You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
@@ -105,137 +105,30 @@ I.e. there should be an abstraction over resources such as Trino tables, Superse
105
105
106
106
We should decide on a general authorization model, what we want it to look like to the user and also have a rough idea of how it will be implemented.
107
107
108
-
== RBAC vs ReBAC
108
+
== Proposed design
109
109
110
-
_RBAC_ is the default choice for authorization models, as it is widely known an understood already, and simple to implement and understand.
111
-
Kubernetes itself uses RBAC with Role, ClusterRole, RoleBinding etc..
110
+
=== Stackable Rego rule library
112
111
113
-
In RBAC it is difficult to give one-of permissions to individual users, since permissions are always assinged to a role, and then the role is assigned to a user.
112
+
For every product (and every supported version of a product) we ship a ruleset that users can use (and might be used as a default).
113
+
Since the rules are dependent on the product version, the product operator needs to ship these rules.
114
+
What about the OPA version? Rules need to also be compatible with the OPA version?
114
115
115
-
How are policies actually derived from the relationships in ReBAC?
116
-
117
-
I think it makes sense to stay close to the applications here, i.e. for druid there should still be read/write permissions on resources.
118
-
119
-
we still need to define things like "an editor on thsi resource group can write to this topic"
120
-
121
-
It would be cool to have "resource groups" and then just relations like "owner", "reader", "edtior" relating to a whole group of resources.
122
-
123
-
A mixed model might make sense, maybe a hierarchical tree of user groups on the one side, and resource groups on the other side? or composing roles and also composing groups, and then mapping groups and roles? I got this idea from Keycloak.
124
-
125
-
I think maybe the idea of having the permission for an action on a resource is still very central to all the products we support, and it makes sense to keep that.
126
-
Maybe just in a "permission bundle" and those can also be grouped?
127
-
128
-
I think in i.e. GDrive we could give someone read permission on a folder of files, but this relation needs to be already embedded in the application.
129
-
We cannot give someone read access on a group of Trino tables, because this concept does not exist in Trino.
130
-
The group will still need to be maintained outside of Trino, and so we do not have a lot to gain here.
116
+
=== product specific JSON data policies
131
117
132
-
== Design A
118
+
The rules work with product specific JSON policies.
119
+
These policies should expose every feature that the authorizer supports.
133
120
134
-
RBAC-based design.
121
+
=== Unified policy CRs
135
122
136
-
Let users define
123
+
The unified policy CRD is modeled as ABAC.
124
+
Resources and users have attributes which get matched in a policy.
125
+
If a decision request matches to a policy, the permissions from the policy apply.
137
126
138
-
== Design B
127
+
Resource attributes are resource specific, i.e. for a Trino table, there is a "catalog" attribute, but that only exists on Trino tables.
139
128
140
-
We design a relation based access control system (ReBAC), inspired by Google Zanzibar.
141
-
ReBAC allows for role-based access control as well (RBAC) but goes beyond that to also allow hierarchies of objects that users can be related to.
142
-
This allows for more flexibility when defining organizational structures, and rules can be attached at any level.
129
+
More advanced stuff like masking properties is maybe not supported. maybe the access levels are also only "read", "write" and "full".
143
130
144
-
We define a CustomResource that allows users to define ReBAC stuff in CRs.
145
-
This allows for more validation instead of putting rules in a DSL or in JSON into a ConfigMap.
146
-
147
-
There are three kinds of rules that users can define easily in a CR:
148
-
149
-
* relations of objects and users
150
-
* relations of objects and user sets
151
-
* relations of objects and other objects
152
-
153
-
Users are pre defined in either LDAP or keycloak, and referenced by their name/ID.
154
-
Resolving users is done in OPA, using the UserInfoFetcher.
155
-
For this ADR, we will assume users are specified by their username, i.e. "alice" or "bob".
156
-
157
-
Other objects in the system can be entities inside of the products, such as a `trino-table`.
158
-
We also allow users to define their own objects and relations, mainly to organize their users and permissions.
159
-
Every user-defined object and relation needs to be specified in an RebacType object.
160
-
161
-
Example:
162
-
163
-
[source,yaml]
164
-
----
165
-
kind: RebacType
166
-
metadata:
167
-
name: project # <1>
168
-
spec:
169
-
relations: # <2>
170
-
- name: member
171
-
objects: # <3>
172
-
- secret-project
173
-
- datascience-spike
174
-
- ladida
175
-
- otherproj
176
-
----
177
-
178
-
<1> The name of the RebacType. This will be referenced in rule definitions.
179
-
<2> The relations that are defined for this type. In this case there is a "member" definition. Users can be members of a project.
180
-
<3> Object defintions. This is optional; if given, only these objects can be referenced, adding another layer of verification.
181
-
182
-
For products, the SDP comes with predefined objects that make sense for the product.
183
-
For example in Trino we will define `trino-table` and `trino-catalog`, each with a `reader`, `editor` and `owner` relation.
184
-
For Superset we can define a `superset-dashboard` with the same relations.
185
-
For Kafka we can define a `kafka-topic` type.
186
-
187
-
We can group some resources together into a project, and then assign users to the project.
188
-
Users can be assigned individually or based on their group memberships.
189
-
190
-
Here is an example of what it could look like in yaml:
191
-
192
-
[source,yaml]
193
-
----
194
-
kind: RebacRelations
195
-
metadata:
196
-
name: project-ladida
197
-
# Project Ladida manages the mydata table in Trino
198
-
# User 13 and all the members of the 'otherproj' project are members
199
-
# of Project Ladida
200
-
relations:
201
-
# Which resources are part of the project?
202
-
- subject: "project:ladida"
203
-
relation: "owner"
204
-
object: "trino-table:mydata"
205
-
- subject: "project:ladida"
206
-
relation: "reader"
207
-
object: "kafka-topic:datasource"
208
-
- subject: "project:ladida"
209
-
relation: "editor"
210
-
object: "superset-dashboard:ladida-viz"
211
-
# Who is part of the project?
212
-
- user: "alice"
213
-
relation: "member"
214
-
object: "project:ladida"
215
-
- userset:
216
-
object: "ad-group:datascience"
217
-
relation: "member"
218
-
relation: "member"
219
-
object: "project:ladida"
220
-
----
221
-
222
-
The first three relations define the project as the owner/reader/editor of a number of resources.
223
-
Transitively, any member of the project will get these relations.
224
-
225
-
The last two relations define the user "alice" as a member of the project, as well as any member of the ActiveDirectoy group "datascience".
226
-
227
-
=== Implementation
228
-
229
-
The RebacType and RebacRelations can both be annotated with the `opa.stackable.tech/bundle: "true"` label to include it into the OPA bundle.
230
-
231
-
The relation definitions can the be verified - to a degree - and subsequently everything is serialized as JSON and provided as `data` to OPA.
232
-
We then need to define a RegoRule framework inside OPA to evaluate these rules correctly.
233
-
234
-
== TODO: Gaia-X considerations
235
-
236
-
TSA? OCM?
237
-
238
-
"TSA ist OPA, unser Authr. ist OPA, aber bauen wir oder TSA dinge drumherum, die die Integration schwer machen?"
131
+
The OPA operator should read these CRs and convert them into JSON data policies.
0 commit comments