
Fine Grained ACL #1075

Open
MFry opened this issue Feb 13, 2024 · 3 comments

Comments

@MFry

MFry commented Feb 13, 2024

Hello,

Our team at Lockheed is looking into leveraging Hyades and I was wondering if there are any future plans for a more fine grained control of permissions on a per project basis.
Something like what is proposed here, specifically something along this level of control:

- Configure user or group permissions for a certain project: on the project page, a user can configure which users or groups are authorized for this project.
- Configure project permissions for certain users: in the Portfolio Access Control module, a user can configure project permissions for a certain user.

@nscuro
Member

nscuro commented Feb 13, 2024

Hey @MFry, thanks for reaching out!

No definitive plans yet, but I'd say the work we did so far (and are continuing to do) is contributing towards making such ACLs easier to implement. We're dropping a few persistence-related abstractions which made it harder than necessary to perform ACL checks, among other things.

I'm thinking something similar to Spring Security's ACL implementation would be nice to have.

Slightly related, we have had users ask for multi-tenancy capabilities. Perhaps a more fine-grained permission model should take tenants into consideration.

@nscuro
Member

nscuro commented Feb 13, 2024

An additional idea (just putting it out there for discussion): We already adopted CEL for policy usage.

Using it for authorization could make sense as well. This is an area where historically OPA was popular, but using CEL avoids additional network calls, while still allowing users to nicely express AuthZ rules.

Project Nessie is doing something similar: https://projectnessie.org/features/metadata_authorization/#authorization-rules

The major downside is that AuthZ can't be enforced on the database level, which can make aggregating queries, such as for metrics, borderline impossible.
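
As an added example (not Hyades code, and not a design the maintainers have committed to), the following Python sketch models the per-project user and group grants asked for in the opening comment and shows the enforcement trade-off raised in the comment above: an in-process rule (a plain callable standing in for a compiled CEL expression) has to be evaluated per row in application code, whereas a database-level predicate lets SQL aggregate only the permitted projects. Table names, the `VIEW_PORTFOLIO` permission name, the `admin` role and the sample data are all constructed for this example and are not Hyades identifiers.

```python
"""Per-project ACL enforced two ways: in-process rule vs. SQL predicate.

Added example, not project code. Schema, permission and role names and the
sample rows below are constructed for illustration only.
"""
import sqlite3
from dataclasses import dataclass

VIEW = "VIEW_PORTFOLIO"  # assumed permission name


@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset = frozenset()
    roles: frozenset = frozenset()


# Constructed sample data: three projects, one direct user grant, one group grant.
SAMPLE_PROJECTS = [(1, "alpha", 3), (2, "beta", 5), (3, "gamma", 7)]
SAMPLE_USER_ACL = [(1, "alice", VIEW)]
SAMPLE_GROUP_ACL = [(2, "team-b", VIEW)]

SCHEMA = """
CREATE TABLE project (id INTEGER PRIMARY KEY, name TEXT NOT NULL, vulns INTEGER NOT NULL);
CREATE TABLE project_user_acl (project_id INTEGER, user TEXT, perm TEXT);
CREATE TABLE project_group_acl (project_id INTEGER, grp TEXT, perm TEXT);
"""


def open_db():
    """In-memory SQLite database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO project VALUES (?, ?, ?)", SAMPLE_PROJECTS)
    conn.executemany("INSERT INTO project_user_acl VALUES (?, ?, ?)", SAMPLE_USER_ACL)
    conn.executemany("INSERT INTO project_group_acl VALUES (?, ?, ?)", SAMPLE_GROUP_ACL)
    return conn


def rule_allows(principal, project_id, user_grants, group_grants, perm=VIEW):
    """In-process rule, a stand-in for a CEL expression such as
    'has(admin) || user in project.users || groups.exists(g, g in project.groups)'.
    Evaluated without any network call, but only one (principal, project) pair at a time."""
    if "admin" in principal.roles:
        return True
    if (project_id, principal.name, perm) in user_grants:
        return True
    return any((project_id, g, perm) in group_grants for g in principal.groups)


def metrics_app_side(conn, principal):
    """Strategy A: load every project, filter in application code, aggregate in Python.
    Correct, but touches all rows and cannot use SQL aggregation (the downside above)."""
    user_grants = set(conn.execute("SELECT project_id, user, perm FROM project_user_acl"))
    group_grants = set(conn.execute("SELECT project_id, grp, perm FROM project_group_acl"))
    total, count = 0, 0
    for pid, _name, vulns in conn.execute("SELECT id, name, vulns FROM project"):
        if rule_allows(principal, pid, user_grants, group_grants):
            total += vulns
            count += 1
    return total, count


def metrics_db_side(conn, principal):
    """Strategy B: express the same grants as a SQL predicate so the database
    aggregates only permitted projects. Returns (sum of vulns, project count)."""
    if "admin" in principal.roles:  # admin bypass mirrors rule_allows()
        return conn.execute("SELECT COALESCE(SUM(vulns), 0), COUNT(*) FROM project").fetchone()
    groups = sorted(principal.groups)
    # Edge case: 'IN ()' is a syntax error in SQLite, so an empty group list becomes
    # 'IN (NULL)', which never matches. Only placeholders are interpolated, never data.
    group_list = ",".join("?" for _ in groups) or "NULL"
    sql = f"""
        SELECT COALESCE(SUM(p.vulns), 0), COUNT(*)
        FROM project p
        WHERE EXISTS (SELECT 1 FROM project_user_acl u
                      WHERE u.project_id = p.id AND u.user = ? AND u.perm = ?)
           OR EXISTS (SELECT 1 FROM project_group_acl g
                      WHERE g.project_id = p.id AND g.grp IN ({group_list}) AND g.perm = ?)
    """
    params = [principal.name, VIEW, *groups, VIEW]
    return conn.execute(sql, params).fetchone()


if __name__ == "__main__":
    db = open_db()
    for who in (Principal("alice", frozenset({"team-b"})),
                Principal("bob"),
                Principal("root", roles=frozenset({"admin"}))):
        print(who.name, metrics_app_side(db, who), metrics_db_side(db, who))
```

Both strategies must return identical results for every principal; keeping that invariant under test is what makes a later move from one enforcement point to the other safe. The in-process rule is what an expression language such as CEL gives you cheaply, but once an endpoint needs a SUM or COUNT over the portfolio, only the SQL-side form scales, and a rule that cannot be compiled into such a predicate (for instance one that calls out to external state) is exactly the case that makes aggregation hard.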

@MFry
Author

MFry commented Mar 19, 2024

I appreciate the information and input @nscuro. My team is starting to deploy Hyades now and we will be looking at our access control needs and how best we can contribute back to Hyades so that our needs align.

Labels: None yet
Projects: None yet
Development: No branches or pull requests
2 participants