github.com/treeverse/lakefs@v1.24.1-0.20240520134607-95648127bfb0/design/open/acl/rbac-to-acl.md (about) 1 # TLD for lakeFS Simplified Authorization: from RBAC to ACL 2 3 ## Goal 4 5 As part of part of [simplifying auth*][auth-sec-update], simplify the lakeFS 6 authorization system to use ACLs instead of PBAC as exists currently. 7 8 A simple GUI will be available for placing users into groups and configuring 9 allowed access for each group. 10 11 The bedrock of authorization in lakeFS remains the policy engine. This is a 12 well-tested proven solution. Advanced users will be able to retain policies 13 if they deploy and configure a external authorization server. However there 14 will be no authorization server in lakeFS itself. 15 16 ## User experience 17 18 ### Simplified user experience 19 20 This section does _not_ do mockups, we may have those separately. 21 22 #### Concepts 23 24 ##### Permissions 25 26 A _permission_ allows a group of users to do something. Users cannot create 27 permissions, lakeFS provides only these permissions: 28 29 | Permission | Allows | Existing Group | 30 |------------|--------------------------------------------|---------------------------| 31 | **Read** | Read operations, creating access keys. | Viewers | 32 | **Write** | Allows all data read and write operations. | Developers | 33 | **Super** | Allows all operations except auth. | SuperUsers (with changes) | 34 | **Admin** | Allows all operations. | Admins | 35 36 In existing RBAC terms, the only permissions for non-admins are under `fs:*` 37 and those to manage own credentials(`AuthManageOwnCredentials`). The latter 38 is given to all users. 39 40 Some service jobs such as GC must be run using a user with Admin permission. 41 42 ##### Scopes 43 44 When granted to a group, permissions Read, Write, and Super may be _scoped_. 45 Then they apply only to a set of repositories. It is not possible to scope 46 permission Admin: it includes global abilities that apply across repos, and 47 can modify granted permissions. 48 49 ##### Grants 50 51 A group is _granted_ a single permission within a scope. "Admin" permission 52 has no scope (grayed out in the GUI, and all repos are allowed). 53 54 #### Out: RBAC 55 56 Remove from the GUI the policy page and all references to policies, and from 57 `lakectl` all policy-related commands. The API will no longer support these 58 operations, either. It will return [405 Method Not Allowed][http-stat-405], 59 or alternatively [501 Unimplemented][http-stat-501] when called: it is now a 60 partial implementation of the auth* API. 61 62 #### In: ACLs 63 64 Every group on the list of groups on the Groups page uses the format: 65 66 | Group ID | Permission | Created at | Repositories | 67 |----------|---------------------|------------|--------------| 68 | <name> | Permission dropdown | datetime | <number> | 69 70  72 73 This gives information about the group and allows editing its permission. 74 75 There are 4 default groups, named after the 4 permissions. Each group is 76 global (applies for all repositories). 77 78 Clicking on the group takes us to the group's subpage with 2 tabs: 79 80 * **Members**: The current "Group Memberships" tab. 81 * **Repositories**: A list of configured repositories. 82 83 This tab has an "all" toggle at the top. If the permission is "Admin" the 84 toggle is set and cannot be changed. Otherwise it controls a selection of 85 groups using the same GUI mechanism as used today for memberships (and for 86 policies, ironically). 87 88 We shall add appropriate options to `lakectl` to control policies at the new 89 levels of granularity. 90 91 ### Upgrade to simplified 92 93 On startup, lakeFS will check the KV schema version. If it has not upgraded 94 to ACLs then lakeFS will check whether an upgrade is required: 95 96 * If the 4 basic policies have not been modified, and no other policies have 97 been defined, and no users have attached policies: no upgrade is required. 98 lakeFS will merely upgrade the KV schema version. 99 * Otherwise lakeFS will not start until an upgrade script runs. 100 101 #### The upgrade script 102 103 Admins will run the upgrade script if required to do so by lakeFS or if they 104 want to be very sure (for instance, there is a minor race condition if there 105 is more than one concurrent lakeFS). We force admins to try the script on a 106 dry run using a `--yes` flag: without it, the script only prints the planned 107 changes. 108 109 The upgrade script will _ensure_ that the 4 default global groups exist, and 110 _modify_ existing groups to fit into the new ACLs scheme. 111 112 * When creating the 4 default global groups: if another group exists and has 113 the desired name, upgrading will rename it by appending ".orig". So after 114 upgrading the 4 default global groups exist, with these known names. 115 * For any group, upgrading configured policies follows these rules, possibly 116 **increasing** access: 117 118 1. Any "Deny" rules are stripped, and a warning printed. 119 1. "Manage own credentials" is added. 120 1. If any actions outside of "fs:" are allowed, the group becomes an Admin 121 group, a warning is printed, and no further changes apply. 122 1. The upgrade script *unifies* repositories: If a permission applies to a 123 set of repositories with a wildcard, permissions are unified to **all** 124 repositories. Otherwise they apply to the list of all repositories, in 125 all the policies. 126 1. The upgrade script *unifies* actions: it selects the _least_ permission 127 of Read, Write, Super that contains all of the allowed actions. If any 128 allowed action contains a wildcard this still makes sense. 129 130 All warnings link to support@ and to Slack. 131 * The upgrade script prints the new permissions of the group.[^1] 132 133 134 [^1] Even JSON-diff cannot be used report detailed changes, as many policies 135 are unified into a single policy. 136 137 ### PBAC user experience with external authorization server 138 139 If lakeFS is attached to an external authorization server, the existing PBAC 140 GUI may continue to be used. It is not possible to use both types of GUI at 141 the same time: Moving from PBAC to simplified may only be performed once and 142 **will** lose configuration. 143 144 ## Implementation 145 146 lakeFS enforcement will remain backed by PBAC. We shall add a "ui" field to 147 policies. It will contain a structure that backs the UI: 148 149 <table> 150 <tr><th>Read all repos</th><th>Read repos `foo`, `bar`</th></tr> 151 <tr><td> 152 ```json 153 { 154 "statement": [ 155 { 156 "action": ["fs:List*", "fs:Read*"], 157 "effect": "allow", 158 "resource": "*" 159 } 160 ], 161 "ui": { 162 "permission": "Read", 163 "repositories": { "all": true } 164 } 165 } 166 ``` 167 </td><td> 168 ```json 169 { 170 "statement": [ 171 { 172 "action": ["fs:List*", "fs:Read*"], 173 "effect": "allow", 174 "resource": "foo" 175 }, { 176 "action": ["fs:List*", "fs:Read*"], 177 "effect": "allow", 178 "resource": "bar" 179 } 180 ], 181 "ui": { 182 "permission": "Read", 183 "repositories": { "list": ["foo", "bar"] } 184 } 185 } 186 ``` 187 </td></tr> 188 </table> 189 190 The UI receives and edits only the ui sub-object. lakeFS translates it back 191 to a statement when the UI posts it back. In effect PBAC statements are the 192 materialized form of the ui sub-object. 193 194 ## Milestones 195 196 - Review and accept design 197 - Server-side support: add ui sub-object and ui -> statement translations 198 - lakectl support for simplified mode 199 - GUI 200 201 202 [auth-sec-update]: https://docs.lakefs.io/posts/security_update.html#whats-changing 203 [http-stat-405]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/405 204 [http-stat-501]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/501