github.com/treeverse/lakefs@v1.24.1-0.20240520134607-95648127bfb0/docs/reference/security/access-control-lists.md (about) 1 --- 2 title: Access Control Lists (ACLs) 3 description: Access control lists (ACLs) are one of the resource-based options that you can use to manage access to your repositories and objects. There are limits to managing permissions using ACLs. 4 grand_parent: Reference 5 parent: Security 6 redirect_from: 7 - /reference/access-control-list.html 8 - /reference/access-control-lists.html 9 --- 10 11 # Access Control Lists (ACLs) 12 13 {: .note} 14 > ACLs were introduced in their current form in v0.98 of lakeFS as part of [changes to the security model][security-changes] in lakeFS. They are an alternative to the more granular control that [role-based access control](rbac.html) provides. 15 16 17 {% include toc.html %} 18 19 ## ACLs 20 21 You can attach Permissions and scope them to groups in the Groups page. 22 There are 4 default groups, named after the 4 permissions. Each group is global (applies for all repositories). 23 24 | Group ID | Allows | 25 |-----------|--------------------------------------------| 26 | **Read** | Read operations, creating access keys | 27 | **Write** | Allows all data read and write operations. | 28 | **Super** | Allows all operations except auth. | 29 | **Admin** | Allows all operations. | 30 31 ## Pluggable Authentication and Authorization 32 33 Authorization and authentication is pluggable in lakeFS. If lakeFS is attached to a [remote authentication server](remote-authenticator.html) (or you are using lakeFS Cloud) then the [role-based access control](rbac.html) user interface can be used. 34 35 If you are using ACL then the lakeFS configuration element `auth.ui_config.RBAC` should be set to `simplified`. 36 37 ## Previous versions of ACL in lakeFS 38 39 Here's a comparison of the current ACL model against the behavior prior to [the changes introduced][security-changes] in v0.98. 40 41 | Permission | Allows | Previous Group Name | Previous Policy Names and Actions | 42 |------------|--------------------------------------------|---------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| 43 | **Read** | Read operations, creating access keys. | Viewers | FSReadAll \[fs:List*, fs:Read*] | 44 | **Write** | Allows all data read and write operations. | Developers | FSReadWriteAll \[fs:ListRepositories, fs:ReadRepository, fs:ReadCommit, fs:ListBranches, fs:ListTags, fs:ListObjects, fs:ReadObject, fs:WriteObject, fs:DeleteObject, fs:RevertBranch, fs:ReadBranch, fs:ReadTag, fs:CreateBranch, fs:CreateTag, fs:DeleteBranch, fs:DeleteTag, fs:CreateCommit] RepoManagementReadAll \[ci:Read*, retention:Get*, branches:Get*, fs:ReadConfig] | 45 | **Super** | Allows all operations except auth. | SuperUsers (with changes) | FSFullAccess \[fs:*] RepoManagementReadAll \[ci:Read*, retention:Get*, branches:Get*, fs:ReadConfig] | 46 | **Admin** | Allows all operations. | Admins | AuthFullAccess \[auth:*] FSFullAccess \[fs:*] RepoManagementFullAccess \[ci:*, retention:*, branches:*, fs:ReadConfig] | 47 48 ### Migrating from the previous version of ACLs 49 50 Upgrading the lakeFS version will require migrating to the new ACL authorization model. 51 52 In order to run the migration run: 53 ``` 54 lakefs migrate up 55 ``` 56 57 The command will run the migration to ACL. The migration process might adjust the current authorization policies to fit ACL, in that case the command will not make any changes, only print warnings. 58 In case of warnings to apply the migration, re-run with the `--force` flag 59 60 The upgrade will ensure that the 4 default groups exist, and modify existing groups to fit into the new ACLs model: 61 - When creating the 4 default global groups: if another group exists and has the desired name, upgrading will rename it by appending ".orig". So after upgrading the 4 default global groups exist, with these known names. 62 - For any group, upgrading configured policies follows these rules, possibly increasing access: 63 1. Any "Deny" rules are stripped, and a warning printed. 64 2. "Manage own credentials" is added. 65 3. If any actions outside of "fs:" and manage own credentials are allowed, the group becomes an Admin group, a warning is printed, and no further changes apply. 66 4. The upgrade script unifies repositories: If a resource applies to a set of repositories, permissions are unified to all repositories. 67 5. The upgrade script unifies actions: it selects the least permission of Read, Write, Super that contains all of the allowed actions. 68 69 The upgrade will detach every directly attached policy from users 70 71 Note that moving to ACL from RBAC may only be performed once and **will** lose some configuration. The upgrade script will detail the changes made by the transition. 72 73 For any question or concern during the upgrade, don't hesitate to get in touch with us through [Slack](https://lakefs.io/slack) or [email](mailto:support@treeverse.io). 74 75 [security-changes]: {% link posts/security_update.md %}#whats-changing