You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The following diagram shows a high level view of the entire process, which should be helpful for dividing the work into separate projects that have value on their own.
Decision Layer: This refers to the collection of RegoRules that we supply that handle the actual policy decision making in OPA.
Abstraction Layer: This is built on top of the decision layer and should be an opinionated, simplified authorization model that should allow 90% of users to specify their authorization policies in a way that doesn't involve writing RegoRules. This might be implemented with CRDs like KafkaAcl, TrinoAcl, etc.. It should be based on a model like ReBAC, ABAC or RBAC.
Decision Layer
The content you are editing has changed. Please copy your edits and refresh the page.
The decision layer does the actual policy decisions. This still needs to be developed and is product specific.
Most of the work in the decision layer will happen in the operator repositories, as writing the generic RegoRules per product is part of the product specific implementation tickets (e.g. #500).
The groundwork for moving the data and rules into place should already be present in the OPA operator and the bundle builder.
Having these RegoRules in place is necessary for the abstraction layer (next step).
Abstraction Layer
The content you are editing has changed. Please copy your edits and refresh the page.
Rego is not something that is really suitable to be exposed to the average user, so Stackable will define a suitable abstraction layer, probably per product that is the exposed to the users.
This abstraction will be implemented via CRDs, read by the product operators and converted into an internal format (configmaps, secrets, crds, tbd during refinement/implementation).
The initial step here will be to decide on some guiding principles and the overarching design in the form of an ADR (#439).
The actual design and implementation of the decisions from the ADR will then happen in the operator issues (e.g. stackabletech/trino-operator#479).
UserInfoFetcher
The current idea for the UserInfoFetcher is to develop it as part of the OPA Operator. The following diagram shows the current idea of how it could be deployed and interact with the rest of the system.
One thing currently missing, but shown as part of the decision layer is the UserInfoFetcher, which will need to be implemented.
This component is not named "UserGroupFetcher" or similar on purpose, as users may want to enrich user objects with arbitrary data, not just groups.
An example for such a use case would be this message from the Trino slack:
However I wanted to post a user story/use case we have. Need others opinions.
User is a US citizens and employee of a French company
User runs a query against a table that has (hypothetical) mix of US, Canada, Mexico, Korean, and various European customers
Since the user is a US citizen, if the customers is Korean there is a restriction on even accessing said information.
4a) If the customers is European and said user is currently geographically inside the US, rows returned should NOT include the European user.
4a) If the customers is European and said user is currently at the French office, then rows returned can include the European customers.
If the customers is Canadian, the data may be viewed but there is a reporting requirement for said data (reporting handled via Telemetry not OPA)
If the customer is from Mexico or US, said User is entitled to see all rows
The row filters (and/or masking) applied should be based on said geopolitical rules
So the general idea is to allow defining arbitrary properties that user principals should be enriched with, if they are available in the backend. This will have to be backend specific, as for example Keycloak and AD have different concepts around group membership, usernames and custom properties.
The content you are editing has changed. Please copy your edits and refresh the page.
In the products themselves authorizer implementations that use OPA as backend will need to be provided.
This will need to be investigated per product, with a few already being taken care of:
For the rest of the tools we'll need individual tickets in the operators (e.g. stackabletech/hdfs-operator#400).
In some cases it might not make sense, we'll need to determine this per product (e.g. #120 (comment)).
In some cases, on top of the authorizer a group mapper might be needed, as some products actually have a concept of user groups and use these internally (HDFS being a prominent example).
The idea here is to implement a simple group mapper for the product in question that calls out to OPA to retrieve the groups for that user via a rest call, so that the actual functionality remains in the UserInfoFetcher and is not spread throughout the entire plattform (stackabletech/hdfs-operator#401).
The content you are editing has changed. Please copy your edits and refresh the page.
Since this ticket is an initiative now, maybe we can have another tasklist with "Ideas/Nice to Have" or something where tickets like the one above can go?
This is an initiative to track the work needed until we have an integrated authentication & authorization story for our platform.
This will be split into sub-epics to generate units of work that can be pulled onto the board and finished in a reasonable amount of time.
Authentication
Tasks
Authorization
The following diagram shows a high level view of the entire process, which should be helpful for dividing the work into separate projects that have value on their own.
Decision Layer
Tasks
The decision layer does the actual policy decisions. This still needs to be developed and is product specific.
Most of the work in the decision layer will happen in the operator repositories, as writing the generic RegoRules per product is part of the product specific implementation tickets (e.g. #500).
The groundwork for moving the data and rules into place should already be present in the OPA operator and the bundle builder.
Having these RegoRules in place is necessary for the abstraction layer (next step).
Abstraction Layer
Tasks
Rego is not something that is really suitable to be exposed to the average user, so Stackable will define a suitable abstraction layer, probably per product that is the exposed to the users.
This abstraction will be implemented via CRDs, read by the product operators and converted into an internal format (configmaps, secrets, crds, tbd during refinement/implementation).
The initial step here will be to decide on some guiding principles and the overarching design in the form of an ADR (#439).
The actual design and implementation of the decisions from the ADR will then happen in the operator issues (e.g. stackabletech/trino-operator#479).
UserInfoFetcher
The current idea for the UserInfoFetcher is to develop it as part of the OPA Operator. The following diagram shows the current idea of how it could be deployed and interact with the rest of the system.
One thing currently missing, but shown as part of the decision layer is the
UserInfoFetcher
, which will need to be implemented.This component is not named "UserGroupFetcher" or similar on purpose, as users may want to enrich user objects with arbitrary data, not just groups.
An example for such a use case would be this message from the Trino slack:
So the general idea is to allow defining arbitrary properties that user principals should be enriched with, if they are available in the backend. This will have to be backend specific, as for example Keycloak and AD have different concepts around group membership, usernames and custom properties.
Group based authorization
Products
In the products themselves authorizer implementations that use OPA as backend will need to be provided.
This will need to be investigated per product, with a few already being taken care of:
For the rest of the tools we'll need individual tickets in the operators (e.g. stackabletech/hdfs-operator#400).
In some cases it might not make sense, we'll need to determine this per product (e.g. #120 (comment)).
In some cases, on top of the authorizer a group mapper might be needed, as some products actually have a concept of user groups and use these internally (HDFS being a prominent example).
The idea here is to implement a simple group mapper for the product in question that calls out to OPA to retrieve the groups for that user via a rest call, so that the actual functionality remains in the UserInfoFetcher and is not spread throughout the entire plattform (stackabletech/hdfs-operator#401).
HDFS
HBase
Trino
Druid
NiFi
Miscelaneous Tickets
Things related to the initiative but not to any particular epic
Tasks
The text was updated successfully, but these errors were encountered: