Add TLD for lakeFS Simplified Authorization #5267
Conversation
Still missing: upgrade process.
arielshaqed
added
new-feature
|  | ||
|
|
||
| This gives information about the group and allows editing its permission. |
There was a problem hiding this comment.
One thing that I think is worth taking into account, we should block if someone is trying to remove the last admin group available (e.g deleting the group or changing its permissions, and essentially blocking themselves outside of lakefs management)
There was a problem hiding this comment.
Absolutely! I suggest making the 4 "global" groups immutable and undeletable.
Admins will still be able to lock themselves out by removing all users from Admins. The way out will be to run lakefs superuser.
WDYT?
There was a problem hiding this comment.
sounds good, so the 4 global groups are associated with all repos and can't be modified, and if you want to scope users to specific repos you'll create new group?
There was a problem hiding this comment.
I think that will be easiest. This is very light enforcement; being able to modify these groups will be too confusing.
I still want to allow creating new groups with Admin ACL. While all groups with this ACL have identical powers ("do anything"), someone might want to label their "admin" users in two groups for management reasons or something.
| * For any group, upgrading configured policies follows these rules, possibly | ||
| **increasing** access: | ||
|
|
||
| 1. Any "Deny" rules are stripped, and a warning printed. |
There was a problem hiding this comment.
please make sure the warning message contains a link to our slack workspace or support email if they need any assistance.
|  | ||
|
|
||
| This gives information about the group and allows editing its permission. |
There was a problem hiding this comment.
Absolutely! I suggest making the 4 "global" groups immutable and undeletable.
Admins will still be able to lock themselves out by removing all users from Admins. The way out will be to run lakefs superuser.
WDYT?
|  | ||
|
|
||
| This gives information about the group and allows editing its permission. |
There was a problem hiding this comment.
sounds good, so the 4 global groups are associated with all repos and can't be modified, and if you want to scope users to specific repos you'll create new group?
|
@nopcoder I think you volunteered :-), but please remove yourself if you didn't... |
|
yes, I'm still on it |
| to a statement when the UI posts it back. In effect PBAC statements are the | ||
| materialized form of the ui sub-object. | ||
|
|
||
| ## Milestones |
There was a problem hiding this comment.
How the transition will be - I mean we commit everything after all is tested outside main?
Do we plan to deploy some functionality and disable some as we go between milestones?
There was a problem hiding this comment.
No, the whole thing drops as a single release. That release will delete P/RBAC and replace it with ACLs.
| | Permission | Allows | Existing Group | | ||
| |------------|--------------------------------------------|---------------------------| | ||
| | **Read** | Read operations, creating access keys. | Viewers | | ||
| | **Write** | Allows all data read and write operations. | Developers | |
There was a problem hiding this comment.
Checking - it means I can delete a repository as a developer right?
There was a problem hiding this comment.
No, sorry(?). Same permissions you'd get from FSReadWrite today.
|
|
||
| Some service jobs such as GC must be run using a user with Admin permission. | ||
|
|
||
| ##### Scopes |
There was a problem hiding this comment.
Will I be able to give read access to scope "all" - for all repositories?
|
|
||
| Some service jobs such as GC must be run using a user with Admin permission. | ||
|
|
||
| ##### Scopes |
| | Permission | Allows | Existing Group | | ||
| |------------|--------------------------------------------|---------------------------| | ||
| | **Read** | Read operations, creating access keys. | Viewers | | ||
| | **Write** | Allows all data read and write operations. | Developers | |
There was a problem hiding this comment.
No, sorry(?). Same permissions you'd get from FSReadWrite today.
| to a statement when the UI posts it back. In effect PBAC statements are the | ||
| materialized form of the ui sub-object. | ||
|
|
||
| ## Milestones |
There was a problem hiding this comment.
No, the whole thing drops as a single release. That release will delete P/RBAC and replace it with ACLs.
No description provided.