-
-
Notifications
You must be signed in to change notification settings - Fork 16
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fine Grained ACL #1075
Comments
Hey @MFry, thanks for reaching out! No definitive plans yet, but I'd say the work we did so far (and are continuing to do) is contributing towards making such ACLs easier to implement. We're dropping a few persistence-related abstractions which made it harder than necessary to perform ACL checks, among other things. I'm thinking something similar to Spring Security's ACL implementation would be nice to have. Slightly related, we have had users ask for mutli-tenancy capabilities. Perhaps a more fine-grained permission model should take tenants into consideration. |
An additional idea (just putting it out there for discussion): We already adopted CEL for policy usage. Using it for authorization could make sense as well. This is an area where historically OPA was popular, but using CEL avoids additional network calls, while still allowing users to nicely express AuthZ rules. Project Nessie is doing something similar: https://projectnessie.org/features/metadata_authorization/#authorization-rules Major downside being that AuthZ can't be enforced on the database level, which can make aggregating queries such as for metrics borderline impossible. |
I appreciate the information and input @nscuro. My team is starting to deploy Hyades now and we will be looking at our access control needs and how best we can contribute back to Hyades so that our needs align. |
Hello,
Our team at Lockheed is looking into leveraging Hyades and I was wondering if there are any future plans for a more fine grained control of permissions on a per project basis.
Something like what is proposed here, specifically something along this level of control:
The text was updated successfully, but these errors were encountered: