "docs/configuration/contract-constraints",
+    firstVersion: "1.5.1",
+    lastVersion: "1.5",
+  },
+  {
+    page: "docs/configuration/lakeformation",
+    firstVersion: "1.5.1",
+    lastVersion: "1.5",
   },
 ];
 

docs/docs/configuration/lakeformation.md

@@ -0,0 +1,136 @@
+---
+title: "Lakeformation"
+id: lakeformation
+---
+
+## Tags
+The adapter implements AWS Lakeformation tags management in the following way:
+- you can enable or disable lf-tags management via [config](./table-configuration) (disabled by default). 
+Here are config examples:
+
+`model_config.sql`:
+```sql
+{{
+  config(
+    materialized='incremental',
+    incremental_strategy='append',
+    on_schema_change='append_new_columns',
+    table_type='iceberg',
+    schema='test_schema',
+    lf_tags_config={
+          'enabled': true,
+          'tags': {
+            'tag1': 'value1',
+            'tag2': 'value2'
+          },
+          'tags_columns': {
+            'tag1': {
+              'value1': ['column1', 'column2'],
+              'value2': ['column3', 'column4']
+            }
+          }
+    }
+  )
+}}
+```
+
+`dbt_project.yml`:
+```yaml
+  +lf_tags_config:
+    enabled: true
+    tags:
+      tag1: value1
+      tag2: value2
+    tags_columns:
+      tag1:
+        value1: [ column1, column2 ]
+```
+
+- once you enable the feature, lf-tags will be updated on every dbt run
+- first, all lf-tags for **columns** are removed to avoid inheritance issues
+- then all redundant lf-tags are removed from **table** and actual tags from config are applied
+- finally, lf-tags for **columns** are applied
+
+:::info
+
+It's important to understand the following points:
+- dbt does not manage lf-tags for database
+- dbt does not manage lakeformation permissions
+
+That's why you should handle this by yourself manually or using some automation tools like terraform, AWS CDK etc.  
+You may find the following links useful to manage that:
+- [terraform aws_lakeformation_permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lakeformation_permissions)
+- [terraform aws_lakeformation_resource_lf_tags](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lakeformation_resource_lf_tags)
+
+:::
+
+## Data Cell Filters
+The adapter implements AWS Lakeformation Data Cell Filters management in the following way.  
+`model_config.sql`:
+```sql
+{{
+    config(
+    materialized='incremental',
+    incremental_strategy='append',
+    on_schema_change='append_new_columns',
+    table_type='iceberg',
+    schema='test_schema',
+    lf_grants={
+          'data_cell_filters': {
+              'enabled': True | False,
+              'filters': {
+                  'filter_name': {
+                      'row_filter': '<filter_condition>',
+                      'principals': ['principal_arn1', 'principal_arn2']
+                  }
+              }
+          }
+      }
+}}
+```
+
+or more advanced example for `dbt_project.yml`
+```yaml
+models:
+    directory:
+      +schema: your_schema
+      +materialized: incremental
+      +on_schema_change: sync_all_columns
+      model1:
+        +lf_grants: &default_rls
+          data_cell_filters:
+            enabled: true
+            filters:
+              name1:
+                row_filter: "field1 = 'value1'"
+                principals:
+                  - "role1_arn"
+                  - "role2_arn"
+              name2:
+                row_filter: "field1 = 'value2'"
+                principals:
+                  - "role3_arn"
+                  - "role4_arn"
+      model2:
+        +lf_grants: *default_rls  # reuse previously defined config
+```
+
+- Data cell filters management can't be automated outside dbt because the filter can't be attached to the table
+which doesn't exist.  
+- Once you `enable` this config, dbt will set all filters and their permissions during every dbt run.  
+- Such approach keeps the actual state of row level security configuration actual after every dbt run and
+applies changes if they occur: drop, create, update filters and their permissions.
+
+:::caution
+
+It's important to understand that LF permissions work like `union`.  
+Let's imagine this scenario:
+- Table X has tag `domain=foo`
+- Role A has `select` permission for tables with `domain=foo`
+- We add a data cell filter for a column in table X and then grant permissions to role A
+
+In this case, tag permissions are the ones considered, and cell-level permissions are totally ignored. 
+This means that this data cell filters management feature implies that you should use permissions for specific tables 
+which don't have already tag-level permissions in that specific database or table.
+
+:::

docs/docs/configuration/table-configuration.md

@@ -6,8 +6,8 @@ id: table-configuration
 ## Model configuration
 
 | Property            | Description                                                                                                                                                                                                                                                     | Default               |
-| ------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
-| `materialized`      | A table materialization like `table`, `incremental`, [`table_hive_ha`](docs/configuration/materializations/hive-ha)                                                                                                                                             |
+|---------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|
+| `materialized`      | A table materialization like `table`, `incremental`, [`table_hive_ha`](./materializations/hive-ha)                                                                                                                                                              |                       |
 | `s3_data_naming`    | An optional naming policy for the data on S3. See [Table data location](#table-data-location).                                                                                                                                                                  | `schema_table_unique` |
 | `external_location` | If set, the full S3 path in which the table will be saved. (Does not work with Iceberg table).                                                                                                                                                                  | `none`                |
 | `partitioned_by`    | An array list of columns by which the table will be partitioned. ⚠️ [Limited to the creation of 100 partitions](https://docs.aws.amazon.com/athena/latest/ug/ctas-considerations-limitations.html#ctas-considerations-limitations-partition-and-bucket-limits). | `none`                |
@@ -18,12 +18,12 @@ id: table-configuration
 | `write_compression` | The compression type to use for any storage format that allows compression to be specified. To see which options are available, see [CREATE TABLE AS](https://docs.aws.amazon.com/athena/latest/ug/create-table-as.html). Example: `SNAPPY`.                    | `none`                |
 | `field_delimiter`   | Custom field delimiter. Used when the format is set to `TEXTFILE`. See [CREATE TABLE AS](https://docs.aws.amazon.com/athena/latest/ug/create-table-as.html). Example: `','`                                                                                     | `none`                |
 | `table_properties`  | Additional table properties to add to the table. Valid for Iceberg only. Example: `{'optimize_rewrite_delete_file_threshold': '2'}`                                                                                                                             | `none`                |
-| `lf_tags`           | Lake Formation tags for metadata access control, to associate to the table. Example: `{"tag1":{"tag1": "value1", "tag2": "value2"}`                                                                                                                             | `none`                |
-| `lf_tags_columns`   | Lake Formation tags for metadata access control, to associate to columns. Example: `{"tag1": {"value1": ["column1": "column2"]}}`                                                                                                                               | `none`                |
+| `lf_tags_config`    | Lake Formation tags for metadata access control, to associate to the table. See detailed instructions [here](./lakeformation)                                                                                                                                   | `none`                |
+| `lf_grants`         | Lake Formation tags for metadata access control, to associate to columns. See detailed instructions [here](./lakeformation)                                                                                                                                     | `none`                |
 
 ## Table data location
 
-The S3 location in which table data is saved, is determined by:
+The S3 location in which table data is saved is determined by:
 
 1. If `external_location` is defined, that value is used.
 2. If `s3_data_dir` is defined, the path is determined by this value and `s3_data_naming`.

sidebars.js

@@ -38,6 +38,8 @@ const sidebarSettings = {
         },
         "docs/configuration/seeds",
         "docs/configuration/snapshots",
+        "docs/configuration/contract-constraints",
+        "docs/configuration/lakeformation",
       ],
     },