Catalog tenancy sounds like an admin setting until one catalog starts serving every team, engine, warehouse, and agent.

Tenancy is an architecture boundary

A shared catalog needs clear tenancy long before the platform feels large. The hard question is not only who can see a table. It is which catalog, namespace, warehouse, storage credential, role, and audit trail owns the table relationship.

Apache Polaris sits in the Iceberg REST catalog path, so its boundaries matter. If those boundaries are too broad, every engine and workflow inherits the same accidental trust zone. If they are too narrow, teams rebuild the same catalog pattern over and over.

Polaris gives catalog primitives

Polaris documentation describes catalogs, namespaces, principals, principal roles, catalog roles, privileges, and security controls. Those are the building blocks for tenancy, but they still need an operating model.

Core idea: catalog tenancy is not a naming convention. It is the contract that decides where ownership, policy, storage, and audit evidence begin and end.

Where the boundary belongs

Use catalogs for major control boundaries, such as environment, business domain, regulatory scope, or platform ownership. Use namespaces for data product grouping and local ownership. Use roles for operational access. Use external policy only when request context matters beyond static grants.

For related ODI context, read Polaris namespace ownership models, Polaris policy-as-code controls, and catalogs as the ODI control plane.

What breaks first

  • Every team shares one catalog because it was easier during setup.
  • Namespaces imply ownership, but warehouse credentials cross the boundary.
  • Service principals receive broad access because the role model is not reviewed.
  • Audit records show a catalog action but not the tenant context that justified it.

Tenancy review questions

Ask which catalog owns the table, which namespace owns the data product, which warehouse owns storage, which identity owns access, and which log owns the decision. If those answers disagree, the tenant boundary is already leaking.

Sources to start with

These primary sources anchor the technical claims in this guide.

A catalog boundary that nobody can explain will eventually become a production boundary that nobody can defend.